Eygene Ryabinkin
2008-Nov-23 10:45 UTC
[vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386

>Description:
Multiple vulnerabilities were discovered in hplip 1.6.7 [1]. I had analyzed the RedHat patches [2] and [3]: the first two (CVE-2008-2940) apply "as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941) contains many fixes to code that exists in 2.8.2_2 too. So, I am counting the current FreeBSD port as vulnerable to both attacks.

Moreover, I had traced the vulnerabilities through the release sources: proper device_uri handling was introduced in 2.8.4 and the parser fragility in hpssd.py was eliminated in the same version, because hpssd was converted to a systray application. So, 2.8.4 and higher should not be vulnerable to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052

>How-To-Repeat:
Look at the above references.

>Fix:
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
<vuln vid="">
  <topic>hplip -- multiple vulnerabilities in hpssd component</topic>
  <affects>
    <package>
      <name>hplip</name>
      <range><lt>2.8.4</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>SecurityFocus database says:</p>
      <blockquote cite="http://www.securityfocus.com/bid/30683/discuss">
        <p>HP Linux Imaging and Printing System (HPLIP) is prone to multiple vulnerabilities, including privilege-escalation and denial-of-service issues.</p>
        <p>Exploiting the privilege-escalation vulnerability may allow attackers to perform certain actions with elevated privileges. Successful exploits of the denial-of-service issue will cause the 'hpssd' process to crash, denying service to legitimate users.</p>
        <p>These issues affect HPLIP 1.6.7; other versions may also be affected.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-2940</cvename>
    <cvename>CVE-2008-2941</cvename>
    <bid>30683</bid>
    <url>https://bugzilla.redhat.com/show_bug.cgi?id=457052</url>
    <url>https://bugzilla.redhat.com/show_bug.cgi?id=455235</url>
  </references>
  <dates>
    <discovery>2008-08-12</discovery>
  </dates>
</vuln>
--- vuln.xml ends here ---
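
How an auditing tool would evaluate the proposed entry's <range> against the hplip versions named in this thread, as an added example that is not part of the original message and not code from any FreeBSD tool. The function names are hypothetical and the version comparison is a simplified assumption (numeric components, _revision and ,epoch only).

```python
import operator
import xml.etree.ElementTree as ET

# Constructed input: the <affects> part of the entry proposed in the PR
# (description and references left out, vid empty as submitted).
ENTRY = """<vuln vid="">
  <topic>hplip -- multiple vulnerabilities in hpssd component</topic>
  <affects>
    <package>
      <name>hplip</name>
      <range><lt>2.8.4</lt></range>
    </package>
  </affects>
</vuln>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def version_key(version):
    """Sort key for a port version such as 2.8.2_2 (hypothetical helper).

    Assumption: components are numeric; the real pkg comparison also
    handles letters and other suffixes, which this helper rejects
    with ValueError.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 2.8 and 2.8.0 alike
        parts.pop()
    return (int(epoch or 0), tuple(parts), int(revision or 0))


def is_affected(entry_xml, name, version):
    """True if name-version falls in any <range> listed for that package."""
    installed = version_key(version)
    for package in ET.fromstring(entry_xml).iter("package"):
        if name not in [n.text for n in package.findall("name")]:
            continue
        for rng in package.findall("range"):
            # Bounds inside one <range> are ANDed; separate ranges are ORed.
            if all(OPS[b.tag](installed, version_key(b.text)) for b in rng):
                return True
    return False


if __name__ == "__main__":
    for v in ("1.6.7", "2.8.2_2", "2.8.4", "2.8.10"):
        print(v, "affected" if is_affected(ENTRY, "hplip", v) else "not affected")
```

Comparing components as integers matters here: a plain string comparison would sort 2.8.10 below 2.8.4 and report the fixed release as vulnerable.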
Eygene Ryabinkin
2008-Nov-23 12:22 UTC
ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
Martin Wilke asked me if I am planning to update the port. My original intention was to wait for 2.8.10 (I am aware of ports/128914, but, to my regret, it contains no patch now), but as a quick fix I had ported RedHat's patches to the current port version.

Please note that the handling of alerts had been changed: now all alert configuration is stored in /etc/hp/alers.conf and isn't user-controllable anymore.

And I have to mention that whilst I had tested the port for building and the daemon for starting properly, I have no real hardware to test the thing. So the maintainer's testing is needed.

-- 
Eygene

Remember that it is hard to read the on-line manual while single-stepping the kernel. -- FreeBSD Developers handbook

-------------- next part --------------
A non-text attachment was scrubbed...
Name: apply-fixes-for-CVE-2008-2940-and-CVE-2941.diff
Type: text/x-diff
Size: 13600 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081123/0d415f47/apply-fixes-for-CVE-2008-2940-and-CVE-2941.bin
Anish Mistry
2008-Nov-23 18:31 UTC
ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> >Number: 129097
> >Category: ports
> >Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
> >Confidential: no
> >Severity: serious
> >Priority: high
> >Responsible: freebsd-ports-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sun Nov 23 18:50:00 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator: Eygene Ryabinkin
> >Release: FreeBSD 7.1-PRERELEASE i386
> >Organization:

Commit it.

-- 
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20081123/8a9e5a8b/attachment.pgp