             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                             hplip Security Update
                          [Red Hat RHSA-2007:0960-3]

October 12, 2007 17:00 GMT                                        Number S-012
[REVISED 14 Jan 2008]
______________________________________________________________________________
PROBLEM:       The hplip (Hewlett-Packard Linux Imaging and Printing Project)
               package provides drivers for HP printers and multi-function
               peripherals. There is a flaw in the way the hplip hpssd daemon
               handled user input.
PLATFORM:      Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               Debian GNU/Linux 4.0 (stable)
DAMAGE:        A local attacker could run arbitrary commands as the root user.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local attacker could send a specially
ASSESSMENT:    crafted request to the hpssd daemon, possibly allowing them to
               run arbitrary commands as the root user.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-012.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0960.html
 ADDITIONAL LINK:    http://www.debian.org/security/2008/dsa-1462
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208
______________________________________________________________________________
REVISION HISTORY:
01/14/2008 - revised S-012 to add a link to Debian Security Advisory
             DSA-1462-1 for Debian GNU/Linux 4.0 (stable).

[***** Start Red Hat RHSA-2007:0960-3 *****]

Important: hplip security update

Advisory:           RHSA-2007:0960-3
Type:               Security Advisory
Severity:           Important
Issued on:          2007-10-11
Last updated on:    2007-10-11
Affected Products:  Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:               com.redhat.rhsa-20070960.xml
CVEs (cve.mitre.org): CVE-2007-5208

Details

An updated hplip package to correct a security flaw is now available for Red
Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat
Security Response Team.

The hplip (Hewlett-Packard Linux Imaging and Printing Project) package
provides drivers for HP printers and multi-function peripherals.

Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user
input. A local attacker could send a specially crafted request to the hpssd
daemon, possibly allowing them to run arbitrary commands as the root user.
(CVE-2007-5208). On Red Hat Enterprise Linux 5, the SELinux targeted policy
for hpssd, which is enabled by default, blocks the ability to exploit this
issue to run arbitrary code.

Users of hplip are advised to upgrade to this updated package, which contains
backported patches to resolve this issue.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
hplip-1.6.7-4.1.el5_0.3.src.rpm

IA-32:
hpijs-1.6.7-4.1.el5_0.3.i386.rpm
hplip-1.6.7-4.1.el5_0.3.i386.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.i386.rpm

IA-64:
hpijs-1.6.7-4.1.el5_0.3.ia64.rpm
hplip-1.6.7-4.1.el5_0.3.ia64.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.ia64.rpm

PPC:
hpijs-1.6.7-4.1.el5_0.3.ppc.rpm
hplip-1.6.7-4.1.el5_0.3.ppc.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.ppc.rpm

x86_64:
hpijs-1.6.7-4.1.el5_0.3.x86_64.rpm
hplip-1.6.7-4.1.el5_0.3.x86_64.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
hplip-1.6.7-4.1.el5_0.3.src.rpm

IA-32:
hpijs-1.6.7-4.1.el5_0.3.i386.rpm
hplip-1.6.7-4.1.el5_0.3.i386.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.i386.rpm

x86_64:
hpijs-1.6.7-4.1.el5_0.3.x86_64.rpm
hplip-1.6.7-4.1.el5_0.3.x86_64.rpm
libsane-hpaio-1.6.7-4.1.el5_0.3.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

319921 - CVE-2007-5208 hplip arbitrary command execution

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208
http://www.redhat.com/security/updates/classification/#important
--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0960-3 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-002: ELinks Security Update
S-003: Security Vulnerability in Java Runtime Environment with Applet Caching
S-004: Vulnerability in Kodak Image Viewer
S-005: Security Update for Outlook Express and Windows Mail
S-006: Cumulative Security Update for Internet Explorer
S-007: Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint
       Server 2007
S-008: Vulnerability in Microsoft Word
S-009: Vulnerability in RPC
S-010: X Font Server Vulnerabilities
S-011: VMware Security Updates
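
A check against the fixed build named under "Updated packages" in the Red Hat advisory above, added here as an example and not part of the CIAC or Red Hat text. It compares installed builds with 1.6.7-4.1.el5_0.3 using rpm-style segment ordering; the sample query output is constructed, and epochs are assumed equal.

```python
import re

# Fixed build from the advisory's "Updated packages" list.
FIXED_VERSION, FIXED_RELEASE = "1.6.7", "4.1.el5_0.3"
PACKAGES = {"hplip", "hpijs", "libsane-hpaio"}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output.
SAMPLE = """\
hplip 1.6.7 4.1.el5
hpijs 1.6.7 4.1.el5_0.3
libsane-hpaio 1.6.7 4.1.el5_0.10
cups 1.2.4 11.14.el5
"""

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.

    Returns -1, 0 or 1. Tilde and caret ordering are not handled."""
    while True:
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)   # separators only split segments
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a).group()
        match_b = re.match(pattern, b)
        if match_b is None:                     # digits vs letters: digits are newer
            return 1 if numeric else -1
        seg_b = match_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        key_a, key_b = (int(seg_a), int(seg_b)) if numeric else (seg_a, seg_b)
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    return (len(a) > 0) - (len(b) > 0)          # leftover segments win

def unpatched(query_output):
    """Names of advisory packages installed at a build older than the fix."""
    stale = []
    for line in query_output.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] not in PACKAGES:
            continue
        name, version, release = fields
        order = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
        if order < 0:
            stale.append(name)
    return stale

if __name__ == "__main__":
    print(unpatched(SAMPLE))
```

The numeric comparison matters here: a plain string sort would rank release 4.1.el5_0.10 below 4.1.el5_0.3 and report a patched host as vulnerable.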