Hi, attached is a patch for an NMU which should fix this vulnerability. It will also be archived at: http://people.debian.org/~nion/nmu-diff/hplip-1.6.10-4.2_1.6.10-4.3.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u hplip-1.6.10/debian/changelog hplip-1.6.10/debian/changelog
--- hplip-1.6.10/debian/changelog
+++ hplip-1.6.10/debian/changelog
@@ -1,3 +1,12 @@
+hplip (1.6.10-4.3) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Included CVE-2007-5208.dpatch to fix
+ arbitrary command execution in hpssd via crafted from address
+ because of missing sanitization (CVE-2007-5208) (Closes: #447341).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 22 Oct 2007 10:31:55 +0200
+
 hplip (1.6.10-4.2) unstable; urgency=low

 * Non-maintainer upload.
only in patch2:
unchanged:
--- hplip-1.6.10.orig/debian/patches/CVE-2007-5208.dpatch
+++ hplip-1.6.10/debian/patches/CVE-2007-5208.dpatch
@@ -0,0 +1,55 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5208.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad hplip-1.6.10~/hpssd.py hplip-1.6.10/hpssd.py
+--- hplip-1.6.10~/hpssd.py 2006-10-03 21:55:01.000000000 +0200
++++ hplip-1.6.10/hpssd.py 2007-10-22 13:44:45.000000000 +0200
+@@ -53,7 +53,7 @@
+
+ # Std Lib
+ import sys, socket, os, os.path, signal, getopt, glob, time, select
+-import popen2, threading, gettext, re, xml.parsers.expat, fcntl
++import subprocess, threading, gettext, re, xml.parsers.expat, fcntl
+ import cStringIO, pwd
+
+ from errno import EALREADY, EINPROGRESS, EWOULDBLOCK, ECONNRESET, \
+@@ -1383,21 +1383,23 @@
+
+ if sendmail:
+ sendmail = os.path.join(sendmail, 'sendmail')
+- sendmail += ' -t -r %s' % self.from_address
++ cmd = [sendmail,'-t','-r',self.from_address]
+
+- log.debug(sendmail)
+- std_out, std_in, std_err = popen2.popen3(sendmail)
+- log.debug(repr(self.message))
+- std_in.write(self.message)
+- std_in.close()
++ log.debug(repr(cmd))
++ err = None
++ try:
++ sp = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ std_out, std_err = sp.communicate(self.message)
++ log.debug(repr(self.message))
++ if std_err != '':
++ err = std_err
+
+- r, w, e = select.select([std_err], [], [], 2.0)
++ except OSError, e:
++ err = str(e)
+
+- if r:
+- err = std_err.read()
+- if err:
+- log.error(repr(err))
+- self.result = ERROR_TEST_EMAIL_FAILED
++ if err:
++ log.error(repr(err))
++ self.result = ERROR_TEST_EMAIL_FAILED
+
+ else:
+ log.error("Mail send failed. sendmail not found.")
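Review bot: The rewritten send path in the second hpssd.py hunk decides failure only from stderr text and never looks at `sp.returncode`, so a sendmail that exits non-zero without printing anything leaves `self.result` untouched; adding `if sp.returncode != 0 and not err: err = 'sendmail exited %d' % sp.returncode` right after `communicate()` would close that gap. `communicate()` also waits without limit where the removed code gave `select` 2.0 seconds, so a stalled sendmail now holds this handler, which deserves at least a comment. Passing `cmd` as a list keeps the shell away from `self.from_address`, but the value still reaches `-r` unchecked, so rejecting anything that is not a plain mail address before building `cmd` would be a sensible second layer. The dpatch header still reads `## DP: No description.`; a one-line DP entry naming the popen3-to-argv change would help later reviewers. The enclosing method starts and ends outside the hunk.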