The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of foomatic-rip: code execution via PPD

Summary of the vulnerability

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or a remote attacker via CUPS) can print a document in order to execute code with the privileges of the lp user.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 02/08/2011.
References for this alert: 698451, CVE-2011-2697, CVE-2011-2964, DSA-2380-1, FEDORA-2011-9554, FEDORA-2011-9575, MDVSA-2011:125, openSUSE-SU-2011:0892-1, RHSA-2011:1109-01, RHSA-2011:1110-01, SUSE-SU-2011:0895-1, VIGILANCE-VUL-10883.

Description of the vulnerability

The foomatic-rip or foomatic-rip-hplip filter (written in C or in Perl) adapts print requests to printers.

A PPD (PostScript Printer Description) file contains a FoomaticRIPCommandLine directive, which specifies the command line that foomatic-rip executes.

The "-p" option of foomatic-rip indicates the name of a spool file to use. However, when "-p" is used, foomatic-rip also accepts a PPD file provided by the user. The "-p" option can be supplied via the "-U" option of lp, which indicates the user name, because all parameters are concatenated regardless of their origin.

An attacker can therefore print with a "-U" option containing "-p", and a PPD file containing a malicious FoomaticRIPCommandLine command. This command will be run with the privileges of the print system.

When the system is configured to use a foomatic-rip or foomatic-rip-hplip print filter, a local attacker (or remote attacker via CUPS) can therefore print a document, in order to execute code with privileges of the lp user.
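
The root cause described above (parameters concatenated regardless of their origin) can be illustrated with the following added Python example, which is not foomatic-rip's code and not part of the original bulletin: a simplified model of the flawed parsing beside a stricter per-field check. The field names, the sample jobs and the placeholder path are assumptions constructed for illustration.

```python
# Simplified model (NOT foomatic-rip's code) of arguments that lose their origin.
# A CUPS filter receives positional arguments: job-id, user, title, copies, options.
FIELDS = ("job_id", "user", "title", "copies", "options")  # hypothetical names


def concatenated_view(job):
    """Flawed handling: join every field and re-split on whitespace, so a
    token that came from the user field looks like any other argument."""
    return " ".join(job[f] for f in FIELDS).split()


def sees_spool_option(tokens):
    """True if a parser scanning the flat token list would find '-p'."""
    return "-p" in tokens


def validate_job(job):
    """Hardened handling: keep fields separate and reject multi-token or
    option-like values in fields that are plain data."""
    problems = []
    for field in ("job_id", "user", "copies"):
        tokens = job[field].split()
        if len(tokens) != 1:
            problems.append(f"{field}: expected one token, got {len(tokens)}")
        if any(t.startswith("-") for t in tokens):
            problems.append(f"{field}: option-like token in data field")
    if not job["job_id"].isdigit() or not job["copies"].isdigit():
        problems.append("job_id/copies: not numeric")
    return problems


# Constructed sample jobs; the path is a placeholder, not a real file.
BENIGN = {"job_id": "42", "user": "alice", "title": "report.pdf",
          "copies": "1", "options": "media=A4"}
CRAFTED = dict(BENIGN, user="alice -p /path/to/spoolfile")

if __name__ == "__main__":
    for name, job in (("benign", BENIGN), ("crafted", CRAFTED)):
        flat = concatenated_view(job)
        print(name, "flat parser sees -p:", sees_spool_option(flat))
        print(name, "per-field problems:", validate_job(job))
```

The flat view finds "-p" only in the crafted job, while the per-field check rejects that job because the option-like token sits in the user field, which should carry data only.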

This vulnerability announcement affects software or systems such as Debian, Fedora, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES and Unix (platform); this list is not comprehensive.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is "confirmed by the editor", with an origin of "intranet client".

This bulletin is about 2 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat

foomatic-rip: patch for PPD.
A patch is available in information sources.

Debian: new foomatic-filters packages.
New packages are available:
  foomatic-filters 3.0.2-20080211-3.2+lenny1
  foomatic-filters 4.0.5-6+squeeze1

Fedora: new foomatic packages.
New packages are available:
  foomatic-4.0.7-2.fc14
  foomatic-4.0.7-3.fc15

Mandriva: new foomatic-filters packages.
New packages are available:
  foomatic-filters-4.0.1-1.2mdv2009.0
  foomatic-filters-4.0.3-2.1mdv2010.2
  foomatic-filters-3.0.2-1.20060827.1.1.20060mlcs4
  foomatic-filters-4.0.1-1.2mdvmes5.2

RHEL: new foomatic packages.
New packages are available:
  RHEL 4: foomatic 3.0.2-3.2.el4
  RHEL 5: foomatic 3.0.2-38.3.el5_7.1
  RHEL 6: foomatic 4.0.4-1.el6_1.1

Solaris 11: patch 11/11 SRU 8.5.
A patch is available:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1470139.1

Solaris 9, 10: patch for Foomatic.
A patch is available:
  Solaris 9:
    SPARC: 115835-06
    X86: 115836-06
  Solaris 10:
    SPARC: 149483-01
    X86: 149484-01

SUSE: new foomatic-filters packages.
New packages are available, as indicated in information sources.