Bug 129097

Summary: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
Product: Ports & Packages Reporter: Eygene Ryabinkin <rea-fbsd>
Component: Individual Port(s)Assignee: Martin Wilke <miwi>
Status: Closed FIXED    
Severity: Affects Only Me CC: security
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
vuln.xml
none
apply-fixes-for-CVE-2008-2940-and-CVE-2941.diff none

Description Eygene Ryabinkin 2008-11-23 18:50:00 UTC 
Multiple vulnerabilities were discovered in the hplip 1.6.7 [1].  I had
analyzed RedHat patches [2] and [3]: first two (CVE-2008-2940) apply
"as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941)
contains many fixes to the code that exists in 2.8.2_2 too.  So, I am
counting current FreeBSD port as vulnerable to both attacks.  Moreover,
I had traced the vulnerabilities through the release sources: proper
device_uri handling was introduced in 2.8.4 and parser fragility in
hpssd.py was eliminated in the same version, because hpssd was converted
to a systray application.  So, 2.8.4 and higher should not be vulnerable
to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052

Fix: The following VuXML entry should be evaluated and added:
How-To-Repeat: 
Look at the above references.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-11-23 18:50:08 UTC 
Maintainer of print/hplip,

Please note that PR ports/129097 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129097

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-11-23 18:50:10 UTC 
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 Martin Wilke freebsd_committer freebsd_triage 2008-11-23 18:59:18 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 4 amistry 2008-11-23 19:46:26 UTC 
On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> >Number:         129097
> >Category:       ports
> >Synopsis:       [vuxml] print/hplip: document CVE-2008-2940 and
> > CVE-2008-2941 Confidential:   no
> >Severity:       serious
> >Priority:       high
> >Responsible:    freebsd-ports-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          sw-bug
> >Submitter-Id:   current-users
> >Arrival-Date:   Sun Nov 23 18:50:00 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator:     Eygene Ryabinkin
> >Release:        FreeBSD 7.1-PRERELEASE i386
> >Organization:

Commit it.



-- 
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/
Comment 5 Eygene Ryabinkin 2008-11-23 20:22:21 UTC 
Martin Wilke asked me if I am planning to update the port.  My original
intention was to wait for a 2.8.10 (I am aware of ports/128914, but, to
my regret, it contains no patch now), but as the quick fix I had ported
RedHat's patches to the current port version.

Please note that the handling of alerts had been changed: now all alert
configuration is stored in /etc/hp/alers.conf and isn't
user-controllable anymore.

And I had to mention that whilst I had tested the port for building
and daemon for starting properly, I have no real hardware to test the
thing.  So maintainer's testing is needed.
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
Comment 6 Eygene Ryabinkin 2008-11-24 06:45:55 UTC 
Anish, good day.

Sun, Nov 23, 2008 at 02:46:26PM -0500, Anish Mistry wrote:
> On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> > >Number:         129097
> > >Category:       ports
> > >Synopsis:       [vuxml] print/hplip: document CVE-2008-2940 and
> > > CVE-2008-2941 Confidential:   no
> > >Severity:       serious
> > >Priority:       high
> > >Responsible:    freebsd-ports-bugs
> > >State:          open
> > >Quarter:
> > >Keywords:
> > >Date-Required:
> > >Class:          sw-bug
> > >Submitter-Id:   current-users
> > >Arrival-Date:   Sun Nov 23 18:50:00 UTC 2008
> > >Closed-Date:
> > >Last-Modified:
> > >Originator:     Eygene Ryabinkin
> > >Release:        FreeBSD 7.1-PRERELEASE i386
> > >Organization:
>
> Commit it.


That's fine, thanks.  But yesterday I had sent a patch that fixes the
vulnerabilities for 2.8.2.  What do you think about it?  Could you test
the patch?  The VuXML entry details depend on this: I wrote that
hplip >= 2.8.4 aren't vulnerable, but if you'll approve the patch that
upgrades to 2.8.2_3, then VuXML entry should be corrected.

Thanks again!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
Comment 7 amistry 2008-11-24 14:57:32 UTC 
On Monday 24 November 2008, Eygene Ryabinkin wrote:
> Anish, good day.
>
> That's fine, thanks.  But yesterday I had sent a patch that fixes
> the vulnerabilities for 2.8.2.  What do you think about it?  Could
> you test the patch?  The VuXML entry details depend on this: I
> wrote that hplip >= 2.8.4 aren't vulnerable, but if you'll approve
> the patch that upgrades to 2.8.2_3, then VuXML entry should be
> corrected.
>
> Thanks again!

Finally got a around to it.  The patches look fine, and it passed my 
basic testing.  Commit.

Thanks,

-- 
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/
Comment 8 dfilter service freebsd_committer freebsd_triage 2008-11-29 13:48:52 UTC 
miwi        2008-11-29 13:48:44 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document hplip -- hpssd Denial of Service
  
  PR:             based on 129097
  Submitted by:   Eygene Ryabinkin
  
  Revision  Changes    Path
  1.1766    +34 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 9 dfilter service freebsd_committer freebsd_triage 2008-11-29 15:36:55 UTC 
miwi        2008-11-29 15:36:43 UTC

  FreeBSD ports repository

  Modified files:
    print/hplip          Makefile 
  Log:
  - Fix hpssd Denial of Service
  
  This can be exploited to crash the service by sending specially crafted
  requests to the default port 2207/TCP.
  
  PR:             129097
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by:    maintainer
  Security:       http://www.vuxml.org/freebsd/37940643-be1b-11dd-a578-0030843d3802.html
  
  Revision  Changes    Path
  1.21      +1 -1      ports/print/hplip/Makefile
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 10 Martin Wilke freebsd_committer freebsd_triage 2008-11-29 15:38:43 UTC 
State Changed
From-To: feedback->closed

Committed. Thanks!