Multiple vulnerabilities were discovered in the hplip 1.6.7 [1].

I had analyzed RedHat patches [2] and [3]: first two (CVE-2008-2940) apply "as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941) contains many fixes to the code that exists in 2.8.2_2 too. So, I am counting current FreeBSD port as vulnerable to both attacks.

Moreover, I had traced the vulnerabilities through the release sources: proper device_uri handling was introduced in 2.8.4 and parser fragility in hpssd.py was eliminated in the same version, because hpssd was converted to a systray application. So, 2.8.4 and higher should not be vulnerable to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052

Fix: The following VuXML entry should be evaluated and added:

How-To-Repeat: Look at the above references.

Maintainer of print/hplip,

Please note that PR ports/129097 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129097

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org

State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.

On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> >Number: 129097
> >Category: ports
> >Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and
> > CVE-2008-2941 Confidential: no
> >Severity: serious
> >Priority: high
> >Responsible: freebsd-ports-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Sun Nov 23 18:50:00 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator: Eygene Ryabinkin
> >Release: FreeBSD 7.1-PRERELEASE i386
> >Organization:

Commit it.

--
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/

Martin Wilke asked me if I am planning to update the port. My original intention was to wait for a 2.8.10 (I am aware of ports/128914, but, to my regret, it contains no patch now), but as the quick fix I had ported RedHat's patches to the current port version.

Please note that the handling of alerts had been changed: now all alert configuration is stored in /etc/hp/alers.conf and isn't user-controllable anymore.

And I had to mention that whilst I had tested the port for building and daemon for starting properly, I have no real hardware to test the thing. So maintainer's testing is needed.

--
Eygene
# Remember that it is hard
# to read the on-line manual
# while single-stepping the kernel.
# -- FreeBSD Developers handbook

Anish, good day.

Sun, Nov 23, 2008 at 02:46:26PM -0500, Anish Mistry wrote:
> On Sunday 23 November 2008, Eygene Ryabinkin wrote:
> > >Number: 129097
> > >Category: ports
> > >Synopsis: [vuxml] print/hplip: document CVE-2008-2940 and
> > > CVE-2008-2941 Confidential: no
> > >Severity: serious
> > >Priority: high
> > >Responsible: freebsd-ports-bugs
> > >State: open
> > >Quarter:
> > >Keywords:
> > >Date-Required:
> > >Class: sw-bug
> > >Submitter-Id: current-users
> > >Arrival-Date: Sun Nov 23 18:50:00 UTC 2008
> > >Closed-Date:
> > >Last-Modified:
> > >Originator: Eygene Ryabinkin
> > >Release: FreeBSD 7.1-PRERELEASE i386
> > >Organization:
>
> Commit it.

That's fine, thanks. But yesterday I had sent a patch that fixes the vulnerabilities for 2.8.2. What do you think about it? Could you test the patch? The VuXML entry details depend on this: I wrote that hplip >= 2.8.4 aren't vulnerable, but if you'll approve the patch that upgrades to 2.8.2_3, then VuXML entry should be corrected.

Thanks again!

--
Eygene

On Monday 24 November 2008, Eygene Ryabinkin wrote:
> Anish, good day.
>
> That's fine, thanks. But yesterday I had sent a patch that fixes
> the vulnerabilities for 2.8.2. What do you think about it? Could
> you test the patch? The VuXML entry details depend on this: I
> wrote that hplip >= 2.8.4 aren't vulnerable, but if you'll approve
> the patch that upgrades to 2.8.2_3, then VuXML entry should be
> corrected.
>
> Thanks again!

Finally got around to it. The patches look fine, and it passed my basic testing. Commit.

Thanks,
--
Anish Mistry
amistry@am-productions.biz
AM Productions http://am-productions.biz/

miwi 2008-11-29 13:48:44 UTC

FreeBSD ports repository

Modified files:
  security/vuxml vuln.xml
Log:
  - Document hplip -- hpssd Denial of Service

  PR: based on 129097
  Submitted by: Eygene Ryabinkin

Revision  Changes  Path
1.1766    +34 -1   ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

miwi 2008-11-29 15:36:43 UTC

FreeBSD ports repository

Modified files:
  print/hplip Makefile
Log:
  - Fix hpssd Denial of Service

  This can be exploited to crash the service by sending specially crafted requests to the default port 2207/TCP.

  PR: 129097
  Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Approved by: maintainer
  Security: http://www.vuxml.org/freebsd/37940643-be1b-11dd-a578-0030843d3802.html

Revision  Changes  Path
1.21      +1 -1    ports/print/hplip/Makefile

State Changed
From-To: feedback->closed

Committed. Thanks!