CVE-2011-2722
published 2012-05-25CVE-2011-2722: The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite…
PriorityP49low1.2CVSS 2.0
AVLACHAuNCNIPAN
EPSS
0.44%
35.4th percentile
The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | hplip | < hplip 3.12.6-3.1 (bookworm) | hplip 3.12.6-3.1 (bookworm) |
| debian | hplip | < hplip 3.11.10-1 (bookworm) | hplip 3.11.10-1 (bookworm) |
| hp | linux_imaging_and_printing_project | <= 3.12.4 | — |
| hp | linux_imaging_and_printing_project | <= 3.11.5 | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| hp | linux_imaging_and_printing_project | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
nvdv2.01.2LOWAV:L/AC:H/Au:N/C:N/I:P/A:N
osv1.2LOW
vendor_debian1.2LOW
vendor_redhat1.2LOW
vendor_ubuntu1.2LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
HPLIP vulnerabilities
vendor_ubuntu·2013-09-30·CVSS 1.2
CVE-2011-2722 [LOW] HPLIP vulnerabilities
Title: HPLIP vulnerabilities
Summary: HPLIP could be made to overwrite files.
It was discovered that HPLIP incorrectly handled temporary files when using
the fax capabilities. A local attacker could possibly use this issue to
overwrite arbitrary files. This issue only applied to Ubuntu 10.04 LTS.
(CVE-2011-2722)
Tim Waugh discovered that HPLIP incorrectly handled temporary files when
printing. A local attacker could possibly use this issue to overwrite
arbitrary files. In the default installation of Ubuntu 12.04 LTS and Ubuntu
12.10, this should be prevented by the Yama link restrictions.
(CVE-2013-0200)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
hplip: insecure temporary file handling flaws
vendor_redhat·2013-02-21·CVSS 1.2
CVE-2013-0200 [LOW] CWE-377 hplip: insecure temporary file handling flaws
hplip: insecure temporary file handling flaws
HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.
Statement: This issue does not affect the version of hplip and hplip3 as shipped with Red Hat Enterprise Linux 5. This issue has been addressed in Red Hat Enterprise Linux 6 via RHSA-2013:0500.
Package: hplip (Red Hat Enterprise Linux 5) - Not affected
Package: hplip3 (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2013-0200: hplip - HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overw...
vendor_debian·2013·CVSS 1.2
CVE-2013-0200 [LOW] CVE-2013-0200: hplip - HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overw...
HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.
Scope: local
bookworm: resolved (fixed in 3.12.6-3.1)
bullseye: resolved (fixed in 3.12.6-3.1)
sid: resolved (fixed in 3.12.6-3.1)
trixie: resolved (fixed in 3.12.6-3.1)
Red Hat
hplip: insecure temporary file handling
vendor_redhat·2011-07-13·CVSS 1.2
CVE-2011-2722 [LOW] CWE-377 hplip: insecure temporary file handling
hplip: insecure temporary file handling
The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.
Package: hplip (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2011-2722: hplip - The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging...
vendor_debian·2011·CVSS 1.2
CVE-2011-2722 [LOW] CVE-2011-2722: hplip - The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging...
The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.
Scope: local
bookworm: resolved (fixed in 3.11.10-1)
bullseye: resolved (fixed in 3.11.10-1)
sid: resolved (fixed in 3.11.10-1)
trixie: resolved (fixed in 3.11.10-1)
GHSA
GHSA-3xc3-235x-7q23: HP Linux Imaging and Printing (HPLIP) through 3
ghsa_unreviewed·2022-05-17·CVSS 1.2
CVE-2013-0200 [LOW] CWE-59 GHSA-3xc3-235x-7q23: HP Linux Imaging and Printing (HPLIP) through 3
HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.
GHSA
GHSA-mqf8-fvgr-vqf4: The send_data_to_stdout function in prnt/hpijs/hpcupsfax
ghsa_unreviewed·2022-05-17
CVE-2011-2722 [LOW] CWE-59 GHSA-mqf8-fvgr-vqf4: The send_data_to_stdout function in prnt/hpijs/hpcupsfax
The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.
OSV
CVE-2013-0200: HP Linux Imaging and Printing (HPLIP) through 3
osv·2013-03-06·CVSS 1.2
CVE-2013-0200 [LOW] CVE-2013-0200: HP Linux Imaging and Printing (HPLIP) through 3
HP Linux Imaging and Printing (HPLIP) through 3.12.4 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/hpcupsfilterc_#.bmp, (2) /tmp/hpcupsfilterk_#.bmp, (3) /tmp/hpcups_job#.out, (4) /tmp/hpijs_#####.out, or (5) /tmp/hpps_job#.out temporary file, a different vulnerability than CVE-2011-2722.
OSV
CVE-2011-2722: The send_data_to_stdout function in prnt/hpijs/hpcupsfax
osv·2012-05-25·CVSS 1.2
CVE-2011-2722 [LOW] CVE-2011-2722: The send_data_to_stdout function in prnt/hpijs/hpcupsfax
The send_data_to_stdout function in prnt/hpijs/hpcupsfax.cpp in HP Linux Imaging and Printing (HPLIP) 3.x before 3.11.10 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hpcupsfax.out temporary file.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0200 hplip: insecure temporary file handling flaws
bugzilla·2013-01-21·CVSS 1.2
CVE-2013-0200 [LOW] CVE-2013-0200 hplip: insecure temporary file handling flaws
CVE-2013-0200 hplip: insecure temporary file handling flaws
Temporary file handling flaws were found in several places in hplip. Because a predicatable temporary filenames are used, an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running hplip.
This is a different flaw than CVE-2011-2722.
Discussion:
Acknowledgements:
This issue was discovered by Tim Waugh of Red Hat.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0500 https://rhn.redhat.com/errata/RHSA-2013-0500.html
---
Statement:
This issue does not affect the version of hplip and hplip3 as shipped with Red Hat Enterprise Linux 5. This issue has been addressed in Red Hat Enterprise Linux 6 via RHSA-2013:0500.
Bugzilla
CVE-2011-2722 hplip: insecure temporary file handling
bugzilla·2011-07-26·CVSS 1.2
CVE-2011-2722 [LOW] CVE-2011-2722 hplip: insecure temporary file handling
CVE-2011-2722 hplip: insecure temporary file handling
A temporary file handling flaw was reported [1] in prnt/hpijs/hpcupsfax.cpp, the hplip HP CUPS filter. Because a predicatable temporary filename is used (/tmp/hpcupsfax.out), an attacker could use a symlink attack to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter.
422 FILE *fp;
423 fp = NULL;
424 if (iLogLevel & SAVE_PCL_FILE)
425 {
426 fp = fopen ("/tmp/hpcupsfax.out", "w");
427 system ("chmod 666 /tmp/hpcupsfax.out");
428 }
429 while ((i = read (fdFax, pTmp, iSize)) > 0)
430 {
431 write (STDOUT_FILENO, pTmp, i);
432 if (iLogLevel & SAVE_PCL_FILE && fp)
433 {
434 fwrite (pTmp, 1, i, fp);
435 }
436 }
437 free (pTmp);
This flaw only exists in hplip 3.x and is not present in earlier versio
http://hplipopensource.com/hplip-web/release_notes.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0133.htmlhttp://secunia.com/advisories/48441http://secunia.com/advisories/55083http://security.gentoo.org/glsa/glsa-201203-17.xmlhttp://www.openwall.com/lists/oss-security/2011/07/26/14http://www.ubuntu.com/usn/USN-1981-1https://bugs.launchpad.net/hplip/+bug/809904https://bugzilla.novell.com/show_bug.cgi?id=704608https://bugzilla.redhat.com/attachment.cgi?id=515866&action=diffhttps://bugzilla.redhat.com/show_bug.cgi?id=725830http://hplipopensource.com/hplip-web/release_notes.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0133.htmlhttp://secunia.com/advisories/48441http://secunia.com/advisories/55083http://security.gentoo.org/glsa/glsa-201203-17.xmlhttp://www.openwall.com/lists/oss-security/2011/07/26/14http://www.ubuntu.com/usn/USN-1981-1https://bugs.launchpad.net/hplip/+bug/809904https://bugzilla.novell.com/show_bug.cgi?id=704608https://bugzilla.redhat.com/attachment.cgi?id=515866&action=diffhttps://bugzilla.redhat.com/show_bug.cgi?id=725830
2012-05-25
Published