Bugzilla – Bug 853405
VUL-0: CVE-2013-6427: hplip: insecure auto update feature
Last modified: 2015-03-06 10:08:54 UTC
hplip comes with a "hp-upgrade" service, which runs upgrade.py. Let's see this gem, where it downloads a shell file via http and executes it as root (if previous conditions are met):

    if HPLIP_PATH is None:
        url = "http://sourceforge.net/projects/hplip/files/hplip/%s/hplip-%s.run/download" % (HPLIP_latest_ver, HPLIP_latest_ver)
        download_file = None
        if TEMP_DIR:
            download_file = "%s/hplip-%s.run" % (TEMP_DIR, HPLIP_latest_ver)
        log.info("Downloading hplip-%s.run file..... Please wait. " % HPLIP_latest_ver)
        sts, download_file = utils.download_from_network(url, download_file, True)
        if not os.path.exists(download_file):
            log.error("Failed to download %s file." % download_file)
            clean_exit()
        CURRENT_WORKING_DIR = os.getcwd()
        os.chdir(TEMP_DIR)
        # Installing hplip run.
        cmd = "sh %s" % (download_file)
        log.debug("Upgrading %s" % download_file)
        sts = os_utils.execute(cmd)
        os.chdir(CURRENT_WORKING_DIR)
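For contrast, an added example (written for this page, not HPLIP code) of what the same fetch-and-execute path looks like when the installer's origin and integrity are checked before anything is handed to sh. The snippet above trusts whatever bytes arrive over plain HTTP and writes them to a fixed name under TEMP_DIR; the version below refuses non-HTTPS URLs, compares the download against a SHA-256 digest that is pinned ahead of time (an assumption: in practice the digest or a detached signature would ship with the package, never be fetched from the same untrusted channel), and only then writes the file into a freshly created private directory. The fetcher and runner are injected so the demo runs offline against constructed payloads; the URLs, digest and payload bytes are illustrative only.

```python
"""Hardened counterpart to the hp-upgrade fetch-and-execute path.

Added example, not HPLIP code. upgrade.py downloads hplip-<ver>.run
over plain HTTP and runs it with ``sh``; nothing checks where the bytes
came from or whether they were altered in transit. This keeps the same
shape (fetch, stage, run) but never stages bytes whose SHA-256 digest
differs from a pinned value. The pinned digest, URLs and payloads are
constructed for illustration.
"""
import hashlib
import hmac
import os
import stat
import tempfile


class IntegrityError(Exception):
    """Raised when downloaded bytes do not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_installer(url, fetcher):
    """Fetch bytes for url via the injected fetcher. Only https URLs are
    accepted, so a network attacker cannot substitute a script over
    plain HTTP the way they could against the original code."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS download: %s" % url)
    return fetcher(url)


def stage_installer(data, expected_sha256, base_dir=None):
    """Verify data against expected_sha256 and write it into a freshly
    created 0700 directory. Returns the staged path or raises
    IntegrityError. Nothing touches disk before the check passes, so a
    tampered payload never becomes a file that could be executed."""
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError("sha256 mismatch: expected %s got %s"
                             % (expected_sha256, actual))
    # mkdtemp gives an unpredictable, owner-only directory; this removes
    # the symlink / pre-created-file race of a fixed TEMP_DIR path.
    work_dir = tempfile.mkdtemp(prefix="hplip-upgrade-", dir=base_dir)
    path = os.path.join(work_dir, "installer.run")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def upgrade(url, expected_sha256, fetcher, runner):
    """Full path: fetch, verify, stage, then pass the verified file to
    runner (in real use e.g. subprocess.run(["sh", path])).
    Returns (ok, detail)."""
    try:
        data = fetch_installer(url, fetcher)
        path = stage_installer(data, expected_sha256)
    except (ValueError, IntegrityError) as exc:
        return False, str(exc)
    return True, runner(path)


# --- constructed demo data (not a real HPLIP release) ---------------------
GENUINE = b"#!/bin/sh\necho 'installing hplip (demo)'\n"
TAMPERED = b"#!/bin/sh\necho 'not the file you asked for'\n"  # MITM stand-in
PINNED_SHA256 = sha256_hex(GENUINE)  # assumption: known before the download


def demo():
    """Run upgrade() three times: honest fetcher over HTTPS, a fetcher
    that behaves like a man-in-the-middle, and an honest fetcher over
    the plain-HTTP URL the original code uses."""
    def honest(url):
        return GENUINE

    def mitm(url):
        return TAMPERED

    def dry_run(path):            # stand-in for os_utils.execute("sh %s")
        with open(path, "rb") as fh:
            return fh.read()[:9]  # prove the runner got the verified file

    https_url = "https://example.invalid/hplip.run"
    http_url = "http://example.invalid/hplip.run"
    return {
        "genuine": upgrade(https_url, PINNED_SHA256, honest, dry_run),
        "tampered": upgrade(https_url, PINNED_SHA256, mitm, dry_run),
        "plain_http": upgrade(http_url, PINNED_SHA256, honest, dry_run),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print("%-10s ok=%s %s" % (name, ok, detail))
```

A pinned digest only works when the package already knows which exact release it will fetch; for an updater that must accept future versions, the same check would be a signature verification against a vendor key shipped with the package, with the digest comparison replaced by that. Either way the decisive property is the one the original code lacks: the bytes are authenticated before, not after, they are handed to a shell.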
The hp-upgrade thing should not be run on openSUSE/SUSE.
Shouldn't even be in the package, IMHO.
hp-upgrade seems to be run via hp-systray, which runs as the desktop user. Not as bad as root, but still :/
bugbot adjusting priority
Security team, the HPLIP software is full of various kinds of security issues. See our security bugs regarding HPLIP and additionally some of my recent stuff at HPLIP upstream like "Explanation why I cannot run hp-config_usb_printer via udev:" https://bugs.launchpad.net/hplip/+bug/1220628/comments/18 and https://bugs.launchpad.net/hplip/+bug/1197416 and https://bugs.launchpad.net/hplip/+bug/426161 and so on and so on ad nauseam...

I am no longer able to actively maintain such kind of software (i.e. maintain software where I have to continuously work against what upstream intentionally provides). I do not have the time to continuously fix security bug after security bug after security bug in a software where upstream introduces security issue after security issue after security issue and where upstream introduces functionality that is "by design" a security issue for us.

I suggest the following:

1) Either someone else maintains HPLIP who has sufficient time to continuously do all that work, or

2) we (i.e. SUSE/openSUSE), in particular our security team, get in direct contact with HPLIP upstream (some kind of "general HPLIP security audit/workshop/whatever") so that HPLIP upstream understands how they must make their software so that we can distribute HPLIP "as is", so that our users get from us what HPLIP upstream intended to provide (and not a somewhat crippled remainder of HPLIP upstream's software where our users rightfully complain that "SUSE broke it"), or

3) we no longer distribute HPLIP - any user can download and install HPLIP from HPLIP upstream so that their own security issues are then only their own problems, compare https://bugs.launchpad.net/hplip/+bug/1197416/comments/4

For now I re-assign it to our security team because I would prefer if we at least try to do 2), because if HPLIP upstream became sufficiently secure, then it would be best for everybody: for HPLIP, for all Linux distributors, and of course for all users of their software.
Stefan Fent, what is your opinion?
Only openSUSE 13.1 is affected when the hplip binary RPM was intentionally installed by the user. In openSUSE 13.1 by default the hplip binary RPM is not installed (only hplip-hpijs and perhaps hplip-sane are installed by default) but upgrade.py belongs to the hplip binary RPM so that by default openSUSE 13.1 is also not affected. In openSUSE:12.3 we have hplip-3.12.11 that has no upgrade.py file. In openSUSE:12.2 we have hplip-3.12.4 that has no upgrade.py file. In SLE11 we have hplip-3.11.10 that has no upgrade.py file.
Created attachment 570200 [details] disable_hp-upgrade.patch Proposed patch that disables the whole hp-upgrade functionality. It keeps all installed files so that the whole HPLIP framework cannot break arbitrarily - it only lets upgrade.py immediately exit with an error message and exit code 1. Packages with that patch are currently scheduled for build in OBS project home:jsmeix:branches:Printing/hplip
I am not at all a real user of the various graphical stuff in HPLIP. For me it seems disable_hp-upgrade.patch works o.k. Therefore I submitted hplip with that patch to its OBS devel project "Printing" via submitrequest 209404 and forwarded it to openSUSE:Factory via submitrequest 209405. Of course this means that now "SUSE broke HPLIP" (in particular HPLIP's upgrade functionality). Actually "SUSE broke the broken upstream HPLIP".
This is an autogenerated message for OBS integration: This bug (853405) was mentioned in https://build.opensuse.org/request/show/209405 Factory / hplip
http://www.openwall.com/lists/oss-security/2013/12/05/1 http://www.openwall.com/lists/oss-security/2013/12/05/2
We (HPLIP team) are looking into this issue. Fix may be available tentatively in early Jan 14. Thanks & Regards, Amarnath
Amarnath Chitumalla, FYI: It seems hp-upgrade at least in HPLIP 3.13.10 (the version we provide in openSUSE 13.1) damages HPLIP, see bnc#856883: "After update via hp-upgrade hp-toolbox fails with Python traceback".
Can't we just remove such an auto-update feature altogether? That breaks our policy anyway.
Move, remove, disable, change, fix, enhance, whatever-you-like: I cannot do it. I cannot do it because I do not have any time at all to work on such kind of software - see my comment#5. I need sufficiently correct software from upstream - not something that I need to continuously change, fix, enhance, whatever-you-like to make it somehow work for us. To make this more clear I change the state to "wontfix" which means "cantfix" for me. If and only if HPLIP upstream provides sufficiently correct working software, then I will be able to still maintain it.
Johannes, can you please also submit a package with your fix from comment #7 for 13.1?
I will do a maintenance update for HPLIP for openSUSE 13.1 (the only SUSE version that is affected, see comment#6) with my current fix as in comment#7 together with a fix for bnc#852368. FYI, regarding https://bugzilla.novell.com/show_bug.cgi?id=852368#c11 that was probably actually meant for this bug here: In comment#7 I indicate why I prefer my fix: My fix implements a valid error exit that should be expected by the rest of HPLIP so that the rest of HPLIP could deal with it (e.g. show a meaningful error message to the user). In contrast if the hp-upgrade files were simply not installed, the rest of HPLIP may not expect it and therefore may fail in unfriendly ways (e.g. a "no such file or directory" message is probably meaningless for the user).
Submitted as maintenancerequest 213968 The issue is now fixed. I re-assign it to the Bugzilla default assignee for further processing.
This is an autogenerated message for OBS integration: This bug (853405) was mentioned in https://build.opensuse.org/request/show/213968 13.1+12.2+12.3 / hplip
openSUSE-SU-2014:0127-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 852368,853405 CVE References: CVE-2013-6402,CVE-2013-6427 Sources used: openSUSE 13.1 (src): hplip-3.13.10-4.2 openSUSE 12.3 (src): hplip-3.12.11-2.9.2 openSUSE 12.2 (src): hplip-3.12.4-3.10.1
The update for these issues was released. I'm closing this bug; feel free to open it again to continue the discussion on how to handle this software in general.