Message-Id: <20081123184449.6801AF181D@phoenix.codelabs.ru>
Date: Sun, 23 Nov 2008 21:44:49 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Reply-To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
X-Send-Pr-Version: 3.113
X-GNATS-Notify: amistry@am-productions.biz amistry@am-productions.biz, tabthorpe@freebsd.org

>Number:         129097
>Category:       ports
>Synopsis:       [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 18:50:00 UTC 2008
>Closed-Date:    Sat Nov 29 15:38:45 UTC 2008
>Last-Modified:  Sat Nov 29 15:40:01 UTC 2008
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Multiple vulnerabilities were discovered in the hplip 1.6.7 [1].  I had
analyzed RedHat patches [2] and [3]: first two (CVE-2008-2940) apply
"as-is" to FreeBSD's port (2.8.2_2) and the second one (CVE-2008-2941)
contains many fixes to the code that exists in 2.8.2_2 too.  So, I am
counting current FreeBSD port as vulnerable to both attacks.  Moreover,
I had traced the vulnerabilities through the release sources: proper
device_uri handling was introduced in 2.8.4 and parser fragility in
hpssd.py was eliminated in the same version, because hpssd was converted
to a systray application.  So, 2.8.4 and higher should not be vulnerable
to the described attacks.

[1] http://www.securityfocus.com/bid/30683
[2] https://bugzilla.redhat.com/show_bug.cgi?id=455235
[3] https://bugzilla.redhat.com/show_bug.cgi?id=457052

>How-To-Repeat:

Look at the above references.

>Fix:

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="">
    <topic>hplip -- multiple vulnerabilities in hpssd component</topic>
    <affects>
      <package>
	<name>hplip</name>
	<range><lt>2.8.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>SecurityFocus database says:</p>
	<blockquote cite="http://www.securityfocus.com/bid/30683/discuss">
	<p>HP Linux Imaging and Printing System (HPLIP) is prone
	to multiple vulnerabilities, including privilege-escalation
	and denial-of-service issues.</p>
	<p>Exploiting the privilege-escalation vulnerability may
	allow attackers to perform certain actions with elevated
	privileges. Successful exploits of the denial-of-service
	issue will cause the 'hpssd' process to crash, denying
	service to legitimate users.</p>
	<p>These issues affect HPLIP 1.6.7; other versions may also
	be affected.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-2940</cvename>
      <cvename>CVE-2008-2941</cvename>
      <bid>30683</bid>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=457052</url>
      <url>https://bugzilla.redhat.com/show_bug.cgi?id=455235</url>
    </references>
    <dates>
      <discovery>2008-08-12</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Sun Nov 23 18:50:10 UTC 2008 
State-Changed-Why:  
Awaiting maintainer's feedback (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=129097 
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Sun Nov 23 18:59:18 UTC 2008 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129097 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: amistry@am-productions.biz
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
Date: Sun, 23 Nov 2008 18:50:08 UT

 Maintainer of print/hplip,
 
 Please note that PR ports/129097 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/129097
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org

From: Anish Mistry <amistry@am-productions.biz>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
Date: Sun, 23 Nov 2008 14:46:26 -0500

 --nextPart1462984.zUT7fY2mWr
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 
 On Sunday 23 November 2008, Eygene Ryabinkin wrote:
 > >Number:         129097
 > >Category:       ports
 > >Synopsis:       [vuxml] print/hplip: document CVE-2008-2940 and
 > > CVE-2008-2941 Confidential:   no
 > >Severity:       serious
 > >Priority:       high
 > >Responsible:    freebsd-ports-bugs
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sun Nov 23 18:50:00 UTC 2008
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Eygene Ryabinkin
 > >Release:        FreeBSD 7.1-PRERELEASE i386
 > >Organization:
 Commit it.
 
 
 
 -- 
 Anish Mistry
 amistry@am-productions.biz
 AM Productions http://am-productions.biz/
 
 --nextPart1462984.zUT7fY2mWr--

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: bug-followup@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc: freebsd-security@freebsd.org
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and
	CVE-2008-2941
Date: Sun, 23 Nov 2008 23:22:21 +0300

 --Dxnq1zWXvFF0Q93v
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 
 Martin Wilke asked me if I am planning to update the port.  My original
 intention was to wait for a 2.8.10 (I am aware of ports/128914, but, to
 my regret, it contains no patch now), but as the quick fix I had ported
 RedHat's patches to the current port version.
 
 Please note that the handling of alerts had been changed: now all alert
 configuration is stored in /etc/hp/alerts.conf and isn't
 user-controllable anymore.
 
 And I had to mention that whilst I had tested the port for building
 and daemon for starting properly, I have no real hardware to test the
 thing.  So maintainer's testing is needed.
 -- 
 Eygene
  _                ___       _.--.   #
  \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
  /  ' `         ,       __.--'      #  to read the on-line manual   
  )/' _/     \   `-_,   /            #  while single-stepping the kernel.
  `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
      _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
     {_.-``-'         {_/            #
 
 --Dxnq1zWXvFF0Q93v
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="apply-fixes-for-CVE-2008-2940-and-CVE-2941.diff"
 Content-Transfer-Encoding: quoted-printable
 
 From e8f2e991adcde572e1c08951c9b973ca6759455f Mon Sep 17 00:00:00 2001
 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
 Date: Sun, 23 Nov 2008 23:02:17 +0300
 Subject: [PATCH] print/hplip: apply fixes for CVE-2008-2940 and CVE-2008-2941
 
 Fix for CVE-2008-2940 was taken from [1] and was slightly modified
 to match the current code.
 
 Fix for CVE-2008-2941 was written by hand, but was based on the patch
 from [2].  Note, that the mentioned patch fragility sits in the fact
 that the parsed values can represent string, integer, etc and this is
 user-controllable, but their values are manipulated as they are always
 strings, numbers, etc.  So daemon gets some exceptions that he is not
 prepared to handle and dies.
 
 [1] https://bugzilla.redhat.com/show_bug.cgi?id=455235
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=457052
 
 Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
 ---
  print/hplip/Makefile                  |    2 +-
  print/hplip/files/patch-CVE-2008-2940 |   74 ++++++++++++
  print/hplip/files/patch-CVE-2008-2941 |  210 +++++++++++++++++++++++++++++=
 ++++
  3 files changed, 285 insertions(+), 1 deletions(-)
  create mode 100644 print/hplip/files/patch-CVE-2008-2940
  create mode 100644 print/hplip/files/patch-CVE-2008-2941
 
 diff --git a/print/hplip/Makefile b/print/hplip/Makefile
 index 9845d37..683b285 100644
 --- a/print/hplip/Makefile
 +++ b/print/hplip/Makefile
 @@ -7,7 +7,7 @@
 =20
  PORTNAME=3D	hplip
  PORTVERSION=3D	2.8.2
 -PORTREVISION=3D	2
 +PORTREVISION=3D	3
  CATEGORIES=3D	print
  MASTER_SITES=3D	${MASTER_SITE_SOURCEFORGE}
  MASTER_SITE_SUBDIR=3D	hplip
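
Review bot: with PORTREVISION going to 3 here, the fixed package becomes
2.8.2_3, but the VuXML entry proposed in this PR marks everything below
2.8.4 as affected (<range><lt>2.8.4</lt></range>), so the patched port
would still be reported as vulnerable. If this bump is committed, the
upper bound in the entry should be 2.8.2_3 instead.
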
 diff --git a/print/hplip/files/patch-CVE-2008-2940 b/print/hplip/files/patc=
 h-CVE-2008-2940
 new file mode 100644
 index 0000000..dbe14fa
 --- /dev/null
 +++ b/print/hplip/files/patch-CVE-2008-2940
 @@ -0,0 +1,74 @@
 +Patch for CVE-2008-2940
 +
 +Please note that alerts are now system-wide and they live in
 +/etc/hp/alerts.conf
 +
 +See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-2940
 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=3D312878
 +Obtained from: https://bugzilla.redhat.com/attachment.cgi?id=3D312880
 +
 +diff -up hplip-1.6.7/hpssd.py.validate-uri hplip-1.6.7/hpssd.py
 +--- hpssd.py.validate-uri	2008-07-29 12:48:28.000000000 +0100
 ++++ hpssd.py	2008-07-29 13:41:29.000000000 +0100
 +@@ -1021,6 +1021,9 @@ class hpssd_handler(dispatcher):
 +         event_type =3D self.fields.get('event-type', 'event')
 +         event_code =3D self.fields.get('event-code', 0)
 +         device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'=
 , 'hp:')
 ++        result_code =3D self.__checkdevice(device_uri)
 ++        if result_code !=3D ERROR_SUCCESS:
 ++            return
 +         log.debug("Device URI: %s" % device_uri)
 +=20
 +         try:
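
Review bot: the early return added to handle_event when __checkdevice()
fails sits above log.debug("Device URI: ..."), so an event carrying a
rejected device-uri is dropped without leaving anything in the log. Log
the refused URI before returning, or move the check below the debug
line, so that rejected requests are visible when the daemon is being
diagnosed or monitored.
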
 +diff -up hplip-1.6.7/base/g.py.static-alerts-table hplip-1.6.7/base/g.py
 +--- base/g.py.orig	2008-01-18 02:10:29.000000000 +0300
 ++++ base/g.py	2008-11-23 22:39:11.000000000 +0300
 +@@ -134,6 +134,7 @@
 + # Config file: directories and ports
 + prop.sys_config_file =3D '/etc/hp/hplip.conf'
 + prop.user_dir =3D os.path.expanduser('~/.hplip')
 ++prop.alerts_config_file =3D '/etc/hp/alerts.conf'
 +=20
 + os.umask(0037)
 + try:
 +@@ -154,6 +155,7 @@
 +    =20
 + sys_cfg =3D Config(prop.sys_config_file, True)
 + user_cfg =3D Config(prop.user_config_file)
 ++alerts_cfg =3D Config(prop.alerts_config_file)
 +=20
 +=20
 + # Language settings
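
Review bot: nothing in this change creates or documents
/etc/hp/alerts.conf, which prop.alerts_config_file now points at; the
diffstat lists only the Makefile and the two patch files. Because this
file replaces the alert settings that clients used to supply, the port
should ship a sample or a pkg-message that describes its format and
states that it must be writable by root only. Also, sys_cfg is opened as
Config(prop.sys_config_file, True) while alerts_cfg omits the second
argument; please check whether that flag is wanted for this system-wide
file too.
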
 +diff -up hplip-1.6.7/hpssd.py.static-alerts-table hplip-1.6.7/hpssd.py
 +--- hpssd.py.static-alerts-table	2008-07-29 14:57:04.000000000 +0100
 ++++ hpssd.py	2008-07-29 15:22:15.000000000 +0100
 +@@ -71,6 +71,12 @@ from prnt import cups
 +=20
 + # Per user alert settings
 + alerts =3D {}
 ++for user, cfg in alerts_cfg.iteritems ():
 ++    entry =3D {}
 ++    entry['email-alerts'] =3D utils.to_bool (cfg.get('email-alerts', 0))
 ++    entry['email-from-address'] =3D cfg.get('email-from-address', '')
 ++    entry['email-to-addresses'] =3D cfg.get('email-to-addresses', '')
 ++    alerts[user] =3D entry
 +=20
 + # Fax temp files
 + fax_file =3D {}
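
Review bot: the alerts table is filled once, at module load, by the loop
over alerts_cfg.iteritems(), and with handle_setalerts reduced to a
no-op later in this file nothing updates it afterwards, so edits to
/etc/hp/alerts.conf take effect only after hpssd is restarted. That
should be said in the header of this patch next to the note about the
file. It is also worth confirming that a missing alerts.conf gives an
empty Config rather than an exception, since this loop runs before the
daemon starts serving.
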
 +@@ -803,15 +809,10 @@ class hpssd_handler(dispatcher):
 +         self.out_buffer =3D buildResultMessage('InjectValueResult', None,=
  result_code)
 +        =20
 +=20
 +-    # TODO: Need to load alerts at start-up
 +     def handle_setalerts(self):
 +         result_code =3D ERROR_SUCCESS
 +-        username =3D self.fields.get('username', '')
 +=20
 +-        alerts[username] =3D {'email-alerts'       : utils.to_bool(self.f=
 ields.get('email-alerts', '0')),
 +-                            'email-from-address' : self.fields.get('email=
 -from-address', ''),
 +-                            'email-to-addresses' : self.fields.get('email=
 -to-addresses', ''),
 +-                           }
 ++        # Do nothing.  We use the alerts table in /etc/hp/alerts.conf.
 +=20
 +         self.out_buffer =3D buildResultMessage('SetAlertsResult', None, r=
 esult_code)
 +=20
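
Review bot: handle_setalerts no longer stores anything but still answers
with result_code = ERROR_SUCCESS, so a client that sends SetAlerts is
told its settings were saved when they were discarded. Return a distinct
error code, or at least log that the request was ignored, and mention
the behaviour change where the port documents the new alerts.conf.
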
 diff --git a/print/hplip/files/patch-CVE-2008-2941 b/print/hplip/files/patc=
 h-CVE-2008-2941
 new file mode 100644
 index 0000000..f4bb8ee
 --- /dev/null
 +++ b/print/hplip/files/patch-CVE-2008-2941
 @@ -0,0 +1,210 @@
 +Patch for CVE-2008-2941
 +
 +Fixes parser fragility: original code expects only strings or numbers as
 +the input values, but not both.  And hpssd client has the full control
 +on the input data, so when number is tried to be transformed as string
 +(by calling lower() method, for example) the unhandled exception
 +terminates the daemon.
 +
 +Based on: https://bugzilla.redhat.com/attachment.cgi?id=3D312881
 +
 +--- hpssd.py.orig	2008-11-23 22:41:08.000000000 +0300
 ++++ hpssd.py	2008-11-23 22:57:51.000000000 +0300
 +@@ -203,7 +203,7 @@
 +                 log.debug(self.out_buffer)
 +                 return True
 +=20
 +-            msg_type =3D self.fields.get('msg', 'unknown').lower()
 ++            msg_type =3D str(self.fields.get('msg', 'unknown')).lower()
 +             log.debug("Handling: %s %s %s" % ("*"*20, msg_type, "*"*20))
 +             log.debug(repr(self.in_buffer))
 +=20
 +@@ -260,9 +260,9 @@
 +=20
 +=20
 +     def handle_getvalue(self):
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'=
 , 'hp:')
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 fax:', 'hp:')
 +         value =3D ''
 +-        key =3D self.fields.get('key', '')
 ++        key =3D str(self.fields.get('key', ''))
 +         result_code =3D self.__checkdevice(device_uri)
 +=20
 +         if result_code =3D=3D ERROR_SUCCESS:
 +@@ -274,9 +274,9 @@
 +         self.out_buffer =3D buildResultMessage('GetValueResult', value, r=
 esult_code)
 +=20
 +     def handle_setvalue(self):
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'=
 , 'hp:')
 +-        key =3D self.fields.get('key', '')
 +-        value =3D self.fields.get('value', '')
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 fax:', 'hp:')
 ++        key =3D str(self.fields.get('key', ''))
 ++        value =3D str(self.fields.get('value', ''))
 +         result_code =3D self.__checkdevice(device_uri)
 +=20
 +         if result_code =3D=3D ERROR_SUCCESS:   =20
 +@@ -285,7 +285,7 @@
 +         self.out_buffer =3D buildResultMessage('SetValueResult', None, ER=
 ROR_SUCCESS)
 +=20
 +     def handle_queryhistory(self):
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'=
 , 'hp:')
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 fax:', 'hp:')
 +         payload =3D ''
 +         result_code =3D self.__checkdevice(device_uri)
 +=20
 +@@ -305,8 +305,8 @@
 +=20
 +     # EVENT
 +     def handle_registerguievent(self):
 +-        username =3D self.fields.get('username', '')
 +-        typ =3D self.fields.get('type', 'unknown')
 ++        username =3D str(self.fields.get('username', ''))
 ++        typ =3D str(self.fields.get('type', 'unknown'))
 +         self.typ =3D typ
 +         self.username =3D username
 +         self.send_events =3D True
 +@@ -314,13 +314,13 @@
 +=20
 +     # EVENT
 +     def handle_unregisterguievent(self):
 +-        username =3D self.fields.get('username', '')
 ++        username =3D str(self.fields.get('username', ''))
 +         self.send_events =3D False
 +=20
 +=20
 +     def handle_test_email(self):
 +         result_code =3D ERROR_SUCCESS
 +-        username =3D self.fields.get('username', prop.username)
 ++        username =3D str(self.fields.get('username', prop.username))
 +         message =3D device.queryString('email_test_message')
 +         subject =3D device.queryString('email_test_subject')
 +         result_code =3D self.sendEmail(username, subject, message, True)
 +@@ -343,11 +343,14 @@
 +=20
 +     # sent by hpfax: to indicate the start of a complete fax rendering job
 +     def handle_hpfaxbegin(self):
 +-        username =3D self.fields.get('username', prop.username)
 +-        job_id =3D self.fields.get('job-id', 0)
 +-        printer_name =3D self.fields.get('printer', '')
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hp:', '=
 hpfax:')
 +-        title =3D self.fields.get('title', '')
 ++        username =3D str(self.fields.get('username', prop.username))
 ++        try:
 ++            job_id =3D int(self.fields.get('job-id', 0))
 ++        except ValueError:
 ++            job_id =3D 0
 ++        printer_name =3D str(self.fields.get('printer', ''))
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 :', 'hpfax:')
 ++        title =3D str(self.fields.get('title', ''))
 +=20
 +         log.debug("Creating data store for %s:%d" % (username, job_id))
 +         fax_file[(username, job_id)] =3D tempfile.NamedTemporaryFile(pref=
 ix=3D"hpfax")
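
Review bot: the int() conversion of job-id in handle_hpfaxbegin catches
only ValueError, while int() raises TypeError for values that are
neither strings nor numbers (None, a list), so if the field parser can
produce such a value the daemon still dies on it. Catch
(ValueError, TypeError); and since the same four-line try/except is
repeated in every handler touched by this patch, a small helper taking
the field name and a default would keep the handlers readable and the
behaviour uniform.
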
 +@@ -360,8 +363,11 @@
 +=20
 +     # sent by hpfax: to transfer completed fax rendering data
 +     def handle_hpfaxdata(self):
 +-        username =3D self.fields.get('username', prop.username)
 +-        job_id =3D self.fields.get('job-id', 0)
 ++        username =3D str(self.fields.get('username', prop.username))
 ++        try:
 ++            job_id =3D int(self.fields.get('job-id', 0))
 ++        except ValueError:
 ++            job_id =3D 0
 +=20
 +         if self.payload and (username, job_id) in fax_file and \
 +             not fax_file_ready[(username, job_id)]:
 +@@ -373,12 +379,18 @@
 +=20
 +     # sent by hpfax: to indicate the end of a complete fax rendering job
 +     def handle_hpfaxend(self):
 +-        username =3D self.fields.get('username', '')
 +-        job_id =3D self.fields.get('job-id', 0)
 +-        printer_name =3D self.fields.get('printer', '')
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hp:', '=
 hpfax:')
 +-        title =3D self.fields.get('title', '')
 +-        job_size =3D self.fields.get('job-size', 0)
 ++        username =3D str(self.fields.get('username', ''))
 ++        try:
 ++            job_id =3D int(self.fields.get('job-id', 0))
 ++        except ValueError:
 ++            job_id =3D 0
 ++        printer_name =3D str(self.fields.get('printer', ''))
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 :', 'hpfax:')
 ++        title =3D str(self.fields.get('title', ''))
 ++        try:
 ++            job_size =3D int(self.fields.get('job-size', 0))
 ++        except ValueError:
 ++            job_size =3D 0
 +=20
 +         fax_file[(username, job_id)].seek(0)
 +         fax_file_ready[(username, job_id)] =3D True
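
Review bot: in handle_hpfaxend the coerced username and job_id go
straight into fax_file[(username, job_id)].seek(0), and a client can
send a pair for which no hpfaxbegin was ever seen, which raises
KeyError. handle_hpfaxdata tests "(username, job_id) in fax_file" before
touching the table; the same membership test is needed here, otherwise,
as far as this hunk shows, the handler keeps the unhandled-exception
problem that the patch is meant to remove.
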
 +@@ -389,7 +401,7 @@
 +=20
 +     # sent by hp-sendfax to see if any faxes have been printed and need t=
 o be picked up
 +     def handle_faxcheck(self):
 +-        username =3D self.fields.get('username', '')
 ++        username =3D str(self.fields.get('username', ''))
 +         result_code =3D ERROR_NO_DATA_AVAILABLE
 +         other_fields =3D {}
 +=20
 +@@ -413,8 +425,11 @@
 +     # after being run with --job param, both after a hpfaxend message
 +     def handle_faxgetdata(self):
 +         result_code =3D ERROR_SUCCESS
 +-        username =3D self.fields.get('username', '')
 +-        job_id =3D self.fields.get('job-id', 0)
 ++        username =3D str(self.fields.get('username', ''))
 ++        try:
 ++            job_id =3D int(self.fields.get('job-id', 0))
 ++        except ValueError:
 ++            job_id =3D 0
 +=20
 +         try:
 +             fax_file[(username, job_id)]
 +@@ -442,15 +457,18 @@
 +     # EVENT
 +     def handle_event(self):
 +         gui_port, gui_host =3D None, None
 +-        event_type =3D self.fields.get('event-type', 'event')
 ++        event_type =3D str(self.fields.get('event-type', 'event'))
 +        =20
 +-        event_code =3D self.fields.get('event-code', STATUS_PRINTER_IDLE)
 ++        try:
 ++            event_code =3D int(self.fields.get('event-code', STATUS_PRINT=
 ER_IDLE))
 ++        except ValueError:
 ++            event_code =3D STATUS_PRINTER_IDLE
 +        =20
 +         # If event-code > 10001, its a PJL error code, so convert it
 +         if event_code > EVENT_MAX_EVENT:
 +             event_code =3D status.MapPJLErrorCode(event_code)
 +            =20
 +-        device_uri =3D self.fields.get('device-uri', '').replace('hpfax:'=
 , 'hp:')
 ++        device_uri =3D str(self.fields.get('device-uri', '')).replace('hp=
 fax:', 'hp:')
 +         result_code =3D self.__checkdevice(device_uri)
 +         if result_code !=3D ERROR_SUCCESS:
 +             return
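
Review bot: the trailing context of this handle_event hunk
(result_code = self.__checkdevice(device_uri) followed by the
"!= ERROR_SUCCESS" return) exists only once patch-CVE-2008-2940 has been
applied, so patch-CVE-2008-2941 cannot be applied on its own. The header
of this file does not mention the ordering; please add a line saying it
depends on patch-CVE-2008-2940.
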
 +@@ -461,7 +479,10 @@
 +=20
 +         log.debug("Short/Long: %s/%s" % (error_string_short, error_string=
 _long))
 +=20
 +-        job_id =3D self.fields.get('job-id', 0)
 ++        try:
 ++            job_id =3D int(self.fields.get('job-id', 0))
 ++        except ValueError:
 ++            job_id =3D 0
 +=20
 +         try:
 +             username =3D self.fields['username']
 +@@ -480,7 +501,10 @@
 +=20
 +         no_fwd =3D utils.to_bool(self.fields.get('no-fwd', '0'))
 +         log.debug("Username (jobid): %s (%d)" % (username, job_id))
 +-        retry_timeout =3D self.fields.get('retry-timeout', 0)
 ++        try:
 ++            retry_timeout =3D int(self.fields.get('retry-timeout', 0))
 ++        except ValueError:
 ++            retry_timeout =3D 0
 +         user_alerts =3D alerts.get(username, {})       =20
 +=20
 +         dup_event =3D False
 --=20
 1.6.0.4
 
 
 --Dxnq1zWXvFF0Q93v--
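
The parser fragility described in the commit message above (a client-controlled field may arrive as a number, a string or something else, and a handler that assumes one type dies on the others), shown as an added example that is not part of the original thread or of hplip. It is written for Python 3 and goes slightly beyond the patch by also catching TypeError and by containing a handler failure to the one request; field_str, field_int, dispatch, both handlers and the sample requests are constructed for illustration.

```python
"""Added example (Python 3). All names are illustrative, not hplip's API."""


def field_str(fields, name, default=""):
    """Return a field as text, whatever type the parser produced."""
    value = fields.get(name, default)
    if value is None:
        return default
    if isinstance(value, bytes):
        return value.decode("utf-8", "replace")
    return str(value)


def field_int(fields, name, default=0, lo=None, hi=None):
    """Return a field as int, or `default` if it is not a usable number."""
    value = fields.get(name, default)
    if isinstance(value, bool):          # bool is an int subclass; refuse it
        return default
    try:
        number = int(value)
    except (ValueError, TypeError, OverflowError):   # "7x", None/list, inf
        return default
    if (lo is not None and number < lo) or (hi is not None and number > hi):
        return default
    return number


def fragile_handler(fields):
    """Pre-patch pattern: assumes 'msg' is a string and 'job-id' a number."""
    msg_type = fields.get("msg", "unknown").lower()
    job_id = fields.get("job-id", 0)
    return "%s:%d" % (msg_type, job_id)


def hardened_handler(fields):
    """Same handler with every field coerced before it is used."""
    msg_type = field_str(fields, "msg", "unknown").lower()
    job_id = field_int(fields, "job-id", 0, lo=0)
    return "%s:%d" % (msg_type, job_id)


def dispatch(handler, fields):
    """Run one request; a failing handler costs that request, not the daemon."""
    try:
        return ("ok", handler(fields))
    except Exception as exc:             # report the class, keep serving
        return ("rejected", type(exc).__name__)


# Constructed sample requests: one well-formed, three with unexpected types.
SAMPLE_REQUESTS = [
    {"msg": "Event", "job-id": 12},
    {"msg": 42, "job-id": "12abc"},
    {"msg": None, "job-id": [1]},
    {"msg": "hpfaxend", "job-id": "7x"},
]


def run_samples():
    """Return (fragile result, hardened result) for each sample request."""
    return [(dispatch(fragile_handler, r), dispatch(hardened_handler, r))
            for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for fragile, hardened in run_samples():
        print(fragile, hardened)
```
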

From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: Anish Mistry <amistry@am-productions.biz>
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and
	CVE-2008-2941
Date: Mon, 24 Nov 2008 09:45:55 +0300

 --jFijuCULRDbBA23d
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 Anish, good day.
 
 Sun, Nov 23, 2008 at 02:46:26PM -0500, Anish Mistry wrote:
 > On Sunday 23 November 2008, Eygene Ryabinkin wrote:
 > > >Number:         129097
 > > >Category:       ports
 > > >Synopsis:       [vuxml] print/hplip: document CVE-2008-2940 and
 > > > CVE-2008-2941 Confidential:   no
 > > >Severity:       serious
 > > >Priority:       high
 > > >Responsible:    freebsd-ports-bugs
 > > >State:          open
 > > >Quarter:
 > > >Keywords:
 > > >Date-Required:
 > > >Class:          sw-bug
 > > >Submitter-Id:   current-users
 > > >Arrival-Date:   Sun Nov 23 18:50:00 UTC 2008
 > > >Closed-Date:
 > > >Last-Modified:
 > > >Originator:     Eygene Ryabinkin
 > > >Release:        FreeBSD 7.1-PRERELEASE i386
 > > >Organization:
 >
 > Commit it.
 
 That's fine, thanks.  But yesterday I had sent a patch that fixes the
 vulnerabilities for 2.8.2.  What do you think about it?  Could you test
 the patch?  The VuXML entry details depend on this: I wrote that
 hplip >= 2.8.4 aren't vulnerable, but if you'll approve the patch that
 upgrades to 2.8.2_3, then VuXML entry should be corrected.
 
 Thanks again!
 -- 
 Eygene
 
 --jFijuCULRDbBA23d--

From: Anish Mistry <amistry@am-productions.biz>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject: Re: ports/129097: [vuxml] print/hplip: document CVE-2008-2940 and CVE-2008-2941
Date: Mon, 24 Nov 2008 09:57:32 -0500

 --nextPart1436324.ylxnvIu4xE
 Content-Type: text/plain;
   charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: inline
 
 On Monday 24 November 2008, Eygene Ryabinkin wrote:
 > Anish, good day.
 >
 > That's fine, thanks.  But yesterday I had sent a patch that fixes
 > the vulnerabilities for 2.8.2.  What do you think about it?  Could
 > you test the patch?  The VuXML entry details depend on this: I
 > wrote that hplip >= 2.8.4 aren't vulnerable, but if you'll approve
 > the patch that upgrades to 2.8.2_3, then VuXML entry should be
 > corrected.
 >
 > Thanks again!
 Finally got around to it.  The patches look fine, and it passed my
 basic testing.  Commit.
 
 Thanks,
 
 -- 
 Anish Mistry
 amistry@am-productions.biz
 AM Productions http://am-productions.biz/
 
 --nextPart1436324.ylxnvIu4xE--

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129097: commit references a PR
Date: Sat, 29 Nov 2008 13:48:52 +0000 (UTC)

 miwi        2008-11-29 13:48:44 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   - Document hplip -- hpssd Denial of Service
   
   PR:             based on 129097
   Submitted by:   Eygene Ryabinkin
   
   Revision  Changes    Path
   1.1766    +34 -1     ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->closed 
State-Changed-By: miwi 
State-Changed-When: Sat Nov 29 15:38:43 UTC 2008 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129097 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/129097: commit references a PR
Date: Sat, 29 Nov 2008 15:36:55 +0000 (UTC)

 miwi        2008-11-29 15:36:43 UTC
 
   FreeBSD ports repository
 
   Modified files:
     print/hplip          Makefile 
   Log:
   - Fix hpssd Denial of Service
   
   This can be exploited to crash the service by sending specially crafted
   requests to the default port 2207/TCP.
   
   PR:             129097
   Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
   Approved by:    maintainer
   Security:       http://www.vuxml.org/freebsd/37940643-be1b-11dd-a578-0030843d3802.html
   
   Revision  Changes    Path
   1.21      +1 -1      ports/print/hplip/Makefile
 
>Unformatted:
