FS#48112 - [hplip] Stack buffer overflow in BinaryURL handling in bb_ledm.c
Attached to Project:
Arch Linux
Opened by Vittorio Gambaletta (VittGam) - Tuesday, 09 February 2016, 21:35 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 16 March 2022, 19:24 GMT
Details
Description:
The BinaryURL parameter is contained in an XML HTTP response from the scanner, so this is remotely exploitable (but the user still needs to manually start a scan with sane).

From line 1011 of scan/sane/bb_ledm.c:

    char *c = strstr(buf, "<BinaryURL>");
    _DBG("bb_start_scan() BinaryURL=%s \n", c);
    if (!c)
        goto bugout;
    c += 11;
    char BinaryURL[30];
    i = 0;
    while (*c != '<')
    {
        BinaryURL[i++] = *c;
        c++;
    }
    BinaryURL[i] = '\0';
    //_DBG("bb_start_scan() BinaryURL=%s\n", BinaryURL);
    len = snprintf(buf, sizeof(buf), GET_SCAN_JOB_URL, BinaryURL);

Line 1018 should be:

    while (*c != '<' && i < 29)

to avoid the stack overflow.

Additional info:
* Both published version (3.15.11-2) and latest upstream version (3.16.2) are vulnerable
* I don't know how to report this bug to HP...

Cheers,
Vittorio G
This task depends upon
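The following is an added example, not code from hplip or from the reporter: a bounded replacement for the copy loop quoted in the description. It keeps the 30-byte destination from the report, but instead of only capping the index (which would silently truncate an over-long value) it fails closed, and it also stops at the end of the string so a response with no closing '<' cannot run the read off the end of buf. The XML responses and the function name extract_binary_url are constructed for the example.

```c
/* Added example: bounded extraction of the BinaryURL value from a LEDM
 * scanner response. Not hplip code; the samples below are constructed. */
#include <stdio.h>
#include <string.h>

/* Same destination size as the report's "char BinaryURL[30]". */
#define BINARYURL_MAX 30

/* Copy the text between <BinaryURL> and the next '<' into out (size outsz).
 * Returns the number of bytes copied, or -1 if the tag is missing, the value
 * is not terminated by '<', or it would not fit together with its NUL. */
int extract_binary_url(const char *buf, char *out, size_t outsz)
{
    static const char tag[] = "<BinaryURL>";
    const char *c = strstr(buf, tag);
    if (!c || outsz == 0)
        return -1;
    c += sizeof(tag) - 1;          /* skip the 11-byte opening tag */

    /* strcspn stops at '<' or at the terminating NUL, never beyond it. */
    size_t n = strcspn(c, "<");
    if (c[n] != '<')               /* no closing tag: malformed response */
        return -1;
    if (n >= outsz)                /* value plus NUL would not fit: refuse */
        return -1;
    memcpy(out, c, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample responses (not captured from a real device). */
static const char good_resp[] =
    "<ScanJob><BinaryURL>/Scan/Jobs/1/Pages/1</BinaryURL></ScanJob>";
static const char long_resp[] =
    "<ScanJob><BinaryURL>/Scan/Jobs/1/Pages/1/this/path/is/far/too/long"
    "</BinaryURL></ScanJob>";
static const char unterminated_resp[] = "<ScanJob><BinaryURL>/Scan/Jobs/1";

int main(void)
{
    char url[BINARYURL_MAX];
    const char *cases[] = { good_resp, long_resp, unterminated_resp };
    for (size_t k = 0; k < 3; k++) {
        int n = extract_binary_url(cases[k], url, sizeof url);
        if (n < 0)
            printf("case %zu: rejected\n", k);
        else
            printf("case %zu: BinaryURL=%s (%d bytes)\n", k, url, n);
    }
    return 0;
}
```

The bound is derived from the destination size passed in rather than a hard-coded 29, so it stays correct if the buffer is ever resized; rejecting an over-long value, rather than truncating it, also avoids later building a scan-job request from a URL that is not the one the device sent.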
Not to mention the ugly XML "parser" that doesn't even check tag names but it trusts some built-in ordering of the tags, so it obviously gets some values wrong on my scanner... Sigh.
But I think that only the "HPLIP security team" can see it for now.
I don't know what to do exactly now; should I get a CVE number and do a full disclosure (somehow)?
https://h41268.www4.hp.com/live/index_e.aspx?qid=11503