RHEL / RHEL-93931

RFE: Add Allow list for FoomaticRIPCommandLine PPD values


    • Story
    • Resolution: Unresolved
    • rhel-9.8
    • cups-filters
    • cups-filters-1.28.7-24.el9
    • Moderate
    • 1
    • rhel-stacks-web-servers
    • ssg_core_services
    • 15
    • 0
    • False
    • False
    • Yes
    • _WS-Refined_
    • Requested
    • Feature
      Feature, enhancement: The `foomatic-rip` filter rejects values of the PPD options `FoomaticRipCommandLine`, `FoomaticRipCommandLinePDF`, and `FoomaticRipOptionSetting` which are not among the hashed values listed in files in the directories `/etc/foomatic/hashes.d` and `/usr/share/foomatic/hashes.d` by default. Customers are expected to run the tool `foomatic-hash` for newly installed printers, review its findings and, if they confirm the findings are not malicious, allow the values by moving the file with the hashes into `/etc/foomatic/hashes.d`. See `man foomatic-rip` and `man foomatic-hash` for more info. Previously installed printers will be allowed during upgrade; however, it is highly recommended to review the found values in the file beginning with `foomatic.` in the directory `/var/tmp`.
      Reason: Values of the PPD options `FoomaticRipCommandLine`, `FoomaticRipCommandLinePDF`, and `FoomaticRipOptionSetting` are targets of possible exploits because the values are used to compose a bash command, which is applied to a file in the filter chain during printing. Based on the previous behavior and considering existing installations, a mechanism to allow specific option values was implemented and included in RHEL.
      Result: Existing installations with `foomatic-rip` will be allowed during upgrade and customers are advised to review the findings in the file beginning with `/var/tmp/foomatic`. If they find anything malicious in the output, it is highly recommended to reinstall the affected printer with a different driver. For any new printer installation which uses `foomatic-rip` and contains unknown values of the mentioned PPD options, the customer is required to run the tool `foomatic-hash` on the newly installed printer, review the findings, and move the file with the hashes into the directory `/etc/foomatic/hashes.d` if they accept the findings.

      Example commands:
      (scan the PPD of a new printer called `printer` - found values are written to `file_to_review`, final hashes to `local_hashes`)
      $ sudo foomatic-hash --ppd /etc/cups/ppd/printer.ppd file_to_review local_hashes
      (review the file `file_to_review`, and if the values are not malicious, copy `local_hashes` to the directory)
      $ sudo cp local_hashes /etc/foomatic/hashes.d
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified

      CVE-2024-47177 shows a possible exploit in the foomatic-rip filter if another vulnerability is exploited to gain control over installed drivers or driver generators; that would give an attacker a way to taint a PPD file with problematic values for the FoomaticRIPCommandLine* keywords, which are later run as a command during file processing in the printing process.

      To prevent this issue, the foomatic-rip filter will reject all values by default unless a value has been allowed by adding its hash to a specific file, which foomatic-rip reads when it runs.

      Acceptance criteria:

      • the foomatic-rip filter rejects any FoomaticRIPCommandLine* values in the default configuration,
      • foomatic-rip reads allowed values from files in /usr/share/foomatic/hashes.d and /etc/foomatic/hashes.d,
      • the foomatic-hash tool scans the presented PPD file (or location - RHEL 10 only), finds the values of the FoomaticRIPCommandLine* keywords, saves them into a file for review, and hashes the contents of that file line by line using SHA-256.
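      As an added illustration of the allow-list check described in the release note and the acceptance criteria above (this is not the cups-filters or foomatic-hash code itself): extract the three keywords' values from a PPD, hash each with SHA-256, and compare the digests against the lines of the files in the two hashes.d directories. It assumes each whole value forms one hashed line and that keyword matching is case-insensitive; the PPD fragment is constructed.

```python
import hashlib
import re
from pathlib import Path

# The three PPD keywords foomatic-rip checks against the allow list (per the release note).
CHECKED_KEYWORDS = ("FoomaticRIPCommandLine", "FoomaticRIPCommandLinePDF",
                    "FoomaticRIPOptionSetting")

# Constructed sample PPD fragment; not taken from any real driver.
SAMPLE_PPD = '''*FoomaticRIPCommandLine: "gs -q -dBATCH -dNOPAUSE -sDEVICE=pxlmono &&
-sOutputFile=- -"
*FoomaticRIPCommandLinePDF: "pdftops - - | gs -q -dBATCH -sDEVICE=pxlmono -sOutputFile=- -"
*FoomaticRIPOptionSetting PageSize=Letter: "-sPAPERSIZE=letter"
*FoomaticRIPOptionSetting PageSize=A4: "-sPAPERSIZE=a4"
'''

# The keyword is spelled with varying case across sources, so match case-insensitively (assumption).
_KEYWORD_RE = re.compile(r'^\*(' + '|'.join(CHECKED_KEYWORDS) + r')\b[^:]*:\s*"(.*)$', re.I)

def extract_values(ppd_text):
    """Checked keywords' values in file order; a quoted value spanning lines
    (foomatic's '&&' continuation style) comes back as one newline-joined string."""
    values, lines = [], iter(ppd_text.splitlines())
    for line in lines:
        m = _KEYWORD_RE.match(line)
        if not m:
            continue
        rest, parts = m.group(2), []
        while '"' not in rest:           # closing quote not yet seen: keep reading
            parts.append(rest)
            rest = next(lines, '"')      # an unterminated value at EOF ends here
        parts.append(rest[:rest.index('"')])
        values.append("\n".join(parts))
    return values

def sha256_hex(value):
    """Hash one extracted value (assumption: each whole value is one hashed line)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def load_allowed_hashes(dirs=("/usr/share/foomatic/hashes.d", "/etc/foomatic/hashes.d")):
    """Every non-empty line of every regular file in the allow-list directories."""
    allowed = set()
    for f in (f for d in dirs if Path(d).is_dir() for f in Path(d).iterdir() if f.is_file()):
        allowed.update(h.strip() for h in f.read_text().splitlines() if h.strip())
    return allowed

def check_ppd(ppd_text, allowed):
    """(value, sha256, is_allowed) per checked value; any False means foomatic-rip rejects the PPD."""
    return [(v, sha256_hex(v), sha256_hex(v) in allowed) for v in extract_values(ppd_text)]
```

      Running `check_ppd(SAMPLE_PPD, load_allowed_hashes())` on a host with empty hashes.d directories reports every value as rejected; writing the four digests into a file under `/etc/foomatic/hashes.d` flips them to allowed.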

              Zdenek Dohnal (zdohnal@redhat.com)
              Petr Dancak