Mandrake Linux Security Advisory : printer-drivers (MDKSA-2003:010)

This script is Copyright (C) 2004-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

Karol Wiesek and iDefense disovered three vulnerabilities in the
printer-drivers package and tools it installs. These vulnerabilities
allow a local attacker to empty or create any file on the filesystem.

The first vulnerability is in the mtink binary, which has a buffer
overflow in its handling of the HOME environment variable.

The second vulnerability is in the escputil binary, which has a buffer
overflow in the parsing of the --printer-name command line argument.
This is only possible when esputil is suid or sgid; in Mandrake Linux
9.0 it was sgid 'sys'. Successful exploitation will provide the
attacker with the privilege of the group 'sys'.

The third vulnerability is in the ml85p binary which contains a race
condition in the opening of a temporary file. By default this file is
installed suid root so it can be used to gain root privilege. The only
caveat is that this file is not executable by other, only by root or
group 'sys'. Using either of the two previous vulnerabilities, an
attacker can exploit one of them to obtain 'sys' privilege' and then
use that to exploit this vulnerability to gain root privilege.

MandrakeSoft encourages all users to upgrade immediately.

Aside from the security vulnerabilities, a number of bugfixes are
included in this update, for Mandrake Linux 9.0 users. GIMP-Print
4.2.5pre1, HPIJS 1.3, pnm2ppa 1.12, mtink 0.9.53, and a new foomatic
snapshot are included. For a list of the many bugfixes, please refer
to the RPM changelog.

See also :

http://www.idefense.com/advisory/01.21.03.txt

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 13995 (mandrake_MDKSA-2003-010.nasl)

Bugtraq ID:

CVE ID: CVE-2003-0034
CVE-2003-0035
CVE-2003-0036

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now