Create debugging files securely (CVE-2011-2722, bug #725830).

hplip-CVE-2011-2722.patch

@@ -0,0 +1,21 @@
+diff -up hplip-3.11.7/prnt/hpijs/hpcupsfax.cpp.CVE-2011-2722 hplip-3.11.7/prnt/hpijs/hpcupsfax.cpp
+--- hplip-3.11.7/prnt/hpijs/hpcupsfax.cpp.CVE-2011-2722	2011-07-29 10:21:37.404874641 +0100
++++ hplip-3.11.7/prnt/hpijs/hpcupsfax.cpp	2011-07-29 10:28:10.071298117 +0100
+@@ -625,8 +625,15 @@ int send_data_to_stdout(int fromFD)
+     fp = NULL;
+     if (iLogLevel & SAVE_PCL_FILE)
+     {
+-        fp = fopen ("/tmp/hpcupsfax.out", "w");
+-        system ("chmod 666 /tmp/hpcupsfax.out");
++	int fd;
++
++	unlink ("/tmp/hpcupsfax.out");
++	fd = open ("/tmp/hpcupsfax.out", O_WRONLY | O_CREAT | O_EXCL,
++		   S_IRUSR | S_IWUSR | S_IRGRP);
++	if (fd != -1)
++	{
++	    fp = fdopen (fd, "w");
++	}
+     }
+     
+     while ((len = read (fromFD, pTmp, iSize)) > 0)

hplip.spec

@@ -1,7 +1,7 @@
 Summary: HP Linux Imaging and Printing Project
 Name: hplip
 Version: 3.11.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and MIT
 Group: System Environment/Daemons
 Conflicts: system-config-printer < 0.6.132
@@ -44,6 +44,7 @@ Patch33: hplip-dbus-threads.patch
 Patch34: hplip-notification-exception.patch
 Patch35: hplip-CVE-2010-4267.patch
 Patch36: hplip-wifisetup.patch
+Patch37: hplip-CVE-2011-2722.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -290,6 +291,7 @@ done
 
 # Avoid KeyError in ui4/wifisetupdialog.py (bug #680939).
 %patch36 -p1 -b .wifisetup
+%patch37 -p1 -b .CVE-2011-2722
 
 sed -i.duplex-constraints \
     -e 's,\(UIConstraints.* \*Duplex\),//\1,' \
@@ -523,6 +525,9 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Aug 18 2011 Tim Waugh <twaugh@redhat.com> 3.11.7-2
+- Create debugging files securely (CVE-2011-2722, bug #725830).
+
 * Mon Jul 25 2011 Jiri Popelka <jpopelka@redhat.com> 3.11.7-1
 - 3.11.7