Samsung SCX-4200 printer driver security risk

Just to show what not to do when writing drivers, this just in from LWN:

A LinuxFR reader has sent out an alert (in French) about the Samsung SCX-4200 printer driver for Linux. It appears that the driver author had some trouble with the Linux permission model; the response was to make a few applications run setuid root. A quick look at the install script shows that the affected programs are xsane, xscanimage, and the major OpenOffice.org components. The script also replaces some CUPS executables and does some other fun things. This seems like code to avoid for anybody wanting to run a remotely secure system.

Ugh.

Leave a Reply

Your email address will not be published. Required fields are marked *