hplip: CVE-2013-6427: insecure (undocumented) auto update feature

Related Vulnerabilities: CVE-2013-6427  

Debian Bug report logs - #731480
hplip: CVE-2013-6427: insecure (undocumented) auto update feature


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 5 Dec 2013 21:09:07 UTC

Severity: grave

Tags: security, upstream

Found in version hplip/3.13.11-1

Fixed in version hplip/3.13.11-2

Done: Mark Purcell <msp@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#731480; Package hplip. (Thu, 05 Dec 2013 21:09:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Thu, 05 Dec 2013 21:09:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hplip: CVE-2013-6427: insecure (undocumented) auto update feature
Date: Thu, 05 Dec 2013 22:06:24 +0100
Package: hplip
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for hplip.

CVE-2013-6427[0]:
insecure auto update feature

SuSE decided to patch the update.py script to exit immediately, see [1]
for details. I have only verified that the hplip-data source package
in unstable indeed contains /usr/share/hplip/upgrade.py but not if
there is actually a chance to be run (as root) at one stage (thus the
severity might be argued).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6427
    http://security-tracker.debian.org/tracker/CVE-2013-6427
[1] https://bugzilla.novell.com/show_bug.cgi?id=853405
[2] http://www.openwall.com/lists/oss-security/2013/12/05/2

Please adjust the affected versions in the BTS as needed (only
unstable verified for the source).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>:
Bug#731480; Package hplip. (Thu, 12 Dec 2013 20:27:08 GMT)


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>. (Thu, 12 Dec 2013 20:27:08 GMT)


Message #10 received at 731480@bugs.debian.org:

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
To: Debian Bug Tracking System <731480@bugs.debian.org>
Subject: Re: hplip: CVE-2013-6427: insecure (undocumented) auto update feature
Date: Thu, 12 Dec 2013 15:17:23 -0500
Package: hplip
Version: 3.13.11-1
Followup-For: Bug #731480
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/non-shipped-files.txt, debian/hplip.install: don't ship
    hp-upgrade and upgrade.py, as we want to use proper packaging, and want
    to prevent security issues.
    - CVE-2013-6427

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers saucy-updates
  APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[hplip_3.13.11-1ubuntu1.debdiff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Sun, 15 Dec 2013 11:45:04 GMT)


Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. (Sun, 15 Dec 2013 12:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 15 Dec 2013 12:06:05 GMT)


Message #17 received at 731480-close@bugs.debian.org:

From: Mark Purcell <msp@debian.org>
To: 731480-close@bugs.debian.org
Subject: Bug#731480: fixed in hplip 3.13.11-2
Date: Sun, 15 Dec 2013 12:03:45 +0000
Source: hplip
Source-Version: 3.13.11-2

We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated hplip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 15 Dec 2013 18:13:44 +1100
Source: hplip
Binary: hplip hplip-data printer-driver-postscript-hp hplip-gui hplip-dbg hplip-doc hpijs-ppds printer-driver-hpijs printer-driver-hpcups libhpmud0 libhpmud-dev libsane-hpaio
Architecture: source amd64 all
Version: 3.13.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
 hplip      - HP Linux Printing and Imaging System (HPLIP)
 hplip-data - HP Linux Printing and Imaging - data files
 hplip-dbg  - HP Linux Printing and Imaging - debugging information
 hplip-doc  - HP Linux Printing and Imaging - documentation
 hplip-gui  - HP Linux Printing and Imaging - GUI utilities (Qt-based)
 libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries
 libhpmud0  - HP Multi-Point Transport Driver (hpmud) run-time libraries
 libsane-hpaio - HP SANE backend for multi-function peripherals
 printer-driver-hpcups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
 printer-driver-hpijs - HP Linux Printing and Imaging - printer driver (hpijs)
 printer-driver-postscript-hp - HP Printers PostScript Descriptions
Closes: 731480
Changes: 
 hplip (3.13.11-2) unstable; urgency=medium
 .
   * Urgency medium for CVE fix
   * Sync with ubuntu - thks ~marc.deslauriers
     - Fixes "CVE-2013-6427: insecure (undocumented) auto update feature"
     (Closes: #731480)
Checksums-Sha1: 
 7be384382381ecd6cf66fa10bf588087acf8faa7 2317 hplip_3.13.11-2.dsc
 d27a05a9657c0c3a5c8e37f92bf33054c37e1cb4 108305 hplip_3.13.11-2.debian.tar.gz
 2486ba332844967b2624844af315eee38623663c 138820 hplip_3.13.11-2_amd64.deb
 4ce7ad8a727857babc5d8c55ec8bd23db66aee2f 1411732 hplip-dbg_3.13.11-2_amd64.deb
 cfbb84636bca0e2b0d1dcb0fe10644266c129b26 330712 printer-driver-hpijs_3.13.11-2_amd64.deb
 5e7a2cef8e80f2ca67c2ed35a49d6057cb9abc7e 309448 printer-driver-hpcups_3.13.11-2_amd64.deb
 b0b4ef01e745f32bfcdeef7c24848c1c43e431f7 166676 libhpmud0_3.13.11-2_amd64.deb
 2d13448416eb8c2ff9fa78f095368f3869196b07 6566222 hplip-data_3.13.11-2_all.deb
 33bbf1be414d2e6f23ce3e3773d142eb80761283 80074 libhpmud-dev_3.13.11-2_amd64.deb
 89d5fddebf78d8bc8876d0ec26718e38149b3813 814156 printer-driver-postscript-hp_3.13.11-2_all.deb
 6ab49faae7ef6ea069fdf3415d4db44a75769a47 178210 libsane-hpaio_3.13.11-2_amd64.deb
 ce1f5205ccb168206d927b7360abd07dd6c0e3db 91300 hplip-gui_3.13.11-2_all.deb
 07b52fbe67e9103c93ce4be25269e8c051464c9d 661580 hplip-doc_3.13.11-2_all.deb
 0b3c553644a133ec98c9a16d8ebf0e35685360f7 163958 hpijs-ppds_3.13.11-2_all.deb
Checksums-Sha256: 
 9a0064cd97bf259aed856171915d45f6681890966d575b65bbc9f989da57070b 2317 hplip_3.13.11-2.dsc
 01320515d413fcb010702d524907b1ec9fcf3d9f36fca8873cc1e0123442a9d1 108305 hplip_3.13.11-2.debian.tar.gz
 c1f4bafd38c24cbb23315b4b686b0d3ccb45f76c33ff2dd31ccb1dfaed794197 138820 hplip_3.13.11-2_amd64.deb
 bcb82c28717018624bac4b996703ac54914a7ceda2ae9821801ef2a04df16d56 1411732 hplip-dbg_3.13.11-2_amd64.deb
 8178f7f00994ab5b05bd70043c58daa7e7116aaa5a2539e6914c68c371a1fd92 330712 printer-driver-hpijs_3.13.11-2_amd64.deb
 f0a0009165d33eb95f8bb75ad12598796a5e22673433a03df5fccbc104111f2d 309448 printer-driver-hpcups_3.13.11-2_amd64.deb
 0ad55faeff699adaeec50141c8b3ebdcfaf31f9eb432ccc1ad0f5fa66178f8b9 166676 libhpmud0_3.13.11-2_amd64.deb
 bc14a48ee56b5fb7b180b17474058a5a3390c7115591269645101334be0aac3f 6566222 hplip-data_3.13.11-2_all.deb
 dbe4ff08dcfe1180d263495af435e65715eb43a7e6b4173d8098aa4797b8d887 80074 libhpmud-dev_3.13.11-2_amd64.deb
 a4e21daef4e52f5e681502b9dda21d3b10d15bd66a9be2cf66c97caa21da0ded 814156 printer-driver-postscript-hp_3.13.11-2_all.deb
 25856a2f2b7935f2756b26c8cd213b8a2ac20e8ff23b79ffdee777764b3a7962 178210 libsane-hpaio_3.13.11-2_amd64.deb
 93c2d63bf1ab9c3449264bd492cafbd74331db770b500c8bc7a6176895b90b05 91300 hplip-gui_3.13.11-2_all.deb
 f2ff6513f89fe671fa7f801803944d082b30985c7e935bade7ea9fefee88a71b 661580 hplip-doc_3.13.11-2_all.deb
 b68222682687e976a820f3a1439cb1e74090ca2f6df0021aedda21f847967737 163958 hpijs-ppds_3.13.11-2_all.deb
Files: 
 1decfc13a635521dd842dcf3a790b695 2317 utils optional hplip_3.13.11-2.dsc
 21471782b1708034bcbaf97578e3f279 108305 utils optional hplip_3.13.11-2.debian.tar.gz
 5c1351d44dbd39d2189ceb3fae42b0ec 138820 utils optional hplip_3.13.11-2_amd64.deb
 a48a5590538a53e7638cc5105113aca8 1411732 debug extra hplip-dbg_3.13.11-2_amd64.deb
 154034732f651e7f4d6b73e3468b947d 330712 text optional printer-driver-hpijs_3.13.11-2_amd64.deb
 d532fb76239c465bc435c2aeda20a610 309448 text optional printer-driver-hpcups_3.13.11-2_amd64.deb
 7cf2a1b1ed49d9c9749fa22258d4881d 166676 libs optional libhpmud0_3.13.11-2_amd64.deb
 1ff93d78c78a3064fbc0038c5cca2e3d 6566222 utils optional hplip-data_3.13.11-2_all.deb
 05524bb02286db29660988684511377b 80074 libdevel optional libhpmud-dev_3.13.11-2_amd64.deb
 55c40c47d1df1e9ea56fb1035d8332d8 814156 utils optional printer-driver-postscript-hp_3.13.11-2_all.deb
 368fa9aafa3fa398e3f5641931a2003c 178210 libs optional libsane-hpaio_3.13.11-2_amd64.deb
 e8ac06bd1572ee3bd07441b3eebd5447 91300 utils optional hplip-gui_3.13.11-2_all.deb
 b0b908442b01d1fa360f00459234af1d 661580 doc optional hplip-doc_3.13.11-2_all.deb
 ae019e0069c9749c4053ffc816403be4 163958 utils optional hpijs-ppds_3.13.11-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlKtlMAACgkQoCzanz0IthL2pwCeMLPpkHIkn8Ch4+269+0VfVhw
cYEAniWmvZ6bERhrmEfjsrz+kIco0Vq7
=Fo5z
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Jan 2014 07:32:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:29:00 2019; Machine Name: buxtehude
