Hi, attached is a patch for an NMU which should fix this vulnerability. It will be also archived on: http://people.debian.org/~nion/nmu-diff/hplip-1.6.10-4.2_1.6.10-4.3.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u hplip-1.6.10/debian/changelog hplip-1.6.10/debian/changelog
--- hplip-1.6.10/debian/changelog
+++ hplip-1.6.10/debian/changelog
@@ -1,3 +1,12 @@
+hplip (1.6.10-4.3) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Included CVE-2007-5208.dpatch to fix
+ arbitrary command execution in hpssd via crafted from address
+ because of missing sanitization (CVE-2007-5208) (Closes: #447341).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Mon, 22 Oct 2007 10:31:55 +0200
+
hplip (1.6.10-4.2) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- hplip-1.6.10.orig/debian/patches/CVE-2007-5208.dpatch
+++ hplip-1.6.10/debian/patches/CVE-2007-5208.dpatch
@@ -0,0 +1,55 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5208.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad hplip-1.6.10~/hpssd.py hplip-1.6.10/hpssd.py
+--- hplip-1.6.10~/hpssd.py 2006-10-03 21:55:01.000000000 +0200
++++ hplip-1.6.10/hpssd.py 2007-10-22 13:44:45.000000000 +0200
+@@ -53,7 +53,7 @@
+
+ # Std Lib
+ import sys, socket, os, os.path, signal, getopt, glob, time, select
+-import popen2, threading, gettext, re, xml.parsers.expat, fcntl
++import subprocess, threading, gettext, re, xml.parsers.expat, fcntl
+ import cStringIO, pwd
+
+ from errno import EALREADY, EINPROGRESS, EWOULDBLOCK, ECONNRESET, \
+@@ -1383,21 +1383,23 @@
+
+ if sendmail:
+ sendmail = os.path.join(sendmail, 'sendmail')
+- sendmail += ' -t -r %s' % self.from_address
++ cmd = [sendmail,'-t','-r',self.from_address]
+
+- log.debug(sendmail)
+- std_out, std_in, std_err = popen2.popen3(sendmail)
+- log.debug(repr(self.message))
+- std_in.write(self.message)
+- std_in.close()
++ log.debug(repr(cmd))
++ err = None
++ try:
++ sp = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
++ std_out, std_err = sp.communicate(self.message)
++ log.debug(repr(self.message))
++ if std_err != '':
++ err = std_err
+
+- r, w, e = select.select([std_err], [], [], 2.0)
++ except OSError, e:
++ err = str(e)
+
+- if r:
+- err = std_err.read()
+- if err:
+- log.error(repr(err))
+- self.result = ERROR_TEST_EMAIL_FAILED
++ if err:
++ log.error(repr(err))
++ self.result = ERROR_TEST_EMAIL_FAILED
+
+ else:
+ log.error("Mail send failed. sendmail not found.")
pgpgatT5QXQN8.pgp
Description: PGP signature

