Bug#635549: [Pkg-hpijs-devel] Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Mark Purcell
On Sat, 26 Nov 2011 04:38:19 Moritz Mühlenhoff wrote:
> CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
> please fix this through a point update?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Moritz and odyx,

Thanks for chasing this down.

I should be able to upload something this week.

Mark


signature.asc
Description: This is a digitally signed message part.


Re: [Pkg-hpijs-devel] Bug#649991: Please rename the hplip packages to the printer-driver- convention

2011-11-25 Thread Mark Purcell
On Fri, 25 Nov 2011 21:49:57 Didier Raboud wrote:
> Okay, we need to get this done.
> 
> Please:
> 
> * rename hpijs to printer-driver-hpijs;
> * rename hplip-cups to printer-driver-hpcups;

odyx,

No problems.

> I can provide patches if wanted, but unfortunately, the svn repository
> pointed at by the Vcs-* fields of the package is clearly outdated.

Vcs-Svn: is still good. (debcheckout and friends still work)
Vcs-Browser: was broken by changes at the Debian end and it would be nice if 
they could just symlink the old URL rather than all packages in the archive 
having to update.

Mark




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Moritz Mühlenhoff
On Fri, Nov 25, 2011 at 02:04:44PM +0100, Didier Raboud wrote:
> On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > > 
> > > 2. Insecure tempfile handling:
> > > https://bugzilla.novell.com/show_bug.cgi?id=704608
> > > https://bugs.launchpad.net/hplip/+bug/809904
> > > This is CVE-2011-2722
> > 
> > This seems to be fixed in 3.11.10, hence again, only stable is affected.
> 
> The attached dpatch against the version currently in stable does fix that bug.
> 
> As for oldstable, I couldn't find any occurrence of this bug in the source
> code.

CVE-2011-2722 itself doesn't warrant a DSA. Could the hplip maintainers
please fix this through a point update?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Moritz




-- 
To UNSUBSCRIBE, email to debian-printing-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2025173819.GB3587@pisco.westfalen.local



Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Moritz Mühlenhoff
On Fri, Nov 25, 2011 at 12:22:24PM +0100, Didier Raboud wrote:
> On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > found 635549 3.10.6-2
> > notfound 635549 3.11.10
> > thanks
> > 
> > Hi Moritz,
> > 
> > On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > > Two security issues have been reported in hplip:
> > > 
> > > 1. Shell command injection in foomatic-rip-hplip:
> > > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > > This is CVE-2011-2697
> > 
> > As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> > shipped in hplip-ppds, and only in stable; testing and unstable versions
> > rely on the fixed foomatic-rip from the foomatic-filters package.
> 
> Hmm. Wrong.
> 
> usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a
> symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE
> doesn't affect any version bigger than what is in stable

Confirmed. I've updated the security tracker. However, we still need
to update foomatic-filters to secure Squeeze. Since you're also part
of the maintainer group for foomatic-filters, could you investigate/
prepare fixed packages for these two issues in foomatic-filters?
http://security-tracker.debian.org/tracker/CVE-2011-2697 
http://security-tracker.debian.org/tracker/CVE-2011-2964

A side note for CVE-2011-2697:
There are two implementations of the affected filter: the version from
foomatic-filters 4.0 is written in C and has been assigned CVE-2011-2964, and
the version in foomatic-filters 3.x is written in Perl and has been assigned
CVE-2011-2697.

Cheers,
Moritz











Bug#635549: Stable update of hplip for CVE-2011-2722 (#635549) ?

2011-11-25 Thread Didier Raboud
Dear Release Team,

after taking a closer look at #635549 and an IRC chat with the Security
people, I propose to upload hplip to stable with the following changelog
entry:

hplip (3.10.6-2+squeeze0) stable; urgency=low

  * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
code out. (Closes: #635549)

 -- Didier Raboud   Fri, 25 Nov 2011 14:53:50 +0100

Debdiff and dpatch are attached; please comment.

Cheers,

-- 
OdyX
diff -u hplip-3.10.6/debian/changelog hplip-3.10.6/debian/changelog
--- hplip-3.10.6/debian/changelog
+++ hplip-3.10.6/debian/changelog
@@ -1,3 +1,10 @@
+hplip (3.10.6-2+squeeze0) stable; urgency=low
+
+  * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
+code out. (Closes: #635549)
+
+ -- Didier Raboud   Fri, 25 Nov 2011 14:53:50 +0100
+
 hplip (3.10.6-2) unstable; urgency=high
 
   * SECURITY UPDATE: denial of service and possible arbitrary code
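Review bot: the new changelog entry says only "patching the culprit code out", which does not tell a stable user what behaviour changes. The dpatch in this same debdiff shows the removed code is the SAVE_PCL_FILE debug dump to /tmp/hpcupsfax.out in prnt/hpijs/hpcupsfax.cpp and describes itself as a backport from 3.11.10, so the entry should name the file, state that the debug dump is dropped, and note the upstream origin. As rendered here the trailer line also has no address between the maintainer name and the date; check that the uploaded changelog carries it.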
diff -u hplip-3.10.6/debian/patches/00list hplip-3.10.6/debian/patches/00list
--- hplip-3.10.6/debian/patches/00list
+++ hplip-3.10.6/debian/patches/00list
@@ -22,0 +23 @@
+CVE-2011-2722.dpatch
only in patch2:
unchanged:
--- hplip-3.10.6.orig/debian/patches/CVE-2011-2722.dpatch
+++ hplip-3.10.6/debian/patches/CVE-2011-2722.dpatch
@@ -0,0 +1,51 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2011-2722.dpatch by Didier Raboud 
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix "Insecure tempfile handling" CVE-2011-2722 by backporting from
+## DP: 3.11.10 the removal of the culprit code by upstream.
+#
+# Bug-Debian: http://bugs.debian.org/635549
+# Author: Didier Raboud 
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' hplip-3.10.6~/prnt/hpijs/hpcupsfax.cpp hplip-3.10.6/prnt/hpijs/hpcupsfax.cpp
+--- hplip-3.10.6~/prnt/hpijs/hpcupsfax.cpp	2010-07-19 04:15:17.0 +0200
 hplip-3.10.6/prnt/hpijs/hpcupsfax.cpp	2011-11-25 13:13:29.0 +0100
+@@ -582,7 +582,6 @@
+ int iSize, i;
+ int len;
+ BYTE*pTmp = NULL;
+-FILE*fp = NULL;
+ 
+ iSize = lseek (fromFD, 0, SEEK_END);
+ lseek (fromFD, 0, SEEK_SET);
+@@ -602,28 +601,12 @@
+ }
+ }
+ 
+-fp = NULL;
+-if (iLogLevel & SAVE_PCL_FILE)
+-{
+-fp = fopen ("/tmp/hpcupsfax.out", "w");
+-system ("chmod 666 /tmp/hpcupsfax.out");
+-}
+-
+ while ((len = read (fromFD, pTmp, iSize)) > 0)
+ {
+ write (STDOUT_FILENO, pTmp, len);
+-if (iLogLevel & SAVE_PCL_FILE && fp)
+-{
+-fwrite (pTmp, 1, len, fp);
+-}
+ }
+ free (pTmp);
+ 
+-if (fp)
+-{
+-fclose (fp);
+-}
+-
+ return 0;
+ }
+ 
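Review bot: in the embedded hunk at "@@ -602,28 +601,12 @@", dropping the fopen/chmod block leaves the SAVE_PCL_FILE bit of iLogLevel with no effect in this function, and the "## DP:" description does not say that the PCL debug dump to /tmp/hpcupsfax.out is gone; add a line saying so. The patch touches only prnt/hpijs/hpcupsfax.cpp, so please confirm with a grep over the 3.10.6 tree that no other code tests SAVE_PCL_FILE and writes to a fixed /tmp name. Removal itself looks right for a stable update: the deleted lines open a predictable path with fopen "w" and then widen it with system ("chmod 666 /tmp/hpcupsfax.out"), and nothing in the remaining loop depends on fp.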


CVE-2011-2722.dpatch
Description: application/shellscript




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.22:24, Didier Raboud wrote:
> > On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > > 
> > > 1. Shell command injection in foomatic-rip-hplip:
> > > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > > This is CVE-2011-2697
> > 
> > As far as I can see, the culprit file is foomatic-rip-hplip, which is
> > only shipped in hplip-ppds, and only in stable; testing and unstable
> > versions rely on the fixed foomatic-rip from the foomatic-filters
> > package.

> usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already
> a symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So
> this CVE doesn't affect any version bigger than what is in stable

And foomatic-rip-hplip is not in oldstable either, so it seems CVE-2011-2697 
doesn't affect any currently released hplip.

Cheers,
-- 
OdyX




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > 
> > 2. Insecure tempfile handling:
> > https://bugzilla.novell.com/show_bug.cgi?id=704608
> > https://bugs.launchpad.net/hplip/+bug/809904
> > This is CVE-2011-2722
> 
> This seems to be fixed in 3.11.10, hence again, only stable is affected.

The attached dpatch against the version currently in stable does fix that bug.

As for oldstable, I couldn't find any occurrence of this bug in the source
code.

Cheers,

OdyX


CVE-2011-2722.dpatch
Description: application/shellscript
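
The insecure tempfile pattern behind CVE-2011-2722 (a fixed name under /tmp opened with fopen "w"), next to a mkstemp()-based alternative, as an added example that is not part of this thread or of HPLIP. The names dump_fixed_name, dump_private and run_demo and the scratch paths are hypothetical; the stable fix discussed above removes the dump instead of hardening it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the dpatch removes: a fixed, guessable name opened with "w".
 * fopen() follows symlinks and truncates whatever the name points at. */
static int dump_fixed_name(const char *path, const char *buf, size_t len)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    size_t n = fwrite(buf, 1, len, fp);
    return (fclose(fp) == 0 && n == len) ? 0 : -1;
}

/* Hardened variant: mkstemp() picks an unpredictable name and creates it
 * with O_EXCL and mode 0600, so a pre-planted link is never followed. */
static int dump_private(const char *dir, const char *buf, size_t len,
                        char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/hpcupsfax-XXXXXX", dir);
    if (n < 0 || (size_t)n >= outsz) return -1;
    int fd = mkstemp(out);
    if (fd < 0) return -1;
    ssize_t w = write(fd, buf, len);
    if (close(fd) != 0 || w != (ssize_t)len) { unlink(out); return -1; }
    return 0;
}

/* Constructed scenario in a private scratch directory: "victim" is a file the
 * filter's user may write, "hpcupsfax.out" a symlink planted at the fixed name.
 * Bit 0: fixed-name dump overwrote victim. Bit 1: mkstemp dump left it intact
 * and produced a 0600 file. Returns 0 if the setup itself failed. */
static int run_demo(void)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", victim[64], fixed[64], priv[64] = "";
    struct stat st; int result = 0;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/hpcupsfax.out", dir);
    if (dump_fixed_name(victim, "precious data\n", 14) || symlink(victim, fixed))
        return 0;
    dump_fixed_name(fixed, "PCL", 3);               /* goes through the link */
    if (stat(victim, &st) == 0 && st.st_size == 3) result |= 1;
    dump_fixed_name(victim, "precious data\n", 14); /* restore, then retry */
    if (dump_private(dir, "PCL", 3, priv, sizeof priv) == 0 &&
        stat(victim, &st) == 0 && st.st_size == 14 &&
        stat(priv, &st) == 0 && (st.st_mode & 0777) == 0600)
        result |= 2;
    unlink(priv); unlink(fixed); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("fixed name clobbered victim: %d, mkstemp private: %d\n", r & 1, r >> 1);
    return r == 3 ? 0 : 1;
}
```

The demo keeps everything in its own mkdtemp() directory, so it never touches the real /tmp/hpcupsfax.out; kernels with fs.protected_symlinks enabled additionally refuse to follow another user's link in a sticky world-writable directory.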




Bug#649999: /usr/bin/hp-plugin: hp-plugin generates broken udev files

2011-11-25 Thread Peter De Wachter
Package: hplip

Version: 3.11.10-1
File: /usr/bin/hp-plugin
Severity: important

I have a LaserJet 1018 printer which requires a firmware upload before
functioning. The hp-plugin downloaded this firmware and also installed udev
rules to upload it, but those rules do not work:

Nov 25 13:23:00 wallach udevd[282]: unknown key 'SYSFS{idVendor}' in /etc/udev/rules.d/86-hpmud-hp_laserjet_1018.rules:6
Nov 25 13:23:00 wallach udevd[282]: invalid rule '/etc/udev/rules.d/86-hpmud-hp_laserjet_1018.rules:6'
(and many similar errors for other printer models)

-- Package-specific info:

HP Linux Imaging and Printing System (ver. 3.11.10)
Dependency/Version Check Utility ver. 14.3

Copyright (c) 2001-9 Hewlett-Packard Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

Note: hp-check can be run in three modes:
1. Compile-time check mode (-c or --compile): Use this mode before compiling the HPLIP supplied tarball (.tar.gz or .run) to determine if the proper dependencies are installed to successfully compile HPLIP.
2. Run-time check mode (-r or --run): Use this mode to determine if a distro supplied package (.deb, .rpm, etc) or an already built HPLIP supplied tarball has the proper dependencies installed to successfully run.
3. Both compile- and run-time check mode (-b or --both) (Default): This mode will check both of the above cases (both compile- and run-time dependencies).

Saving output in log file: hp-check.log

Initializing. Please wait...

---
| SYSTEM INFO |
---

Basic system information:
Linux wallach 3.1.0-1-amd64 #1 SMP Mon Nov 14 08:02:25 UTC 2011 x86_64 GNU/Linux

Distribution:
debian unstable

Checking Python version...
OK, version 2.7.2 installed

Checking PyQt 4.x version...
error: NOT FOUND OR FAILED TO LOAD!

Checking for CUPS...
Status: scheduler is running
Version: 1.5.0
error_log is set to level: warn

Checking for dbus/python-dbus...
dbus daemon is running.
python-dbus version: 0.84.0



| RUNTIME DEPENDENCIES |



Checking for dependency: CUPS - Common Unix Printing System...
OK, found.

Checking for dependency: GhostScript - PostScript and PDF language interpreter 
and previewer...
OK, found.

Checking for dependency: PIL - Python Imaging Library (required for commandline 
scanning with hp-scan)...
OK, found.

Checking for dependency: PolicyKit - Administrative policy framework...
OK, found.

Checking for dependency: PyQt 4 DBus - DBus Support for PyQt4...
error: NOT FOUND! This is a REQUIRED/RUNTIME ONLY dependency. Please make sure 
that this dependency is installed before installing or running HPLIP.

Checking for dependency: Python DBus - Python bindings for DBus...
OK, found.

Checking for dependency: Python libnotify - Python bindings for the libnotify 
Desktop notifications...
OK, found.

Checking for dependency: Python XML libraries...
OK, found.

Checking for dependency: Python 2.3 or greater - Required for fax 
functionality...
OK, found.

Checking for dependency: Reportlab - PDF library for Python...
warning: NOT FOUND! This is an OPTIONAL/RUNTIME ONLY dependency. Some HPLIP 
functionality may not function properly.

Checking for dependency: SANE - Scanning library...
OK, found.

Checking for dependency: scanimage - Shell scanning program...
OK, found.

Checking for dependency: xsane - Graphical scanner frontend for SANE...
OK, found.


--
| HPLIP INSTALLATION |
--


Currently installed HPLIP version...
HPLIP 3.11.10 currently installed in '/usr/share/hplip'.

Current contents of '/etc/hp/hplip.conf' file:
# hplip.conf.  Generated from hplip.conf.in by configure.

[hplip]
version=3.11.10

[dirs]
home=/usr/share/hplip
run=/var/run
ppd=/usr/share/ppd/hplip/HP
ppdbase=/usr/share/ppd/hplip
doc=/usr/share/doc/hplip-doc/HTML
icon=no
cupsbackend=/usr/lib/cups/backend
cupsfilter=/usr/lib/cups/filter
drv=/usr/share/cups/drv

# Following values are determined at configure time and cannot be changed.
[configure]
network-build=yes
pp-build=yes
gui-build=yes
scanner-build=yes
fax-build=yes
dbus-build=yes
cups11-build=no
doc-build=yes
shadow-build=no
hpijs-install=yes
foomatic-drv-install=yes
foomatic-ppd-install=yes
foomatic-rip-hplip-install=no
hpcups-install=yes
cups-drv-install=yes
cups-ppd-install=no
internal-tag=3.11.10
restricted-build=no
ui-toolkit=qt4
qt3=no
qt4=yes
policy-kit=yes
hpijs-only-build=no
lite-build=no
udev-acl-rules=yes
hpcups-only-build=no
hpijs-only-build=no


Current contents of '/var/lib/hp/hplip.state' file:
[plugin]
installed = 1
eula = 1



Current contents of '~/.

Bug#635549: marked as done (Two security issues)

2011-11-25 Thread Debian Bug Tracking System
Your message dated Fri, 25 Nov 2011 13:23:10 +0100
with message-id <20251323.19384.o...@debian.org>
and subject line Re: #635549: Two hplip security issues
has caused the Debian Bug report #635549,
regarding Two security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
635549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635549
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hplip
Severity: grave
Tags: security

Two security issues have been reported in hplip:

1. Shell command injection in foomatic-rip-hplip: 
https://bugzilla.novell.com/show_bug.cgi?id=698451
This is CVE-2011-2697

2. Insecure tempfile handling:
https://bugzilla.novell.com/show_bug.cgi?id=704608
https://bugs.launchpad.net/hplip/+bug/809904
This is CVE-2011-2722

This should be fixed in a DSA, could you prepare updated
packages?

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


--- End Message ---
--- Begin Message ---
Version: 3.11.10-1

On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> shipped in hplip-ppds, and only in stable; testing and unstable versions
> rely on the fixed foomatic-rip from the foomatic-filters package.
(…)
> This seems to be fixed in 3.11.10, hence again, only stable is affected.

Meh. So it's "-done" in the version currently in testing.
-- 
OdyX


--- End Message ---


Processed: found 635549 in 3.10.6-2

2011-11-25 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> found 635549 3.10.6-2
Bug #635549 [hplip] Two security issues
Bug Marked as found in versions hplip/3.10.6-2.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
635549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635549
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> found 635549 3.10.6-2
> notfound 635549 3.11.10
> thanks
> 
> Hi Moritz,
> 
> On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > Two security issues have been reported in hplip:
> > 
> > 1. Shell command injection in foomatic-rip-hplip:
> > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > This is CVE-2011-2697
> 
> As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> shipped in hplip-ppds, and only in stable; testing and unstable versions
> rely on the fixed foomatic-rip from the foomatic-filters package.

Hmm. Wrong.

usr/lib/cups/filter/foomatic-rip-hplip (supposedly culprit file) is already a 
symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE 
doesn't affect any version bigger than what is in stable

-- 
OdyX




Bug#635549: #635549: Two hplip security issues

2011-11-25 Thread Didier Raboud
found 635549 3.10.6-2
notfound 635549 3.11.10
thanks

Hi Moritz,

On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> 
> Two security issues have been reported in hplip:
> 
> 1. Shell command injection in foomatic-rip-hplip:
> https://bugzilla.novell.com/show_bug.cgi?id=698451
> This is CVE-2011-2697

As far as I can see, the culprit file is foomatic-rip-hplip, which is only 
shipped in hplip-ppds, and only in stable; testing and unstable versions rely 
on the fixed foomatic-rip from the foomatic-filters package.

> 2. Insecure tempfile handling:
> https://bugzilla.novell.com/show_bug.cgi?id=704608
> https://bugs.launchpad.net/hplip/+bug/809904
> This is CVE-2011-2722

This seems to be fixed in 3.11.10, hence again, only stable is affected.

> This should be fixed in a DSA, could you prepare updated
> packages?

I will try to, but would be happier if the HPLIP team could do this security 
upload themselves (4 months without a single response; meh).

Cheers,

--
OdyX




Bug#649991: Please rename the hplip packages to the printer-driver- convention

2011-11-25 Thread Didier Raboud
Source: hplip
Version: 3.11.10-1
Severity: important

On Friday, 4 November 2011 13.26:15, Didier Raboud wrote:
> Till Kamppeter wrote:
> > The PostScript printer PPDs are also a driver package, for the
> > PostScript printers. Therefore the PPDs must get into a
> > printer-driver-... package, too.
> 
> Same reasoning as for gutenprint. printer-driver-* for "the driver that
> works with cups", others would stay untouched (and kept out of the
> "default" printing stack installed).

Okay, we need to get this done.

Please:

* rename hpijs to printer-driver-hpijs;
* rename hplip-cups to printer-driver-hpcups;

I can provide patches if wanted, but unfortunately, the svn repository pointed 
at by the Vcs-* fields of the package is clearly outdated.

Cheers,

-- 
OdyX

