Your message dated Tue, 23 Oct 2007 15:03:35 +0000 with message-id <E1IkLI7-0006WS-LH@ries.debian.org> and subject line Bug#447341: fixed in hplip 1.6.10-4.3 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2007-5208 arbitrary command execution via unfiltered from address
- From: Nico Golde <nion@debian.org>
- Date: Sat, 20 Oct 2007 11:58:37 +0200
- Message-id: <[🔎] 20071020095837.GA13877@ngolde.de>
Package: hplip Version: 1.6.10-3 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for hplip. CVE-2007-5208[0]: | hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) | 1.x and 2.x before 2.7.10 allows context-dependent attackers to | execute arbitrary commands via shell metacharacters in a from address, | which is not properly handled when invoking sendmail. If you fix this vulnerability please also include the CVE id in your changelog entry. You can find a patch on: http://launchpadlibrarian.net/9737865/90_subprocess_replacement.dpatch For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208 Kind regards Nico -- Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.Attachment: pgpgHv70GgItZ.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 447341-close@bugs.debian.org
- Subject: Bug#447341: fixed in hplip 1.6.10-4.3
- From: Nico Golde <nion@debian.org>
- Date: Tue, 23 Oct 2007 15:03:35 +0000
- Message-id: <E1IkLI7-0006WS-LH@ries.debian.org>
Source: hplip Source-Version: 1.6.10-4.3 We believe that the bug you reported is fixed in the latest version of hplip, which is due to be installed in the Debian FTP archive: hpijs-ppds_2.6.10+1.6.10-4.3_all.deb to pool/main/h/hplip/hpijs-ppds_2.6.10+1.6.10-4.3_all.deb hpijs_2.6.10+1.6.10-4.3_i386.deb to pool/main/h/hplip/hpijs_2.6.10+1.6.10-4.3_i386.deb hplip-data_1.6.10-4.3_all.deb to pool/main/h/hplip/hplip-data_1.6.10-4.3_all.deb hplip-dbg_1.6.10-4.3_i386.deb to pool/main/h/hplip/hplip-dbg_1.6.10-4.3_i386.deb hplip-doc_1.6.10-4.3_all.deb to pool/main/h/hplip/hplip-doc_1.6.10-4.3_all.deb hplip_1.6.10-4.3.diff.gz to pool/main/h/hplip/hplip_1.6.10-4.3.diff.gz hplip_1.6.10-4.3.dsc to pool/main/h/hplip/hplip_1.6.10-4.3.dsc hplip_1.6.10-4.3_i386.deb to pool/main/h/hplip/hplip_1.6.10-4.3_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 447341@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Nico Golde <nion@debian.org> (supplier of updated hplip package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Mon, 22 Oct 2007 10:31:55 +0200 Source: hplip Binary: hpijs hplip-data hpijs-ppds hplip hplip-doc hplip-dbg Architecture: source all i386 Version: 1.6.10-4.3 Distribution: unstable Urgency: high Maintainer: Henrique de Moraes Holschuh <hmh@debian.org> Changed-By: Nico Golde <nion@debian.org> Description: hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs) hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files hplip - HP Linux Printing and Imaging System (HPLIP) hplip-data - HP Linux Printing and Imaging - data files hplip-dbg - HP Linux Printing and Imaging - debugging information hplip-doc - HP Linux Printing and Imaging - documentation Closes: 447341 Changes: hplip (1.6.10-4.3) unstable; urgency=high . * Non-maintainer upload by testing security team. * Included CVE-2007-5208.dpatch to fix arbitrary command execution in hpssd via crafted from address because of missing sanitization (CVE-2007-5208) (Closes: #447341). Files: 094ed210c3e1374d2c9e068c641a00ee 887 utils optional hplip_1.6.10-4.3.dsc b2651411d5f37b2bd99337546990dd1e 257667 utils optional hplip_1.6.10-4.3.diff.gz f40a568a2e2f3c7a1654d0474261d78a 1770786 utils optional hpijs-ppds_2.6.10+1.6.10-4.3_all.deb c11cd71b7be641a405a5e7ca4995f5bc 6293596 utils optional hplip-data_1.6.10-4.3_all.deb 2a3dbd90fdf501de5dcd0811bc8329cd 1620382 doc optional hplip-doc_1.6.10-4.3_all.deb ad73bce3e5307892ea791e6210a953a2 345666 text optional hpijs_2.6.10+1.6.10-4.3_i386.deb 183ce57f0381efe640450d0283e8a5c0 567272 utils optional hplip_1.6.10-4.3_i386.deb cfe0d661472fb502b0e2539c054e47c3 820162 utils extra hplip-dbg_1.6.10-4.3_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHHgdeHYflSXNkfP8RAmDiAKCREhxx6FS741kRH5JJBWnJLz3rcwCfSiwv NL4m5BK9IPeHTjTNZ90rQd0= =6B1e -----END PGP SIGNATURE-----
--- End Message ---