Your message dated Thu, 25 Oct 2007 19:17:04 +0000 with message-id <E1Il8CW-0004Y3-9R@ries.debian.org> and subject line Bug#447341: fixed in hplip 1.6.10-4.2+lenny1 has caused the attached Bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2007-5208 arbitrary command execution via unfiltered from address
- From: Nico Golde <nion@debian.org>
- Date: Sat, 20 Oct 2007 11:58:37 +0200
- Message-id: <[🔎] 20071020095837.GA13877@ngolde.de>
Package: hplip Version: 1.6.10-3 Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for hplip. CVE-2007-5208[0]: | hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) | 1.x and 2.x before 2.7.10 allows context-dependent attackers to | execute arbitrary commands via shell metacharacters in a from address, | which is not properly handled when invoking sendmail. If you fix this vulnerability please also include the CVE id in your changelog entry. You can find a patch on: http://launchpadlibrarian.net/9737865/90_subprocess_replacement.dpatch For further information: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208 Kind regards Nico -- Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.Attachment: pgpeFRZCSvZv0.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 447341-close@bugs.debian.org
- Subject: Bug#447341: fixed in hplip 1.6.10-4.2+lenny1
- From: Nico Golde <nion@debian.org>
- Date: Thu, 25 Oct 2007 19:17:04 +0000
- Message-id: <E1Il8CW-0004Y3-9R@ries.debian.org>
Source: hplip Source-Version: 1.6.10-4.2+lenny1 We believe that the bug you reported is fixed in the latest version of hplip, which is due to be installed in the Debian FTP archive: hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb to pool/main/h/hplip/hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb to pool/main/h/hplip/hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb hplip-data_1.6.10-4.2+lenny1_all.deb to pool/main/h/hplip/hplip-data_1.6.10-4.2+lenny1_all.deb hplip-dbg_1.6.10-4.2+lenny1_i386.deb to pool/main/h/hplip/hplip-dbg_1.6.10-4.2+lenny1_i386.deb hplip-doc_1.6.10-4.2+lenny1_all.deb to pool/main/h/hplip/hplip-doc_1.6.10-4.2+lenny1_all.deb hplip_1.6.10-4.2+lenny1.diff.gz to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1.diff.gz hplip_1.6.10-4.2+lenny1.dsc to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1.dsc hplip_1.6.10-4.2+lenny1_i386.deb to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 447341@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Nico Golde <nion@debian.org> (supplier of updated hplip package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Mon, 22 Oct 2007 10:31:55 +0200 Source: hplip Binary: hpijs hplip-data hpijs-ppds hplip hplip-doc hplip-dbg Architecture: source all i386 Version: 1.6.10-4.2+lenny1 Distribution: testing-security Urgency: high Maintainer: Henrique de Moraes Holschuh <hmh@debian.org> Changed-By: Nico Golde <nion@debian.org> Description: hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs) hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files hplip - HP Linux Printing and Imaging System (HPLIP) hplip-data - HP Linux Printing and Imaging - data files hplip-dbg - HP Linux Printing and Imaging - debugging information hplip-doc - HP Linux Printing and Imaging - documentation Closes: 447341 Changes: hplip (1.6.10-4.2+lenny1) testing-security; urgency=high . * Non-maintainer upload by testing security team. * Included CVE-2007-5208.dpatch to fix arbitrary command execution in hpssd via crafted from address because of missing sanitization (CVE-2007-5208) (Closes: #447341). Files: 96b66cfec0be1cd061bc03f47da0862f 901 utils optional hplip_1.6.10-4.2+lenny1.dsc 01519018343978776fe4acfbdb7cb6df 10561620 utils optional hplip_1.6.10.orig.tar.gz 4a5ebc1dcba8eb3db1439af713b17571 251716 utils optional hplip_1.6.10-4.2+lenny1.diff.gz aeac225ba4b17f030dd5d03cf1e2a892 1759584 utils optional hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb 0d068c678b8735d51ecdcb89a6198ccf 6294014 utils optional hplip-data_1.6.10-4.2+lenny1_all.deb 0bf977ecd2e7d7205060c1a7dcee629d 1617880 doc optional hplip-doc_1.6.10-4.2+lenny1_all.deb 774656e689b1ae916bf8a95effbc1ff6 345310 text optional hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb 8a7bac4f58cc2517d84c26faab97c29b 568794 utils optional hplip_1.6.10-4.2+lenny1_i386.deb 37d107e3515900d52ce981bc6e5e6200 821722 utils extra hplip-dbg_1.6.10-4.2+lenny1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHIHyNHYflSXNkfP8RAr9fAJ9sjeonLJI4TvZnWUrHbNzEEwnYpgCgpQGE XrIDdX3JiboV8Hf7iNPO1nI= =/z43 -----END PGP SIGNATURE-----
--- End Message ---