
Bug#731480: hplip: CVE-2013-6427: insecure (undocumented) auto update feature



Package: hplip
Version: 3.13.11-1
Followup-For: Bug #731480
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch



-- Package-specific info:


*** /tmp/tmp2P2w3P/bug_body

In Ubuntu, the attached patch was applied to achieve the following:

  * debian/non-shipped-files.txt, debian/hplip.install: don't ship
    hp-upgrade and upgrade.py, as we want to use proper packaging, and want
    to prevent security issues.
    - CVE-2013-6427

Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers saucy-updates
  APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru hplip-3.13.11/debian/changelog hplip-3.13.11/debian/changelog
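
Review bot: the debian/changelog diff header above has no hunk under it, so the changelog entry quoted in the message body, including its CVE-2013-6427 reference, is not part of the patch as posted. Please include the changelog hunk so the rationale travels with the packaging change.
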
diff -Nru hplip-3.13.11/debian/hplip.install hplip-3.13.11/debian/hplip.install
--- hplip-3.13.11/debian/hplip.install	2013-12-09 13:56:43.000000000 -0500
+++ hplip-3.13.11/debian/hplip.install	2013-12-12 14:52:12.000000000 -0500
@@ -22,7 +22,6 @@
 usr/bin/hp-testpage
 usr/bin/hp-timedate
 usr/bin/hp-unload
-usr/bin/hp-upgrade
 usr/sbin/hpssd
 usr/lib/cups/backend
 usr/lib/cups/filter/pstotiff
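
Review bot: the removed line usr/bin/hp-upgrade is the only change to hplip.install, yet the changelog entry says upgrade.py is dropped as well. Nothing in this hunk shows how usr/share/hplip/upgrade.py is kept out of the binary package; if usr/share/hplip is installed by a directory or wildcard entry elsewhere in this file, the script would still ship. Please confirm the exclusion mechanism or add an explicit removal.
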
diff -Nru hplip-3.13.11/debian/non-shipped-files.txt hplip-3.13.11/debian/non-shipped-files.txt
--- hplip-3.13.11/debian/non-shipped-files.txt	2013-09-12 07:03:24.000000000 -0400
+++ hplip-3.13.11/debian/non-shipped-files.txt	2013-12-12 14:42:27.000000000 -0500
@@ -1,6 +1,7 @@
 etc/sane.d/dll.conf
 usr/share/hplip/check
 usr/share/hplip/install.py
+usr/share/hplip/upgrade.py
 usr/share/doc/hplip/README_LIBJPG
 usr/share/doc/hplip/hpijs_readme.html
 usr/share/doc/hplip/gs_hpijs.png
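
Review bot: with usr/share/hplip/upgrade.py added to the non-shipped list next to install.py, the patch still changes only files under debian/, so any shipped tool that offers or invokes the upgrade would be left pointing at a missing script. Please check the remaining hp-* tools for references to hp-upgrade or upgrade.py and disable those code paths in the same upload.
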
@@ -16,4 +17,5 @@
 usr/lib/libhpip.la
 usr/lib/systemd/system/hplip-printer@.service
 usr/bin/hp-uninstall
+usr/bin/hp-upgrade
 usr/share/ppd/hplip/HP/hp-color_inkjet_cp1700-hpijs.ppd.gz
