
Bug#725876: marked as done (hplip: CVE-2013-6402: insecure temporary files handling in pkit.py)



Your message dated Tue, 14 Jan 2014 12:19:09 +0000
with message-id <E1W32xZ-0004vm-5r@franck.debian.org>
and subject line Bug#725876: fixed in hplip 3.13.11-2.1
has caused the Debian Bug report #725876,
regarding hplip: CVE-2013-6402: insecure temporary files handling in pkit.py
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
725876: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725876
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: hplip
Version: 3.12.6-3
Tags: security

(Please adjust severity as necessary)

Hi,

pkit.py seems to create a log file at /tmp/hp-pkservice.log and I
believe it is done as root, making it a nice vector for a symlink
attack. I only took a quick look at it, so I might be missing
something.
Could you please confirm the report?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--- End Message ---
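
The symlink risk raised in the report above, as an added example (not hplip's pkit.py and not the Debian CVE-2013-6402.patch): a fixed-name log opened with default flags follows a pre-planted symlink, while an open with O_NOFOLLOW plus fstat checks refuses it. The function names and the file names inside the private temp directory are constructed for illustration.

```python
import errno
import os
import stat
import tempfile

def open_log_naive(path):
    # Pattern described in the report: fixed name in a shared directory,
    # opened with default flags, so a pre-planted symlink is followed.
    return open(path, "a")

def open_log_hardened(path):
    # O_NOFOLLOW makes open() fail (ELOOP) if the final component is a symlink.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Reject non-regular files, files owned by someone else, and hard links.
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
                or st.st_nlink != 1):
            raise PermissionError(errno.EPERM, "refusing unsafe log file", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    # Constructed scenario in a private temp dir; no real /tmp path is touched.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "protected.conf")  # stands in for a root-owned file
        log = os.path.join(d, "service.log")        # stands in for the fixed log path
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, log)                     # link planted before the service runs

        with open_log_naive(log) as f:
            f.write("log line\n")
        with open(target) as f:
            naive_clobbered = f.read() != "original\n"

        try:
            open_log_hardened(log).close()
            hardened_refused = False
        except OSError:
            hardened_refused = True
        return naive_clobbered, hardened_refused

if __name__ == "__main__":
    print(demo())
```

Writing privileged logs to a directory that only the service user can write to removes the precondition entirely, since no other user can plant the link.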
--- Begin Message ---
Source: hplip
Source-Version: 3.13.11-2.1

We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725876@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated hplip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 Jan 2014 10:59:12 +0100
Source: hplip
Binary: hplip hplip-data printer-driver-postscript-hp hplip-gui hplip-dbg hplip-doc hpijs-ppds printer-driver-hpijs printer-driver-hpcups libhpmud0 libhpmud-dev libsane-hpaio
Architecture: source all amd64
Version: 3.13.11-2.1
Distribution: unstable
Urgency: medium
Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
 hplip      - HP Linux Printing and Imaging System (HPLIP)
 hplip-data - HP Linux Printing and Imaging - data files
 hplip-dbg  - HP Linux Printing and Imaging - debugging information
 hplip-doc  - HP Linux Printing and Imaging - documentation
 hplip-gui  - HP Linux Printing and Imaging - GUI utilities (Qt-based)
 libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries
 libhpmud0  - HP Multi-Point Transport Driver (hpmud) run-time libraries
 libsane-hpaio - HP SANE backend for multi-function peripherals
 printer-driver-hpcups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
 printer-driver-hpijs - HP Linux Printing and Imaging - printer driver (hpijs)
 printer-driver-postscript-hp - HP Printers PostScript Descriptions
Closes: 725876
Changes: 
 hplip (3.13.11-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2013-6402.patch patch.
     CVE-2013-6402: Fix insecure temporary files handling in pkit.py.
     (Closes: #725876)
   * Add missing dh_bugfiles invocation in binary-indep target

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
