Bug#849467: jessie-pu: package hplip/3.14.6-1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie; it's a no-DSA issue, and
security team members suggested getting it fixed through stable updates.

This bug is a simple 'fetching a gpg key from keyservers with a short
keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
	OdyX
diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog
--- hplip-3.14.6/debian/changelog	2014-06-15 09:24:19.000000000 +0200
+++ hplip-3.14.6/debian/changelog	2016-12-27 09:13:54.000000000 +0100
@@ -1,3 +1,11 @@
+hplip (3.14.6-1+deb8u1) stable; urgency=medium
+
+  * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key
+    fingerprint when fetching key from keyservers
+    (Closes: #787353, LP: #1432516)
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 27 Dec 2016 09:13:54 +0100
+
 hplip (3.14.6-1) unstable; urgency=low
 
   * New upstream release
diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
--- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch	1970-01-01 01:00:00.000000000 +0100
+++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch	2016-12-27 09:10:11.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Use the full key fingerprint, to fix insecure binary driver verification
+Bug-CVE: CVE-2015-0839
+Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516
+Bug-Debian: https://bugs.debian.org/787353
+Origin: vendor
+Last-Update: 2015-07-15
+
+--- a/base/validation.py
++++ b/base/validation.py
+@@ -40,8 +40,7 @@
+ 
+ 
+ class GPG_Verification(DigiSign_Verification):
+-
+-    def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++    def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9):
+         self.__pgp_site = pgp_site
+         self.__key = key
+         self.__gpg = utils.which('gpg',True)
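Review bot: the DEP-3 header `Origin: vendor` contradicts the changelog, which describes this as a backport of upstream's 3.15.7 fix; use `Origin: backport, <upstream commit URL>` (or `Origin: upstream`) and add an `Author:` field so the provenance of the change is traceable from the patch itself. The new default `0x4ABA2F66DBD5A95894910E0673D770CDA59047B9` does end in the old short ID `A59047B9`, so it names the same key; but the hunk only changes the default, and `self.__key` stays an int, so check that the code that formats it for `gpg --recv-keys` (not shown in this hunk) emits all 40 hex digits rather than a `%08x`-style or otherwise truncated rendering, or the lookup silently remains a short-ID lookup. Whether gpg then compares the imported key's fingerprint against the requested one depends on the gpg version shipped in jessie; if validation.py does not verify the fingerprint of the key it just imported, that check is worth adding next to this change. The removed blank line on the `-` side is an unrelated whitespace change that widens the diff; leave it in place. Note also that `pgp_site = 'pgp.mit.edu'` is unchanged, so the transport to the keyserver is as trusted as before; the full fingerprint only narrows which key is asked for.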
diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series
--- hplip-3.14.6/debian/patches/series	2014-04-04 17:05:13.000000000 +0200
+++ hplip-3.14.6/debian/patches/series	2016-12-27 09:04:13.000000000 +0100
@@ -18,3 +18,4 @@
 #hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 musb-c-do-not-crash-on-usb-failure.patch
+cve-2015-0839-insecure-binary-driver-verification.patch
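The message above explains the bug only as "short keyid versus full fingerprint". The following added example (written for this page, not hplip's own code, and not the patched validation.py) shows in Python why that distinction matters and what a hardened lookup should do: refuse anything shorter than a 160-bit fingerprint, keep all 40 hex digits when the fingerprint is stored as an int (as hplip's default is), and after the fetch compare the imported key's fingerprint with the pinned one. The keyserver URL, the two `--with-colons` listings and the "colliding" fingerprint are constructed for the example; only the pinned fingerprint comes from the patch.

```python
import re

# Fingerprint pinned by the patch above (the new 0x... default in base/validation.py).
HPLIP_FINGERPRINT = "4ABA2F66DBD5A95894910E0673D770CDA59047B9"

_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(key):
    """Return the key as 40 upper-case hex digits, or raise if it is not a full v4 fingerprint.

    Accepts an int (as hplip stores its default) or a str with optional 0x prefix or spaces.
    A 32- or 64-bit key ID is rejected: it is just the tail of the fingerprint and a
    key with the same tail is cheap to generate.
    """
    if isinstance(key, int):
        if key.bit_length() <= 64:
            raise ValueError("0x%X is a key ID, not a fingerprint" % key)
        # %040X keeps a leading zero nibble that plain %X would drop.
        s = "%040X" % key
    else:
        s = str(key).upper().replace(" ", "")
        if s.startswith("0X"):
            s = s[2:]
    if not _FPR_RE.match(s):
        raise ValueError("not a 160-bit fingerprint: %r" % (key,))
    return s


def short_keyid(key):
    """Low 32 bits of the fingerprint: what the old default 0xA59047B9 was."""
    return normalize_fingerprint(key)[-8:]


def long_keyid(key):
    """Low 64 bits of the fingerprint, as shown in gpg's pub: records."""
    return normalize_fingerprint(key)[-16:]


def recv_key_command(key, keyserver="hkps://keyserver.ubuntu.com"):
    """gpg invocation that fetches by full fingerprint (the keyserver URL is an assumption)."""
    return ["gpg", "--batch", "--keyserver", keyserver, "--recv-keys", normalize_fingerprint(key)]


def primary_fingerprints(colons_output):
    """Primary-key fingerprints from `gpg --with-colons --fingerprint` output.

    In that format the fpr: record immediately follows the pub: record it belongs to;
    fpr: records following sub: records are subkey fingerprints and are skipped.
    """
    found, prev = [], None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and prev == "pub":
            found.append(fields[9].upper())
        prev = fields[0]
    return found


def key_matches_pin(colons_output, pinned):
    """After --recv-keys, confirm the key that was actually imported is the pinned one."""
    return normalize_fingerprint(pinned) in primary_fingerprints(colons_output)


# Constructed listings in --with-colons format (not real gpg output for any real key).
GENUINE_LISTING = """\
pub:-:4096:1:73D770CDA59047B9:1400000000:::-:::scESC::::::23::0:
fpr:::::::::4ABA2F66DBD5A95894910E0673D770CDA59047B9:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example signer <signer@example.org>::::::::::0:
"""

# Hypothetical key whose fingerprint shares only its last 32 bits with the pinned one.
COLLIDING_FINGERPRINT = "DEADBEEFDEADBEEFDEADBEEFDEADBEEFA59047B9"
COLLIDING_LISTING = """\
pub:-:2048:1:DEADBEEFA59047B9:1400000000:::-:::scESC::::::23::0:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEFDEADBEEFA59047B9:
uid:-::::1400000000::0000000000000000000000000000000000000000::Impostor <attacker@example.org>::::::::::0:
"""


if __name__ == "__main__":
    # Both keys answer a lookup on the short ID A59047B9 ...
    assert short_keyid(HPLIP_FINGERPRINT) == short_keyid(COLLIDING_FINGERPRINT) == "A59047B9"
    # ... but only the genuine one passes the fingerprint pin.
    print(recv_key_command(HPLIP_FINGERPRINT))
    print("genuine:", key_matches_pin(GENUINE_LISTING, HPLIP_FINGERPRINT))
    print("colliding:", key_matches_pin(COLLIDING_LISTING, HPLIP_FINGERPRINT))
```

The int branch is the part that matters for a patch like the one above: the fingerprint is stored as a number, so whatever formats it for gpg has to produce all 40 digits, and a bare 32- or 64-bit value must be refused rather than zero-padded into a fingerprint that no key has.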
