Bug#1110407: hplip: CVE-2025-43023
On Mon, Aug 04, 2025 at 09:43:36PM +0200, Salvatore Bonaccorso wrote:
> Source: hplip
> Version: 3.22.10+dfsg0-8.1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for hplip.
>
> CVE-2025-43023[0]:
> | A potential security vulnerability has been identified in the HP
> | Linux Imaging and Printing Software documentation. This potential
> | vulnerability is due to the use of a weak code signing key, Digital
> | Signature Algorithm (DSA).
>
> There is not much information at this time, the upstream advisory [1]
> might indicate it is fixed in 3.25.2.
>...
This might not even be a vulnerability in the software.
https://developers.hp.com/hp-linux-imaging-and-printing/hplipDigitalCertificate.html
HPLIP Version: 3.25.2 and above
HPLIP has implemented a process so you (the user) can optionally verify
that the package you are downloading is, indeed, provided by the HP
Linux Imaging and Printing project and has valid contents. The process
to verify the package is simple and takes only a few moments. The steps
are provided in detail below.
...
gpg --import hplip-publickey.asc
...
gpg --verify hplip-version.run.asc hplip-<version>.run
https://sourceforge.net/projects/hplip/files/hplip/3.24.4/
$ gpg --verify hplip-3.24.4.run.asc
gpg: assuming signed data in 'hplip-3.24.4.run'
gpg: Signature made Wed 22 May 2024 07:42:57 EEST
gpg: using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" [unknown]
https://sourceforge.net/projects/hplip/files/hplip/3.25.2/
$ gpg --verify hplip-3.25.2.run.asc
gpg: assuming signed data in 'hplip-3.25.2.run'
gpg: Signature made Thu 10 Jul 2025 13:12:30 EEST
gpg: using RSA key 5E4E4D24A34ECD57
gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" [unknown]
> Regards,
> Salvatore
cu
Adrian
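A shell check, added here as an example (not from the bug report, hplip or HP), that verifies a downloaded .run package through gpg's machine-readable status output and refuses a signature made with a DSA key, the weak-key condition the advisory describes. The embedded status lines are constructed from the two releases quoted above; the thread shows only the short RSA key id, so the RSA fingerprint in the sample is a placeholder.

```sh
#!/bin/sh
# Added example (not from the bug report, hplip or HP): verify an hplip .run
# package with gpg's machine-readable status output and refuse a signature
# made with a DSA key, the weak-key condition behind CVE-2025-43023.
# Assumes hplip-publickey.asc has already been imported into the keyring.

# Map OpenPGP public-key algorithm ids (RFC 4880 section 9.1) to names.
algo_name() {
    case "$1" in
        1|2|3) echo RSA ;;
        17)    echo DSA ;;
        19)    echo ECDSA ;;
        22)    echo EdDSA ;;
        *)     echo "unknown($1)" ;;
    esac
}

# check_status STATUS_TEXT: parse "[GNUPG:] VALIDSIG ..." lines, print
# "<algo> <fingerprint>", return 0 only for a valid non-DSA signature.
check_status() {
    line=$(printf '%s\n' "$1" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || { echo "no valid signature found" >&2; return 2; }
    # Word-split the status line on purpose. Fields after VALIDSIG are:
    # fpr date timestamp expire sig-version reserved pubkey-algo hash-algo ...
    set -- $line
    fpr=$3
    algo=$(algo_name "$9")
    echo "$algo $fpr"
    case "$algo" in
        DSA) echo "rejected: package signed with a DSA key" >&2; return 1 ;;
        RSA|ECDSA|EdDSA) return 0 ;;
        *) echo "rejected: unrecognised key algorithm" >&2; return 1 ;;
    esac
}

# verify_run FILE.run FILE.run.asc -- real use; needs gpg and the imported key.
verify_run() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status "$status"
}

# Constructed status lines modelled on the two releases quoted in the thread
# (timestamps are made up; the thread shows only the short RSA key id, so
# its fingerprint below is a placeholder).
DSA_SAMPLE='[GNUPG:] GOODSIG 73D770CDA59047B9 HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>
[GNUPG:] VALIDSIG 4ABA2F66DBD5A95894910E0673D770CDA59047B9 2024-05-22 1716352977 0 4 0 17 2 00 4ABA2F66DBD5A95894910E0673D770CDA59047B9'
RSA_SAMPLE='[GNUPG:] GOODSIG 5E4E4D24A34ECD57 HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>
[GNUPG:] VALIDSIG PLACEHOLDERFPR__________5E4E4D24A34ECD57 2025-07-10 1752142350 0 4 0 1 8 00 PLACEHOLDERFPR__________5E4E4D24A34ECD57'
```

In real use call `verify_run hplip-3.25.2.run hplip-3.25.2.run.asc` after importing the key; the exit status tells you whether the signature is good and made with an acceptable algorithm.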