
Bug#1110407: marked as done (hplip: CVE-2025-43023)



Your message dated Wed, 6 Aug 2025 15:47:29 +0200
with message-id <aJNc8VoDmd6cl1XP@eldamar.lan>
and subject line Re: Bug#1110407: hplip: CVE-2025-43023
has caused the Debian Bug report #1110407,
regarding hplip: CVE-2025-43023
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110407: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110407
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: hplip
Version: 3.22.10+dfsg0-8.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for hplip.

CVE-2025-43023[0]:
| A potential security vulnerability has been identified in the HP
| Linux Imaging and Printing Software documentation. This potential
| vulnerability is due to the use of a weak code signing key, Digital
| Signature Algorithm (DSA).

There is not much information at this time, the upstream advisory [1]
might indicate it is fixed in 3.25.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-43023
    https://www.cve.org/CVERecord?id=CVE-2025-43023
[1] https://support.hp.com/us-en/document/ish_12804224-12804228-16/hpsbpi04033

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Hi Adrian,

On Wed, Aug 06, 2025 at 01:58:38PM +0300, Adrian Bunk wrote:
> On Mon, Aug 04, 2025 at 09:43:36PM +0200, Salvatore Bonaccorso wrote:
> > Source: hplip
> > Version: 3.22.10+dfsg0-8.1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> > 
> > Hi,
> > 
> > The following vulnerability was published for hplip.
> > 
> > CVE-2025-43023[0]:
> > | A potential security vulnerability has been identified in the HP
> > | Linux Imaging and Printing Software documentation. This potential
> > | vulnerability is due to the use of a weak code signing key, Digital
> > | Signature Algorithm (DSA).
> > 
> > There is not much information at this time, the upstream advisory [1]
> > might indicate it is fixed in 3.25.2.
> >...
> 
> This might not even be a vulnerability in the software.
> 
> 
> https://developers.hp.com/hp-linux-imaging-and-printing/hplipDigitalCertificate.html
> 
> HPLIP Version: 3.25.2 and above
> 
> HPLIP has implemented a process so you (the user) can optionally verify 
> that the package you are downloading is, indeed, provided by the HP 
> Linux Imaging and Printing project and has valid contents.  The process 
> to verify the package is simple and takes only a few moments.  The steps 
> are provided in detail below.
> ...
> gpg --import hplip-publickey.asc 
> ...
> gpg --verify hplip-version.run.asc hplip-<version>.run
> 
> 
> https://sourceforge.net/projects/hplip/files/hplip/3.24.4/
> 
> $ gpg --verify hplip-3.24.4.run.asc
> gpg: assuming signed data in 'hplip-3.24.4.run'
> gpg: Signature made Wed 22 May 2024 07:42:57 EEST
> gpg:                using DSA key 4ABA2F66DBD5A95894910E0673D770CDA59047B9
> gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" [unknown]
> 
> 
> https://sourceforge.net/projects/hplip/files/hplip/3.25.2/
> 
> $ gpg --verify hplip-3.25.2.run.asc
> gpg: assuming signed data in 'hplip-3.25.2.run'
> gpg: Signature made Thu 10 Jul 2025 13:12:30 EEST
> gpg:                using RSA key 5E4E4D24A34ECD57
> gpg: Good signature from "HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>" [unknown]

Agreed, let's close the bug. I have just updated the tracker to
clarify that the CVE is assigned for the use of the DSA key for
signing the upstream installer.

Regards,
Salvatore

--- End Message ---
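The thread's `gpg --verify` transcripts show the point in human-readable form: the 3.24.4 installer was signed with a DSA key, the 3.25.2 installer with an RSA key, and both print "Good signature" with the key marked [unknown]. A download script that wants to reject the weak-key case has to go one step further than eyeballing that output. The following is an added example, not code from the bug thread, from Debian or from HP: it parses the machine-readable lines that `gpg --status-fd 1 --verify <sig> <file>` emits, pins the expected key fingerprint, and accepts the signature only if the public-key algorithm and digest are on an allow-list, so a DSA-signed installer fails even when gpg itself says the signature is good. The algorithm ID tables follow RFC 4880; the sample status lines, the RSA fingerprint, the dates and the epoch timestamps are constructed placeholders (the thread shows only a long key ID for the RSA key, and the DSA fingerprint is the one Adrian's transcript prints).

```python
"""Policy check on GnuPG --status-fd output for a detached signature.

Added example; not part of the Debian bug thread, the hplip project or HP.
Run `gpg --batch --status-fd 1 --verify hplip-<v>.run.asc hplip-<v>.run`
and feed the stdout to check_status(); run_gpg_status() does that for you.
"""
import subprocess
from dataclasses import dataclass

# Public-key algorithm IDs as reported in the VALIDSIG line (RFC 4880 s.9.1;
# 19/22 are the ECC IDs GnuPG uses for ECDSA/EdDSA).
PUBKEY_ALGO = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELGAMAL", 17: "DSA",
               18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Hash algorithm IDs (RFC 4880 s.9.4).
HASH_ALGO = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}

# Local policy: DSA is deliberately absent, as are MD5 and SHA-1.
ALLOWED_PUBKEY = {"RSA", "EdDSA", "ECDSA"}
ALLOWED_HASH = {"SHA256", "SHA384", "SHA512"}

# Fingerprints this script trusts for hplip installers. The DSA fingerprint is
# the one printed in the thread; the RSA one is a PLACEHOLDER built from the
# long key ID shown there, not HP's real fingerprint.
PINNED = {"4ABA2F66DBD5A95894910E0673D770CDA59047B9",
          "00000000000000000000000A5E4E4D24A34ECD57"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""
    pubkey_algo: str = ""
    hash_algo: str = ""


def check_status(status_text: str, trusted_fprs: set) -> Verdict:
    """Decide on a signature from gpg's [GNUPG:] status lines.

    Requires both GOODSIG and VALIDSIG, a pinned primary-key fingerprint, and
    allow-listed public-key and hash algorithms. Any negative status line
    (BADSIG, ERRSIG, ...) is a hard reject regardless of what else is present.
    """
    good = False
    valid = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"gpg reported {tag}")
        elif tag == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
            valid = fields
    if not good or valid is None:
        return Verdict(False, "no GOODSIG/VALIDSIG pair in gpg status output")

    fpr = valid[2]
    primary = valid[11] if len(valid) > 11 else fpr
    pk = PUBKEY_ALGO.get(int(valid[8]), f"unknown({valid[8]})")
    hsh = HASH_ALGO.get(int(valid[9]), f"unknown({valid[9]})")
    if primary not in trusted_fprs:
        return Verdict(False, f"key {primary} is not pinned", fpr, pk, hsh)
    if pk not in ALLOWED_PUBKEY:
        return Verdict(False, f"signature made with disallowed algorithm {pk}", fpr, pk, hsh)
    if hsh not in ALLOWED_HASH:
        return Verdict(False, f"signature uses disallowed digest {hsh}", fpr, pk, hsh)
    return Verdict(True, "good signature from pinned key with allowed algorithms",
                   fpr, pk, hsh)


def run_gpg_status(sig_path: str, data_path: str) -> str:
    """Invoke gpg and return its status-fd output (stdout) for check_status()."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample status output, modelled on the two transcripts in the
# thread (timestamps are placeholders; they are not checked by the policy).
DSA_SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 73D770CDA59047B9 HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>\n"
    "[GNUPG:] VALIDSIG 4ABA2F66DBD5A95894910E0673D770CDA59047B9 2024-05-22 1716352977 0 4 0 17 8 00 "
    "4ABA2F66DBD5A95894910E0673D770CDA59047B9\n")
RSA_SAMPLE = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 5E4E4D24A34ECD57 HPLIP (HP Linux Imaging and Printing) <hplip@hp.com>\n"
    "[GNUPG:] VALIDSIG 00000000000000000000000A5E4E4D24A34ECD57 2025-07-10 1752145950 0 4 0 1 8 00 "
    "00000000000000000000000A5E4E4D24A34ECD57\n")

if __name__ == "__main__":
    for name, sample in (("hplip-3.24.4.run", DSA_SAMPLE), ("hplip-3.25.2.run", RSA_SAMPLE)):
        v = check_status(sample, PINNED)
        print(f"{name}: {'ACCEPT' if v.ok else 'REJECT'} ({v.pubkey_algo}/{v.hash_algo}): {v.reason}")
```

Parsing the status lines rather than the human-readable "using DSA key" text is what GnuPG documents as the stable interface (DETAILS in the gnupg docs), and pinning the primary fingerprint is what turns the "[unknown]" trust shown in the thread into an actual decision; the algorithm allow-list is the part that addresses the CVE as the tracker now describes it, since a "Good signature" line alone says nothing about key strength.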