[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#849467: marked as done (jessie-pu: package hplip/3.14.6-1+deb8u1)

Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #849467,
regarding jessie-pu: package hplip/3.14.6-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849467
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and
security team members suggested to get it fixed through stable updates.

This bug is a simple 'fetching gpg key from keyservers with a short
keyid' problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
	OdyX

diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog
--- hplip-3.14.6/debian/changelog	2014-06-15 09:24:19.000000000 +0200
+++ hplip-3.14.6/debian/changelog	2016-12-27 09:13:54.000000000 +0100
@@ -1,3 +1,11 @@
+hplip (3.14.6-1+deb8u1) stable; urgency=medium
+
+  * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key
+    fingerprint when fetching key from keyservers
+    (Closes: #787353, LP: #1432516)
+
+ -- Didier Raboud <odyx@debian.org>  Tue, 27 Dec 2016 09:13:54 +0100
+
 hplip (3.14.6-1) unstable; urgency=low
 
   * New upstream release
diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch
--- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch	1970-01-01 01:00:00.000000000 +0100
+++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch	2016-12-27 09:10:11.000000000 +0100
@@ -0,0 +1,19 @@
+Description: Use the full key fingerprint, to fix insecure binary driver verification
+Bug-CVE: CVE-2015-0839
+Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516
+Bug-Debian: https://bugs.debian.org/787353
+Origin: vendor
+Last-Update: 2015-07-15
+
+--- a/base/validation.py
++++ b/base/validation.py
+@@ -40,8 +40,7 @@
+ 
+ 
+ class GPG_Verification(DigiSign_Verification):
+-
+-    def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++    def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9):
+         self.__pgp_site = pgp_site
+         self.__key = key
+         self.__gpg = utils.which('gpg',True)
diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series
--- hplip-3.14.6/debian/patches/series	2014-04-04 17:05:13.000000000 +0200
+++ hplip-3.14.6/debian/patches/series	2016-12-27 09:04:13.000000000 +0100
@@ -18,3 +18,4 @@
 #hp-mkuri-libnotify-so-4-support.dpatch
 hpaio-option-duplex.diff
 musb-c-do-not-crash-on-usb-failure.patch
+cve-2015-0839-insecure-binary-driver-verification.patch

--- End Message ---
--- Begin Message --- 
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
Reply to: