==========================================================================
Ubuntu Security Notice USN-2085-1
January 21, 2014
hplip vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in HPLIP.
Software Description:
- hplip: HP Linux Printing and Imaging System (HPLIP)
Details:
It was discovered that the HPLIP Polkit daemon incorrectly handled
temporary files. A local attacker could possibly use this issue to
overwrite arbitrary files. In the default installation of Ubuntu 12.04 LTS
and higher, this should be prevented by the Yama link restrictions.
(CVE-2013-6402)

It was discovered that HPLIP contained an upgrade tool that would download
code in an unsafe fashion. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to execute arbitrary
code. (CVE-2013-6427)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.10:
  hplip 3.13.9-1ubuntu0.1
Ubuntu 12.10:
  hplip 3.12.6-3ubuntu4.3
Ubuntu 12.04 LTS:
  hplip 3.12.2-1ubuntu3.4
Ubuntu 10.04 LTS:
  hplip 3.10.2-2ubuntu2.5
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2085-1
CVE-2013-6402, CVE-2013-6427
Package Information:
https://launchpad.net/ubuntu/+source/hplip/3.13.9-1ubuntu0.1
https://launchpad.net/ubuntu/+source/hplip/3.12.6-3ubuntu4.3
https://launchpad.net/ubuntu/+source/hplip/3.12.2-1ubuntu3.4
https://launchpad.net/ubuntu/+source/hplip/3.10.2-2ubuntu2.5