Bug#: 195565
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2007-10-12 01:04 0000
hplip's hpssd allows local (or remote, if configured) users to execute
arbitrary commands as root.

Our current stable and the last release are vulnerable, I couldn't find a
public repository. A patch is available at the URL.

------- Comment #1 From Robert Buchholz 2007-10-12 01:07:09 0000 -------
Denis and printing, please advise.

------- Comment #2 From Denis Dupeyron 2007-10-12 09:11:15 0000 -------
(In reply to comment #1)
> Denis and printing, please advise.

I've been having a real-life emergency for a few days, but I'll put this at the
top of my Gentoo TODO list. I should be able to look into this later today (not
before 2000 UTC though).

I've had a quick look at the patch though, and it applies in a cleanish way on
the 2.x series, but not on the 1.x series. So I'll have to manually create a
patch for the 1.x stuff. This should be easy. About the security issue itself,
it's far beyond my understanding so I'll have to trust the Red Hat people
unless somebody else knows better.

Denis.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-10-17 19:25:28 0000 -------
Any news on this one?

------- Comment #4 From Denis Dupeyron 2007-10-18 13:07:15 0000 -------
I've just fixed the new 2.x branch. I'm now proceeding to look into the old
stuff.

Upstream says the fix will be in 2.7.10.

Denis.

------- Comment #5 From Denis Dupeyron 2007-10-18 20:31:07 0000 -------
Old 1.x branch is now cleaned-up and fixed too. Security, feel free to
stabilize hplip-1.7.4a-r2 and close this bug whenever you want.

Denis.

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-10-18 20:36:09 0000 -------
Thx Denis.

Arches please test and mark stable. Target keywords are:

hplip-1.7.4a-r2.ebuild:KEYWORDS="amd64 ppc ~ppc64 x86"

------- Comment #7 From Christian Faulhammer 2007-10-19 21:03:43 0000 -------
x86 stable

------- Comment #8 From Tobias Scherbaum 2007-10-20 20:02:10 0000 -------
ppc stable

------- Comment #9 From Steve Dibb 2007-10-21 20:27:27 0000 -------
amd64 stable

------- Comment #10 From Robert Buchholz 2007-10-21 20:39:45 0000 -------
GLSA request filed.

------- Comment #11 From Denis Dupeyron 2007-10-21 21:40:36 0000 -------
Old ebuild removed after stabilization. All that's left in the tree is now
clean.

Denis.

------- Comment #12 From Raphael Marichez 2007-10-24 22:16:33 0000 -------
GLSA 200710-26, thanks everybody!
