Bug 233959 (CVE-2008-2940) - net-print/hplip <2.8.5 DoS (CVE-2008-2940,CVE-2008-2941)
Summary: net-print/hplip <2.8.5 DoS (CVE-2008-2940,CVE-2008-2941)
Status: RESOLVED FIXED
Alias: CVE-2008-2940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 233968
Blocks:
Reported: 2008-08-05 10:50 UTC by Robert Buchholz (RETIRED)
Modified: 2008-11-30 18:25 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 10:50:40 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Marc Schoenefeld of the Red Hat Security Response Team reported the following vulnerabilities:
[CVE-2008-2940] hpssd of hplip allows unprivileged user to trigger alert mail
[CVE-2008-2941] hplip hpssd.py Denial-Of-Service parsing vulnerability

The code in 2.8.4 has replaced hpssd with another daemon, that does not seem to suffer from these vulnerabilities.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 10:52:38 UTC
Denis, are you ok with me opening a public bug for regular stabilization of =net-print/hplip-2.8.5 ? If you want to do so yourself, please mark it as a blocker of this bug.
Comment 2 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-05 11:55:02 UTC
(In reply to comment #1)
> Denis, are you ok with me opening a public bug for regular stabilization of
> =net-print/hplip-2.8.5 ? If you want to do so yourself, please mark it as a
> blocker of this bug.

You can go ahead. However I would much prefer we stabilize 2.8.6b instead. It's a bit fresh but the ebuild and the package itself fix a lot of bugs and add a lot of printers. Also upstream is of above average quality. If it's OK with everybody I'm ready to pick up the pieces in case something breaks.

Denis.
Comment 3 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-05 12:12:13 UTC
Hold on, I'll do it because there's an issue with a dropped keyword.

Denis.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-08-05 14:15:21 UTC
Arch Security Liaisons:
 Please make sure =net-print/hplip-2.8.6b is getting stable on your arch due
 in bug 233968.


Target keywords : "amd64 ppc ppc64 x86"

CC'ing current Liaisons:
   amd64 : keytoaster
     ppc : dertobi123
   ppc64 : corsair
     x86 : tsunam
Comment 5 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-06 10:59:49 UTC
There are a few stabilizations required to fix this, and even one keywording. I have created all the necessary bugs and set them as blockers of #233968 (see dep graph).

Please security liaisons, make sure you go through all of them.

Thanks in advance,
Denis.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-08-06 13:02:51 UTC
Adding maekke for x86
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 08:59:03 UTC
Public via $URL, all stable.

CVE-2008-2940:
         The alert-mailing implementation in HP Linux Imaging and Printing
         (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail
         messages from the root account via vectors related to the setalerts
         message, and lack of validation of the device URI associated with an
         event message.
CVE-2008-2941:
         The hpssd message parser in hpssd.py in HP Linux Imaging and Printing
         (HPLIP) 1.6.7 allows local users to cause a denial of service (process
         stop) via a crafted packet, as demonstrated by sending "msg=0" to TCP
         port 2207.
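
Added example, not part of the original bug report and not hplip code: a sketch of the two defensive properties the CVE descriptions above say were missing, a dispatcher that answers a malformed or unknown message with an error instead of stopping, and handlers that restrict who may set the alert address and validate the device URI before any mail is queued. The newline-separated key=value wire format, the `event` message name, the `email-to` and `device-uri` field names, `KNOWN_DEVICES` and the `peer_is_admin` flag are assumptions made for illustration.

```python
# Added illustration; not hplip/hpssd code. The key=value wire format, field
# names, KNOWN_DEVICES and peer_is_admin are assumptions (constructed values).
KNOWN_DEVICES = {"hp:/usb/EXAMPLE_PRINTER?serial=CONSTRUCTED"}

class BadMessage(Exception):
    """Raised for any packet the daemon should refuse instead of dying on."""

def parse_fields(raw: bytes) -> dict:
    """Parse newline-separated key=value fields, rejecting malformed input."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise BadMessage("non-ASCII packet")
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise BadMessage("malformed field")
        fields[key.strip().lower()] = value.strip()
    return fields

def on_setalerts(fields, state, peer_is_admin):
    # Only a privileged caller may change where alert mail is sent.
    if not peer_is_admin:
        raise BadMessage("setalerts not permitted")
    state["alerts_to"] = fields.get("email-to", "")
    return "ok"

def on_event(fields, state, peer_is_admin):
    # Validate the device URI before it can trigger any mail.
    uri = fields.get("device-uri", "")
    if uri not in KNOWN_DEVICES:
        raise BadMessage("unknown device-uri")
    if state.get("alerts_to"):
        state["outbox"].append((state["alerts_to"], uri))
    return "ok"

HANDLERS = {"setalerts": on_setalerts, "event": on_event}

def handle_packet(raw, state, peer_is_admin=False):
    """Dispatch one packet; bad input yields an error reply, never a crash."""
    try:
        fields = parse_fields(raw)
        handler = HANDLERS.get(fields.get("msg", ""))
        if handler is None:
            raise BadMessage("unknown msg type")
        return handler(fields, state, peer_is_admin)
    except BadMessage as exc:
        return "error: " + str(exc)
```
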
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 09:01:22 UTC
Calchan, can you clarify: Does this daemon run on clients with HP printers attached, or is it also used on remote printing servers?
Comment 9 Denis Dupeyron (RETIRED) gentoo-dev 2008-08-15 10:25:41 UTC
(In reply to comment #8)
> Calchan, can you clarify: Does this daemon run on clients with HP printers
> attached, or is it also used on remote printing servers?

I know it's mandatory for fax and optional for other features. I'm going to investigate if it's used in all cases in our installs.

Denis.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-22 12:44:11 UTC
Calchan: Ping, any news on your investigation?
Comment 11 Denis Dupeyron (RETIRED) gentoo-dev 2008-09-22 12:57:33 UTC
(In reply to comment #10)
> Calchan: Ping, any news on your investigation?

Yes. Sorry I answered Robert in private at the time. The answer is that it can be used for both servers and clients depending on the situation.

All work was done there though, and this bug should be closed. I let the security team decide when they want to do so as they opened it and own it. Today all versions of hplip in the tree are safe regarding this bug.

Denis.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:12:25 UTC
Let's close this NOGLSA.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 18:25:39 UTC
Okay.