Summary: | <net-print/hplip-3.14.1 : insecure temporary file handling in pkit.py (CVE-2013-6402) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | billie, printing |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1035243 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 497722 | ||
Bug Blocks: | | ||
Description
Agostino Sarubbo
2013-11-27 17:17:34 UTC
I have bumped hplip to 3.14.1 which should fix the issue. Stabilization for 3.13.9 is currently in the works (bug #484474). I will close this one and open a new one for 3.14.1.

(In reply to Daniel Pielmeier from comment #1)
> I have bumped hplip to 3.14.1 which should fix the issue.
> Stabilization for 3.13.9 is currently in the works (bug #484474). I will
> close this one and open a new one for 3.14.1.

If you are stabilizing for security and the bug is fixed in version 3.14.1 we can stabilize as part of this bug when you are ready.

CVE-2013-6402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6402): base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.

Fixed versions have been stabilized. Vulnerable versions have been removed.

@ glsa coordinators: Please vote.

Vote: NO.

GLSA Vote: No
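The CVE text above describes a log file at a fixed name in /tmp being opened through a symlink. The following is an added example, not code from hplip or from the upstream fix: a Python sketch of a log opener that refuses symlinks, hard links and files owned by another user, next to the naive pattern. The function names and the files in `demo()` are constructed for illustration, and everything runs inside a private temporary directory.

```python
import errno
import os
import stat
import tempfile

def open_log_naive(path):
    # Pattern behind this bug class: fixed path, symlinks followed.
    return open(path, "a")

def open_log_safely(path):
    """Open a log for appending; refuse symlinks, hard links, foreign files."""
    flags = (os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_CLOEXEC
             | os.O_NOFOLLOW | os.O_NONBLOCK)
    fd = os.open(path, flags, 0o600)  # ELOOP if the last component is a symlink
    try:
        st = os.fstat(fd)  # check the opened object, not the path (no race)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(errno.EPERM, "not a regular file", path)
        if st.st_uid != os.geteuid() or st.st_nlink != 1:
            raise PermissionError(errno.EPERM, "foreign owner or hard link", path)
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario in a private temp dir; file names are illustrative."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "important.conf")  # file that must not change
        log = os.path.join(d, "hp-pkservice.log")
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, log)  # log path already exists as a symlink
        with open_log_naive(log) as f:
            f.write("log line\n")
        with open(target) as f:
            naive_modified_target = f.read() != "original\n"
        try:
            open_log_safely(log).close()
            refused = False
        except OSError as e:
            refused = e.errno in (errno.ELOOP, errno.EMLINK)
        os.unlink(log)
        with open_log_safely(log) as f:  # no symlink: created 0600 and opened
            f.write("log line\n")
        with open(log) as f:
            clean_ok = f.read() == "log line\n"
    return naive_modified_target, refused, clean_ok
```

Writing the log to a directory that only the service user can write to, rather than to /tmp, removes the precondition altogether; the checks above are for cases where the path has to stay in a shared directory.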