Bug 494080

Summary: <net-print/hplip-3.14.10: Man-in-the-middle vulnerability, arbitrary code execution (CVE-2013-6427)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: billie, printing
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 497722
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 18:45:09 UTC
CVE-2013-6427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6427):
  upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing
  (HPLIP) 3.x through 3.13.11 launches a program from an http URL, which
  allows man-in-the-middle attackers to execute arbitrary code by gaining
  control over the client-server data stream.


@maintainers: okay to stable 3.11.1-r1? (We can hold off a bit to see if a fix for bug 492712 comes along)
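
Added example, not part of the bug report and not HPLIP's code or its actual fix: a sketch of the two checks whose absence makes a download-then-launch step like the one in the CVE description exploitable by a man in the middle. The host name, the installer bytes, the pinned digest and the `fetch(url) -> (final_url, body)` interface are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data: the host, installer bytes and pinned digest are
# placeholders, not values from HPLIP or from this bug.
ALLOWED_HOSTS = {"downloads.example.com"}
INSTALLER = b"#!/bin/sh\necho 'constructed installer'\n"
PINNED_SHA256 = hashlib.sha256(INSTALLER).hexdigest()


class UntrustedDownload(Exception):
    """The downloaded program must not be launched."""


def require_https(url, allowed_hosts=ALLOWED_HOSTS):
    """Reject anything that is not HTTPS to an expected host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UntrustedDownload("not HTTPS: " + url)
    if parts.hostname not in allowed_hosts:
        raise UntrustedDownload("unexpected host: " + str(parts.hostname))


def fetch_verified(url, fetch, pinned_sha256=PINNED_SHA256):
    """Return installer bytes only if transport and content both check out.

    fetch(url) -> (final_url, body) is injected (hypothetical interface) so the
    example runs offline; a real one would wrap an HTTPS client with
    certificate validation enabled.
    """
    require_https(url)
    final_url, body = fetch(url)
    require_https(final_url)  # a redirect must not downgrade to http
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise UntrustedDownload("SHA-256 mismatch, refusing to launch")
    return body


def outcome(url, fetch):
    """Helper for trying inputs: 'ok' or the refusal reason."""
    try:
        fetch_verified(url, fetch)
        return "ok"
    except UntrustedDownload as exc:
        return str(exc)
```

The pinned digest only helps if it reaches the client through a channel the attacker does not control, for example shipped inside the already-installed package.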

Comment 1 Daniel Pielmeier gentoo-dev 2014-01-10 19:57:46 UTC
> @maintainers: okay to stable 3.11.1-r1? (We can hold off a bit to see if a
> fix for bug 492712 comes along)

3.11.1-r1 does not fix this issue, but I have committed 3.14.1 which should. Stabilization for 3.13.9 is currently in the works (bug #484474). I will close this one and open a new one for 3.14.1.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 09:48:20 UTC
Over 2 years old and package has been stabilized for quite some time.