From ${URL} : It was reported that the hp-plugin utility, included in the hplip package, downloads a binary driver and verifies it via a key specified by the key's short ID:

Downloading plug-in: [\ ] 0%
Receiving digital keys: /bin/gpg --homedir /home/test/.hplip/.gnupg --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9

A man-in-the-middle attacker could use this flaw to generate a key with the expected short ID and trick a user into downloading a malicious binary.

Original report: http://seclists.org/oss-sec/2015/q2/581

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
In the new release of HPLIP, 3.15.7, upstream has changed the verification to be based on fingerprint instead of key ID, see https://bugs.launchpad.net/hplip/+bug/1432516/comments/7

v3.15.7 landed in the Gentoo repository via https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-print/hplip/hplip-3.15.7.ebuild?view=log

Current stable version is =net-print/hplip-3.16.3; vulnerable versions are already removed.

@ Security: Please vote!
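An added example, not hplip's or Gentoo's code, illustrating why the 3.15.7 change matters: it parses constructed `gpg --with-colons --fingerprint` output containing two keys whose low 32 bits are both A59047B9, shows that a short-ID lookup matches both, and that pinning the full fingerprint selects exactly one. The key records, the pinned fingerprint and the `recv_keys_argv` command layout are assumed placeholders, not real HPLIP keys.

```python
"""Check a fetched OpenPGP key by its full fingerprint instead of its 32-bit short ID."""
import hmac
import re

# Constructed sample of `gpg --with-colons --fingerprint` output; these are NOT real keys.
# Both keys end in the same 32 bits, so both carry short ID 0xA59047B9 (the ID from the
# report) and a short-ID check cannot tell them apart; only the full fingerprint differs.
SAMPLE_KEYRING = """\
pub:u:2048:1:01234567A59047B9:1400000000:::u:::scESC::::::
fpr:::::::::00000000000000000000000001234567A59047B9:
uid:u::::1400000000::0::Constructed HPLIP key <placeholder@example.invalid>::
pub:u:2048:1:FEDCBA98A59047B9:1430000000:::u:::scESC::::::
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA98A59047B9:
uid:u::::1430000000::0::Colliding key <other@example.invalid>::
"""
# Placeholder for the fingerprint a vendor would pin in the plug-in installer.
EXPECTED_FPR = "0000 0000 0000 0000 0000  0000 0123 4567 A590 47B9"

def normalize_fpr(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix; require exactly 40 hex digits."""
    clean = re.sub(r"\s+", "", fpr).upper()
    clean = clean[2:] if clean.startswith("0X") else clean
    if not re.fullmatch(r"[0-9A-F]{40}", clean):
        raise ValueError("expected a full 40-hex-digit fingerprint, got %r" % fpr)
    return clean

def parse_fingerprints(colon_output: str) -> list[str]:
    """Return the fingerprint from every 'fpr' record (field 10 of the colon format)."""
    fprs = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs

def keys_matching_short_id(colon_output: str, short_id: str) -> list[str]:
    """The pre-3.15.7 check: every key whose low 32 bits equal the short ID matches."""
    sid = short_id.upper().removeprefix("0X")
    return [f for f in parse_fingerprints(colon_output) if f[-8:] == sid]

def keys_matching_fingerprint(colon_output: str, expected: str) -> list[str]:
    """The fixed check: only a key whose whole fingerprint equals the pinned value matches."""
    exp = normalize_fpr(expected)
    return [f for f in parse_fingerprints(colon_output) if hmac.compare_digest(f, exp)]

def recv_keys_argv(homedir: str, keyserver: str, expected: str) -> list[str]:
    """The gpg command from the report, but keyed by full fingerprint (assumed layout)."""
    return ["gpg", "--homedir", homedir, "--no-permission-warning",
            "--keyserver", keyserver, "--recv-keys", normalize_fpr(expected)]
```

Passing the short ID to `normalize_fpr` raises, so an installer built this way cannot silently fall back to the weak check.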
GLSA Vote: No