hpcupsfax.cpp creates an insecure tmp file which could be exploited by symlink attacks to read/write arbitrary files. The vulnerability was corrected in 3.11.10: http://hplipopensource.com/hplip-web/release_notes.html
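The bug class reported above, as an added example that is not part of the original report and not code from hplip: the page does not show hpcupsfax.cpp or the 3.11.10 fix, so the file names, the `open_predictable`/`open_private` helpers and the scratch-directory scenario are all constructed assumptions. It contrasts a predictable temp name opened without `O_EXCL` with `mkstemp()`, and measures what happens to a file that a pre-planted symlink points at.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Risky pattern (assumed, not taken from hpcupsfax.cpp): a fixed name opened
 * without O_EXCL, so open() follows whatever already sits at that path. */
static int open_predictable(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/fax.tmp", dir);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() picks a random name and creates it with
 * O_CREAT|O_EXCL and mode 0600, so a pre-existing link is never reused. */
static int open_private(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/fax.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);   /* demo only: keep the scratch dir tidy */
    return fd;
}

/* Constructed scenario: a private scratch directory holds an 8-byte "victim"
 * file and a symlink to it at the predictable name. Returns the victim's size
 * after the chosen opener writes one byte, or -1 on setup failure. */
long victim_size_after_write(int hardened) {
    char dir[] = "/tmp/symlink-demo.XXXXXX", victim[512], lnk[512];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/fax.tmp", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8 || close(fd) != 0) return -1;
    if (symlink(victim, lnk) != 0) return -1;
    fd = hardened ? open_private(dir) : open_predictable(dir);
    if (fd < 0 || write(fd, "X", 1) != 1 || close(fd) != 0) return -1;
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("predictable name: victim is %ld bytes\n", victim_size_after_write(0));
    printf("mkstemp:          victim is %ld bytes\n", victim_size_after_write(1));
    return 0;
}
```

With the predictable name the write lands in the link's target, which is truncated and overwritten; with `mkstemp()` the target is left untouched.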
@maintainers: We do have =net-print/hplip-3.11.10 in tree. Is this ready for stabilization?
(In reply to comment #1)
> @maintainers: We do have =net-print/hplip-3.11.10 in tree. Is this ready for
> stabilization?

It is never ready given the fact it supports about 2000 printers so there are always problems with some models and other things. I will open a stabilization request now.
(In reply to comment #1)
> @maintainers: We do have =net-print/hplip-3.11.10 in tree. Is this ready for
> stabilization?

It is stabilized now on all required arches >>except ppc64<<. It would be awesome if ppc64 could follow now and stabilize =net-print/hplip-3.11.10, because then this security bug could finally proceed too.
ppc64 done
Thanks, everyone. GLSA Vote: yes.
GLSA vote: yes. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201203-17 at http://security.gentoo.org/glsa/glsa-201203-17.xml by GLSA coordinator Sean Amoss (ackle).