From $URL : It was found that /var/log/hp and /var/log/hp/tmp are both world-writeable in hplip 3.12.x. This flaw could be used to delete log files from the /var/log/hp directory. Because of these open permissions, an attacker could also conduct symlink attack on /var/log/hp/tmp/hpijs_*.out to overwrite an arbitrary file with the privileges of the process running the HP CUPS fax filter. This flaw has been assigned CVE-2012-6108.
It seems that this only affects hplip-3.12.11. For hplip-3.12.10a and hplip-3.13.2 the mentioned directories are not world-writable. hplip-3.12.10a drwxrwxr-x 3 root lp 4096 21. Feb 19:10 . drwxr-xr-x 13 root root 4096 21. Feb 19:10 .. drwxrwxr-t 2 root lp 4096 21. Feb 19:10 tmp hplip-3.12.11 drwxrwxrwx 3 root lp 4096 21. Feb 19:17 . drwxr-xr-x 13 root root 4096 21. Feb 19:17 .. drwxrwxrwt 2 root lp 4096 21. Feb 19:17 tmp hplip-3.13.2 drwxrwxr-- 3 root lp 4096 21. Feb 19:24 . drwxr-xr-x 13 root root 4096 21. Feb 19:24 .. drwxrwxr-T 2 root lp 4096 21. Feb 19:24 tmp I have removed the vulnerable version however updating from hplip-3.12.11 to hplip-3.13.2 does not change the permissions as they are only correct for a new install without /var/log/hp being present. To ensure correct permissions when upgrading I have added hplip-3.13.2-r1 which removes /var/tmp/hp in pgk_preinst.
(In reply to comment #1) Thanks, Daniel! Is hplip-3.13.2-r1 ready for stabilization?
(In reply to comment #2) > (In reply to comment #1) > > Thanks, Daniel! Is hplip-3.13.2-r1 ready for stabilization? We can stabilize hplip-3.13.2-r1, but do we have to? Current stable is hplip-3.12.10a which is fine and the only vulnerable version in tree is gone. Am I missing something?
(In reply to comment #1) > For hplip-3.12.10a and > hplip-3.13.2 the mentioned directories are not world-writable. Ah, I went over that part too quickly. Closing noglsa for ~arch only issue.
CVE-2012-6108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6108): HP Linux Imaging and Printing (HPLIP) before 3.13.2 uses world-writable permissions for /var/log/hp and /var/log/hp/tmp, which allows local users to delete log files via standard filesystem operations.