Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 485904 (CVE-2013-4325) - <net-print/hplip-3.14.1: Polkit race condition (CVE-2013-4325)
Summary: <net-print/hplip-3.14.1: Polkit race condition (CVE-2013-4325)
Alias: CVE-2013-4325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on: 484474 497722
Blocks: 485328
  Show dependency tree
Reported: 2013-09-24 22:37 UTC by GLSAMaker/CVETool Bot
Modified: 2014-06-26 22:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:37:23 UTC
CVE-2013-4325 (
  The check_permission_v1 function in base/ in HP Linux Imaging and
  Printing (HPLIP) through 3.13.9 does not properly use D-Bus for
  communication with a polkit authority, which allows local users to bypass
  intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject
  race condition via a (1) setuid process or (2) pkexec process.

Red Hat's patch:
Comment 1 Daniel Pielmeier gentoo-dev 2013-09-28 10:19:03 UTC
+*hplip-3.13.9 (28 Sep 2013)
+  28 Sep 2013; Daniel Pielmeier <> +hplip-3.13.9.ebuild:
+  Version bump. Includes Red Hat's patch to fix CVE-2013-4325.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-03-14 01:31:05 UTC
Stabilized and cleaned up as part of Bug 497722.

Arhes and Maintainers thank you for your work.

Added to existing GLSA Draf.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:52 UTC
This issue was resolved and addressed in
 GLSA 201406-27 at
by GLSA coordinator Chris Reffett (creffett).