Bug 551142 (CVE-2015-0839) - <net-print/hplip-3.15.7: hp-plugin verified binary download with short key ID
Summary: <net-print/hplip-3.15.7: hp-plugin verified binary download with short key ID
Alias: CVE-2015-0839
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2015-06-04 07:15 UTC by Agostino Sarubbo
Modified: 2016-11-23 14:25 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-06-04 07:15:40 UTC
From ${URL} :

It was reported that the hp-plugin utility, included in the hplip package, downloads a binary driver and verifies it via a key specified by the key's short ID:

Downloading plug-in: [\                                   ] 0% Receiving digital keys: /bin/gpg --homedir /home/test/.hplip/.gnupg --no-permission-warning --keyserver --recv-keys 

A man-in-the-middle attacker could use this flaw to generate a key with the expected short ID and trick a user into downloading a malicious binary.

Original report:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 17:31:08 UTC
In the new release of HPLIP, 3.15.7, upstream has changed the verification to be based on fingerprint instead of key id, see

v3.15.7 landed in Gentoo repository via

Current stable version is =net-print/hplip-3.16.3, vulnerable versions are already removed.

@ Security: Please vote!
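To make the difference between the two checks concrete, here is an added illustration (not hplip's own code, and not part of this bug report) that runs both a short-key-ID check, as in the affected releases, and a full-fingerprint check, as in 3.15.7, over constructed `gpg --with-colons --fingerprint` output. The two fingerprints and user IDs in the sample are made up for this example and were chosen to share their last eight hex digits, which is all a short key ID compares.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output containing two
# keys.  Both fingerprints are invented for this example; they deliberately end
# in the same eight hex digits, so they share the 32-bit short key ID EEEE5555
# (a v4 key ID is simply the low-order bits of the key's SHA-1 fingerprint).
SAMPLE_KEYRING = """\
pub:-:2048:1:DDDD4444EEEE5555:1420070400:::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1420070400::0000000000000000000000000000000000000000::Example Vendor <vendor@example.invalid>::::::::::0:
pub:-:2048:1:3333ABCDEEEE5555:1433000000:::-:::scESC::::::23::0:
fpr:::::::::9999888877776666555544443333ABCDEEEE5555:
uid:-::::1433000000::1111111111111111111111111111111111111111::Impostor <impostor@example.invalid>::::::::::0:
"""

# Hypothetical "genuine" fingerprint for this example (not a real hplip key).
EXPECTED_FINGERPRINT = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"

# A `fpr:` record carries the full fingerprint in its tenth field.
_FPR_RECORD = re.compile(r"^fpr:+([0-9A-Fa-f]{40}):", re.MULTILINE)


def fingerprints(colon_output: str) -> list[str]:
    """Return every 40-hex-digit fingerprint found in --with-colons output."""
    return [m.upper() for m in _FPR_RECORD.findall(colon_output)]


def keys_matching_short_id(colon_output: str, short_id: str) -> list[str]:
    """Pre-3.15.7 style check: accept any key whose 8-hex short ID matches."""
    want = short_id.upper().removeprefix("0X")
    return [f for f in fingerprints(colon_output) if f[-8:] == want]


def keys_matching_fingerprint(colon_output: str, fingerprint: str) -> list[str]:
    """3.15.7 style check: accept only a key with the exact 160-bit fingerprint."""
    want = fingerprint.replace(" ", "").upper()
    return [f for f in fingerprints(colon_output) if f == want]


def key_is_trusted(colon_output: str, fingerprint: str) -> bool:
    """Downloaded key material is acceptable only if exactly one key carries
    the expected full fingerprint; a short-ID match alone is not sufficient."""
    return len(keys_matching_fingerprint(colon_output, fingerprint)) == 1


if __name__ == "__main__":
    print("short ID EEEE5555 matches:", keys_matching_short_id(SAMPLE_KEYRING, "EEEE5555"))
    print("full fingerprint matches:", keys_matching_fingerprint(SAMPLE_KEYRING, EXPECTED_FINGERPRINT))
    print("trusted:", key_is_trusted(SAMPLE_KEYRING, EXPECTED_FINGERPRINT))
```

The short-ID check accepts both keys in the sample, so a verifier using it cannot tell the vendor key from the look-alike; the fingerprint check accepts only the one whose full fingerprint was pinned.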
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-23 14:25:04 UTC
GLSA Vote: No