Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201203-17 ] HPLIP: Multiple vulnerabilities
Date: Fri, 16 Mar 2012 12:40:50
Message-Id: 4F6333C9.9070509@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201203-17
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: HPLIP: Multiple vulnerabilities
9 Date: March 16, 2012
10 Bugs: #352085, #388655
11 ID: 201203-17
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in HPLIP, the worst of which
19 may allow execution of arbitrary code.
20
21 Background
22 ==========
23
24 The Hewlett-Packard Linux Imaging and Printing system (HPLIP) provides
25 drivers for HP's inkjet and laser printers, scanners and fax machines.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-print/hplip < 3.11.10 >= 3.11.10
34
35 Description
36 ===========
37
38 Two vulnerabilities have been found in HPLIP:
39
40 * The "hpmud_get_pml()" function in pml.c contains a boundary error
41 which could cause a stack-based buffer overflow (CVE-2010-4267).
42 * The "send_data_to_stdout()" function in hpcupsfax.cpp creates
43 insecure temporary files (CVE-2011-2722).
44
45 Impact
46 ======
47
48 A remote attacker might send specially crafted SNMP reponses, possibly
49 resulting in execution of arbitrary code or a Denial of Service
50 condition. Furthermore, a local attacker could perform symlink attacks
51 to overwrite arbitrary files.
52
53 Workaround
54 ==========
55
56 There is no known workaround at this time.
57
58 Resolution
59 ==========
60
61 All HPLIP users should upgrade to the latest version:
62
63 # emerge --sync
64 # emerge --ask --oneshot --verbose ">=net-print/hplip-3.11.10"
65
66 References
67 ==========
68
69 [ 1 ] CVE-2010-4267
70 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4267
71 [ 2 ] CVE-2011-2722
72 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2722
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-201203-17.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users' machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 https://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2012 Gentoo Foundation, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature