Bug 32701

Summary: hplip security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, marja11, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-32-OK MGA9-64-OK
Source RPM: hplip-3.23.8-2.mga10.src.rpm CVE:
Status comment: fixed in 3.23.12

Description Nicolas Salguero 2024-01-08 10:19:38 CET 
That issue was announced here:
https://www.openwall.com/lists/oss-security/2023/11/17/1

It is fixed in 3.23.12:
https://www.openwall.com/lists/oss-security/2024/01/04/1

Mageia 9 is also affected.
Nicolas Salguero 2024-01-08 10:20:02 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => hplip-3.23.8-2.mga10.src.rpm

Comment 1 Lewis Smith 2024-01-08 21:19:17 CET 
Different people maintain HPLIP, so assigning globally; but CC'ing DavidG who put up our latest version.

Status comment: (none) => fixed in 3.23.12
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2024-01-09 22:49:28 CET 
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
hplip-3.22.10-4.1.mga9
hplip-doc-3.22.10-4.1.mga9
hplip-gui-3.22.10-4.1.mga9
hplip-hpijs-3.22.10-4.1.mga9
hplip-hpijs-ppds-3.22.10-4.1.mga9
hplip-model-data-3.22.10-4.1.mga9
lib64hpip0-3.22.10-4.1.mga9
lib64hpip0-devel-3.22.10-4.1.mga9
lib64sane-hpaio1-3.22.10-4.1.mga9
libhpip0-3.22.10-4.1.mga9
libhpip0-devel-3.22.10-4.1.mga9
libsane-hpaio1-3.22.10-4.1.mga9

From SRPMS:
hplip-3.22.10-4.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs

PC LX 2024-01-10 00:19:01 CET

CC: (none) => mageia

Comment 3 Marja Van Waes 2024-01-10 13:28:13 CET 
Advisory with SRPM from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Marja Van Waes 2024-01-10 13:30:48 CET 
Setting version to 9, because hplip-3.23.12-1.mga10 with the fix was pushed to cauldron.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 5 Thomas Andrews 2024-01-12 01:13:12 CET 
I happened to have a new install of Mga9-64 that didn't have any printers yet. 

I used qarepo to get the hplip packages, then proceeded to use MCC to set up my printers. It installed system-config-printer and related packages, including task-printing-hp with the updated packages, with no issues.

Then I installed my three printers, a Color Laserjet CP1215(usb), a Deskjet 5650(usb), and an Envy Photo 7858(networked), printing a test page for each. Finally, I checked the 7858's scanner install, installing sane and related packages.

Leaving MCC, I successfully printed a page from each printer, and scanned a page with the scanner. That's about all I can do, and everything seemed OK.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2024-01-15 19:42:30 CET 
Mga9-32 Xfce on Foolishness, my Dell Inspiron 5100. I performed essentially the same tests as in comment 5, with the same results.

Giving this two OKs, and validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK

Comment 7 Mageia Robot 2024-01-16 10:40:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0013.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED