Bug 32701 - hplip security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-32-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-01-08 10:19 CET by Nicolas Salguero
Modified: 2024-01-16 10:40 CET

See Also:
Source RPM: hplip-3.23.8-2.mga10.src.rpm
CVE:
Status comment: fixed in 3.23.12



Description Nicolas Salguero 2024-01-08 10:19:38 CET
That issue was announced here:
https://www.openwall.com/lists/oss-security/2023/11/17/1

It is fixed in 3.23.12:
https://www.openwall.com/lists/oss-security/2024/01/04/1

Mageia 9 is also affected.
Nicolas Salguero 2024-01-08 10:20:02 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => hplip-3.23.8-2.mga10.src.rpm

Comment 1 Lewis Smith 2024-01-08 21:19:17 CET
Different people maintain HPLIP, so assigning globally; but CC'ing DavidG who put up our latest version.

Status comment: (none) => fixed in 3.23.12
CC: (none) => geiger.david68210
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2024-01-09 22:49:28 CET
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
hplip-3.22.10-4.1.mga9
hplip-doc-3.22.10-4.1.mga9
hplip-gui-3.22.10-4.1.mga9
hplip-hpijs-3.22.10-4.1.mga9
hplip-hpijs-ppds-3.22.10-4.1.mga9
hplip-model-data-3.22.10-4.1.mga9
lib64hpip0-3.22.10-4.1.mga9
lib64hpip0-devel-3.22.10-4.1.mga9
lib64sane-hpaio1-3.22.10-4.1.mga9
libhpip0-3.22.10-4.1.mga9
libhpip0-devel-3.22.10-4.1.mga9
libsane-hpaio1-3.22.10-4.1.mga9

From SRPMS:
hplip-3.22.10-4.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs

PC LX 2024-01-10 00:19:01 CET

CC: (none) => mageia

Comment 3 Marja Van Waes 2024-01-10 13:28:13 CET
Advisory with SRPM from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Marja Van Waes 2024-01-10 13:30:48 CET
Setting version to 9, because hplip-3.23.12-1.mga10 with the fix was pushed to cauldron.

Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 5 Thomas Andrews 2024-01-12 01:13:12 CET
I happened to have a new install of Mga9-64 that didn't have any printers yet. 

I used qarepo to get the hplip packages, then proceeded to use MCC to set up my printers. It installed system-config-printer and related packages, including task-printing-hp with the updated packages, with no issues.

Then I installed my three printers, a Color Laserjet CP1215(usb), a Deskjet 5650(usb), and an Envy Photo 7858(networked), printing a test page for each. Finally, I checked the 7858's scanner install, installing sane and related packages.

Leaving MCC, I successfully printed a page from each printer, and scanned a page with the scanner. That's about all I can do, and everything seemed OK.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2024-01-15 19:42:30 CET
Mga9-32 Xfce on Foolishness, my Dell Inspiron 5100. I performed essentially the same tests as in comment 5, with the same results.

Giving this two OKs, and validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-32-OK MGA9-64-OK

Comment 7 Mageia Robot 2024-01-16 10:40:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0013.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

