Dear LTS Team, I'd like to get CVE-2015-0839 fixed in wheezy, it's a no-DSA issue, and security team members suggested to get it fixed in stable and oldstable.
This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint. The debdiff is attached; can I upload as-is? Cheers, OdyX
diff -Nru hplip-3.12.6/debian/changelog hplip-3.12.6/debian/changelog --- hplip-3.12.6/debian/changelog 2013-12-10 13:54:58.000000000 +0100 +++ hplip-3.12.6/debian/changelog 2016-12-27 09:37:04.000000000 +0100 @@ -1,3 +1,11 @@ +hplip (3.12.6-3.1+deb7u2) stable-security; urgency=medium + + * Adapt CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key + fingerprint when fetching key from keyservers + (Closes: #787353, LP: #1432516) + + -- Didier Raboud <o...@debian.org> Tue, 27 Dec 2016 09:37:04 +0100 + hplip (3.12.6-3.1+deb7u1) stable-security; urgency=low * CVE-2013-4325 CVE-2013-6402 CVE-2013-6427 diff -Nru hplip-3.12.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.12.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch --- hplip-3.12.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 1970-01-01 01:00:00.000000000 +0100 +++ hplip-3.12.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 2016-12-27 09:37:04.000000000 +0100 
@@ -0,0 +1,18 @@ +Description: Use the full key fingerprint, to fix insecure binary driver verification +Bug-CVE: CVE-2015-0839 +Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516 +Bug-Debian: https://bugs.debian.org/787353 +Origin: vendor +Last-Update: 2015-07-15 + +--- a/installer/core_install.py ++++ b/installer/core_install.py +@@ -2227,7 +2227,7 @@ + gpg = utils.which('gpg') + if gpg: + gpg = os.path.join(gpg, 'gpg') +- cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9' % gpg ++ cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9' % gpg + log.info("Receiving digital keys: %s" % cmd) + status, output = self.run(cmd) + log.debug(output) diff -Nru hplip-3.12.6/debian/patches/series hplip-3.12.6/debian/patches/series --- hplip-3.12.6/debian/patches/series 2013-12-10 13:51:44.000000000 +0100 +++ hplip-3.12.6/debian/patches/series 2016-12-27 09:37:04.000000000 +0100 @@ -30,3 +30,4 @@ CVE-2013-4325.patch CVE-2013-6402.patch CVE-2013-6427.patch +cve-2015-0839-insecure-binary-driver-verification.patch
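Review bot: the distribution field in the first hunk's `+hplip (3.12.6-3.1+deb7u2) stable-security; urgency=medium` line does not match the upload described in the cover mail, which asks for a wheezy (LTS) fix; by the date of this entry wheezy is no longer stable, so `stable-security` would route the upload to the wrong suite and the field should name the suite actually targeted (wheezy-security for an LTS upload). The preceding deb7u1 entry used `stable-security` only because wheezy was stable at the time, so it is not a precedent to copy.

Review bot: the DEP-3 header in the new patch file says `Origin: vendor`, while the changelog describes the change as adapted from upstream's 3.15.7; if the hunk is taken from upstream, `Origin: upstream` or `Origin: backport` with the upstream reference is the accurate value, and `Last-Update: 2015-07-15` should reflect when this backport was prepared. On the content, the new `--recv-keys 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9` ends in A59047B9, matching the short id it replaces, so both lines refer to the same key. The hunk only changes key retrieval, though, and the diff does not show the later signature verification step in installer/core_install.py, so it is worth confirming that that step checks the signing key against this fingerprint rather than accepting any key present in the keyring; otherwise fetching by full fingerprint alone does not close the gap the patch description names.

Review bot: the `series` hunk mixes naming styles: the three existing entries follow the `CVE-2013-4325.patch` pattern while the new one is `cve-2015-0839-insecure-binary-driver-verification.patch`; consider naming it `CVE-2015-0839.patch` for consistency with the neighbouring entries (the file name in the `diff -Nru` header for the new patch would need to change to match).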