USN-674-1: HPLIP vulnerabilities

19 November 2008

hplip vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.04 LTS
  • Ubuntu 7.10
  • Ubuntu 6.06 LTS

Software Description

  • hplip

Details

It was discovered that the hpssd tool of hplip did not validate privileges in the alert-mailing function. A local attacker could exploit this to gain privileges and send e-mail messages from the account of the hplip user. This update alters hplip behaviour by preventing users from setting alerts and by moving alert configuration to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940)

It was discovered that the hpssd tool of hplip did not correctly handle certain commands. A local attacker could use a specially crafted packet to crash hpssd, leading to a denial of service. (CVE-2008-2941)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04 LTS
hplip - 2.8.2-0ubuntu8.1
Ubuntu 7.10
hplip - 2.7.7.dfsg.1-0ubuntu5.1
Ubuntu 6.06 LTS
hplip - 0.9.7-4ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References