Date: Wed, 19 Nov 2008 15:36:02 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-674-1] HPLIP vulnerabilities

===========================================================
Ubuntu Security Notice USN-674-1          November 19, 2008
hplip vulnerabilities
CVE-2008-2940, CVE-2008-2941
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  hplip                           0.9.7-4ubuntu1.1

Ubuntu 7.10:
  hplip                           2.7.7.dfsg.1-0ubuntu5.1

Ubuntu 8.04 LTS:
  hplip                           2.8.2-0ubuntu8.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the hpssd tool of hplip did not validate
privileges in the alert-mailing function. A local attacker could
exploit this to gain privileges and send e-mail messages from the
account of the hplip user. This update alters hplip behaviour by
preventing users from setting alerts and by moving alert configuration
to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940)

It was discovered that the hpssd tool of hplip did not correctly
handle certain commands. A local attacker could use a specially
crafted packet to crash hpssd, leading to a denial of service.
(CVE-2008-2941)


Updated packages for Ubuntu 6.06 LTS:


Updated packages for Ubuntu 7.10:


Updated packages for Ubuntu 8.04 LTS:


Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
