===========================================================
Ubuntu Security Notice USN-674-1          November 19, 2008
hplip vulnerabilities
CVE-2008-2940, CVE-2008-2941
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  hplip                           0.9.7-4ubuntu1.1

Ubuntu 7.10:
  hplip                           2.7.7.dfsg.1-0ubuntu5.1

Ubuntu 8.04 LTS:
  hplip                           2.8.2-0ubuntu8.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that the hpssd tool of hplip did not validate
privileges in the alert-mailing function. A local attacker could
exploit this to gain privileges and send e-mail messages from the
account of the hplip user. This update alters hplip behaviour by
preventing users from setting alerts and by moving alert
configuration to a root-controlled /etc/hp/alerts.conf file.
(CVE-2008-2940)

It was discovered that the hpssd tool of hplip did not correctly
handle certain commands. A local attacker could use a specially
crafted packet to crash hpssd, leading to a denial of service.
(CVE-2008-2941)