USN-674-1: HPLIP vulnerabilities

Ubuntu Security Notice USN-674-1

19th November, 2008

hplip vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 8.04 LTS
  • Ubuntu 7.10
  • Ubuntu 6.06 LTS

Software description

  • hplip

Details

It was discovered that the hpssd tool of hplip did not validate
privileges in the alert-mailing function. A local attacker could
exploit this to gain privileges and send e-mail messages from the
account of the hplip user. This update alters hplip behaviour by
preventing users from setting alerts and by moving alert configuration
to a root-controlled /etc/hp/alerts.conf file. (CVE-2008-2940)

It was discovered that the hpssd tool of hplip did not correctly
handle certain commands. A local attacker could use a specially
crafted packet to crash hpssd, leading to a denial of service.
(CVE-2008-2941)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 8.04 LTS:
hplip 2.8.2-0ubuntu8.1
Ubuntu 7.10:
hplip 2.7.7.dfsg.1-0ubuntu5.1
Ubuntu 6.06 LTS:
hplip 0.9.7-4ubuntu1.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2008-2940, CVE-2008-2941