HPLIP: Multiple vulnerabilities
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 201203-17 / hplip |
| Release Date | March 16, 2012 |
| Latest Revision | March 16, 2012: 1 |
| Impact | high |
| Exploitable | local, remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-print/hplip | < 3.11.10 | >= 3.11.10 | All supported architectures |

Related bug reports: #352085, #388655
Synopsis
Multiple vulnerabilities have been found in HPLIP, the worst of
which may allow execution of arbitrary code.
2. Impact Information
Background
The Hewlett-Packard Linux Imaging and Printing system (HPLIP) provides
drivers for HP's inkjet and laser printers, scanners and fax machines.
Description
Two vulnerabilities have been found in HPLIP:
- The "hpmud_get_pml()" function in pml.c contains a boundary error
which could cause a stack-based buffer overflow (CVE-2010-4267).
- The "send_data_to_stdout()" function in hpcupsfax.cpp creates
insecure temporary files (CVE-2011-2722).
Impact
A remote attacker might send specially crafted SNMP responses, possibly
resulting in execution of arbitrary code or a Denial of Service
condition. Furthermore, a local attacker could perform symlink attacks to
overwrite arbitrary files.
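
The symlink problem behind insecure temporary files, shown as an added example that is not HPLIP's code: a writer that opens a guessable name with fopen() follows a pre-planted symlink and overwrites its target, while an exclusive create refuses. The file names "victim" and "spool.out", the sample contents and the scratch directory are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ORIGINAL "important contents\n"   /* constructed sample data */
#define PAYLOAD  "fax data\n"             /* constructed sample data */

/* Weak pattern: fopen("w") follows a symlink planted at a guessable name. */
static int write_predictable(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(PAYLOAD, f);
    return fclose(f);
}

/* Hardened: O_EXCL fails if the name already exists, symlinks included. */
static int write_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, PAYLOAD, strlen(PAYLOAD));
    close(fd);
    return n == (ssize_t)strlen(PAYLOAD) ? 0 : -1;
}

/* In a private scratch dir, point "spool.out" at "victim", run one writer,
 * and return 1 if the victim file still holds ORIGINAL, 0 if overwritten. */
int victim_intact(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], spool[64], buf[64] = "";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(spool, sizeof spool, "%s/spool.out", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs(ORIGINAL, f); fclose(f);
    if (symlink("victim", spool) != 0) return -1;
    if (hardened) write_exclusive(spool); else write_predictable(spool);
    if ((f = fopen(victim, "r"))) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    unlink(spool); unlink(victim); rmdir(dir);
    return strcmp(buf, ORIGINAL) == 0;
}

int main(void) {
    printf("predictable name: victim intact = %d\n", victim_intact(0));
    printf("O_EXCL create:    victim intact = %d\n", victim_intact(1));
    return 0;
}
```

mkstemp() gives the same exclusive-create guarantee together with an unpredictable name, which is the usual choice for temporary files.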
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All HPLIP users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/hplip-3.11.10"
4. References