Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Dear RT,

I'd like to get CVE-2015-0839 fixed in jessie; it's a no-DSA issue, and security team members suggested getting it fixed through stable updates.

This bug is a simple "fetching a gpg key from keyservers with a short keyid" problem, and upstream's fix is to use the full fingerprint.

The debdiff is attached.

Cheers,
OdyX
diff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog --- hplip-3.14.6/debian/changelog 2014-06-15 09:24:19.000000000 +0200 +++ hplip-3.14.6/debian/changelog 2016-12-27 09:13:54.000000000 +0100 @@ -1,3 +1,11 @@ +hplip (3.14.6-1+deb8u1) stable; urgency=medium + + * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key + fingerprint when fetching key from keyservers + (Closes: #787353, LP: #1432516) + + -- Didier Raboud <o...@debian.org> Tue, 27 Dec 2016 09:13:54 +0100 + hplip (3.14.6-1) unstable; urgency=low * New upstream release diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch --- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 1970-01-01 01:00:00.000000000 +0100 +++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 2016-12-27 09:10:11.000000000 +0100 @@ -0,0 +1,19 @@ +Description: Use the full key fingerprint, to fix insecure binary driver verification +Bug-CVE: CVE-2015-0839 +Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516 +Bug-Debian: https://bugs.debian.org/787353 +Origin: vendor +Last-Update: 2015-07-15 + +--- a/base/validation.py ++++ b/base/validation.py +@@ -40,8 +40,7 @@ + + + class GPG_Verification(DigiSign_Verification): +- +- def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9): ++ def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9): + self.__pgp_site = pgp_site + self.__key = key + self.__gpg = utils.which('gpg',True) diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series --- hplip-3.14.6/debian/patches/series 2014-04-04 17:05:13.000000000 +0200 +++ hplip-3.14.6/debian/patches/series 2016-12-27 09:04:13.000000000 +0100 
@@ -18,3 +18,4 @@ #hp-mkuri-libnotify-so-4-support.dpatch hpaio-option-duplex.diff musb-c-do-not-crash-on-usb-failure.patch +cve-2015-0839-insecure-binary-driver-verification.patch
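Review bot: In the debian/patches hunk, the DEP-3 header says `Origin: vendor` while the changelog entry describes the change as a backport of upstream's 3.15.7 fix; `Origin: backport` (ideally with the upstream commit or release URL) would record that accurately. On the base/validation.py change itself, the new default `0x4ABA2F66DBD5A95894910E0673D770CDA59047B9` is a 160-bit fingerprint whose low 32 bits are the old short ID `A59047B9`, so the pinned key is unchanged and only its identification is tightened; because `key` remains an integer, wherever it is rendered to hex for gpg the formatting must keep all 40 digits (zero-padded) for the fix to take effect, which is worth confirming against the rest of base/validation.py before upload.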
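To illustrate why the patch matters, here is an added example (not hplip's code) that checks keyserver results against a pinned full fingerprint rather than a 32-bit short key ID. The `gpg --with-colons` listing is constructed, and the second key in it is a made-up colliding key; only the 0x4ABA...47B9 fingerprint comes from the patch.

```python
"""Pinned-fingerprint check in the spirit of the CVE-2015-0839 fix.

Added example, not hplip's own code. The gpg listing below is constructed;
only the 0x4ABA...47B9 fingerprint is taken from the debdiff above.
"""
from __future__ import annotations

PINNED_KEY = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9  # full fingerprint, as in the patch
SHORT_KEY = 0xA59047B9                                     # the old 32-bit default

# Constructed `gpg --with-colons --fingerprint` output: two keys whose
# fingerprints share the same trailing 32 bits (the same short key ID).
# The second key is invented to show the ambiguity; it is not a real key.
SAMPLE_LISTING = """\
pub:-:1024:17:73D770CDA59047B9:1091054977:::-:::scESC:
fpr:::::::::4ABA2F66DBD5A95894910E0673D770CDA59047B9:
pub:-:2048:1:FEDCBA98A59047B9:1426377600:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567FEDCBA98A59047B9:
"""


def fingerprint_hex(key: int) -> str:
    """Render an int-typed fingerprint (as the patch stores it) as 40 hex digits.

    Zero padding matters: a fingerprint whose leading nibble is zero would
    otherwise come out shorter than 40 digits and never match.
    """
    return f"{key:040X}"


def parse_fingerprints(listing: str) -> list[str]:
    """Collect fingerprints from `fpr` records (field 10 of --with-colons output)."""
    fprs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9].upper())
    return fprs


def matches_short_id(fprs: list[str], short_key: int) -> list[str]:
    """Old behaviour: every key whose low 32 bits equal the short ID is a candidate."""
    suffix = f"{short_key:08X}"
    return [f for f in fprs if f.endswith(suffix)]


def verify_pinned(fprs: list[str], pinned_key: int) -> bool:
    """Fixed behaviour: accept only if the exact pinned fingerprint was fetched."""
    return fingerprint_hex(pinned_key) in fprs
```

Run against the constructed listing, the short-ID lookup returns two candidate keys while the pinned-fingerprint check accepts exactly the HPLIP key.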