CVE-2013-6427

Priority
Low
Description
upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing
(HPLIP) 3.x through 3.13.11 launches a program from an http URL, which
allows man-in-the-middle attackers to execute arbitrary code by gaining
control over the client-server data stream.
References
Bugs
Notes
mdeslaur> Precise and earlier don't have the upgrade.py file.
mdeslaur> In Quantal, Raring, Saucy and Trusty, upgrade.py actually bails
mdeslaur> out because the specific Ubuntu version isn't marked as
mdeslaur> "supported" in distros.dat, so even if this script is run as
mdeslaur> root, it doesn't do anything, thankfully.
Assigned-to
mdeslaur
Package
Source: hplip (LP Ubuntu Debian)
Upstream: needed
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (code not present)
Ubuntu 12.04 LTS (Precise Pangolin): not-affected (code not present)
Ubuntu 12.10 (Quantal Quetzal): released (3.12.6-3ubuntu4.3)
Ubuntu 13.04 (Raring Ringtail): ignored (reached end-of-life)
Ubuntu 13.10 (Saucy Salamander): released (3.13.9-1ubuntu0.1)
Ubuntu 14.04 LTS (Trusty Tahr): released (3.13.11-1ubuntu1)
More Information
Updated: 2014-01-21 15:14:34 UTC (commit 7666)