CVE-2013-6427
Published: 9 December 2013
upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing (HPLIP) 3.x through 3.13.11 launches a program from an http URL, which allows man-in-the-middle attackers to execute arbitrary code by gaining control over the client-server data stream.
Notes
Author | Note |
---|---|
mdeslaur | Precise and earlier don't have the upgrade.py file. In Quantal, Raring, Saucy and Trusty, upgrade.py actually bails out because the specific Ubuntu version isn't marked as "supported" in distros.dat, so even if this script is run as root, it doesn't do anything, thankfully. |