diff -Nru hplip-3.14.3/debian/changelog hplip-3.14.3/debian/changelog --- hplip-3.14.3/debian/changelog 2014-04-04 14:59:23.000000000 +0000 +++ hplip-3.14.3/debian/changelog 2015-07-30 12:45:42.000000000 +0000 @@ -1,3 +1,29 @@ +hplip (3.14.3-0ubuntu3.4) trusty-security; urgency=medium + + * SECURITY UPDATE: insecure use of short gpg key id + - debian/patches/CVE-2015-0839.patch: use long key id in + base/validation.py, base/utils.py, installer/pluginhandler.py. + - CVE-2015-0839 + * This package does _not_ contain the changes from 3.14.3-0ubuntu3.3 in + trusty-proposed. + + -- Marc Deslauriers Thu, 30 Jul 2015 08:30:50 -0400 + +hplip (3.14.3-0ubuntu3.2) trusty-proposed; urgency=low + + * debian/rules: Corrected copy-and-paste error in previous release which + deactivated hpcups printer support completely (LP: #1311697). + + -- Till Kamppeter Wed, 7 May 2014 12:40:00 +0200 + +hplip (3.14.3-0ubuntu3.1) trusty-proposed; urgency=low + + * debian/rules: Remove hpcups support for the HP Officejet Pro K550 as it is + known to not work. This way hpijs (which works) will be used (LP: #981473, + LP: #1311697). + + -- Till Kamppeter Tue, 29 Apr 2014 12:06:00 +0200 + hplip (3.14.3-0ubuntu3) trusty; urgency=low * debian/patches/musb-c-do-not-crash-on-usb-failure.patch: Make sure that diff -Nru hplip-3.14.3/debian/control hplip-3.14.3/debian/control --- hplip-3.14.3/debian/control 2014-01-09 19:59:12.000000000 +0000 +++ hplip-3.14.3/debian/control 2015-07-30 12:32:24.000000000 +0000 
@@ -1,7 +1,8 @@ Source: hplip Section: utils Priority: optional -Maintainer: Debian HPIJS and HPLIP maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian HPIJS and HPLIP maintainers Uploaders: Mark Purcell , Till Kamppeter Build-Depends: libcups2-dev, libcupsimage2-dev, libsane-dev, libsnmp-dev, libjpeg-dev, libusb-1.0-0-dev [linux-any], libusb2-dev [kfreebsd-any], libusb-dev [!linux-any !kfreebsd-any], diff -Nru hplip-3.14.3/debian/patches/CVE-2015-0839.patch hplip-3.14.3/debian/patches/CVE-2015-0839.patch --- hplip-3.14.3/debian/patches/CVE-2015-0839.patch 1970-01-01 00:00:00.000000000 +0000 +++ hplip-3.14.3/debian/patches/CVE-2015-0839.patch 2015-07-30 12:45:10.000000000 +0000 
@@ -0,0 +1,43 @@ +Description: fix insecure use of short gpg key id +Origin: backport, from hplip 3.15.7 tarball +Bug: https://bugs.launchpad.net/bugs/1432516 + +Index: hplip-3.14.3/base/validation.py +=================================================================== +--- hplip-3.14.3.orig/base/validation.py 2015-07-30 08:30:44.407680044 -0400 ++++ hplip-3.14.3/base/validation.py 2015-07-30 08:30:44.403679996 -0400 +@@ -48,7 +48,7 @@ + + + class GPG_Verification(DigiSign_Verification): +- def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9): ++ def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9): + self.__pgp_site = pgp_site + self.__key = key + self.__gpg = utils.which('gpg',True) +Index: hplip-3.14.3/base/utils.py +=================================================================== +--- hplip-3.14.3.orig/base/utils.py 2015-07-30 08:23:01.000000000 -0400 ++++ hplip-3.14.3/base/utils.py 2015-07-30 08:45:04.589780076 -0400 +@@ -2262,7 +2262,7 @@ + + gpg = which('gpg',True) + if gpg: +- cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9' % gpg ++ cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9' % gpg + if passwordObj: + cmd = passwordObj.getAuthCmd()%cmd + +Index: hplip-3.14.3/installer/pluginhandler.py +=================================================================== +--- hplip-3.14.3.orig/installer/pluginhandler.py 2014-03-06 00:08:35.000000000 -0500 ++++ hplip-3.14.3/installer/pluginhandler.py 2015-07-30 08:44:55.761677187 -0400 +@@ -238,7 +238,7 @@ + + gpg = utils.which('gpg',True) + if gpg: +- cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9' % gpg ++ cmd = '%s --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9' % gpg + log.info("Receiving digital keys: %s" % cmd) + status, output = utils.run(cmd) + log.debug(output) diff -Nru 
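Review bot: The 40-hex-digit fingerprint is pasted as three separate literals — the `key` default in `base/validation.py` and the `--recv-keys` command strings in `base/utils.py` and `installer/pluginhandler.py` — so a future key rotation has to find all three; hoisting it into one constant (e.g. `HPLIP_KEY_FINGERPRINT = '4ABA2F66DBD5A95894910E0673D770CDA59047B9'` in `base/utils.py`, referenced by the other two sites) would keep them in sync. In `validation.py` the fingerprint is stored as an `int` rather than a string, which only round-trips to all 40 digits if the later formatting zero-pads; that formatting is outside this hunk, so it should be confirmed (this particular value starts with a non-zero nibble, which hides the problem). Requesting by full fingerprint closes the short-id collision, but the key is still fetched from `pgp.mit.edu` over the default keyserver transport at run time, and whether gpg rejects a returned key whose fingerprint differs from the one requested depends on the gpg version in use; shipping the public key in the package and importing it locally would remove that dependency. All three inner hunks are seven-line fragments, so `GPG_Verification.__init__` and the two functions that build `cmd` continue outside the hunk.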
hplip-3.14.3/debian/patches/series hplip-3.14.3/debian/patches/series --- hplip-3.14.3/debian/patches/series 2014-04-04 14:55:54.000000000 +0000 +++ hplip-3.14.3/debian/patches/series 2015-07-30 12:30:43.000000000 +0000 @@ -18,3 +18,4 @@ #hp-mkuri-libnotify-so-4-support.dpatch hpaio-option-duplex.diff musb-c-do-not-crash-on-usb-failure.patch +CVE-2015-0839.patch diff -Nru hplip-3.14.3/debian/rules hplip-3.14.3/debian/rules --- hplip-3.14.3/debian/rules 2014-03-27 16:46:53.000000000 +0000 +++ hplip-3.14.3/debian/rules 2014-05-07 10:57:55.000000000 +0000 @@ -176,6 +176,13 @@ # 487695) sh debian/local/make-duplex-page-sizes-default.sh $(PKGTMP)/usr/share/cups/drv/hpcups.drv + # Remove hpcups support for the HP Officejet Pro K550 as it is known + # to not work. This way hpijs (which works) will be used (Ubuntu bugs + # #981473, #1311697) + perl -e '$$content = join("", <>); $$content =~ s:^\s*\{[^\n]*?\n[^\n]*?pro.k550.*?\}\s*\n::ism; print $$content' $(PKGTMP)/usr/share/cups/drv/hpcups.drv > $(PKGTMP)/usr/share/cups/drv/hpcups.drv.new + rm $(PKGTMP)/usr/share/cups/drv/hpcups.drv + mv $(PKGTMP)/usr/share/cups/drv/hpcups.drv.new $(PKGTMP)/usr/share/cups/drv/hpcups.drv + # Modify all Ghostscript command lines to have the "-dNOINTERPOLATE" # coomand line option. This makes rendering the pages much faster perl -p -i -e "s/(\-sDEVICE=)/-dNOINTERPOLATE \1/" $(PKGTMP)/usr/share/cups/drv/hpijs.drv $(PKGTMP)/usr/lib/cups/filter/pstotiff
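Review bot: The perl rewrite of hpcups.drv never checks that the K550 pattern matched, so if the entry's layout differs from a `{` line followed by `pro.k550` on the next line the substitution is a silent no-op, the build succeeds and the known-broken hpcups entry ships anyway; since `s///` returns the replacement count, `$$content =~ s:^\s*\{[^\n]*?\n[^\n]*?pro.k550.*?\}\s*\n::ism or die "K550 entry not found";` would fail the build instead. The lazy `.*?\}` stops at the first closing brace after `k550`, which would truncate the entry if that block contains nested braces (not visible here, so worth confirming against the drv file). The `rm` followed by `mv` can be a single `mv -f` of the `.new` file over the original. The recipe these lines belong to begins before the hunk.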