Accepting request 209404 from home:jsmeix:branches:Printing

disabled hp-upgrade/upgrade.py for security reasons (bnc#853405)

OBS-URL: https://build.opensuse.org/request/show/209404
OBS-URL: https://build.opensuse.org/package/show/Printing/hplip?expand=0&rev=86

disable_hp-upgrade.patch

@@ -0,0 +1,14 @@
+--- upgrade.py.orig	2013-10-31 12:46:54.000000000 +0100
++++ upgrade.py	2013-12-04 14:58:03.000000000 +0100
+@@ -134,6 +134,11 @@ except getopt.GetoptError, e:
+ if os.getenv("HPLIP_DEBUG"):
+     log.set_level('debug')
+ 
++
++log.error("HPLIP upgrade is disabled by openSUSE for security reasons, see https://bugzilla.novell.com/show_bug.cgi?id=853405 - if you like to upgrade HPLIP, use an openSUSE software package manager like YaST or zypper.")
++clean_exit(1)
++
++
+ for o, a in opts:
+     if o in ('-h', '--help'):
+         usage()

hplip.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec  4 14:25:51 CET 2013 - jsmeix@suse.de
+
+- disable_hp-upgrade.patch disables hp-upgrade/upgrade.py for
+  security reasons (bnc#853405). To upgrade HPLIP an openSUSE
+  software package manager like YaST or zypper should be used.
+
 -------------------------------------------------------------------
 Tue Nov 26 19:33:01 UTC 2013 - mailaender@opensuse.org
 

hplip.spec

@@ -114,6 +114,10 @@ Patch104:       do_not_open_mdns_port.diff
 # the add_group function that would add the groups ('lp') to user which
 # would cause security issues see https://bugs.launchpad.net/bugs/1197416
 # which is no longer needed because there is no longer that "chgrp" stuff in HPLIP version 3.13.10.
+# Patch106 disable_hp-upgrade.patch disables hp-upgrade/upgrade.py for security reasons,
+# see https://bugzilla.novell.com/show_bug.cgi?id=853405
+# To upgrade HPLIP an openSUSE software package manager like YaST or zypper should be used.
+Patch106:       disable_hp-upgrade.patch
 # Install into this non-root directory (required when norootforbuild is used):
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         coreutils
@@ -125,7 +129,8 @@ PreReq:         /usr/bin/find
 # The exact matching version-release of the sub-package is available on the same
 # repository where the main-package is (compare the "Recommends: hplip" entry below).
 Requires:       %{name}-hpijs = %{version}-%{release}
-# Same rationale for the sane subpackage.
+# Require the exact matching version-release of the sane sub-package to make sure
+# to have the exact matching version of libsane-hpaio installed:
 Requires:       %{name}-sane = %{version}-%{release}
 # Because foomatic-rip-hplip has CVE-2011-2697 (bnc#698451)
 # plus a leftover in CVE-2004-0801 (bnc#59233)
@@ -318,7 +323,11 @@ with the scan drivers in HPLIP for standard HP all-in-one printers.
 %package devel
 Summary:        Development files for hplip
 Group:          Development/Languages/C and C++
+# Require the exact matching version-release of the hpijs sub-package to make sure
+# to have the exact matching version of libhpip and libhpmud installed:
 Requires:       %{name}-hpijs = %{version}-%{release}
+# Require the exact matching version-release of the sane sub-package to make sure
+# to have the exact matching version of libsane-hpaio installed:
 Requires:       %{name}-sane = %{version}-%{release}
 
 %description devel
@@ -338,6 +347,10 @@ This sub-package is only required by developers.
 # in distros.dat for SUSE distros to avoid security issues when ports in the firewall
 # get opened. see https://bugs.launchpad.net/bugs/426161
 %patch104 -b .do_not_open_mdns_port.orig
+# Patch106 disable_hp-upgrade.patch disables hp-upgrade/upgrade.py for security reasons,
+# see https://bugzilla.novell.com/show_bug.cgi?id=853405
+# To upgrade HPLIP an openSUSE software package manager like YaST or zypper should be used.
+%patch106 -b .disable_hp-upgrade.orig
 
 %build
 # If AUTOMAKE='automake --foreign' is not set, autoreconf (in fact automake)