From 5031afc5dbfcc3d09b9595f59130ed1b4ea0befe1fe0222866346eaf41c448a2 Mon Sep 17 00:00:00 2001 From: Johannes Meixner Date: Wed, 24 Jun 2015 14:13:45 +0000 Subject: [PATCH] Accepting request 313567 from home:jsmeix:branches:Printing HPLIP version upgrade to 3.15.6 plus band-aid fix for CVE-2015-0839 (bsc#933191) OBS-URL: https://build.opensuse.org/request/show/313567 OBS-URL: https://build.opensuse.org/package/show/Printing/hplip?expand=0&rev=117 --- change-udev-rules.diff | 28 ++++++++++++++++++---------- hplip-3.15.4.tar.gz | 3 --- hplip-3.15.4.tar.gz.asc | 7 ------- hplip-3.15.6.CVE-2015-0839.patch | 21 +++++++++++++++++++++ hplip-3.15.6.tar.gz | 3 +++ hplip-3.15.6.tar.gz.asc | 7 +++++++ hplip.changes | 26 ++++++++++++++++++++++++++ hplip.spec | 14 ++++++++++---- 8 files changed, 85 insertions(+), 24 deletions(-) delete mode 100644 hplip-3.15.4.tar.gz delete mode 100644 hplip-3.15.4.tar.gz.asc create mode 100644 hplip-3.15.6.CVE-2015-0839.patch create mode 100644 hplip-3.15.6.tar.gz create mode 100644 hplip-3.15.6.tar.gz.asc diff --git a/change-udev-rules.diff b/change-udev-rules.diff index 44ebc36..4ad8545 100644 --- a/change-udev-rules.diff +++ b/change-udev-rules.diff @@ -1,7 +1,8 @@ ---- data/rules/56-hpmud.rules.orig 2014-03-28 20:51:31.600138795 +0100 -+++ data/rules/56-hpmud.rules 2014-03-28 21:29:10.461761052 +0100 -@@ -1,9 +1,31 @@ +--- data/rules/56-hpmud.rules.orig 2015-06-07 21:25:22.000000000 +0200 ++++ data/rules/56-hpmud.rules 2015-06-24 12:35:25.000000000 +0200 +@@ -1,18 +1,50 @@ # HPLIP udev rules file. Notify console user if plugin support is required for this device. ++# +# SUSE changed: +# +# Exchanged the rule to GOTO hpmud_usb_rules if SUBSYSTEM is "usb" 
@@ -12,7 +13,7 @@ +# if SUBSYSTEM is not "usb" or if ENV{DEVTYPE} is not "usb_device" or if SUBSYSTEM is not "ppdev" +# to avoid that the hpmud_usb_rules are needlessly processed. +# -+# The rule to automatically "add the printer and install plugin" is disabled ++# The rule to automatically "check ... plugin status" is disabled +# because automated installation of non-free proprietary third-party software +# (here the plugin from HP) should not happen and it can cause whatever kind +# of strange behaviour see for example https://bugs.launchpad.net/bugs/1197416 @@ -20,10 +21,12 @@ +# while in contrast manual printer setup via hp-setup usually "just works" +# and it is clear for the user what goes on and in case of failure what went wrong. +# -+# Because the rule to automatically "add the printer and install plugin" ++# Because the rule to automatically "check ... plugin status" +# is also used to upload firmware into printers that need it +# see https://bugs.launchpad.net/bugs/1220628 +# a rule that only uploads firmware into printers that need it is added. ++# ++# If possible activate hpaio backend support in /etc/sane.d/dll.conf. ACTION!="add", GOTO="hpmud_rules_end" -SUBSYSTEM=="ppdev", OWNER="root", GROUP="lp", MODE="0664" 
@@ -34,15 +37,20 @@ LABEL="hpmud_usb_rules" -@@ -12,7 +34,10 @@ + ENV{ID_USB_INTERFACES}=="", IMPORT{builtin}="usb_id" + # ENV{ID_HPLIP}="1" is for Ubuntu udev-acl + ATTR{idVendor}=="03f0", ENV{ID_USB_INTERFACES}=="*:0701??:*|*:08????:", OWNER="root", GROUP="lp", MODE="0664", ENV{libsane_matched}="yes", ENV{hp_test}="yes", ENV{ID_HPLIP}="1" # This rule will check the smart install feature, plugin status and firmware download for the required printers. --ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/python /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi &'" -+#ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c 'if [ -f /usr/bin/systemctl ]; then /usr/bin/systemctl --no-block start hplip-printer@$env{BUSNUM}:$env{DEVNUM}.service; else /usr/bin/nohup /usr/bin/python /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM} ; fi &'" +-ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c '/usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM}'" ++#ENV{hp_test}=="yes", PROGRAM="/bin/sh -c 'logger -p user.info loading HP Device $env{BUSNUM} $env{DEVNUM}'", RUN+="/bin/sh -c '/usr/bin/nohup /usr/bin/hp-config_usb_printer $env{BUSNUM}:$env{DEVNUM}'" + +# This rule uploads firmware to HP USB printer devices if needed: +ENV{hp_test}=="yes", PROGRAM="/bin/logger -p user.info udev hpmud.rules runs hp-firmware to test if HP device with USB vendor ID $attr{idVendor} and USB product ID $attr{idProduct} at USB bus ID $env{BUSNUM} and USB device ID $env{DEVNUM} needs firmware and if yes to upload it", RUN+="/usr/bin/hp-firmware -s $env{BUSNUM}:$env{DEVNUM}" ++ ++# If possible 
activate hpaio backend support in /etc/sane.d/dll.conf: ++ENV{libsane_matched}=="yes", RUN+="/bin/sh -c 'if test -w /etc/sane.d/dll.conf ; then sed -i -e /hpaio/d /etc/sane.d/dll.conf ; echo hpaio >>/etc/sane.d/dll.conf ; fi'" - # If sane-bankends is installed add hpaio backend support to dll.conf if needed. - ENV{sane_hpaio}=="yes", RUN+="/bin/sh -c 'grep -q ^#hpaio /etc/sane.d/dll.conf;if [ $$? -eq 0 ];then sed -i -e s/^#hpaio/hpaio/ /etc/sane.d/dll.conf;else grep -q ^hpaio /etc/sane.d/dll.conf;if [ $$? -ne 0 ];then echo hpaio >>/etc/sane.d/dll.conf;fi;fi'" + LABEL="hpmud_rules_end" ++ diff --git a/hplip-3.15.4.tar.gz b/hplip-3.15.4.tar.gz deleted file mode 100644 index 7a7bba2..0000000 --- a/hplip-3.15.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a3872f17690f2bfafbe025cea524b933260c81349b91083c465600705d8c3e68 -size 21926172 diff --git a/hplip-3.15.4.tar.gz.asc b/hplip-3.15.4.tar.gz.asc deleted file mode 100644 index 16ca756..0000000 --- a/hplip-3.15.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iEYEABECAAYFAlUs5JkACgkQc9dwzaWQR7kX6QCfQrjES2UQSQNadZD7kT+SyeFr -9woAoKJjGtKRmFF7tucUCxZN/uBmLsNe -=RtGm ------END PGP SIGNATURE----- diff --git a/hplip-3.15.6.CVE-2015-0839.patch b/hplip-3.15.6.CVE-2015-0839.patch new file mode 100644 index 0000000..537969e --- /dev/null +++ b/hplip-3.15.6.CVE-2015-0839.patch 
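Review bot: The new `ENV{libsane_matched}=="yes"` rule at the end of this hunk rewrites /etc/sane.d/dll.conf as root on every matching USB "add" event, and its `sed -i -e /hpaio/d` deletes every line that merely contains "hpaio" (a deliberately commented-out `#hpaio`, or a comment mentioning it) before appending, so an administrator's choice to disable the backend is silently overridden and the file is modified on each plug even when it already lists hpaio. The `test -w` guard does not limit this: udev RUN programs execute as root, for which `-w` is true for any existing file on a writable filesystem, so it is effectively only an existence check. The changelog in this same request lists "changes config files in udev rules" among the bugs upstream fixed in 3.15.6, and this rule reintroduces exactly that pattern on the SUSE side, so it deserves at least a comment saying why. I would make the rule idempotent and anchored, `RUN+="/bin/sh -c 'if test -f /etc/sane.d/dll.conf && ! grep -qx hpaio /etc/sane.d/dll.conf ; then echo hpaio >>/etc/sane.d/dll.conf ; fi'"`, and if re-enabling a commented-out entry is really intended, do it with `sed -i -e s/^#hpaio$/hpaio/` rather than a bare substring delete. Whether `libsane_matched` is also set for HP devices that have no scanner unit I cannot tell from the `*:0701??:*|*:08????:` interface match alone; if it is, plain printers trigger the edit too.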
@@ -0,0 +1,21 @@
+From: Andreas Stieger
+Date: Fri, 19 Jun 2015 13:26:52 +0200
+Subject: [PATCH] use 0xlong key ID
+Upstream: via package maintainer
+References: https://bugzilla.suse.com/show_bug.cgi?id=933191 CVE-2015-0839
+
+Use 0xlong key ID, short of shipping the key or full fingerprint.
+
+Index: hplip-3.15.6/base/validation.py
+===================================================================
+--- hplip-3.15.6.orig/base/validation.py
++++ hplip-3.15.6/base/validation.py
+@@ -42,7 +42,7 @@ class DigiSign_Verification(object):
+
+
+ class GPG_Verification(DigiSign_Verification):
+- def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9):
++ def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x73D770CDA59047B9):
+ self.__pgp_site = pgp_site
+ self.__key = key
+ self.__gpg = utils.which('gpg',True)
diff --git a/hplip-3.15.6.tar.gz b/hplip-3.15.6.tar.gz
new file mode 100644
index 0000000..fcb7cdd
--- /dev/null
+++ b/hplip-3.15.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30c513ee65aa5b342d8074ff89439c0827c35191683727335738d8bc0f9776c9
+size 21956752
diff --git a/hplip-3.15.6.tar.gz.asc b/hplip-3.15.6.tar.gz.asc
new file mode 100644
index 0000000..ba5828b
--- /dev/null
+++ b/hplip-3.15.6.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+iEYEABECAAYFAlV0nCUACgkQc9dwzaWQR7l9EQCgokW2aC+oyEJx2IbcQ0MHzZFB
+HZYAn2A+7AtDc6KuGCoe5THtlaVb2oUY
+=OTvD
+-----END PGP SIGNATURE-----
diff --git a/hplip.changes b/hplip.changes
index 070173b..15e620c 100644
--- a/hplip.changes
+++ b/hplip.changes
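Review bot: The new default `key = 0x73D770CDA59047B9` is still only the 64-bit long key ID, so a key fetched from `pgp.mit.edu` by that ID is accepted purely on an ID match and a crafted key with a colliding long ID would pass just as a short-ID collision did for CVE-2015-0839; the patch description concedes this ("short of shipping the key or full fingerprint"). If `self.__key` is later passed to `gpg --recv-keys` and matched against the signing key (its use is outside this hunk), gpg accepts the full 40-hex-digit fingerprint in the same position, so the default could carry the HPLIP signing key's fingerprint without other code changes; better still, ship the public key in the package and do not fetch it at all, since the HKP fetch is unauthenticated. At minimum the default should carry a comment such as `# 64-bit long key ID only: the full fingerprint or a shipped key is the complete fix for CVE-2015-0839`. The `GPG_Verification` class continues outside this hunk.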
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Wed Jun 24 11:48:49 CEST 2015 - jsmeix@suse.de
+
+- hplip-3.15.6.CVE-2015-0839.patch uses 0xlong key ID
+ (instead of the short key ID) for downloading the key
+ see https://bugs.launchpad.net/hplip/+bug/1432516
+ (CVE-2015-0839 bsc#933191).
+- Version upgrade to 3.15.6:
+ Added Support for the Following New Printers:
+ HP DeskJet 2130 All-in-One Printer series
+ HP DeskJet 2132 All-in-One Printer
+ HP Deskjet 2546B All-in-One Printer
+ HP Deskjet 2546P All-in-One Printer
+ HP Deskjet 2546R All-in-One Printer
+ HP DeskJet 3630 All-in-One Printer series
+ HP DeskJet 3632 All-in-One
+ HP Officejet 5744 e-All-in-One
+ Some bug fixes - in particular:
+ udev rules wrongly match on monitor hub, wrong invocation
+ of systemd unit, changes config files in udev rules
+ For details see
+ http://hplipopensource.com/hplip-web/release_notes.html
+- change-udev-rules.diff: Adapted for HPLIP 3.15.6.
+
 -------------------------------------------------------------------
 Tue May 19 17:04:45 CEST 2015 - jsmeix@suse.de
@@ -10,6 +34,8 @@ Tue May 19 17:04:45 CEST 2015 - jsmeix@suse.de
 by upstream projects in general, see "Parallel port printers"
 at https://en.opensuse.org/SDB:Installing_a_Printer
 - Version upgrade to 3.15.4:
+ Significant Changes:
+ HPLIP Plugin support for ARMv6,ARMv7 and aarch64 architectures
 Added Support for the Following New Printers:
 HP Color LaserJet Pro M252dw
 HP Color LaserJet Pro M252n
diff --git a/hplip.spec b/hplip.spec
index 5b83145..40b2c70 100644
--- a/hplip.spec
+++ b/hplip.spec
@@ -17,18 +17,18 @@ Name: hplip -Version: 3.15.4 +Version: 3.15.6 Release: 0 Summary: HP's Printing, Scanning, and Faxing Software License: BSD-3-Clause and GPL-2.0+ and MIT Group: Hardware/Printing Url: http://hplipopensource.com # Source0...Source9 is for sources from HP: -# URL for Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.15.4.tar.gz -# URL to verify Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.15.4.tar.gz.asc +# URL for Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.15.6.tar.gz +# URL to verify Source0: http://prdownloads.sourceforge.net/hplip/hplip-3.15.6.tar.gz.asc # How to verify Source0 see: http://hplipopensource.com/node/327 # For example: /usr/bin/gpg --keyserver pgp.mit.edu --recv-keys 0xA59047B9 -# /usr/bin/gpg --verify hplip-3.15.4.tar.gz.asc hplip-3.15.4.tar.gz +# /usr/bin/gpg --verify hplip-3.15.6.tar.gz.asc hplip-3.15.6.tar.gz # must result: Good signature from "HPLIP (HP Linux Imaging and Printing) " Source0: http://prdownloads.sourceforge.net/hplip/hplip-%{version}.tar.gz Source1: http://prdownloads.sourceforge.net/hplip/hplip-%{version}.tar.gz.asc @@ -84,6 +84,9 @@ Patch107: hplip-udev-rules-in-usr.patch # Patch108 add_missing_includes_and_define_GNU_SOURCE.patch adds missing '#include <...>' # and missing '#define _GNU_SOURCE' see https://bugs.launchpad.net/hplip/+bug/1456590 Patch108: add_missing_includes_and_define_GNU_SOURCE.patch +# Patch109 hplip-3.15.6.CVE-2015-0839.patch uses 0xlong key ID (instead of the short key ID) +# for downloading the key (bsc#933191 and https://bugs.launchpad.net/hplip/+bug/1432516): +Patch109: hplip-3.15.6.CVE-2015-0839.patch # HPLIP's Python module cupsext.so has a build-time dependancy on the CUPS version: # It needs symbols (like ippFirstAttribute, ippNextAttribute, ippSetOperation etc) # that are defined only in libcups.so version > 1.5. For backward compatibility 
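Review bot: The verification instructions kept in the `Source0` comment block of the first hunk still read `/usr/bin/gpg --keyserver pgp.mit.edu --recv-keys 0xA59047B9`, the 32-bit short key ID that Patch109 (declared in the second hunk) replaces precisely because of CVE-2015-0839, so a packager following them to check a new tarball would fetch the key by the collidable short ID while the shipped code no longer does. Change the comment to the long ID the patch uses, `# For example: /usr/bin/gpg --keyserver pgp.mit.edu --recv-keys 0x73D770CDA59047B9`, and add a line telling the packager to compare the full fingerprint from `gpg --fingerprint` with the one published at the "How to verify" URL before trusting a "Good signature" line, since `--recv-keys` by ID alone does not authenticate the key. A "Good signature" from an unverified key proves nothing about the tarball, so this comparison is the part of the procedure that actually matters.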
@@ -400,6 +403,9 @@ This sub-package is only required by developers. # Patch108 add_missing_includes_and_define_GNU_SOURCE.patch adds missing '#include <...>' # and missing '#define _GNU_SOURCE' see https://bugs.launchpad.net/hplip/+bug/1456590 %patch108 -b .add_missing_includes_and_define_GNU_SOURCE.orig +# Patch109 hplip-3.15.6.CVE-2015-0839.patch uses 0xlong key ID (instead of the short key ID) +# for downloading the key (bsc#933191 and https://bugs.launchpad.net/hplip/+bug/1432516): +%patch109 -p1 -b .CVE-2015-0839.orig %build # If AUTOMAKE='automake --foreign' is not set, autoreconf (in fact automake)