It was reported that the hp-plugin utility, included in the hplip package, downloads a binary driver and verifies it via a key specified by the key's short ID:

Downloading plug-in: [\ ] 0%
Receiving digital keys: /bin/gpg --homedir /home/test/.hplip/.gnupg --no-permission-warning --keyserver pgp.mit.edu --recv-keys 0xA59047B9

A man-in-the-middle attacker could use this flaw to generate a key with the expected short ID and trick a user into downloading a malicious binary.

Original report: http://seclists.org/oss-sec/2015/q2/581
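The weakness in the command above is that a 32-bit short ID selects a key, it does not authenticate one. The following added example (not code from hplip or from the bug report) shows how little a short ID pins down and how a pinned full fingerprint rejects a key whose low 32 bits merely collide. The only value taken from the report is 0xA59047B9; both fingerprints are constructed for the demonstration and are not the real hplip signing key.

```python
"""Short key IDs versus pinned fingerprints (added example, constructed data)."""
import re

# For v4 OpenPGP keys the key IDs are the low-order bits of the 160-bit
# fingerprint: short ID = last 32 bits (8 hex), long ID = last 64 bits (16 hex).
def normalize(hexstr: str) -> str:
    """Strip a 0x prefix, spaces and colons; upper-case the hex digits."""
    s = re.sub(r"[\s:]", "", hexstr).upper()
    return s[2:] if s.startswith("0X") else s

def classify_key_ref(ref: str) -> str:
    """Say how much of a key a --recv-keys style reference really identifies."""
    n = len(normalize(ref))
    return {8: "short-id (32 bits)", 16: "long-id (64 bits)",
            40: "fingerprint (160 bits)"}.get(n, "unknown")

def short_id(fingerprint: str) -> str:
    return normalize(fingerprint)[-8:]

def matches_short_id(fingerprint: str, expected_short: str) -> bool:
    """The check hp-plugin effectively relies on: only 32 bits are compared."""
    return short_id(fingerprint) == normalize(expected_short)

def matches_fingerprint(fingerprint: str, pinned: str) -> bool:
    """The hardened check: compare the entire 160-bit fingerprint."""
    return normalize(fingerprint) == normalize(pinned)

# Constructed fingerprints: the key the client should have pinned (PINNED)
# and an unrelated key whose last 32 bits happen to be the same (COLLIDER).
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF A590 47B9"
COLLIDER = "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 A590 47B9"

def evaluate(received: str) -> dict:
    """Run both checks on a key that came back from the keyserver."""
    return {"short_id_accepts": matches_short_id(received, "0xA59047B9"),
            "fingerprint_accepts": matches_fingerprint(received, PINNED)}

if __name__ == "__main__":
    print("--recv-keys 0xA59047B9 identifies a", classify_key_ref("0xA59047B9"))
    for name, key in (("genuine", PINNED), ("colliding", COLLIDER)):
        print(name, evaluate(key))
```

The colliding key passes the short-ID comparison but fails the fingerprint comparison, which is why a client should ship the full fingerprint of the signing key and compare against it after the fetch.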
Created hplip tracking bugs for this issue: Affects: fedora-all [bug 1227253]
Statement: This issue affects the version of hplip as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact; a future update may address this flaw. Furthermore, there is currently no upstream patch available to address this issue.
hplip-3.15.7-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
hplip-3.14.10-9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-0839