Bugtraq mailing list archives
FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr
From: security-officer () FreeBSD org (FreeBSD Security Officer)
Date: Mon, 25 Nov 1996 18:09:49 -0600
=============================================================================
FreeBSD-SA-96:18                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Buffer overflow in lpr

Category:       core
Module:         lpr
Announced:      1996-11-25
Affects:        FreeBSD 2.*
Corrected:      FreeBSD-current as of 1996/10/27
                FreeBSD-stable as of 1996/11/01
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:18/

=============================================================================

I.   Background

     The lpr program is used to print files. It is standard software
     in the FreeBSD operating system.

     This advisory is based on AUSCERT's advisory AA-96.12.
     The FreeBSD security-officers would like to thank AUSCERT
     for their efforts.

II.  Problem Description

     Due to its nature, the lpr program is setuid root. Unfortunately,
     the program does not do sufficient bounds checking on arguments
     which are supplied by users. As a result it is possible to
     overwrite the internal stack space of the program while it's
     executing. This can allow an intruder to execute arbitrary code
     by crafting a carefully designed argument to lpr. As lpr runs
     as root this allows intruders to run arbitrary commands as root.

III. Impact

     Local users can gain root privileges.

IV.  Workaround

     AUSCERT has developed a wrapper to help prevent lpr being
     exploited using this vulnerability. This wrapper, including
     installation instructions, can be found in
     ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.12.lpr.buffer.overrun.vul

V.   Solution

     Apply one of the following patches. Patches are provided for

        FreeBSD-current (before 1996/10/27) (SA-96:18-solution.current)
        FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and
        FreeBSD-stable (before 1996/11/01) (SA-96:18-solution.2xx)

     Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer () freebsd org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications () freebsd org
Security public discussion:     security () freebsd org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================
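Section IV refers to a wrapper that screens arguments before lpr runs. The sketch below is an added example of that idea, not AUSCERT's wrapper or FreeBSD code: it rejects any argument over a length cap, logs the attempt, and otherwise execs the real binary. The path /usr/bin/lpr.real, the 256-byte cap and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <syslog.h>
#include <unistd.h>

#define REAL_PROG   "/usr/bin/lpr.real" /* assumption: original binary moved here */
#define MAX_ARG_LEN 256                 /* assumption: cap chosen by the administrator */

/* Return 1 if s is longer than max_len; stops scanning at max_len + 1 bytes. */
static int too_long(const char *s, size_t max_len)
{
    for (size_t n = 0; s[n] != '\0'; n++)
        if (n >= max_len)
            return 1;
    return 0;
}

/* Return the index of the first missing or oversized argument, or -1 if all fit. */
int first_oversized_arg(int argc, char *const argv[], size_t max_len)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL || too_long(argv[i], max_len))
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAX_ARG_LEN);

    if (bad >= 0) {
        /* Record who tried it so the attempt is visible in the auth log. */
        openlog("lpr-wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_ALERT, "uid %ld: argument %d exceeds %d bytes, not running %s",
               (long)getuid(), bad, MAX_ARG_LEN, REAL_PROG);
        closelog();
        fprintf(stderr, "lpr: argument %d is too long\n", bad);
        return 1;
    }

    /* All arguments fit: hand over to the real program with argv unchanged. */
    execv(REAL_PROG, argv);
    perror(REAL_PROG);   /* reached only if execv failed */
    return 127;
}
```

The cap has to sit above the longest legitimate argument (file paths) and below the buffer sizes in the unpatched program, which the advisory does not state. A wrapper of this kind is a stopgap until the patches in section V are applied.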