Bugtraq mailing list archives
Re: Linux /usr/bin/lpc overflow
From: chotaire () HOTMAIL COM (-*- Chotaire -*-)
Date: Thu, 4 Feb 1999 22:20:16 +0100
On Wed, 3 Feb 1999, Denis Bucher wrote:
Under an installation of SuSE 5.1, I found lpc 4.0.3! Therefore I think 5.1 is not safe!
SuSE 5.0 goes like this:

pimmelchen /usr/sbin# ls -al lpc
-r-xr-sr-x 1 root lp 20468 Nov 25 1996 lpc
pimmelchen /usr/sbin# rpm -q -f lpc
lprold-3.0-1

It's quite interesting that I cannot determine the specific version number of lpc itself. Am I on chronic drugs or did they forget to mention it?

The latest online version of SuSE 6.0 (.S.u.S.E-disk-001.1999012511 at ftp.suse.com) tells us: lprold-3.0.1-37.src.rpm, which contains a 1997 version of the lpr package and a SuSE patch from December 1998. There is a file called README.SECURITY in it saying:

    This version of the line printer suite has been taken from the OpenBSD project. This version fixes numerous vulnerabilities which are present in other releases of these packages, including those announced in SNI-19.BSD.lpd.advisory, and numerous buffer overflow problems present in both the client programs and the lp daemon.

The lpc client itself is the following version:

/* $OpenBSD: lpc.c,v 1.5 1997/01/17 16:12:37 millert Exp $ */

The SuSE patch changes the following in the lpc subdirectory:

--- lpc/cmds.c +++ lpc/cmds.c Tue Dec 1 21:49:38 1998 @@ -181,7 +181,7 @@ printf("\tcannot open lock file\n"); goto out; } - if (!getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) { + if (!lpr_getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) { (void) fclose(fp); /* unlocks as well */ printf("\tno daemon to abort\n"); goto out; @@ -1101,7 +1101,7 @@ seteuid(uid); if (fp == NULL) continue; - while (getline(fp) > 0) + while (lpr_getline(fp) > 0) if (line[0] == 'P') break; (void) fclose(fp); --- lpd/lpd.c +++ lpd/lpd.c Wed Dec 2 19:44:13 1998 @@ -197,7 +197,7 @@ } #define mask(s) (1 << ((s) - 1)) omask = sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM)); - (void) umask(07); + (void) umask(S_IRWXO); signal(SIGHUP, mcleanup); signal(SIGINT, mcleanup); signal(SIGQUIT, mcleanup); @@ -316,6 +316,7 @@ if (lflag) syslog(LOG_INFO, "exiting"); unlink(_PATH_SOCKETNAME); + unlink(_PATH_MASTERLOCK); exit(0); }
@@ -481,6 +482,7 @@ } else free(buf); } + cgetclose(); } /* @@ -553,7 +555,7 @@ again: if (hostf) { #if __GNU_LIBRARY__ - 0 >= 6 - if (!__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY)) { + if (__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY)) { (void) fclose(hostf); return; }

I hope this information is interesting for someone. I am not in the mood to check into it, since I never used the lpd package for known reasons :) And by the way, real life is calling (girls, hehe).

Regards
Chotaire
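Review bot: in the first lpc/cmds.c hunk (@@ -181), renaming the one-argument getline(fp) to lpr_getline(fp) is the right fix for the clash with glibc's getline(3), which takes (char **, size_t *, FILE *); with both declarations visible the call either fails to compile or binds to the wrong function. The hunk shows only this call site, so the definition of lpr_getline and every remaining getline(fp) caller in the tree should be confirmed renamed in the same patch, otherwise the build breaks or silently mixes the two functions.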
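Review bot: the second lpc/cmds.c hunk (@@ -1101) is the same rename, but note that the two call sites test the result differently, `!lpr_getline(fp)` in the abort path and `lpr_getline(fp) > 0` in this loop, and both still read into the global `line` buffer; the renamed function must keep the old contract (positive on a line read, 0 at end of file) or one of the two tests changes meaning.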
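Review bot: in the lpd/lpd.c @@ -197 hunk, umask(07) to umask(S_IRWXO) is a readability change only: S_IRWXO is 0007, so the daemon's file-creation mask (strip all permission bits for others, keep owner and group) is unchanged. It deserves a changelog line saying so, so that it is not read as a hardening fix, and lpd.c must include <sys/stat.h> for the macro, which this hunk does not show.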
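Review bot: in the @@ -316 hunk, the added unlink(_PATH_MASTERLOCK) runs only in the signal-driven shutdown path wired up by the @@ -197 hunk (SIGHUP, SIGINT, SIGQUIT, SIGTERM), so a crash or SIGKILL still leaves the file behind; since the lock is held with flock() rather than by the file's existence (see the `flock(fileno(fp), LOCK_SH|LOCK_NB) == 0` test in cmds.c), a stale file is already harmless and this is tidy-up rather than a fix. Worth checking that a second lpd instance that failed to acquire the lock can never exit through this path and delete the running daemon's lock file.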
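Review bot: in the @@ -481 hunk, adding cgetclose() after the loop over printcap entries releases the descriptor and buffer that cgetent()/cgetnext() keep open, which in a long-lived daemon that re-reads printcap per request is a descriptor leak. The single line of context does not show whether the enclosing function has other return paths; each of them needs the same cgetclose(), or the leak remains on the error paths.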
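Review bot: the @@ -553 hunk inverts the access test to `if (__ivaliduser(...))` when `__GNU_LIBRARY__ - 0 >= 6`, i.e. on glibc, and this is the decision that lets a remote host talk to lpd, so the exact return convention matters: 4.4BSD's __ivaliduser returns 0 when the host is accepted and -1 otherwise, and the hunk relies on glibc's copy returning non-zero for an accepted host. __ivaliduser is a libc-internal symbol, not a documented API, so its convention can change between releases; a wrong sense here either locks out every host or lets every host through. The #if branch should carry a comment citing the glibc source it was checked against, and the change should be exercised with one host listed in the access file and one that is not.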