Re: L0pht Advisory: LPD, RH 4.x,5.x,6.x

[of () SECURITYFOCUS COM (Oliver Friedrichs)]

Theo de Raadt and myself spent some time back in 1997, when I worked for
SNI, identifying and fixing these vulnerabilities in the BSD derived lpd
subsystem.  All of the problems disclosed in the original SNI advisory
(now NAI) and the current l0pht advisory were solved at that point (in
the OpenBSD version). The original advisory can be found at:

http://www.nai.com/nai_labs/asp_set/advisory/20_bsd_lpd_adv.asp

At the point of the original advisory, more people started reviewing lpd,
and I believe even more problems were fixed, including a multitude of
buffer overflows.  Many other vendors were found to be vulnerable to these
problems as well, and as many as possible were contacted.  At one point
I'm sure that the general Linux lpd was also updated, but obviously this
was lost somewhere in time (and I don't know how Redhat decides what to
use).  Since most lpd implementations out there (in commercial operating
systems) are based on the BSD lpd, I would have no problem assuming that
many of these are still vulnerable.  Infact, I would suggest someone sit
down and review the changes made to the OpenBSD lpd, and make sure that
RedHat is up to date in that respect, even after this latest patch.

Oliver
securityfocus.com