Bugtraq mailing list archives

Format strings: bug #1: BSD-lpr

From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Tue, 26 Sep 2000 00:57:04 +0100

Hi,

INTRO
-----

Welcome to a short series of security bugs, all involving mistakes with
"user supplied format strings". This class of bug is very popular on
Bugtraq at the moment, so what an ideal time for a few examples.

BSD-lpr
-------

If we look into

lpr/lpd/printjob.c, we can find the following two lines of code

        if ((s = checkremote()))
                syslog(LOG_WARNING, s);

This is a classic format string mistake.

It may not be exploitable, because the failure strings returned by
checkremote() in lpr/common_source/common.c, do not contain much data that
a user could control.

However, it illustrates that format string bugs creep in everywhere, even
in code that gets syslog() calls correct the majority of the time, as is
the case with BSD-lpr.

Fix
---

OpenBSD ship BSD-lpr. Not only have they already fixed this in their CVS,
but they also offer web indexed CVS. They caught it independently as part
of their "format strings" audit.

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20

Conclusion
----------

The next format string bug in the series will be much more interesting.

Cheers
Chris

Current thread:

Format strings: bug #1: BSD-lpr Chris Evans (Sep 25)
- Re: Format strings: bug #1: BSD-lpr Kris Kennaway (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
  - Re: Format strings: bug #1: BSD-lpr Sean Winn (Sep 27)
- Re: Format strings: bug #1: BSD-lpr Jouko Pynn?nen (Sep 27)
  - Re: Format strings: bug #1: BSD-lpr Valdis Kletnieks (Sep 27)