The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Linux /usr/bin/lpc overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 4 Feb 1999 22:20:16 +0100
From: -*- Chotaire -*- <[email protected]>
To: [email protected]
Subject: Re: Linux /usr/bin/lpc overflow

On Wed, 3 Feb 1999, Denis Bucher wrote:

> Under an installation of SuSE 5.1, I found lpc 4.0.3 !
> Therefore I think 5.1 is not safe !

SuSE5.0 goes like this:

pimmelchen /usr/sbin# ls -al lpc
-r-xr-sr-x   1 root     lp          20468 Nov 25  1996 lpc
pimmelchen /usr/sbin# rpm -q -f lpc
lprold-3.0-1

It's quite interesting that I cannot determine the specific version number
of lpc itself. Am I on chronical drugs or did they forget to mention it?

The latest online version of SuSE6.0
(.S.u.S.E-disk-001.1999012511 at ftp.suse.com) tells us:

lprold-3.0.1-37.src.rpm

..which contains a 1997 version of the lpr package and a SuSE patch from
December 1998. There is a file called README.SECURITY in it saying:

This version of the line printer suite has been taken from the OpenBSD
project.  This version fixes numerous vulnerabilities which are present
in other releases of these packages.  Including those announced in
SNI-19.BSD.lpd.advisory, and numerous buffer overflow problems, present
in both the client programs and the lp daemon.

the lpc client itself is the following version:

/*      $OpenBSD: lpc.c,v 1.5 1997/01/17 16:12:37 millert Exp $ */

The SuSE patch changes the following in the lpc subdirectory:

--- lpc/cmds.c
+++ lpc/cmds.c  Tue Dec  1 21:49:38 1998
@@ -181,7 +181,7 @@
                printf("\tcannot open lock file\n");
                goto out;
        }
-       if (!getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
+       if (!lpr_getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
                (void) fclose(fp);      /* unlocks as well */
                printf("\tno daemon to abort\n");
                goto out;
@@ -1101,7 +1101,7 @@
                seteuid(uid);
                if (fp == NULL)
                        continue;
-               while (getline(fp) > 0)
+               while (lpr_getline(fp) > 0)
                        if (line[0] == 'P')
                                break;
                (void) fclose(fp);
--- lpd/lpd.c
+++ lpd/lpd.c   Wed Dec  2 19:44:13 1998
@@ -197,7 +197,7 @@
        }
 #define        mask(s) (1 << ((s) - 1))
        omask =
sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
-       (void) umask(07);
+       (void) umask(S_IRWXO);
        signal(SIGHUP, mcleanup);
        signal(SIGINT, mcleanup);
        signal(SIGQUIT, mcleanup);
@@ -316,6 +316,7 @@
        if (lflag)
                syslog(LOG_INFO, "exiting");
        unlink(_PATH_SOCKETNAME);
+       unlink(_PATH_MASTERLOCK);
        exit(0);
 }

@@ -481,6 +482,7 @@
                }
                else free(buf);
        }
+       cgetclose();
 }

 /*
@@ -553,7 +555,7 @@
 again:
        if (hostf) {
 #if __GNU_LIBRARY__ - 0 >= 6
-               if (!__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY,
DUMMY)) {
+               if (__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY))
{
                        (void) fclose(hostf);
                        return;
                }

I hope this information is interesting for someone. I am not in the mood
to check into it, since I never used the lpd package for known reasons :)
And by the way, reallife is calling (girls, hehe).


Regards
Chotaire

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру