Re: Linux /usr/bin/lpc overflow

From: -*- Chotaire -*- (chotaireat_private)
Date: Thu Feb 04 1999 - 13:20:16 PST


    On Wed, 3 Feb 1999, Denis Bucher wrote:
    
    > Under an installation of SuSE 5.1, I found lpc 4.0.3 !
    > Therefore I think 5.1 is not safe !
    
    SuSE5.0 goes like this:
    
    pimmelchen /usr/sbin# ls -al lpc
    -r-xr-sr-x   1 root     lp          20468 Nov 25  1996 lpc
    pimmelchen /usr/sbin# rpm -q -f lpc
    lprold-3.0-1
    
    It's quite interesting that I cannot determine the specific version number
    of lpc itself. Am I on chronic drugs or did they forget to mention it?
    
    The latest online version of SuSE6.0
    (.S.u.S.E-disk-001.1999012511 at ftp.suse.com) tells us:
    
    lprold-3.0.1-37.src.rpm
    
    ...which contains a 1997 version of the lpr package and a SuSE patch from
    December 1998. There is a file called README.SECURITY in it saying:
    
    This version of the line printer suite has been taken from the OpenBSD
    project.  This version fixes numerous vulnerabilities which are present
    in other releases of these packages.  Including those announced in
    SNI-19.BSD.lpd.advisory, and numerous buffer overflow problems, present
    in both the client programs and the lp daemon.
    
    The lpc client itself is the following version:
    
    /*      $OpenBSD: lpc.c,v 1.5 1997/01/17 16:12:37 millert Exp $ */
    
    The SuSE patch changes the following in the lpc subdirectory:
    
    --- lpc/cmds.c
    +++ lpc/cmds.c  Tue Dec  1 21:49:38 1998
    @@ -181,7 +181,7 @@
                    printf("\tcannot open lock file\n");
                    goto out;
            }
    -       if (!getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
    +       if (!lpr_getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
                    (void) fclose(fp);      /* unlocks as well */
                    printf("\tno daemon to abort\n");
                    goto out;
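    Review bot: the rename of getline() to lpr_getline() in the `if (!lpr_getline(fp) || flock(...) == 0)` test avoids a clash with glibc 2's getline(3), which has a different signature (char **, size_t *, FILE *) and would otherwise be silently called in place of lpr's own line reader; the definition and any prototype in a shared header must be renamed in the same patch, since neither is visible in this hunk. The lock test itself is unchanged: flock() returning 0 here means nobody else holds the lock, i.e. no daemon to abort.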
    @@ -1101,7 +1101,7 @@
                    seteuid(uid);
                    if (fp == NULL)
                            continue;
    -               while (getline(fp) > 0)
    +               while (lpr_getline(fp) > 0)
                            if (line[0] == 'P')
                                    break;
                    (void) fclose(fp);
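    Review bot: same rename as the previous hunk, and the `while (lpr_getline(fp) > 0)` loop keeps its existing semantics. Worth noting from the context lines: `seteuid(uid);` just above discards its return value in a setgid program; a failed privilege switch here would go unnoticed before the file is read, so checking the result (or at least casting it to void deliberately) would make the intent explicit.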
    --- lpd/lpd.c
    +++ lpd/lpd.c   Wed Dec  2 19:44:13 1998
    @@ -197,7 +197,7 @@
            }
     #define        mask(s) (1 << ((s) - 1))
            omask =
    sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
    -       (void) umask(07);
    +       (void) umask(S_IRWXO);
            signal(SIGHUP, mcleanup);
            signal(SIGINT, mcleanup);
            signal(SIGQUIT, mcleanup);
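    Review bot: replacing `(void) umask(07);` with `(void) umask(S_IRWXO);` is a readability change only, since S_IRWXO is 0007 and the mask is identical; the daemon's files are still created without any permissions for "other" but with group bits left to the creating call. Make sure <sys/stat.h> is included in lpd.c, otherwise S_IRWXO is undeclared. The surrounding sigblock()/mask() code is the old BSD signal interface; a later cleanup could move it to sigprocmask(), but that is outside this change.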
    @@ -316,6 +316,7 @@
            if (lflag)
                    syslog(LOG_INFO, "exiting");
            unlink(_PATH_SOCKETNAME);
    +       unlink(_PATH_MASTERLOCK);
            exit(0);
     }
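    Review bot: adding `unlink(_PATH_MASTERLOCK);` to mcleanup() means the master lock file no longer survives a clean daemon shutdown, which avoids a stale lock on restart. unlink() is async-signal-safe, so it is fine in a handler installed with signal(); the pre-existing syslog() call in the same handler is not, but that is not introduced here. A daemon killed with SIGKILL or crashing still leaves the file behind, so lpc's flock()-based "no daemon to abort" check in cmds.c remains the authoritative test, not the file's existence.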
    
    @@ -481,6 +482,7 @@
                    }
                    else free(buf);
            }
    +       cgetclose();
     }
    
     /*
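    Review bot: the added `cgetclose();` after the printcap iteration loop releases the getcap database handle and its buffer, so the daemon no longer holds the printcap file descriptor open for its whole lifetime and a subsequent cgetent()/cgetnext() sequence starts from a clean state. Its return value is ignored, which is acceptable here; just confirm the loop has no early return path that would skip the call, since only the loop's closing brace is visible in this hunk.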
    @@ -553,7 +555,7 @@
     again:
            if (hostf) {
     #if __GNU_LIBRARY__ - 0 >= 6
    -               if (!__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY,
    DUMMY)) {
    +               if (__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY))
    {
                            (void) fclose(hostf);
                            return;
                    }
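    Review bot: this hunk inverts the sense of the host check, from `if (!__ivaliduser(hostf, ...))` to `if (__ivaliduser(hostf, ...))`, on the glibc 2 path (`__GNU_LIBRARY__ - 0 >= 6`) only. Because the test decides whether the function returns early, getting the return convention wrong flips the access decision for every remote host, either refusing all of them or accepting ones not listed in the hosts file; in BSD libc __ivaliduser() returns 0 for a permitted host, and __ivaliduser is an undocumented double-underscore glibc internal, so the patch should state which convention it verified against and ideally stop depending on a private symbol. The cited SNI-19.BSD.lpd.advisory fixes make the correctness of this particular hunk the most security-relevant question in the whole patch.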
    
    I hope this information is interesting for someone. I am not in the mood
    to check into it, since I never used the lpd package for known reasons :)
    And by the way, real life is calling (girls, hehe).
    
    
    Regards
    Chotaire
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:41 PDT