3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
99 lines
3.3 KiB
Text
99 lines
3.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-97:02 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: Buffer overflow in lpd
|
|
|
|
Category: core
|
|
Module: lpd
|
|
Announced: 1997-03-26
|
|
Affects: FreeBSD 2.1.7 and earlier and FreeBSD 2.2 snapshots
|
|
before 1997/02/25 suffer from this problem.
|
|
Corrected: FreeBSD-current as of 1997/02/25
|
|
FreeBSD 2.2 as of 1997/02/25
|
|
FreeBSD 2.1.x as of 1997/02/25
|
|
FreeBSD only: yes
|
|
|
|
Patches: ftp://freebsd.org/pub/CERT/patches/SA-97:02/
|
|
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
The lpd program is used to print local and remote print jobs. It
|
|
is standard software in the FreeBSD operating system.
|
|
|
|
II. Problem Description
|
|
|
|
The lpd program runs as root. A remote attacker can exploit a
|
|
buffer overflow to obtain root privs.
|
|
|
|
III. Impact
|
|
|
|
Remote users can gain root privs.
|
|
|
|
IV. Workaround
|
|
|
|
The only workaround is to disable lpd, which will have the effect
|
|
of removing the printing functionality from the system. Since
|
|
the buffer overflow happens before the connection is authenticated,
|
|
using lpd's authentication methods will not affect the system
|
|
vulnerability.
|
|
|
|
V. Solution
|
|
|
|
Apply the following patch, rebuild and install libc:
|
|
|
|
(This patch can also be found on
|
|
ftp://freebsd.org/pub/CERT/patches/SA-97:02/)
|
|
|
|
Index: rcmd.c
|
|
===================================================================
|
|
RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/rcmd.c,v
|
|
retrieving revision 1.3.4.4
|
|
retrieving revision 1.3.4.5
|
|
diff -u -r1.3.4.4 -r1.3.4.5
|
|
--- rcmd.c 1997/02/09 06:57:54 1.3.4.4
|
|
+++ rcmd.c 1997/02/26 06:14:11 1.3.4.5
|
|
@@ -377,7 +377,8 @@
|
|
if ((hp = gethostbyaddr((char *)&raddr, sizeof(u_long),
|
|
AF_INET)) == NULL)
|
|
return (-1);
|
|
- strcpy(hname, hp->h_name);
|
|
+ strncpy(hname, hp->h_name, sizeof(hname));
|
|
+ hname[sizeof(hname) - 1] = '\0';
|
|
|
|
while (fgets(buf, sizeof(buf), hostf)) {
|
|
p = buf;
|
|
|
|
VI. Thanks
|
|
|
|
This problem was brought to light by Oliver Friedrichs
|
|
<oliver@SECNET.COM>.
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: security@freebsd.org
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMznCN1UuHi5z0oilAQFZ4QQAjlb006zWQrHqeihPP6Z9Dt+d3GmMIOzC
|
|
E/JHqxblF+GJuhmAmlJ4SCLvi7lKP8jiL9VdKOjK2dKW1XSDGuzH9BvCXtRaAaMJ
|
|
pO9icPi1D71qYEwRrhDG2/p2WxcXAXzSgfEPBAHMdfA6Ivg1v50t4mBcDemryrw1
|
|
721tD7zYq68=
|
|
=iXDD
|
|
-----END PGP SIGNATURE-----
|