3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
89 lines
3 KiB
Text
89 lines
3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-96:18 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: Buffer overflow in lpr (revised)
|
|
|
|
Category: core
|
|
Module: lpr
|
|
Announced: 1996-11-25
|
|
Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1.5
|
|
Corrected: FreeBSD-current as of 1996/10/27
|
|
FreeBSD-stable as of 1996/11/01
|
|
FreeBSD 2.2 and 2.1.6 releases
|
|
FreeBSD only: no
|
|
|
|
Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:18/
|
|
|
|
=============================================================================
|
|
|
|
I. Background
|
|
|
|
The lpr program is used to print files. It is standard software
|
|
in the FreeBSD operating system.
|
|
|
|
This advisory is based on AUSCERT's advisory AA-96.12. The FreeBSD
|
|
security-officers would like to thank AUSCERT for their efforts.
|
|
|
|
This is a revised advisory, issued to state clearly exactly which
|
|
versions of FreeBSD are vulnerable.
|
|
|
|
II. Problem Description
|
|
|
|
Due to its nature, the lpr program is setuid root. Unfortunately,
|
|
the program does not do sufficient bounds checking on arguments which
|
|
are supplied by users. As a result it is possible to overwrite the
|
|
internal stack space of the program while it's executing. This can
|
|
allow an intruder to execute arbitrary code by crafting a carefully
|
|
designed argument to lpr. As lpr runs as root this allows intruders
|
|
to run arbitrary commands as root.
|
|
|
|
|
|
III. Impact
|
|
Local users can gain root privileges.
|
|
|
|
|
|
IV. Workaround
|
|
|
|
AUSCERT has developed a wrapper to help prevent lpr being exploited
|
|
using this vulnerability. This wrapper, including installation
|
|
instructions, can be found in
|
|
ftp://ftp.auscert.org.au/pub/auscert/advisory/
|
|
AA-96.12.lpr.buffer.overrun.vul
|
|
|
|
V. Solution
|
|
|
|
Apply one of the following patches. Patches are provided for
|
|
FreeBSD-current (before 1996/10/27) (SA-96:18-solution.current)
|
|
FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and
|
|
FreeBSd-stable (before 1996/11/01) (SA-96:18-solution.2xx)
|
|
|
|
Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18
|
|
|
|
=============================================================================
|
|
FreeBSD, Inc.
|
|
|
|
Web Site: http://www.freebsd.org/
|
|
Confidential contacts: security-officer@freebsd.org
|
|
PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc
|
|
Security notifications: security-notifications@freebsd.org
|
|
Security public discussion: security@freebsd.org
|
|
|
|
Notice: Any patches in this document may not apply cleanly due to
|
|
modifications caused by digital signature or mailer software.
|
|
Please reference the URL listed at the top of this document
|
|
for original copies of all patches if necessary.
|
|
=============================================================================
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMptSe1UuHi5z0oilAQEWJwP5AZbCK/p+LJLDTOp68CARC18JB8+VF4DI
|
|
2qeGrMRxtWRJXD+MWV2llWbQBvX0iE53zzb7su0KYuq38zmVyoN6GM5KaRgRbHJC
|
|
tjEYrQ5AQK0an3C8ACOEy5Tt4PU10BPZlssWHWotTOpPeVIzjj7RZqSJLywSwoIh
|
|
wGzvSrEpYSk=
|
|
=r1Lc
|
|
-----END PGP SIGNATURE-----
|