Fw: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd
Joe Paleafei
mantaray at linuxfreemail.com
Thu Aug 30 14:47:02 PDT 2001
----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories at FreeBSD.ORG>
To: "FreeBSD Security Advisories" <security-advisories at FreeBSD.ORG>
Sent: Thursday, August 30, 2001 9:15 AM
Subject: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
============================================================================
=
> FreeBSD-SA-01:58 Security
Advisory
> FreeBSD,
Inc.
>
> Topic: lpd contains remote root vulnerability
>
> Category: core
> Module: lpd
> Announced: 2001-08-30
> Credits: ISS X-Force <xforce at iss.net>
> Affects: All released versions FreeBSD 4.x, 3.x,
> FreeBSD 4.3-STABLE, 3.5.1-STABLE prior to the correction
> date
> Corrected: 2001-08-30 09:27:41 UTC (FreeBSD 4.3-STABLE)
> 2001-08-30 09:28:35 UTC (RELENG_4_3)
> 2001-08-30 09:46:44 UTC (FreeBSD 3.5.1-STABLE)
> FreeBSD only: NO
>
> I. Background
>
> lpd is the BSD line printer daemon used to print local and remote
> print jobs.
>
> II. Problem Description
>
> Users on the local machine or on remote systems which are allowed to
> access the local line printer daemon may be able to cause a buffer
> overflow. By submitting a specially-crafted incomplete print job and
> subsequently requesting a display of the printer queue, a static
> buffer overflow may be triggered. This may cause arbitrary code to be
> executed on the local machine as root.
>
> In order to remotely exploit this vulnerability, the remote machine
> must be given access to the local printer daemon via a hostname entry
> in /etc/hosts.lpd or /etc/hosts.equiv. lpd is not enabled on FreeBSD
> by default.
>
> All versions of FreeBSD prior to the correction date including FreeBSD
> 4.3 contain this problem. The base system that will ship with FreeBSD
> 4.4 does not contain this problem since it was corrected before the
> release.
>
> III. Impact
>
> Users on the local machine and on remote systems which are allowed to
> connect to the local printer daemon may be able to trigger a buffer
> overflow causing arbitrary code to be executed on the local system as
> root.
>
> lpd is not enabled by default. If you have not enabled lpd, your
> system is not vulnerable.
>
> IV. Workaround
>
> Disable lpd by executing the following command as root:
>
> # killall lpd
>
> V. Solution
>
> One of the following:
>
> 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the
> RELENG_4_3 security branch after the respective correction dates.
>
> 2) FreeBSD 3.x, 4.x systems prior to the correction date:
>
> The following patches have been verified to apply to FreeBSD
> 4.2-RELEASE, 4.3-RELEASE, 4.3-STABLE and 3.5.1-STABLE dated prior to
> the correction date. It may or may not apply to older, unsupported
> versions of FreeBSD.
>
> Download the relevant patch and the detached PGP signature from the
> following locations, and verify the signature using your PGP utility.
>
> [FreeBSD 4.3-RELEASE, 4.3-STABLE]
>
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch.asc
>
> [FreeBSD 4.2-RELEASE, 3.5.1-STABLE]
>
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch
> # fetch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch.as
c
>
> Execute the following commands as root:
>
> # cd /usr/src
> # patch -p < /path/to/patch
> # cd /usr/src/usr.sbin/lpr
> # make depend && make all install
>
> 3) FreeBSD 4.3-RELEASE systems:
>
> An experimental upgrade package is available for users who wish to
> provide testing and feedback on the binary upgrade process. This
> package may be installed on FreeBSD 4.3-RELEASE systems only, and is
> intended for use on systems for which source patching is not practical
> or convenient.
>
> If you use the upgrade package, feedback (positive or negative) to
> security-officer at FreeBSD.org is requested so we can improve the
> process for future advisories.
>
> During the installation procedure, backup copies are made of the files
> which are replaced by the package. These backup copies will be
> reinstalled if the package is removed, reverting the system to a
> pre-patched state.
>
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-
01.58.tgz
> # fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-
01.58.tgz.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> # pkg_add security-patch-lpd-01.58.tgz
>
> Restart lpd after applying the patch by executing the following
> commands as root:
>
> # killall lpd
> # /usr/sbin/lpd
>
> VI. Correction details
>
> The following is the $FreeBSD$ revision number of the file that was
> corrected for the supported branches of FreeBSD. The $FreeBSD$
> revision number of the installed source can be examined using the
> ident(1) command. The patch provided above does not cause these
> revision numbers to be updated.
>
> [FreeBSD 4.3-STABLE]
> Revision Path
> 1.15.2.8 src/usr.sbin/lpr/common_source/displayq.c
>
> [RELENG_4_3]
> Revision Path
> 1.15.2.3.2.1 src/usr.sbin/lpr/common_source/displayq.c
>
> [FreeBSD 3.5.1-STABLE]
> Revision Path
> 1.14.2.2 src/usr.sbin/lpr/common_source/displayq.c
>
> VII. References
>
> <URL: http://xforce.iss.net/alerts/advise93.php>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBO46QLFUuHi5z0oilAQEJQQQAkjEeA8fQMhbFswTq743vCdfGKTSZbXRI
> IF1hbTPKQ8G+dX57lMDgkR7WiFOf/DR9AFuX6gevCslCNJo8hySW74UxnnRv67/6
> lsNUqWfAXD+d/yDUMO6amWUlz8xFNpIHa5Zf8F1QaPI3TBzrKKPekFUa3sHwlBD1
> WSFK0ZoFMgw=
> =8ZK/
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo at FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
More information about the LUAU
mailing list