Re: lprng

On Mon, Jan 15, 2001 at 10:10:08AM +0100, V. Achiaga wrote:
> > Hey,
> > What u mean debian-specific patch?
>   I only want to mean a patch including the patch.diff file, or an
> official debian package (.deb file) 

if debian is vulnerable then an updated package should indeed be placed
in security.debian.org

> > > I know there's a debian package of lprng, but I don't know if the patch
> > > you're talking about is applied to this package, I guess you should check
> > > the changelog to find out.
> At the moment, the patch isn't applied... So I think that debian is
> vulnerable.

i am not certain that it is, from the original post to BugTraq
telnetting to the printer port and entering several %s would cause the
daemon to segfault, this does not occur on debian.  also i tried an
exploit (targeted at RH7) which had various bruteforce options
against debian and it failed.  does not necessarily mean it's not
vulnerable of course...

a couple things i noticed:

lprng does *NO* logging that i can see, syslog seems to direct lpr
logs to /var/log/lpr.log which is empty on my system no matter what i
do.  also from the lprng changelog.Debian.gz:

lprng (3.6.12-7) stable; urgency=high
  * syslog() overflow bug fixed
  * getttext NLSPATH security bug fixed.
  * spool_file_perms security bug fixed.
  * Added setuid Linux bug work-around.

 -- Craig Small <csmall@debian.org>  Sun, 15 Oct 2000 15:42:02 -0500

as i understand it the syslog() problem in this case is a format
string so that might be something different.  as far as i can tell
debian's lprng never logs anything so perhaps never calls syslog().  

i wish debian released security unadvisories when their package is not
vulnerable to a certain bug like this... 

Ethan Benson
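
Added example, not part of the original message and not LPRng's own code: a syslog() format string problem of the kind discussed above comes from passing client-supplied text as the format argument, and the fix is a constant format with the text as data. The function names and the "bad request" prefix are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style directives in untrusted text. "%%" is a literal
 * percent sign and is not counted; any other '%' is. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    while (*s) {
        if (s[0] == '%' && s[1] == '%') {
            s += 2;             /* escaped percent, skip both */
            continue;
        }
        if (s[0] == '%')
            n++;
        s++;
    }
    return n;
}

/* Build the log line with a constant format; client text is data only. */
int render_log_line(char *out, size_t outlen, const char *client_text)
{
    return snprintf(out, outlen, "bad request: %s", client_text);
}

/* Hardened call. The unsafe form is syslog(LOG_ERR, client_text),
 * which lets the client's bytes be parsed as the format string. */
void log_client_text(const char *client_text)
{
    syslog(LOG_ERR, "%s", client_text);
}

int main(void)
{
    const char *sample = "%s%s%s%s";   /* constructed sample input */
    char line[128];

    render_log_line(line, sizeof line, sample);
    printf("%zu directives, logged as: %s\n",
           count_format_directives(sample), line);
    log_client_text(sample);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes gcc flag the unsafe single-argument form at compile time.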

