On Mon, Jan 15, 2001 at 10:10:08AM +0100, V. Achiaga wrote: > > > Hey, > > What u mean debian-specific patch? > > I only want to mean a patch including the patch.diff file, or an > official debian package (.deb file) if debian is vulnerable then a updated package should indeed be placed in security.debian.org > > > I know there's a debian package of lprng, but I don't know if the patch > > > you're talking about is applied to this package, I guess you should check > > > the changelog to find out. > > At the moment, the patch isnt applied... So I think that debian is > vulnerable. i am not certain that it is, from the original post to BugTraq telnetting to the printer port and entering several %s would cause the daemon to segfault, this does not occur on debian. also i tried an exploit (targetted at RH7) which had various bruteforce options against debian and it failed. does not necessarily mean its not vulnerable of course... a couple things i noticed: lprng does *NO* logging that i can see, syslog seems to direct lpr logs to /var/log/lpr.log which is empty on my system no matter what i do. also from the lprng changelog.Debian.gz: lprng (3.6.12-7) stable; urgency=high * SECURITY FIXES!! * syslog() overflow bug fixed * getttext NLSPATH security bug fixed. * spool_file_perms security bug fixed. * Added setuid Linux bug work-around. -- Craig Small <csmall@debian.org> Sun, 15 Oct 2000 15:42:02 -0500 as i understand it the syslog() problem in this case is a format string so that might be something different. as far as i can tell debian's lprng never logs anything so perhaps never calls syslog(). i wish debian released security unadvisories when thier package is not vulnerable to a certain bug like this... -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpySWi3OeFX2.pgp
Description: PGP signature