-----BEGIN PGP SIGNED MESSAGE-----
$Id: lpr-vulnerability-0.6-linux,v 1.2 1996/11/25 22:39:20 alex Exp $
Linux Security FAQ Update
lpr Vulnerability
Mon Nov 25 16:56:59 EST 1996
Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
============================================================================
This is an official Update of the Linux Security FAQ, and it is supposed to
be signed by one of the following PGP keys:
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>
Unless you are able to verify at least one of the signatures, please be
very careful when following instructions.
Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive
============================================================================
REVISION HISTORY
(This section is automatically maintained by the Revision Control System)
$Log: lpr-vulnerability-0.6-linux,v $
Revision 1.2 1996/11/25 22:39:20 alex
GNU/Debian Linux 1.1 -- Information about the vulnerability corrected
A section on lpr version numbering added
LPRng release site is used as a distribution site for the LPRng
Revision 1.1 1996/11/22 21:42:46 alex
Initial revision
ABSTRACT
A vulnerability exists in the lpr program of the Berkeley-derived lpr
print-spooling subsystem. If installed suid to root, the lpr program
allows local users to gain access to a super-user account.
This is version 1.2 of the LSF Update titled "lpr vulnerability".
This LSF Update supersedes and obsoletes the LSF Update version 1.1
titled "lpr vulnerability" dated Thu Nov 21 22:24:12 EST 1996.
This LSF Update corrects information for the Debian/GNU Linux
distribution. Due to miscommunication with the Debian Project, version
1.1 of the LSF Update "lpr vulnerability" contained incorrect
information regarding the vulnerability of Debian/GNU Linux
distribution 1.1.
This LSF Update also provides an explanation of the confusion caused by
different version numbering schemes adopted by different
distributions.
There are no other significant changes in version 1.2 of the LSF
Update "lpr vulnerability" compared to version 1.1 of this LSF
Update.
ABOUT LPR VERSION NUMBERING SCHEMES
Unfortunately, different distributions use different version
numbering schemes for the same utilities. At this moment, an lpr
utility exists in at least the following packages:
Berkeley-derived lpr 5.9
lpr.c identifies itself as a version between 1.1 and 1.4.
This lpr is vulnerable.
Berkeley-derived lpr 5.9, a part of NetKit 0.6B (separate package)
Utilities/System%package lpr
name: NetKit-B version: 0.06
Description: Printing support (lpr, lpd, etc)
Depending on the release, this version of lpr can be
vulnerable.
Berkeley-derived lpr 5.9, based on a part of NetKit 0.6B
Depending on the release, can be vulnerable.
Release lpr-0.12-1 from RedHat is not vulnerable to the
lpr bug.
LPRng 2.3.12 lpr
Part of the LPRng print subsystem. lpr.c identifies itself as
v3.3. Not vulnerable to the lpr bug.
This LSF Update applies to Berkeley-derived lpr 5.9.
RISK ASSESSMENT
Local users can gain root privileges. Exploits that exercise
this vulnerability have been made available.
VULNERABILITY ANALYSIS
The lpr utility from the Berkeley-derived lpr subsystem, which was
originally used in NetKit 0.6B, suffers from a buffer overrun problem.
Installing lpr suid-to-root is needed to allow print spooling.
DISTRIBUTION FIXES
Red Hat Commercial Linux
RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 4.0
contain a vulnerable lpr utility. Users of RedHat
Linux distributions prior to version 4.0 are urged
to upgrade to RedHat Linux 4.0.
The replacement RPMs are available from the
following URLs:
RedHat 4.0 x86 Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/lpr-0.12-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.i386.rpm
RedHat 4.0 Alpha Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/axp/lpr-0.12-1.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.axp.rpm
RedHat 4.0 SPARC Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/sparc/lpr-0.12-1.sparc.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.sparc.rpm
Please verify the MD5 fingerprint of the RPMs
prior to installing them.
6d36461d6c8b6c50ccadf9de530a6136 lpr-0.12-1.i386.rpm
87eb9c5b4d7e6a4217fdb9d3bbd6527b lpr-0.12-1.axp.rpm
c04359e61cd16108ce5793aa388f206f lpr-0.12-1.sparc.rpm
Caldera Network Desktop
Caldera Network Desktop version 1.0 contains a
vulnerable lpr program.
The replacement RPMs are available from the
following URLs:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/CND/NetKit-B-lpr-0.06-4c2.i386.rpm
WARNING: We are unable to provide the MD5
fingerprint for the replacement kit from Caldera as
it was not provided to us.
Debian/GNU Linux
Debian/GNU Linux 1.1 contains a vulnerable
Berkeley-derived lpr utility which is installed as
a part of a standard installation. If the LPRng package
is installed, Debian/GNU Linux 1.1 contains a
non-vulnerable lpr utility.
The corrected Debian/GNU Linux 1.1 Berkeley-derived
lpr package is available from the following URLs:
Debian 1.1 i386 Architecture:
ftp://ftp.debian.org/debian/rex/binary-i386/net/lpr_5.9-13.deb
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lpr_5.9-13.deb
Debian-development (no official release) m68k Architecture
Debian-development (no official release) sparc Architecture
Debian-development (no official release) alpha Architecture
There are no binary packages of the
Berkeley-derived lpr subsystem available for these
architectures at this moment.
The source package files for lpr are
available from the following URLs:
ftp://ftp.debian.org/debian/rex/source/net/lpr_5.9-13.tar.gz
ftp://ftp.debian.org/debian/rex/source/net/lpr_5.9-13.diff.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lpr_5.9-13.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lpr_5.9-13.diff.gz
Please verify the MD5 fingerprint of the
Debian packages prior to installing them.
4288f4a14b58f439bd0930d2d4631301 lpr_5.9-13.deb
ac2f7f38fb410267742c3612ff9d2565 lpr_5.9-13.diff.gz
e02b657d2dee61e0efa48b8fb0246b1e lpr_5.9-13.tar.gz
In addition to the Berkeley-derived lpr, an alternative
printing subsystem called LPRng is available for
Debian. LPRng is an enhanced printer spooler system,
with functionality similar to the Berkeley lpr
software. Besides having more features, LPRng avoids
typical security holes by not running as root. The
vulnerability described above doesn't apply to
LPRng.
The Debian packages of LPRng are available from the
following URLs:
Debian 1.1 i386 Architecture
ftp://ftp.debian.org/debian/bo/binary-i386/net/lprng_2.4.2-1.deb
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lprng_2.4.2-1.deb
Debian-development (no official release) m68k Architecture
Debian-development (no official release) sparc Architecture
Debian-development (no official release) alpha Architecture
There are no binary packages of LPRng for
these architectures available yet. You have
to compile them from the sources.
The source package files for LPRng are available
from the following URLs:
ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2-1.dsc
ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2.orig.tar.gz
ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2-1.diff.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lprng_2.4.2-1.dsc
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lprng_2.4.2.orig.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/lprng_2.4.2-1.diff.gz
Please verify the MD5 fingerprint of the Debian
packages prior to installing them.
b791d997d66b67bc1393ffd8281030bc lprng_2.4.2-1.diff.gz
c0b60491659d7e074afa58c6329117ad lprng_2.4.2-1.dsc
14b21cd6947e03c517fa50f5ddbb7ef7 lprng_2.4.2.orig.tar.gz
Slackware
There is no official information available about the
vulnerability of Slackware 3.0 or Slackware 3.1
distributions from the distribution maintainer.
Testing indicates that both Slackware 3.0 and
Slackware 3.1 distributions contain a vulnerable lpr
program.
Until the official fix-kit for Slackware 3.0 and
Slackware 3.1 becomes available, system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update.
Yggdrasil
Yggdrasil Computing Inc has neither confirmed nor denied
the vulnerability of Plug and Play Fall'95 Linux.
Testing indicates that the Plug and Play Fall'95
Linux distribution contains a vulnerable lpr.
Until the official fix-kit for Yggdrasil Plug and
Play Linux becomes available, system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update.
Other Linux Distributions
It is believed at this moment that all Linux
distributions using the Berkeley-derived lpr subsystem
based on NetKit 0.06 or prior contain a
vulnerable lpr program.
Administrators of systems based on distributions
not listed in this update or distributions that
do not have fix-kits available at the moment are
urged to contact their support centers requesting
the fix-kits to be made available to them.
In order to prevent the vulnerability from being
exploited in the meantime, it is recommended that
the suid bit be removed from the lpr program
using the command
chmod u-s /usr/bin/lpr
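The interim mitigation above as a small audit-and-fix script. This is an
added example, not part of the original LSF Update; the function names
lpr_state and lpr_mitigate and the LPR_PATHS variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit lpr for the setuid bit and apply the advisory's
# "chmod u-s" mitigation. Function names and LPR_PATHS are hypothetical.

# Print one of: missing | clean | setuid-root | setuid-other
lpr_state() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    [ -u "$f" ] || { echo clean; return 0; }
    # -L follows symlinks, -n prints the numeric owner uid in field 3.
    owner=$(ls -lnL "$f" | awk '{print $3}')
    if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-other; fi
}

# Strip the setuid bit, then re-check so that a chmod which did not
# take effect (read-only filesystem, wrong owner) is reported as failure.
lpr_mitigate() {
    case $(lpr_state "$1") in
        setuid-*) chmod u-s "$1" || return 1 ;;
        *) return 0 ;;
    esac
    case $(lpr_state "$1") in
        setuid-*) return 1 ;;
    esac
    return 0
}

# Report-only pass; defaults to the path named in the advisory.
for p in ${LPR_PATHS:-/usr/bin/lpr}; do
    echo "$p: $(lpr_state "$p")"
done
```

As the vulnerability analysis notes, lpr needs the suid bit for print
spooling, so printing by unprivileged users stops working until a fixed
package is installed.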
Until the official fix-kits are available for those
systems, it is advised that system administrators
obtain the source code of the LPRng print system used
in Debian/GNU Linux 1.1, compile it and replace the
Berkeley lpr subsystem.
The LPRng software can be obtained from the
following URLs:
ftp://dickory.sdsu.edu/pub/LPRng/LPRng-2.4.2.tgz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/LPRng-2.4.2.tgz
Please verify the MD5 fingerprint of the files prior
to installing them.
7e96acf72e504189db0dc5ea6982f6f0 LPRng-2.4.2.tgz
CREDITS
This LSF Update is based on the information originally posted to
the linux-security mailing list. The information on the fix-kit for
Red Hat commercial Linux was provided by Marc Ewing (marc@redhat.com)
of Red Hat Software Inc.; for the Caldera Network Desktop by Ron Holt
of Caldera Inc.; for Debian/GNU Linux 1.1 by Sven Rudolph
<sr1@inf.tu-dresden.de> of the Debian Project.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMpog7IxFUz2t8+6VAQFPnAP/SD0K9sfu6jFc6QlH2odDRyaRrDXNWApT
3hoi7Yjjovgd9XNIEhT52l6brZhghrYTv3UHDv6toJxsB3+fCN22SSpxDljdu4v9
EOdS186FK5FigFP3ehU/XFyPta5jNABG9cwNnXmFMuZOPEUwULujS18xEG68hUnn
fHKgPLsPpVU=RbMG
-----END PGP SIGNATURE-----