
Re: Linux /usr/bin/lpc overflow


From: chotaire () HOTMAIL COM (-*- Chotaire -*-)
Date: Thu, 4 Feb 1999 22:20:16 +0100


On Wed, 3 Feb 1999, Denis Bucher wrote:

Under an installation of SuSE 5.1, I found lpc 4.0.3!
Therefore I think 5.1 is not safe!

SuSE5.0 goes like this:

pimmelchen /usr/sbin# ls -al lpc
-r-xr-sr-x   1 root     lp          20468 Nov 25  1996 lpc
pimmelchen /usr/sbin# rpm -q -f lpc
lprold-3.0-1

It's quite interesting that I cannot determine the specific version number
of lpc itself. Am I on chronic drugs or did they forget to mention it?

The latest online version of SuSE6.0
(.S.u.S.E-disk-001.1999012511 at ftp.suse.com) tells us:

lprold-3.0.1-37.src.rpm

...which contains a 1997 version of the lpr package and a SuSE patch from
December 1998. There is a file called README.SECURITY in it saying:

This version of the line printer suite has been taken from the OpenBSD
project.  This version fixes numerous vulnerabilities which are present
in other releases of these packages.  Including those announced in
SNI-19.BSD.lpd.advisory, and numerous buffer overflow problems, present
in both the client programs and the lp daemon.

The lpc client itself is the following version:

/*      $OpenBSD: lpc.c,v 1.5 1997/01/17 16:12:37 millert Exp $ */

The SuSE patch changes the following in the lpc subdirectory:

--- lpc/cmds.c
+++ lpc/cmds.c  Tue Dec  1 21:49:38 1998
@@ -181,7 +181,7 @@
                printf("\tcannot open lock file\n");
                goto out;
        }
-       if (!getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
+       if (!lpr_getline(fp) || flock(fileno(fp), LOCK_SH|LOCK_NB) == 0) {
                (void) fclose(fp);      /* unlocks as well */
                printf("\tno daemon to abort\n");
                goto out;
@@ -1101,7 +1101,7 @@
                seteuid(uid);
                if (fp == NULL)
                        continue;
-               while (getline(fp) > 0)
+               while (lpr_getline(fp) > 0)
                        if (line[0] == 'P')
                                break;
                (void) fclose(fp);
--- lpd/lpd.c
+++ lpd/lpd.c   Wed Dec  2 19:44:13 1998
@@ -197,7 +197,7 @@
        }
 #define        mask(s) (1 << ((s) - 1))
        omask =
sigblock(mask(SIGHUP)|mask(SIGINT)|mask(SIGQUIT)|mask(SIGTERM));
-       (void) umask(07);
+       (void) umask(S_IRWXO);
        signal(SIGHUP, mcleanup);
        signal(SIGINT, mcleanup);
        signal(SIGQUIT, mcleanup);
@@ -316,6 +316,7 @@
        if (lflag)
                syslog(LOG_INFO, "exiting");
        unlink(_PATH_SOCKETNAME);
+       unlink(_PATH_MASTERLOCK);
        exit(0);
 }
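Review bot: The added `unlink(_PATH_MASTERLOCK)` removes the master lock file unconditionally on this exit path, without any check that the exiting process is the one that acquired the lock. The function begins outside the hunk, so its callers are not visible; if it can be reached by a process that never held the lock, this would delete the lock file of a daemon that is still running, and if that cannot happen a one-line comment such as `/* only the lock holder reaches this cleanup */` would spare the next reader the same question. As with the `unlink(_PATH_SOCKETNAME)` line above, the return value is discarded, which is acceptable for cleanup but differs from the explicit `(void)` casts used elsewhere in the file (`(void) umask`, `(void) fclose`); `(void) unlink(_PATH_MASTERLOCK);` would match that convention.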

@@ -481,6 +482,7 @@
                }
                else free(buf);
        }
+       cgetclose();
 }

 /*
@@ -553,7 +555,7 @@
 again:
        if (hostf) {
 #if __GNU_LIBRARY__ - 0 >= 6
-               if (!__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY,
DUMMY)) {
+               if (__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY))
{
                        (void) fclose(hostf);
                        return;
                }
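Review bot: The glibc branch now takes the `fclose(hostf); return;` path when `__ivaliduser()` returns non-zero, the opposite polarity of the BSD branch's `!__ivaliduser(...)`, and nothing in the hunk records which return value means "host matched". In the OpenBSD original, and in the glibc rcmd.c implementation I know of, `__ivaliduser` returns 0 on a match and -1 otherwise, and the early return here appears to be the accept path, so if that convention holds for the glibc this is built against the change inverts the hosts.equiv/hosts.lpd check (unlisted hosts accepted, listed hosts refused); the enclosing function begins and ends outside the hunk, so the accept semantics of `return` are inferred from the original rather than visible here. Please confirm the return convention against the target glibc and state it on the line, e.g. `if (__ivaliduser(hostf, f->sin_addr.s_addr, DUMMY, DUMMY) == 0) { /* 0 == host listed */`, since `__ivaliduser` is a reserved-name internal libc symbol with no documented contract and the `__GNU_LIBRARY__` guard already ties this branch to a specific libc.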

I hope this information is interesting for someone. I am not in the mood
to look into it, since I never used the lpd package for known reasons :)
And by the way, reallife is calling (girls, hehe).


Regards
Chotaire


