potential buffer overflow in lprm (fwd)

[Dave Ahmad <da () securityfocus com>]

David Mirza Ahmad
Symantec

"sabbe dhamma anatta"

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
> --- Begin Message ---
>
>
> From: "Todd C. Miller" <Todd.Miller () courtesan com>
>
> Date: Wed, 05 Mar 2003 15:26:22 -0700
>
>
> A bounds check that was added to lprm in 1996 does its checking too
> late to be effective.  Because of the insufficient check, it may
> be possible for a local user to exploit lprm to gain elevated
> privileges.  It is not know at this time whether or not the bug is
> actually exploitable.
>
> Starting with OpenBSD 3.2, lprm is setuid user daemon which limits
> the impact of the bug.  OpenBSD 3.1 and below however, ship with
> lprm setuid root so this is a potential localhost root hole on older
> versions of OpenBSD.
>
> The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1
> -stable branches.
>
> Patch for OpenBSD 3.1:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch
>
> Patch for OpenBSD 3.2:
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch
>
> Thanks go to Arne Woerner for noticing this bug.
>
> --- End Message ---