From owner-freebsd-security Mon Jul 24 01:55:56 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id BAA11748 for security-outgoing; Mon, 24 Jul 1995 01:55:56 -0700
Received: from time.cdrom.com (time.cdrom.com [192.216.222.226]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id BAA11742 for ; Mon, 24 Jul 1995 01:55:44 -0700
Received: from localhost (localhost [127.0.0.1]) by time.cdrom.com (8.6.11/8.6.9) with SMTP id BAA00452 for ; Mon, 24 Jul 1995 01:16:09 -0700
Prev-Resent: Mon, 24 Jul 1995 01:16:08 -0700
Prev-Resent: "security@freebsd.org "
Received: from throck.cdrom.com (throck.cdrom.com [192.216.222.225]) by time.cdrom.com (8.6.11/8.6.9) with ESMTP id NAA00436 for ; Sun, 23 Jul 1995 13:40:00 -0700
Received: from brewhq.swb.de (brewhq.swb.de [193.175.30.3]) by throck.cdrom.com (8.6.11/8.6.9) with SMTP id GAA18677 for ; Sun, 23 Jul 1995 06:21:06 -0700
Received: by brewhq.swb.de (Linux Smail3.1.29.0 #5) id m0sa0vo-0005BoC; Sun, 23 Jul 95 15:18 MET DST
Received: by monad.swb.de (smail3.1.29.0 #5) id m0sa1JM-00005JC; Sun, 23 Jul 95 15:43 MET DST
Message-Id:
From: okir@monad.swb.de (Olaf Kirch)
Subject: Tentative fix for BSD lpr (fwd)
To: jkh@time.cdrom.com
Date: Sun, 23 Jul 1995 15:43:15 +0200 (MET DST)
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Content-Length: 6261
Resent-To: security@freebsd.org
Resent-Date: Mon, 24 Jul 1995 01:16:09 -0700
Resent-Message-ID: <450.806573769@time.cdrom.com>
Resent-From: "Jordan K. Hubbard"
Sender: security-owner@freebsd.org
Precedence: bulk

Hello,

Prompted by the lpr -r -s problems recently reported on bugtraq and linux-security, I looked into the lpr source and came up with a couple of patches. I was told that you are maintaining the original BSD source base of lpd/lpr, so I thought you might be interested in taking a look at those.
If this is no news for you, and you've already fixed the problem yourself, please feel free to ignore my mail.

The patch is against a slightly modified source from the Linux NetKit distribution of BSD networking stuff. It does the following things:

* Attempt to fix the lpr -r and lpr -r -s race conditions. Code related to job file removal can be found in the following places:

    lpr:  after the job has been spooled (lpr -r)
    lpd:  after the job has been successfully printed (lpr -r -s)
    lprm: when removing a pending job (lpr -r -s)

  Unlinking now always happens under the euid/egid of the user who submitted the job. This is easy for lpr, but slightly more difficult for lpd/lprm. Trusting that the job description files are ok, I extract the user and host name and match them against hosts.equiv and .rhosts to make sure the accounts are equivalent. There's a tiny difference between lpd and lprm: lpd still has the FQDN of the original submitter's host, while lprm has to use the host information from the job description file (currently not checked against the sender's hostname).

* Made the /dev/printer Unix socket mode 600. It used to be 777 thus allowing anyone to submit faked jobs with false credentials.

* Avoid the FTP bounce attack.

* Fixed a possible stack overwrite problem in rmjob.c. There may be more of those lurking. [there was another overwrite problem in chkhost, where the hostname buffer was too small (50 bytes). Fortunately, the function never returns when it fails to validate the hostname, so there's no way to inject worm-like code through bogus DNS PTR records].

The patch follows below.

Best wishes,
Olaf

------------------------------------------------------------------
table
`!"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
begin 644 lpr.diff.gz
M'XL(",J#$3```VQP#(<3D8#L/?V1JU>K_?XSL8Y+OFIC&#HP&`PL>V)P\NV6Z]>0=_>&5MCw
MZ-''#KQZU0+#F[D9;`1A)/9;\!4);X^.#V'#"]+]5D_.1LDT=N?BRAE^@@-Hv
MMY$1^<(`S"?>[-:DM=TN4HQ,%&46[\N3=AW+MO&HW9%E[\JSC,`MW,AL>VXX;At
MN;F`SH?.A`9&7F2QE]Z92F`+B+EG6Y"'_Q9)H.G=OMW=YP5:LP?SI&CGXZ`Cs
MV6XRX=Z2>.J\R\X$8&L#RA@/N`4WSQ,O=`OT%RF2P\86\;*%@BR9PY,#F"5Yr
MP38RC#0+XR(PV\_R":#N/+/?ZM(V!q
M^^@)'\E:::4AR>`G2SNBN5$H2[L57==KBK7NK)5-192+Y47?E*$VWSW^HA_Sp
MB`SP8-C(+(C)=I)MH[0P^;2_'/,4VEL;4AI[S[('*,YPQ[(=*0_9DP3&^`@Hn
M?CGZ+6AG;0S4@P,XO3P^;MP%<_"ML.Y+_ZB0IN48REUV*X8R17+:,&5?&AY6m
ME[Q;7C);MOZ:`^35J6Y+^N">I/4-2:\:M*5;<0^/2;.R_^S!_K-Z_]E5@[:\l
M_S=B!=@_#H8)@IDS'%K.6"%,Q;[(PD*8-V5@`1X>K\'&W"I+C??Z4TB;;5Z&'2M7G6?I._I`EM0YB+K5J$F`U:/B*,>j
M$2>.R$AHHM(K($4$6?C&1KH@KC+TKPOT-7ZB/3!FZ)O)]IJJJ6DU-=53*!D'i
MW3ZI(*$'92"O(/ITMCI\RV500D/\;LW/!_[^.SPA`7$ADFG81#!X_APRFDYNh
M3:GV0&JN](<7,%#+S'0A14P7B#(F3UK3CRH,JM%R,5"1C9,DAA/We
MCC(YIO'!]F0P7"X`:M:5I#^:.*-&TM_>XZ2/'PI5C?PN1_@WC]__]?KP[`SQd
MJ[P)8W\"S^9M>4/$E[`P;7TO,'+GB6]>?WA]\>[Z_/V;GP\O3E^?'*+[QP-$c
M.`1,6`CPW"C"'%C.W?P6@0_(\=#:14@>.Y8L*BCN,TH]>9'O&R3)4T@"a
MR-,DB4!/L`1T^_".B2Q/8LE)Z8^8)0W\)(RG9-@Y\[?ZO(+B_X9J'U83`27`z
M``B2#-$C%''1R6'N>C,$.+D=KI3K/&2]^LOEV_.C?\BE5*ZYL<]@J/FO.^<9!R@#>W*<-\BM"6\JH[;B,HK9%WSB=8QF)(S+VB!*@`[W1x
M<%`EP"K_*NPB&!"4BF>4/.MIF5)I-EBB2PRD++R1IU7J=HGQ:GO`V9@R>Q!Fw
M.5UKFPCB"ZZ,U5)4JKB.B\0UNYKY!JNR"&O)`\8$RN!!_V4>QM=IDM$FR#W+v
MS0:-LRECI*0%[CR,[@CE7K^]/CH]O&#@:^SQ\@"./GQX?W9Q?79X?GCVR^&/u
M78VR?WH'Y"`K;%O#;J-T/G$CC(DYE9J$RZ[O(U+E\M+.4HFX9,N;t
M.YK"4H5MUGVNCB`B>9I.58E7^5%-=BU8TDA=NY&S:PV'&`G.7E7-\P.`BHYYs
M:LJ*DDO9I9<`7B(CYV*)XIO=32-79L2^+HPP%&350/%N-A90D%#2P54O9#%]r
M`STM.0^[T`?$*;SPO9YZ*I!@M([*D%=P3q
MZ1NT-Y-4S?-U:3K,RQ011"KQ`Q1)E"SDD"2:Z.7+)5-SD2Z86.;F^FZC:.[3p
M>55]A,ZFFU65H1*9W[T_OS@__-OET2^R(D4^=^J&\41YB]7!C&L"8A"%X&@8'A^=_FP8VP1>#--%6&#UMCM0D/[;;VG6Z0!3l
M&IP`>56*k
MZ8_>L$4"-W>0W\VY_J7#PCBAE?BA5N(W_WL6-E(H`SQG4=J`X@8S&M>4.JTMj
MY4)FK]/A(_S25HW^Q!(WTL.XRI:2%]W+O/9`FQ8I@*C#FBSS>A'6Y?6N/`R#i
MT'.+$,,I"$7D:U,[]I!L[=B.+K'6/?D>Z6-4?85WG4GS):?ML/*AZ(LC$LADX(SWF.E=P:6;O!(g
M/9S.I!Z,Y*!^B-KR2<(B](V&NKAY?J7LTN_8G4\KBM>:/\II249#6X(9T^]P%V7'T3??"'(Ad
M;BD&L6(_QI]'FQ(Z?39?])?*3_\GW?Z46K1"NF0/M4+TW7-V="&BWUOT:#]Wc
M`X%EF'F$4)&*;M6A6WK$-\3\GU_P2_VU![OQTS(7L3]WPTA-2ZPGP^EN`Z#@b
MF@DPBS$!H!!1A$^3)$4SX%.J+!BJL+A'`B$0L2F;[`WY@3<8C*EAI0)UI6LIa
MTXZ\B[IM]S%>N#E0NX\IB.$WPG-+JE$*T%.DFD1W=`]0=@UC5[KG8]Q>[O'Iz
MEJQ44G9E'QXFS27PO8DET#Q$5*77EXA#[AZN[1H:01"5^7'O3)SMND)P1F-&QE'59I=*>`FB5XA55C9=HT(Hx
MFWS\JJ"B5T45,5=]BI5)#N*:H>E;:B_3#QD\$W-\BLO6K.R,:PGN52]M/.`0w
MH@\E,L1QMQ57EPKS6S[W!BX(%R%U2-A2Mu
M_K1PSZ_0JBG;>ZJZV+IW0SHP6>K<`I%E26;3A=&G`KVJ\<@R9@H=*.-UG86Jt
MTV2ODR\[MP]7X*?+,BR]CA7V?*V:@8_W`A]K!:+P=6=/M[R0BYD>M-(&JQTSs
MY"R_S6GB"2MM-\DLWPBKCO+JQAJ%(KMEHOZX('-V[2[JU69L?3HD3KJLU?U_r
IU]1[*(;W![V])U742`3B!%6F9G6Z,@%K_O)`9E&=?/X#9K!1DQ(<``"Lq
`p
end

--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
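The first item in the message, unlinking the job file under the submitter's euid/egid instead of as root, is the core of the race-condition fix. The following C program is an added example written for this page; it is not Olaf's patch and not code from the BSD or NetKit lpr sources. The function names `unlink_as_user` and `make_demo_spool_file`, the `/tmp/lprdemo.XXXXXX` stand-in for a spool file, and the way a non-root caller is handled are all assumptions of the demo. The idea it illustrates is the one the message states: a privileged lpr/lpd/lprm temporarily takes on the job owner's credentials for the `unlink()` call, so the kernel's permission check on the containing directory decides whether the removal is allowed, and a path the job owner could not delete anyway cannot be deleted by the daemon on their behalf.

```c
/* Added example, not the lpr patch: remove a spool file with the job
 * owner's effective uid/gid so the kernel, not the daemon, decides
 * whether this user may delete that path. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical helper: unlink `path` while temporarily running with
 * euid=uid, egid=gid.  A root daemon keeps 0 as its saved uid, so
 * seteuid(0) afterwards regains privilege.  A non-root caller can only
 * "switch" to its own ids; anything else fails with EPERM before the
 * unlink is attempted.  Returns 0 on success, -1 with errno set. */
int unlink_as_user(uid_t uid, gid_t gid, const char *path)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc, saved_errno;

    /* Group first: once euid is non-root, setegid would be refused. */
    if (setegid(gid) == -1)
        return -1;
    if (seteuid(uid) == -1) {
        saved_errno = errno;
        (void)setegid(saved_gid);
        errno = saved_errno;
        return -1;
    }

    rc = unlink(path);          /* permission check runs as uid/gid */
    saved_errno = errno;

    /* Restore in reverse order: uid back to root first, then gid. */
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1) {
        /* A daemon that cannot get its credentials back must not go on. */
        perror("restore credentials");
        abort();
    }
    errno = saved_errno;
    return rc;
}

/* Constructed stand-in for a spooled job file (real lpd files live in
 * the spool directory).  Writes the created path into `buf`.
 * Returns 0 on success, -1 if the buffer is too small or mkstemp fails. */
int make_demo_spool_file(char *buf, size_t len)
{
    const char tmpl[] = "/tmp/lprdemo.XXXXXX";   /* assumed demo path */
    int fd;

    if (len < sizeof tmpl)
        return -1;
    memcpy(buf, tmpl, sizeof tmpl);
    fd = mkstemp(buf);
    if (fd == -1)
        return -1;
    if (write(fd, "job data\n", 9) != 9) {
        close(fd);
        unlink(buf);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];

    if (make_demo_spool_file(path, sizeof path) == -1) {
        perror("make_demo_spool_file");
        return 1;
    }
    /* In a setuid-root lpr the submitter is the real uid/gid; lpd and
     * lprm would instead take uid/gid from the validated job owner. */
    if (unlink_as_user(getuid(), getgid(), path) == 0)
        printf("removed %s as uid %ld\n", path, (long)getuid());
    else
        perror("unlink_as_user");
    return 0;
}
```

Run as an ordinary user the program removes its own temporary file; the credential switch is then a no-op, which is exactly the lpr case (real uid equals the submitter). The value shows up when the caller is root: the unlink is performed with the job owner's ids, so sticky-bit and directory-write checks apply to that user rather than to uid 0.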