Date: Sun, 23 Jul 1995 15:43:15 +0200 (MET DST)
From: okir@monad.swb.de (Olaf Kirch)
To: jkh@time.cdrom.com
Subject: Tentative fix for BSD lpr (fwd)
Message-ID: <m0sa1JM-00005JC@monad.swb.de>
Resent-Message-ID: <450.806573769@time.cdrom.com>
Hello,

Prompted by the lpr -r -s problems recently reported on bugtraq and linux-security, I looked into the lpr source and came up with a couple of patches. I was told that you are maintaining the original BSD source base of lpd/lpr, so I thought you might be interested in taking a look at those. If this is no news for you, and you've already fixed the problem yourself, please feel free to ignore my mail.

The patch is against a slightly modified source from the Linux NetKit distribution of BSD networking stuff. It does the following things:

 * Attempt to fix the lpr -r and lpr -r -s race conditions. Code related to job file removal can be found in the following places:

     lpr:   after the job has been spooled (lpr -r)
     lpd:   after the job has been successfully printed (lpr -r -s)
     lprm:  when removing a pending job (lpr -r -s)

   Unlinking now always happens under the euid/egid of the user who submitted the job. This is easy for lpr, but slightly more difficult for lpd/lprm. Trusting that the job description files are ok, I extract the user and host name and match them against hosts.equiv and .rhosts to make sure the accounts are equivalent. There's a tiny difference between lpd and lprm: lpd still has the FQDN of the original submitter's host, while lprm has to use the host information from the job description file (currently not checked against the sender's hostname).

 * Made the /dev/printer Unix socket mode 600. It used to be 777, thus allowing anyone to submit faked jobs with false credentials.

 * Avoid the FTP bounce attack.

 * Fixed a possible stack overwrite problem in rmjob.c. There may be more of those lurking.

   [there was another overwrite problem in chkhost, where the hostname buffer was too small (50 bytes). Fortunately, the function never returns when it fails to validate the hostname, so there's no way to inject worm-like code through bogus DNS PTR records].

The patch follows below.
Best wishes,
Olaf

[Attachment: lpr.diff.gz, uuencoded]

-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
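An added example, not taken from the patch in the mail above, of its first fix: removing a job file with the submitting user's ids instead of the daemon's. `unlink_as_user` is a hypothetical helper, and doing the drop in a forked child (rather than switching the effective ids in place) is an assumption made here.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: remove `path` with the submitting user's ids rather
 * than the daemon's. The drop happens in a short-lived child, so the parent
 * never has to regain privileges. Returns 0, or the errno of the failure. */
int unlink_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        /* Order matters: supplementary groups, then gid, then uid. */
        if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
            _exit(errno);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(errno);
        /* Permission checks now use the user's ids, so a path redirected
         * after spooling cannot remove what the user could not remove. */
        _exit(unlink(path) == 0 ? 0 : errno);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EIO;
}

int main(void)
{
    /* Constructed demo: create a scratch file and remove it as ourselves. */
    char path[] = "/tmp/lpr-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    int rc = unlink_as_user(path, getuid(), getgid());
    printf("unlink_as_user(%s) -> %d\n", path, rc);
    return rc != 0;
}
```

A caller that is not root can only pass its own uid and gid; any other target makes the child exit with EPERM, which the helper returns.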