From owner-freebsd-bugs  Tue Oct 22 09:00:04 1996
Return-Path: owner-bugs
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA07266
          for bugs-outgoing; Tue, 22 Oct 1996 09:00:04 -0700 (PDT)
Received: (from gnats@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA07254;
          Tue, 22 Oct 1996 09:00:02 -0700 (PDT)
Date: Tue, 22 Oct 1996 09:00:02 -0700 (PDT)
Message-Id: <199610221600.JAA07254@freefall.freebsd.org>
To: freebsd-bugs
Cc: 
From: Marc Slemko <marcs@znep.com>
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Reply-To: Marc Slemko <marcs@znep.com>
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/1863; it has been noted by GNATS.

From: Marc Slemko <marcs@znep.com>
To: tqbf@enteract.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: bin/1863: On systems with setuid 'lpr' and defined printers, lpr breaks root
Date: Tue, 22 Oct 1996 09:49:36 -0600 (MDT)

 Below is an excerpt from a diff between the current FreeBSD and the
 current OpenBSD lpr.c that shows how this problem is fixed in the OpenBSD
 source. 
 
 There are also some other attempts at security improvements in the OpenBSD
 lpr code; they should be looked at to see if they are valid and, if so,
 imported. 
 
 ***************
 *** 471,477 ****
         register int len = 2;
   
         *p1++ = c;
 !       while ((c = *p2++) != '\0') {
                 *p1++ = (c == '\n') ? ' ' : c;
                 len++;
         }
 --- 505,511 ----
         register int len = 2;
   
         *p1++ = c;
 !       while ((c = *p2++) != '\0' && len < sizeof(buf)) {
                 *p1++ = (c == '\n') ? ' ' : c;
                 len++;
         }