From owner-freebsd-security  Wed Mar 26 18:28:09 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id SAA24584
          for security-outgoing; Wed, 26 Mar 1997 18:28:09 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA24564
          for <security@freebsd.org>; Wed, 26 Mar 1997 18:28:05 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id SAA03271 for <security@freebsd.org>; Wed, 26 Mar 1997 18:30:00 -0800 (PST)
Received: (qmail 6055 invoked by uid 110); 26 Mar 1997 22:48:30 -0000
Message-ID: <19970326224830.6053.qmail@suburbia.net>
Subject: Re: FreeBSD-SA-97:02: Buffer overflow in lpd
In-Reply-To: <E0wA0Nz-0005pU-00@rover.village.org> from FreeBSD Security Officer at "Mar 26, 97 02:37:35 pm"
To: security@freebsd.org
Date: Thu, 27 Mar 1997 09:48:29 +1100 (EST)
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-- Start of PGP signed section.
> =============================================================================
> FreeBSD-SA-97:02                                            Security Advisory
>                                                                 FreeBSD, Inc.
> 
> Topic:          Buffer overflow in lpd
> 
> Category:       core
> Module:         lpd
> Announced:      1997-03-xxx
> Affects:        FreeBSD 2.1.7 and earlier and FreeBSD 2.2 snapshots
> 		before 1997/02/25 suffer from this problem.
> Corrected:      FreeBSD-current as of 1997/02/25
> 		FreeBSD 2.2 as of 1997/02/25
> FreeBSD only:   yes
> 
> Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:02/
> 
> =============================================================================
> 
> I.   Background
> 
>      The lpd program is used to print local and remote print jobs.  It
>      is standard software in the FreeBSD operating system.
> 
> II.  Problem Description
> 
>      The lpd program runs as root.  A remote attacker can exploit a
>      buffer overflow to obtain root privs.
> 
> III. Impact
> 
>      Remote users can gain root privs.
> 

Writing exploit code using only alpha-numeric characters, "." and "-" might
be an interesting challenge.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
		      |together to collect wood and don't assign them tasks
proff@suburbia.net    |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery