NETBSD Information for VU#274043

BSD Line Printer Daemon vulnerable to buffer overflow via crafted print request

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2001-018
=================================

Topic: Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon

Version: NetBSD-current: prior to August 28, 2001
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected

Severity: Remote root compromise from any host which can connect to lpd(8)

Fixed: NetBSD-current: August 28, 2001
NetBSD-1.5 branch: September 30, 2001
NetBSD-1.4 branch: not yet

Abstract
========

There is an remotely exploitable buffer overrun in the printer daemon,
/usr/sbin/lpd.


Technical Details
=================

http://msgs.securepoint.com/cgi-bin/get/bugtraq0108/259.html


Solutions and Workarounds
=========================

NetBSD 1.3 and later install with lpd disabled by default. A system is
vulnerable to this security hole only if it is running /usr/sbin/lpd,
and access to lpd is allowed by entries in /etc/hosts.lpd. Updating
the binary for safety is recommended.

Quick workaround:
If you are running /usr/sbin/lpd, and you do not need it, stop it.
If you have /etc/hosts.lpd which is open to everyone, you will want to
tighten the setup so that no malicious parties can access your remote printer.

Solutions:

* NetBSD -current, 1.5, 1.5.1, 1.5.2:

Systems running NetBSD-current dated from before 2001-08-28
should be upgraded to NetBSD-current dated 2001-08-28 or later.

Systems running NetBSD 1.5, 1.5.1 or 1.5.2 dated from before
2001-09-30 should be upgraded to NetBSD-1.5 branch sources dated
2001-09-30 or later.

The following directory needs to be updated from the
netbsd-current CVS branch (aka HEAD) for NetBSD-current,
or netbsd-1-5 CVS branch for NetBSD 1.5, 1.5.1 or 1.5.2:
src/usr.sbin/lpr

To update from CVS, re-build, and re-install lpd(8):
# cd src/usr.sbin/lpr
# cvs update -d -P
# make cleandir dependall install


Alternatively, apply the following patch (with potential offset
differences) and rebuild & re-install lpd(8):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

To patch, re-build and re-install lpd(8):
# cd src/usr.sbin/lpr/common_sources
# patch < /path/to/SA2001-012-lpd.patch
# make cleandir dependall install


* NetBSD 1.4, 1.4.x:

Systems running NetBSD-1.4.x releases should apply the following
patch (with potential offset differences):
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

To patch, re-build and re-install lpd(8):
# cd src/usr.sbin/lpr/common_sources
# patch < /path/to/SA2001-012-lpd.patch
# make cleandir dependall install


The anonymous CVS branch netbsd-1-4 should be updated with a
fix in the near future.


Thanks To
=========

Jun-ichiro Hagino for the original patches to -current, from a fix in
OpenBSD

Revision History
================

2001-11-22 Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved.

$NetBSD: NetBSD-SA2001-018.txt,v 1.6 2001/11/22 15:21:45 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO/0YaT5Ru2/4N2IFAQFP2wP/cSSUxRgwi/JOWj7Yx6u35ygYpuZV3oXs
utQs/astpcjqVPQGqw0BRAuG5dJCqmLqf0F//cpwmFn/V5f5ByhwJE+x/KrtJ19N
S36uB6AAQYQ7Bh9GGVApncKwk2XeA3XcI2PAWX1VkRStzU/k6QYunfqqRdnMr5xr
srHaB5bZ9FQ=
=Wn9T
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

NetBSD Version 1.5.1 and earlier have been reported vulnerable in the Internet Security Systems Advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us email.