FreeBSD Information for VU#382365

LPRng can pass user-supplied input as a format string parameter to syslog() calls



Vendor Statement

FreeBSD does not include LPRng in the base system. Older versions of FreeBSD included a vulnerable version of LPRng in the Ports Collection but this was corrected almost 2 months ago, prior to the release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56 for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



While the default FreeBSD install is not vulnerable to this issue, users running the LPRng included in the Ports Collection prior to 4.2 should immediately upgrade to the LPRng-3.6.25 in the latest sysutils package.

If you have feedback, comments, or additional information about this vulnerability, please send us email.