On Mon, Jan 15, 2001 at 10:10:08AM +0100, V. Achiaga wrote:
>
> > Hey,
> > What u mean debian-specific patch?
>
> I only want to mean a patch including the patch.diff file, or an
> official debian package (.deb file)

if debian is vulnerable then an updated package should indeed be placed
in security.debian.org

> > > I know there's a debian package of lprng, but I don't know if the patch
> > > you're talking about is applied to this package, I guess you should check
> > > the changelog to find out.
>
> At the moment, the patch isn't applied... So I think that debian is
> vulnerable.

i am not certain that it is. from the original post to BugTraq,
telnetting to the printer port and entering several %s would cause the
daemon to segfault; this does not occur on debian. also i tried an
exploit (targeted at RH7) which had various bruteforce options
against debian and it failed. does not necessarily mean it's not
vulnerable of course...

a couple things i noticed:

lprng does *NO* logging that i can see, syslog seems to direct lpr
logs to /var/log/lpr.log which is empty on my system no matter what i
do. also from the lprng changelog.Debian.gz:

lprng (3.6.12-7) stable; urgency=high

  * SECURITY FIXES!!
  * syslog() overflow bug fixed
  * getttext NLSPATH security bug fixed.
  * spool_file_perms security bug fixed.
  * Added setuid Linux bug work-around.

 -- Craig Small <[EMAIL PROTECTED]>  Sun, 15 Oct 2000 15:42:02 -0500

as i understand it the syslog() problem in this case is a format
string so that might be something different. as far as i can tell
debian's lprng never logs anything so perhaps never calls syslog().

i wish debian released security unadvisories when their package is not
vulnerable to a certain bug like this...

--
Ethan Benson
http://www.alaska.net/~erbenson/