[294] in linux-security and linux-alert archive
Tentative fix for BSD lpr
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sat Jul 22 20:20:24 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 23 Jul 1995 01:06:13 +0200 (MET DST)
Cc: flla@stud.uni-sb.de (Florian La Roche)
-----BEGIN PGP SIGNED MESSAGE-----
Hi all,

here's a patch to the BSD lpr stuff from NetKit-B-0.05. Apart from the
bug Zygo Blaxell reported, I stumbled across some more.

 * lpr -r and lpr -r -s would remove arbitrary files in some cases.
   Unfortunately, the file removal code is scattered throughout
   several programs and source files. I found the following places:

     lpr:   after the job has been spooled (lpr -r)
     lpd:   after the job has been successfully printed (lpr -r -s)
     lprm:  when removing a pending job (lpr -r -s)

   Unlinking now always happens under the euid/egid of the user who
   submitted the job. This is easy for lpr, but slightly more
   difficult for lpd/lprm. Trusting that the job description files
   are ok, I extract the user and host name and match them against
   hosts.equiv and .rhosts to make sure the accounts are
   equivalent.

   There's a tiny difference between lpd and lprm: lpd still has
   the FQDN of the original submitter's host, while lprm has to use
   the host information from the job description file (currently
   not checked against the sender's hostname).

 * Made the /dev/printer Unix socket mode 600. It used to be
   777 thus allowing anyone to submit faked jobs with false
   credentials.

 * Avoid the FTP bounce attack.

 * Fixed a possible stack overwrite problem in rmjob.c. I have the
   feeling that this is not the only one... can you say RTM?

Please let me know if it works for you. I'll send out the patch to
linux-alert in a few days if no-one complains, or if someone comes up
with a cleaner one.

If anyone knows where to reach the BSD people who maintain this beast,
please drop me a note.

Have a nice day everyone,
Olaf
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBMBGEIOFnVHXv40etAQFQmgQAlBDi+2eKPQAWWq5e/ddyZTJbtY1JSUr6
9L3pb+Xu8sPm2tO65HysxCZiOyLslFQFzMlDZWEBh2Ic0iXYiuv+90BWgOOGzaaq
Jzsp48fe2K5HnD7jBD/qyhPsMtTxFgPh7mfznCJTV/ziHJDaoWBRIcDu5geDJtC4
V0T9gvnM50A=
=q2aq
-----END PGP SIGNATURE-----
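The rule stated in the message above, that unlinking always happens under the euid/egid of the user who submitted the job, sketched as an added C example. It is not taken from the NetKit patch or from lpr/lpd; `unlink_as_user` and the demo file name are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* unlink_as_user() is a hypothetical helper, not a function from lpr/lpd.
 * It removes `path` with the effective uid/gid of the job's submitter, so
 * the kernel applies that user's permissions rather than the daemon's.
 * Supplementary groups are left unchanged here.
 * Returns 0 on success, -1 with errno set on failure. */
int unlink_as_user(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int rc, err;

    /* Group first: after the euid drops, setegid() may no longer be allowed. */
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0) {
        err = errno;
        if (setegid(saved_gid) != 0)
            _exit(1);
        errno = err;
        return -1;
    }

    rc = unlink(path);
    err = errno;

    /* Restore in reverse order; never continue with a half-switched identity. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        _exit(1);
    errno = err;
    return rc;
}

int main(void)
{
    char path[] = "/tmp/lpr-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    close(fd);
    int rc = unlink_as_user(path, geteuid(), getegid());
    printf("%s: %s\n", path, rc == 0 ? "removed" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

When the caller runs as root and passes the submitter's ids, a file that user may not remove fails with the kernel's own error (typically EACCES or EPERM) instead of being deleted with root's rights.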