[6540] in bugtraq
Re: Nasty security hole in "lprm"
daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Apr 20 03:25:57 1998
Date: Sat, 18 Apr 1998 15:49:08 +0100
Reply-To: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.980418153204.6065A-100000@ferret.lmh.ox.ac.uk>
Hi,
Sorry to follow up on my own post about lprm, but...
...yes OpenBSD fixed it long ago.
I'll bet there are other lpr subsystem bugs they fixed too, that we should
all care about :)
===================================================================
RCS file: /usr/OpenBSD/cvs/src/usr.sbin/lpr/common_source/rmjob.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- src/usr.sbin/lpr/common_source/rmjob.c 1996/07/04 05:41:52 1.3
+++ src/usr.sbin/lpr/common_source/rmjob.c 1996/10/25 19:38:21 1.4
@@ -327,12 +327,12 @@
(void)snprintf(buf, sizeof(buf), "\5%s %s", RP, all ? "-all" : person);
cp = buf;
- for (i = 0; i < users; i++) {
+ for (i = 0; i < users && cp-buf+1+strlen(user[i]) < sizeof buf; i++) {
cp += strlen(cp);
*cp++ = ' ';
strcpy(cp, user[i]);
}
- for (i = 0; i < requests; i++) {
+ for (i = 0; i < requests && cp-buf+10 < sizeof buf; i++) {
cp += strlen(cp);
(void) sprintf(cp, " %d", requ[i]);
}
