From owner-freebsd-security Sun Nov 24 19:27:19 1996
Return-Path: owner-security
Date: Sun, 24 Nov 1996 20:27:00 -0700 (MST)
From: Marc Slemko
Reply-To: Marc Slemko
To: security@freebsd.org
Subject: cvs commit: ports/x11/XFree86 Makefile (fwd)
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

As per the below commit, SuperProbe is no longer setuid root on FreeBSD.  I would highly recommend that you remove the setuid bit if it is installed on your system; it is normally in /usr/X11R6/bin/SuperProbe if you have X installed.  'chmod u-s /usr/X11R6/bin/SuperProbe' will do the trick.

There are at least two possible buffer overflows which are trivial to find by looking through the source.  I have not investigated them fully to determine if they are exploitable; they are not exploitable using the more common methods, but they could still be exploitable.

By removing the setuid bit, the net result is that non-root users can't probe your video chip.  Funny, but to me that is a good thing not a bad thing.
---------- Forwarded message ----------
Date: Sun, 24 Nov 1996 18:29:27 -0800 (PST)
From: Jean-Marc Zucconi
To: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-ports@freefall.freebsd.org
Subject: cvs commit: ports/x11/XFree86 Makefile

jmz         96/11/24 18:29:27

  Modified:    x11/XFree86  Makefile
  Log:
  Remove the suid bit of SuperProbe. According to Marc Slemko (marcs@alive.ampr.ab.ca) there are potential security holes in SuperProbe and it is not going to be setuid in the next release.

  Revision  Changes    Path
  1.23      +2 -1      ports/x11/XFree86/Makefile

From owner-freebsd-security Mon Nov 25 14:19:22 1996
Message-Id: <199611252218.XAA11972@gvr.win.tue.nl>
From: FreeBSD Security Officer
To: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr
Date: Mon, 25 Nov 1996 23:00:00 +0100 (MET)
Reply-To: security-officer@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:18                                            Security Advisory
                                                                FreeBSD, Inc.
Topic:          Buffer overflow in lpr

Category:       core
Module:         lpr
Announced:      1996-11-25
Affects:        FreeBSD 2.*
Corrected:      FreeBSD-current as of 1996/10/27
                FreeBSD-stable as of 1996/11/01
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:18/
=============================================================================

I.   Background

The lpr program is used to print files. It is standard software in the FreeBSD operating system.

This advisory is based on AUSCERT's advisory AA-96.12. The FreeBSD security-officers would like to thank AUSCERT for their efforts.

II.  Problem Description

Due to its nature, the lpr program is setuid root. Unfortunately, the program does not do sufficient bounds checking on arguments which are supplied by users. As a result it is possible to overwrite the internal stack space of the program while it's executing. This can allow an intruder to execute arbitrary code by crafting a carefully designed argument to lpr. As lpr runs as root this allows intruders to run arbitrary commands as root.

III. Impact

Local users can gain root privileges.

IV.  Workaround

AUSCERT has developed a wrapper to help prevent lpr being exploited using this vulnerability. This wrapper, including installation instructions, can be found in ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.12.lpr.buffer.overrun.vul

V.   Solution

Apply one of the following patches. Patches are provided for

  FreeBSD-current (before 1996/10/27)                  (SA-96:18-solution.current)
  FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and
  FreeBSD-stable (before 1996/11/01)                   (SA-96:18-solution.2xx)

Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18
=============================================================================
FreeBSD, Inc.
Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

From owner-freebsd-security Mon Nov 25 19:20:42 1996
To: security-officer@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr
In-reply-to: Your message of "Mon, 25 Nov 1996 14:00:00 PST." <199611252218.XAA11972@gvr.win.tue.nl>
Date: Mon, 25 Nov 1996 19:19:39 PST
From: Bill Fenner
Message-Id: <96Nov25.191950pst.177711@crevenia.parc.xerox.com>

In message <199611252218.XAA11972@gvr.win.tue.nl> security-officer wrote:
>Affects:        FreeBSD 2.*
>Corrected:      FreeBSD-current as of 1996/10/27
>                FreeBSD-stable as of 1996/11/01

Shouldn't this be something more like

Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1.5
Corrected:      FreeBSD-current as of 1996/10/27
                FreeBSD-stable as of 1996/11/01
                FreeBSD 2.2 and 2.1.6 releases

or something?  The timing of the advisory and the statement "FreeBSD 2.*" implies that 2.1.6 is affected, while the CVS tree says that the fix was in 2.1.6.  Yes, if you know that 2.1.6 was based on FreeBSD-stable and was released after 1996/11/01, then you can derive the same information, but why not make it explicit?  (Especially for the person who is browsing the security advisories next year and comes across this one...  "oh, shoot, 2.2 is affected"...)

  Bill

From owner-freebsd-security Mon Nov 25 20:57:28 1996
Message-ID: <329AA285.610B@ingenieria.ingsala.unal.edu.co>
Date: Mon, 25 Nov 1996 23:55:49 -0800
From: "Pedro Giffuni S."
Reply-To: pgiffuni@fps.biblos.unal.edu.co
Organization: Universidad Nacional de Colombia
To: security@freebsd.org
Subject: Exportable crypt ????
Hello:

Under the noble motivation of porting more mailers, I looked for MMDF, which is older than sendmail and very versatile. I haven't compiled it, and the story is not about mail... The only place where I could find MMDF was in ftp.arl.mil:/pub/. While I was there, I also found a program called BRL-CAD, and the NON_USA_README said:

...
> We are looking for volunteers willing to be a "mirror" FTP site located
> in Europe.
>
> Recipients without the UNIX "crypt" command will need to get the file
> "enigma.c" located in this directory, which builds a public-domain
> substitute for UNIX "crypt".

It seems like an invitation to export an encryption program to me! But now, they are the US army, they don't have to ask for permission, do they? (BTW, is that constitutional?)

Pedro.

From owner-freebsd-security Mon Nov 25 22:05:04 1996
Date: Mon, 25 Nov 1996 23:05:23 -0700 (MST)
Message-Id: <199611260605.XAA01593@obie.softweyr.com>
From: Wes Peters
To: pgiffuni@fps.biblos.unal.edu.co
CC: security@freebsd.org
Subject: Exportable crypt ????
In-Reply-To: <329AA285.610B@ingenieria.ingsala.unal.edu.co>
References: <329AA285.610B@ingenieria.ingsala.unal.edu.co>

Pedro Giffuni S. writes:
> The only place where I could find MMDF was in ftp.arl.mil:/pub/.
> While I was there, I also found a program called BRL-CAD, and the
> NON_USA_README said:
>
> > We are looking for volunteers willing to be a "mirror" FTP site located
> > in Europe.
> >
> > Recipients without the UNIX "crypt" command will need to get the file
> > "enigma.c" located in this directory, which builds a public-domain
> > substitute for UNIX "crypt".
>
> It seems like an invitation to export an encryption program to me!
> But now, they are the US army, they don't have to ask for permission, do
> they? (BTW, is that constitutional?)

Not all encryption software is illegal to export; I believe the limitations are based on the key size.  Good ol' enigma.c, which has been kicking around UNIX in various forms since '72 or '74, uses a small enough key that nobody cares.  It is based on a hardware device used by the Germans in WWII, known as the "Enigma Rotor."  It is important to note that it was cracked by cryptographers working for the British Gov't early in the war; things encrypted with enigma are *certainly* not going to confuse MI5.  ;^)

-- 
         "Where am I, and what am I doing in this handbasket?"
Wes Peters                                                 Softweyr LLC
http://www.xmission.com/~softweyr                   softweyr@xmission.com

From owner-freebsd-security Tue Nov 26 00:34:52 1996
From: Guido van Rooij
Message-Id: <199611260834.JAA21795@spooky.lss.cp.philips.com>
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr
To: fenner@parc.xerox.com (Bill Fenner)
Date: Tue, 26 Nov 1996 09:34:08 +0100 (MET)
Cc: security-officer@freebsd.org, freebsd-security@freebsd.org
Reply-To: Guido.vanRooij@nl.cis.philips.com
In-Reply-To: <96Nov25.191950pst.177711@crevenia.parc.xerox.com> from Bill Fenner at "Nov 25, 96 07:19:39 pm"

Bill Fenner wrote:
> In message <199611252218.XAA11972@gvr.win.tue.nl> security-officer wrote:
> >Affects:        FreeBSD 2.*
> >Corrected:      FreeBSD-current as of 1996/10/27
> >                FreeBSD-stable as of 1996/11/01
>
> Shouldn't this be something more like
>
> Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1.5
> Corrected:      FreeBSD-current as of 1996/10/27
>                 FreeBSD-stable as of 1996/11/01
>                 FreeBSD 2.2 and 2.1.6 releases
>
> or something?  The timing of the advisory and the statement "FreeBSD 2.*"
> implies that 2.1.6 is affected, while the CVS tree says that the fix was in
> 2.1.6 .  Yes, if you know that 2.1.6 was based on FreeBSD-stable and was
> released after 1996/11/01, then you can derive the same information, but why
> not make it explicit?  (Especially for the person who is browsing the security
> advisories next year and comes across this one...  "oh, shoot, 2.2 is
> affected"...)

Yes indeed. I'll send a revised one later today.

-Guido

From owner-freebsd-security Tue Nov 26 08:29:34 1996
From: pgiffuni@fps.biblos.unal.edu.co
Date: Tue, 26 Nov 1996 11:32:10 -0500 (EST)
To: Wes Peters
Cc: security@freebsd.org
Subject: Re: Exportable crypt ???? (Secure RPC?)
In-Reply-To: <199611260605.XAA01593@obie.softweyr.com>

So... can we use it as a DES replacement for SECURE RPC?

On Mon, 25 Nov 1996, Wes Peters wrote:
>
> Not all encryption software is illegal to export; I believe the
> limitations are based on the key size.  Good ol' enigma.c, which has
> been kicking around UNIX in various forms since '72 or '74, uses a
> small enough key that nobody cares.  It is based on a hardware device
> used by the Germans in WWII, known as the "Enigma Rotor."  It is
> important to note that it was cracked by cryptographers working for
> the British Gov't early in the war; things encrypted with enigma are
> *certainly* not going to confuse MI5.  ;^)
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters                                                 Softweyr LLC
> http://www.xmission.com/~softweyr                   softweyr@xmission.com
>

From owner-freebsd-security Tue Nov 26 14:29:39 1996
From: "Thomas H. Ptacek"
Message-Id: <199611262034.OAA14366@enteract.com>
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr (fwd)
To: security@FreeBSD.org
Date: Tue, 26 Nov 1996 14:34:46 -0600 (CST)
Reply-To: tqbf@enteract.com

----- Forwarded message from The Nocturnal Prince -----

=============================================================================
FreeBSD-SA-96:18                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Buffer overflow in lpr

Category:       core
Module:         lpr
Announced:      1996-11-25
Affects:        FreeBSD 2.*
Corrected:      FreeBSD-current as of 1996/10/27
                FreeBSD-stable as of 1996/11/01
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:18/
=============================================================================

---- End Forward

Question.
This was problem-reported over a month ago, and triggered discussions on the FreeBSD-security list and on bugtraq. I'm curious as to why it wasn't publicized immediately.

Furthermore, I'm interested in learning more about the FreeBSD team's policy on security advisories in general, as several issues have been brought up in problem-report format that have yet to receive 'public' acknowledgement. For the record, these issues include the immediately exploitable 'route(1)' overflows, the chroot(2) vulnerability, and the reverse lookup overflow in traceroute(1). I also don't recall ever seeing a release regarding modstat(1)'s argv[2] overflow.

It would appear that problem-reports are not the optimal way to deal with security issues in FreeBSD. If this is the case, can you recommend a better mechanism for bringing these problems to the attention of developers and users?

Thank you.

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));

From owner-freebsd-security Tue Nov 26 15:30:13 1996
Date: Tue, 26 Nov 1996 21:08:02 +0200 (EET)
From: Narvi
To: pgiffuni@fps.biblos.unal.edu.co
cc: Wes Peters, security@freebsd.org
Subject: Re: Exportable crypt ???? (Secure RPC?)
On Tue, 26 Nov 1996 pgiffuni@fps.biblos.unal.edu.co wrote:

>
> So... can we use it as a DES replacement for SECURE RPC?
>

Only if you rename it INSECURE RPC (as opposed to ordinary RPC). I for one would not want such a thing unless it is labeled as such.

Sander

>
> On Mon, 25 Nov 1996, Wes Peters wrote:
>
> >
> > *certainly* not going to confuse MI5.  ;^)

If I am not too wrong, not many other people as well...

> >
> > --
> > "Where am I, and what am I doing in this handbasket?"
> >
> > Wes Peters                                                 Softweyr LLC
> > http://www.xmission.com/~softweyr                   softweyr@xmission.com
> >

From owner-freebsd-security Tue Nov 26 15:42:15 1996
Message-Id: <199611262027.VAA18385@gvr.win.tue.nl>
From: FreeBSD Security Officer
To: freebsd-security-notifications@FreeBSD.org, freebsd-announce@FreeBSD.org, freebsd-security@FreeBSD.org, first-teams@first.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr (REVISED)
Date: Tue, 26 Nov 1996 21:15:00 +0100 (MET)
Reply-To: security-officer@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:18                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Buffer overflow in lpr (revised)

Category:       core
Module:         lpr
Announced:      1996-11-25
Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1.5
Corrected:      FreeBSD-current as of 1996/10/27
                FreeBSD-stable as of 1996/11/01
                FreeBSD 2.2 and 2.1.6 releases
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:18/
=============================================================================

I.   Background

The lpr program is used to print files. It is standard software in the FreeBSD operating system.

This advisory is based on AUSCERT's advisory AA-96.12. The FreeBSD security-officers would like to thank AUSCERT for their efforts.

This is a revised advisory, issued to state clearly exactly which versions of FreeBSD are vulnerable.

II.  Problem Description

Due to its nature, the lpr program is setuid root. Unfortunately, the program does not do sufficient bounds checking on arguments which are supplied by users. As a result it is possible to overwrite the internal stack space of the program while it's executing. This can allow an intruder to execute arbitrary code by crafting a carefully designed argument to lpr. As lpr runs as root this allows intruders to run arbitrary commands as root.

III. Impact

Local users can gain root privileges.

IV.  Workaround

AUSCERT has developed a wrapper to help prevent lpr being exploited using this vulnerability. This wrapper, including installation instructions, can be found in ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.12.lpr.buffer.overrun.vul

V.   Solution

Apply one of the following patches. Patches are provided for

  FreeBSD-current (before 1996/10/27)                  (SA-96:18-solution.current)
  FreeBSD-2.0.5, FreeBSD-2.1.0, FreeBSD-2.1.5 and
  FreeBSD-stable (before 1996/11/01)                   (SA-96:18-solution.2xx)

Patches can be found on ftp://freebsd.org/pub/CERT/patches/SA-96:18
=============================================================================
FreeBSD, Inc.
Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary.
=============================================================================

From owner-freebsd-security Wed Nov 27 18:17:12 1996
Message-Id: <1.5.4.16.19961128021707.14e73f38@pollux.or.signature.nl>
Date: Thu, 28 Nov 1996 02:17:07 +0000
To: freebsd-security@FreeBSD.ORG
From: Bart Smit
Subject: ??? Re: FreeBSD 2.1.6 replaced with point release (2.1.6.1)

>Following Murphy's law to the letter, a significant security hole in
>sendmail 8.8.3 was found just one day after 2.1.6 was rolled and put
>up on ftp.freebsd.org, requiring some sort of response before putting
>2.1.6 onto CDROM.

I hope I'm not the only one that has desperately been trying to find more info on the 8.8.3 security hole during the last two days. It was really starting to bug me but then I realized that this must refer to the hole that was FIXED in 8.8.3. A meta-Murphy typo? Someone please confirm... I refuse to feel silly.

Bart
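The FreeBSD-SA-96:18 advisory earlier in this digest describes the lpr bug class without showing code: a setuid root program copying a user-supplied argument into a fixed-size stack buffer with no bounds check. The following is an added example and is not code from the advisory or from FreeBSD's lpr; the job-name option, JOBNAME_MAX and the sample arguments are constructed for illustration, and the bounded version shows the length check a fix of this kind needs.

```c
#include <stdio.h>
#include <string.h>

#define JOBNAME_MAX 32            /* constructed buffer size for the example */

/* Vulnerable pattern (the class SA-96:18 describes): strcpy() copies as
 * many bytes as the caller supplies, so an argument of JOBNAME_MAX or more
 * bytes writes past the end of name[] on the stack. Shown for contrast;
 * nothing below calls it with untrusted input. */
void take_jobname_unchecked(const char *arg)
{
    char name[JOBNAME_MAX];
    strcpy(name, arg);            /* no bounds check on a user-controlled string */
    printf("job name: %s\n", name);
}

/* Hardened pattern: measure first, reject anything that does not fit together
 * with its terminator, then copy exactly what was measured. Returns 0 when the
 * argument was accepted and -1 when it was rejected. */
int take_jobname_checked(const char *arg, char *out, size_t outsize)
{
    size_t len = strlen(arg);
    if (outsize == 0 || len >= outsize)   /* need len + 1 bytes for the NUL */
        return -1;
    memcpy(out, arg, len + 1);
    return 0;
}

/* Mimics option handling in a setuid tool: every argv element is treated as
 * untrusted and validated before use. Returns the number accepted; rejected
 * arguments are reported on stderr and never reach the fixed-size buffer. */
int validate_args(int argc, char *const argv[])
{
    char name[JOBNAME_MAX];
    int accepted = 0;
    int i;
    for (i = 1; i < argc; i++) {
        if (take_jobname_checked(argv[i], name, sizeof name) == 0) {
            accepted++;
        } else {
            fprintf(stderr, "argument %d rejected: %lu bytes, limit is %d\n",
                    i, (unsigned long)strlen(argv[i]), JOBNAME_MAX - 1);
        }
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample inputs: one job name that fits and one oversized
     * argument that would overrun the unchecked version's buffer. */
    char big[100];
    char *argv[4];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    argv[0] = "lpr";
    argv[1] = "job1";
    argv[2] = big;
    argv[3] = NULL;
    take_jobname_unchecked("job1");       /* safe input only */
    printf("accepted %d of 2 arguments\n", validate_args(3, argv));
    return 0;
}
```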