From owner-freebsd-bugs  Sun Oct  5 02:51:27 1997
Return-Path: <owner-freebsd-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id CAA10155
          for bugs-outgoing; Sun, 5 Oct 1997 02:51:27 -0700 (PDT)
Received: from sax.sax.de (sax.sax.de [193.175.26.33])
          by hub.freebsd.org (8.8.7/8.8.7) with SMTP id CAA10146
          for <bugs@FreeBSD.ORG>; Sun, 5 Oct 1997 02:51:23 -0700 (PDT)
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id LAA00985; Sun, 5 Oct 1997 11:51:21 +0200
Received: (from j@localhost)
	by uriah.heep.sax.de (8.8.7/8.8.5) id LAA29234;
	Sun, 5 Oct 1997 11:33:55 +0200 (MET DST)
Message-ID: <19971005113354.BI32445@uriah.heep.sax.de>
Date: Sun, 5 Oct 1997 11:33:54 +0200
From: j@uriah.heep.sax.de (J Wunsch)
To: bugs@FreeBSD.ORG
Cc: a42n8k9@REDROSE.NET (Bennett Samowich)
Subject: Re: Possible weakness in LPD protocol (fwd)
References: <Pine.BSF.3.96.971002185454.1458H-100000@cyrus.watson.org>
X-Mailer: Mutt 0.60_p2-3,5,8-9
Mime-Version: 1.0
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <Pine.BSF.3.96.971002185454.1458H-100000@cyrus.watson.org>; from Robert Watson on Oct 2, 1997 18:55:10 -0400
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

As Robert Watson wrote:

> Was wondering if this was a concern for us?

I think the serious bugs have been fixed.

> ---------- Forwarded message ----------
> Date: Thu, 2 Oct 1997 16:58:23 -0400
> From: Bennett Samowich <a42n8k9@REDROSE.NET>
> Reply-To: a42n8k9@unspecified-domain,
>     *NO-SPAM**.redrose.net@unspecified-domain
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Possible weakness in LPD protocol

> SOLUTIONS ???
> These holes are due to the implementation of the lpr protocol and the
> fact that lpd runs as root.  I am sure that there may be many solutions
> to this, but At first glance I think that by checking for a '/' in the
> filenames would cause the program to react when someone tries to print
> files from outside of the queue directory.

This has been done in the FreeBSD version.  As i read the commit logs,
the fixes have been obtained mostly or exclusively from OpenBSD.

Bennett, if you are intending to use some of the BSD source code, it
will be a good idea to use the most up-to-date sources from the
actively maintained BSD code.  While reviewing the code portions
you've quoted, i noticed a number of buffer overflow fixes as well
(again, most likely courtesy OpenBSD).

> As far as the mail bomb, maybe by checking the destination host with
> lpd's view of the caller, but that wouldn't allow for someone to print
> from one account and get the mail at another.  IE the boss getting
> notices when the report is finished.

This problem is still open.  Perhaps the algorithm should be changed
to send at most a single mail per print job.  I don't think much more
can be done about it without losing functionality.

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)