Multiple Vendor lpr Format String Vulnerability
BID:1711
Info
| Bugtraq ID: | 1711 |
| Class: | Input Validation Error |
| CVE: | CVE-2000-1208 |
| Remote: | No |
| Local: | Yes |
| Published: | Sep 26 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | This vulnerability was originally reported to bugtraq by Chris Evans <[email protected]> on September 25, 2000. |
| Vulnerable: | Wirex Immunix OS 6.2; Redhat Linux 7.0; OpenBSD 2.7; NetBSD 1.4.2; NetBSD 1.4.1; NetBSD 1.4 |
| Not Vulnerable: | SuSE Linux 7.0; SuSE Linux 6.4; SuSE Linux 6.3 |
Discussion
lpr is a utility which queues print jobs and submits them to a destination.
lpr contains a function called checkremote() which returns a pointer to a null-terminated character string. This string is passed to syslog() as its primary argument, the format string. As a result, if the string can be constructed so that it includes malicious format specifiers, syslog() can crash or be exploited to execute arbitrary code. It has been reported that intentional user input into this string is not possible without root access, and thus it is considered unlikely that this vulnerability is exploitable.
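The pattern described above and its correction, as an added example that is not taken from the lpr source: checkremote_stub(), count_directives(), render_literal() and log_remote_status() are hypothetical names, the message text is constructed sample data, and the LOG_WARNING priority is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for lpd's checkremote(): returns a status string.
 * The text is constructed sample data containing conversion specifiers. */
const char *checkremote_stub(void)
{
    return "unknown host %s for remote printer %x";
}

/* Count printf-style directives that syslog() would try to expand if the
 * string were used as the format argument. "%%" is a literal percent sign. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%')
            s++;            /* "%%": skip the escaped percent sign */
        else
            n++;
    }
    return n;
}

/* Render a message the way the corrected call does: the format is the
 * constant "%s", so the message is copied through as plain data. */
int render_literal(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Vulnerable pattern described above:  syslog(LOG_WARNING, msg);
 * Corrected pattern: constant format string, message passed as an argument.
 * LOG_WARNING is an assumed priority for this example. */
void log_remote_status(const char *msg)
{
    if (msg != NULL)
        syslog(LOG_WARNING, "%s", msg);
}

int main(void)
{
    log_remote_status(checkremote_stub());
    return 0;
}
```

Compiling with a format-string warning such as GCC's -Wformat-security flags calls where the format argument is not a string literal, which is how this class of bug is usually caught in an audit.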
As OpenBSD lpr is derived from the BSD source tree, other modern BSD distributions may be vulnerable as well.
RedHat advisory RHSA-2000:066-03 makes note of additional minor issues relating to LPR, including a potential DoS as well as a race condition allowing the queue to become wedged. See the References section for details.
Solution / Fix
Solution:
As part of their "format strings" audit, OpenBSD have independently discovered and corrected this vulnerability in their CVS.
This was fixed in NetBSD within the last 17 hours. http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/lpr/lpd/printjob.c
RedHat:
For each RPM for your particular architecture, run:
rpm -Fvh [filename]
where filename is the name of the RPM.
RPMs required:
Red Hat Linux 5.2:
alpha:
ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.5.x.alpha.rpm
sparc:
ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.5.x.sparc.rpm
i386:
ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.5.x.i386.rpm
sources:
ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.5.x.src.rpm
Red Hat Linux 6.x:
alpha:
ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.6.x.alpha.rpm
sparc:
ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.6.x.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.6.x.i386.rpm
sources:
ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.6.x.src.rpm
Immunix:
Packages for this update are available for Immunix OS 6.2 (StackGuarded versions of the RedHat packages). They can be found at:
http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7_StackGuard.i386.rpm
or
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/lpr-0.50-7_StackGuard.src.rpm
md5sums of the packages:
5f08dd8fadc05e71bbdafad6b2744dc8 lpr-0.50-7_StackGuard.i386.rpm
641637b987c94c9d3644946e4b006007 lpr-0.50-7_StackGuard.src.rpm
Mandrake:
Linux-Mandrake 6.0:
d19963294f539c64a4e852fb3f1f8c89 6.0/RPMS/lpr-0.50-3mdk.i586.rpm
6026033d4fe19be43694a653d495af0a 6.0/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 6.1:
128b012e397473163c1e2c1ed4b78806 6.1/RPMS/lpr-0.50-3mdk.i586.rpm
6026033d4fe19be43694a653d495af0a 6.1/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 7.0:
0ce870aa142c3482bdd0ad7b72a422c1 7.0/RPMS/lpr-0.50-3mdk.i586.rpm
6026033d4fe19be43694a653d495af0a 7.0/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 7.1:
6d82c047a905fea7edecc9bed347eae0 7.1/RPMS/lpr-0.50-3mdk.i586.rpm
6026033d4fe19be43694a653d495af0a 7.1/SRPMS/lpr-0.50-3mdk.src.rpm
Wirex Immunix OS 6.2
Wirex 6.2 I386 lpr-0.50-7.6.x_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7.6.x_StackGuard.i386.rpm
References
References:
- NetBSD BSD-lpr Format Strings Bug Fix (NetBSD)
- OpenBSD Homepage (OpenBSD)
- OpenBSD RCS file: /usr/OpenBSD/cvs/src/usr.sbin/lpr/lpd/printjob.c,v (OpenBSD)