

Re: SECURITY: [linux-alert] LSF Update#14: Vulnerability of the lpr program. AUSCERT 9610291550



Hi,

Your message dated: Sat, 23 Nov 1996 15:54:00 +0100

> many thanks for the information about the vulnerability of the lpr-program.
> Although, I have some criticism.
> 
> 
> : ABSTRACT
> : 
> : 	A vulnerability exists in the lpr program version 0.06. If installed 
> : 	suid to root, the lpr program allows local users to gain access to a
> : 	super-user account.
> 
> There is no "lpr program version 0.06". There is a Berkeley "lpr program
> version 5.9" patched for use under Linux. This program is part of the
> "netkit package version 0.06".
> Don't get me wrong, I do not write this to put the name of Berkeley in the
> lights (I hate Berkeley-stuff most of the time).

Hmm.. That was the result of the strings on my box... That is why I said
0.06... Also if you look around in packages of Red Hat and Caldera, lpr is
marked as 0.06...

I think we need to come up with a method of describing versions...

> But version numbers should be perfectly clear when they are an indicator for
> vulnerability. For example, the old Debian-lpr is referenced as
> "lpr 5.9-12" - so I'm not vulnerable?

I don't use Debian so when I received a message from Debian Project which
stated that Debian does not use lpr from what used to be a NetKit, I used
that message as a basis for my section on Debian. Can someone from Debian
_quickly_ verify _again_ if Debian/GNU Linux 1.1 is vulnerable? AUSCERT
wants to use this LSF Update in their advisory.

>  
> : 		Debian
> : 
> : 			Debian/GNU Linux 1.1 does not use lpr program and 
> : 			therefore is not vulnerable. If you have installed
> : 			lpr package yourself, your system becomes
> : 			vulnerable.
> 
> I already spoke to Sven Rudolph: Debian 1.1 ships with the Berkeley lpr
> version 5.9. I'm unsure if it's from netkit 0.07A or from 0.06. Am I
> vulnerable or not?

Frankly, I could not check it myself and PGP signed messages that I received
from Debian Project indicated that they are not.

> Today I've installed "lprng" from the directory "projects/experimental".
> I'm unsure if it's more secure. Are there any buffer overrun tests on its
> version of "lpr"?

LPRng is considered to be _far_ more secure as it uses a different design
strategy.

> 
> ".. does not use lpr program .." would mean Debian has no lpr program at
> all.
> 
> : 			It is believed at this moment that all Linux
> : 			distributions using lpr version 0.06 or prior
> : 			contain a vulnerable lpr program.
> 
> What's with the 0.07A and above? Is it _not_ vulnerable?

I am CC'ing this message to NetKit maintainer but if I remember correctly
lpr is no longer a part of the main netkit.... but hold me responsible for
this - I very well can be wrong here.

>  
> 
> : 			Until the official fix-kits are available for those
> : 			systems, it is advised that system administrators
> : 			obtain the source code of a LPRng print system used
> : 			in Debian/GNU Linux 1.1, compile it and replace the
> : 			lpr subsystem.
> 
> Sorry if I repeat my question: are there buffer-overrun tests on "lpr" from
> the LPRng-package? If it is safe, it should be mentioned.

It does not contain the particular bug that we see in lpr. Unfortunately, I
do not know anyone who can do A1 class formal design verification on the
subsystem.

To distribution and package maintainers:

	This again raises a question of version numbering. Is there any way
	we can all decide on using the same version numbering scheme for
	packages, so that if a package Blah 1.3 is in distributions A and B, in
	both of them it gets the name Blah-1.3-whatever-distribution-specific-parameters?
 
	Also... Please Please Please check several of your systems prior to
	supplying information that will go into LSF Updates...

Alex
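The thread above turns on two facts an administrator has to establish locally: whether the installed lpr is setuid root, and which spooler version the binary itself reports (Alex used `strings` for that). The following audit script is an added example, not code from the thread or from any of the distributions mentioned; the path to check is an argument, and the regular expression for version tags is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a print-spooler
# binary such as /usr/bin/lpr for (a) the setuid bit, (b) the owning user,
# and (c) version-like strings embedded in the binary.

# is_setuid FILE: prints yes/no; exit status 0 when the setuid bit is set.
is_setuid() {
    if [ -u "$1" ]; then echo yes; return 0; fi
    echo no; return 1
}

# owner_of FILE: prints the owning user name (parses ls -ld, portable).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# version_strings FILE: prints printable runs (4+ chars) that look like a
# spooler version tag. Uses tr rather than strings(1) so it works without
# binutils. The tag pattern is an assumption, not a vendor convention.
version_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' \
        | grep -iE 'netkit|lprng|lpr[- ]?[0-9]|version' | sort -u
}

# audit_lpr FILE: prints a one-line verdict; exit status 0 means the file is
# setuid AND owned by root, i.e. the configuration the advisory warns about.
audit_lpr() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not present"; return 2; }
    o=$(owner_of "$f")
    s=$(is_setuid "$f" || true)
    v=$(version_strings "$f" | head -n 3 | tr '\n' ';')
    echo "$f: owner=$o setuid=$s versions=${v:-none}"
    if [ "$s" = yes ] && [ "$o" = root ]; then return 0; else return 1; fi
}

# Usage: audit_lpr /usr/bin/lpr
```

A non-zero exit status from audit_lpr does not prove the binary is safe; it only means the setuid-root precondition from the advisory is absent.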




--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com