Re: SECURITY: [linux-alert] LSF Update#14: Vulnerability of the lpr program. AUSCERT 9610291550
On Sat, 23 Nov 1996, Alexander O. Yuriev wrote:
alex> No problem. It was made publically available a while ago... Please drop me a
alex> note when you test it.
Yes, Debian is vulnerable. That's what I did:
bash> whoami
winni
bash> gcc -o exploit exploit.c
bash> ./exploit
bash# whoami
root
bash# dpkg --status lpr
Package: lpr
Section: net
[..]
Maintainer: Sven Rudolph <sr1@inf.tu-dresden.de>
Version: 5.9-12
[..]
Description: Berkeley lpr/lpd line printer spooling system
This is the standards UNIX printer spooler and associated utilties.
You can use this for local and remote printers.
I suggest the following text for the section about Debian (please edit it,
English is not my native language):
The standard configuration of Debian/GNU Linux (all versions)
is to install the "lpr"-package that contains the vulnerable
"lpr"-utility.
The alternate Debian-package named "lprng" does contain a totally
different "lpr"-utility that is _not_ vulnerable. But this package
is not installed by default.
To check what package you have installed just execute the commands
dir /usr/bin/lpr
dpkg --status lprng
If they print out
-rwsr-sr-x 1 root lp 14169 Jul 29 23:25 /usr/bin/lpr
Package `lprng' is not installed and no info is available.
it indicates that (a) you have a "lpr"-utility installed and
(b) it is _not_ the "safe" version. In this case you should
immediately install the "lprng"-package by fetching the
appropriate package for your architecture ("i386" for Intel
PCs or "m68k" for Motorola-based systems) from
ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12-2_i386.deb
ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12-3_m68k.deb
The installation of the package is straightforward, e.g.
dpkg --install lprng_2.3.12-2_i386.deb
for the i386-architecture.
NOTE: After installing the "lprng"-package the insecure "lpr"
seems to be installed, too. *THAT'S OK.*
It's because the configuration-files (/etc/printcap) are
not deleted but re-used by "lprng". The binaries of "lpr"
are deleted and replaced by "safe" lprng-binaries. You
can confirm this by executing "dpkg --status lpr" which
should report "Status: install ok config-files".
Hm. Longer than I first thought.
-Winfried
--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com
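An added check, not part of the original mail: a small POSIX shell function that classifies a host from the captured output of `dir /usr/bin/lpr`, `dpkg --status lprng` and `dpkg --status lpr`, applying conditions (a) and (b) from the text and treating the "config-files" state of lpr after an lprng install as safe. The function name and the rule that both the setuid mode and the installed status are needed for "vulnerable" are assumptions; the output formats are the ones quoted in the mail.

```shell
#!/bin/sh
# lpr_state LS_LINE LPRNG_STATUS LPR_STATUS
# Arguments are the captured output of
#   dir /usr/bin/lpr ; dpkg --status lprng ; dpkg --status lpr
# Prints one of: safe-lprng, vulnerable, no-lpr, unknown
lpr_state() {
    ls_line=$1
    lprng_status=$2
    lpr_status=$3

    # (b) the replacement package is fully installed
    case "$lprng_status" in
        *"Status: install ok installed"*) lprng_installed=yes ;;
        *) lprng_installed=no ;;
    esac

    # (a) the original lpr package is fully installed, not just
    # left behind as "config-files" after lprng replaced its binaries
    case "$lpr_status" in
        *"Status: install ok installed"*) lpr_installed=yes ;;
        *) lpr_installed=no ;;
    esac

    # setuid bit: 4th character of the mode string is 's' (or 'S'),
    # as in "-rwsr-sr-x" from the mail
    mode=${ls_line%% *}
    case "$mode" in
        -??[sS]*) setuid=yes ;;
        *) setuid=no ;;
    esac

    if [ "$lprng_installed" = yes ]; then
        echo safe-lprng
    elif [ "$lpr_installed" = yes ] && [ "$setuid" = yes ]; then
        echo vulnerable
    elif [ -z "$ls_line" ]; then
        echo no-lpr
    else
        echo unknown
    fi
}

# Constructed sample input matching the output quoted in the mail
lpr_state '-rwsr-sr-x 1 root lp 14169 Jul 29 23:25 /usr/bin/lpr' \
    "Package \`lprng' is not installed and no info is available." \
    "$(printf 'Package: lpr\nStatus: install ok installed\n')"
```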