

Re: [linux-security] LSF Update#14: Vulnerability of the lpr program.



"Alexander O. Yuriev" <alex@bach.cis.temple.edu> writes:

>                           Linux Security FAQ Update
>                               lpr Vulnerability
>                         Thu Nov 21 22:24:12 EST 1996
>    Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
>                               CIS Laboratories
>                              TEMPLE  UNIVERSITY
>                                    U.S.A.


> 		Debian
> 
> 			Debian/GNU Linux 1.1 does not use lpr program and 
> 			therefore is not vulnerable. If you have installed
> 			lpr package yourself, your system becomes
> 			vulnerable.

> 		Other Linux Distributions
> 
> 			It is believed at this moment that all Linux
> 			distributions using lpr version 0.06 or prior
> 			contain a vulnerable lpr program.
> 
> 			Administrators of systems based on distributions
> 			not listed in this update or distributions that
> 			do not have fix-kits available at the moment are
> 			urged to contact their support centers requesting
> 			the fix-kits to be made available to them. 
> 
> 			In order to prevent the vulnerability from being
> 			exploited in the meantime, it is recommended that
> 			the suid bit be removed from the lpr program
> 			using the command
> 
> 				chmod u-s /usr/bin/lpr
> 
> 			Until the official fix-kits are available for those
> 			systems, it is advised that system administrators
> 			obtain the source code of a LPRng print system used
> 			in Debian/GNU Linux 1.1, compile it and replace the
> 			lpr subsystem.
> 
> ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12.orig.tar.gz
> ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12-2.diff.gz
> 
> ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12.orig.tar.gz
> ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12-2.diff.gz
> 
> 
> 			Please verify the MD5 fingerprint of the files prior
> 			to installing them.
> 
>          ca51aaa4560ddfc6ced987d568d8cc1c  lprng_2.3.12-2.diff.gz
>          f1c23e214a752e1c2dab2399b3457d2d  lprng_2.3.12.orig.tar.gz

There seems to have been some miscommunication regarding the impact of
this security hole on Debian.

LPRng is available for Debian, and I plan to introduce it as the
primary printing subsystem for Debian (NB: Other Debian people
disagree on this.) Current Debian systems still use BSD lpr and
therefore are vulnerable.

So please replace the Debian part above with the following:

-----------------------
Debian/GNU Linux 1.1 contains the vulnerable lpr utility. It is
installed as part of the standard installation.

A fixed version of lpr for Debian is not yet available.

In addition to lpr, an alternative printing subsystem called LPRng is
available for Debian. LPRng is an enhanced printer spooler system, with
functionality similar to the Berkeley lpr software. Besides having
more features, it avoids typical security holes by not running as
root. The vulnerability described above doesn't apply to LPRng.

The Debian packages of LPRng are available from the following URLs:

Debian 1.1 i386 Architecture

 ftp://ftp.debian.org/debian/bo/binary-i386/net/lprng_2.4.2-1.deb

Debian-development (no official release) m68k Architecture
Debian-development (no official release) sparc Architecture
Debian-development (no official release) alpha Architecture

 There are no binary packages of LPRng for these architectures
 available yet. You have to compile them from the sources.


The source package files for LPRng are available from the following URLs:

 ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2-1.dsc
 ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2.orig.tar.gz
 ftp://ftp.debian.org/debian/bo/source/net/lprng_2.4.2-1.diff.gz


Please verify the MD5 fingerprint of the Debian packages prior to
installing them.

f35277a64456eb035d14b177b4d2c605  lprng_2.4.2-1_i386.deb
b791d997d66b67bc1393ffd8281030bc  lprng_2.4.2-1.diff.gz
c0b60491659d7e074afa58c6329117ad  lprng_2.4.2-1.dsc
14b21cd6947e03c517fa50f5ddbb7ef7  lprng_2.4.2.orig.tar.gz
----------------------


In case you really want to point users of other distributions towards
LPRng: they only need lprng_2.4.2.orig.tar.gz; its content is
identical to the original LPRng distribution available from
dickory.sdsu.edu:/pub/LPRng.

	Sven
-- 
Sven Rudolph <sr1@inf.tu-dresden.de> ; WWW : http://www.sax.de/~sr1/
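As an added example (not part of the advisory or of Sven's reply), the following POSIX shell helpers carry out the two defensive steps recommended above: checking whether an unpatched lpr binary still carries the setuid bit (and dropping it with `chmod u-s`), and comparing a downloaded package against the MD5 fingerprint list published in the advisory before installing it. The manifest format (md5sum-style `hash  filename` lines) and the file names are assumptions.

```shell
# Added example, not from the original mail. Assumes a manifest file with
# md5sum-style lines: "<32 hex digits>  <filename>", as in the advisory.

# has_suid PATH -> exit 0 if the setuid bit is set on PATH, 1 otherwise.
# POSIX test(1) provides -u for exactly this check.
has_suid() {
    [ -u "$1" ]
}

# drop_suid PATH -> remove the setuid bit, the interim mitigation the
# advisory gives for an unpatched lpr; succeeds only if the bit is gone.
drop_suid() {
    chmod u-s "$1" && ! has_suid "$1"
}

# md5_of FILE -> print the hex MD5 digest of FILE.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_md5 MANIFEST FILE -> exit 0 if FILE's digest matches the entry
# for its basename in MANIFEST, 1 on mismatch or when no entry exists.
# Refusing on a missing entry matters: an unlisted file has no published
# fingerprint and must not be installed on the strength of the list.
verify_md5() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no fingerprint for $name in $manifest" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $name"
        return 0
    fi
    echo "FAIL $name: expected $expected, got $actual" >&2
    return 1
}
```

Typical use is `verify_md5 MD5SUMS lprng_2.4.2-1_i386.deb` with the four fingerprint lines from the mail saved as `MD5SUMS`, and `has_suid /usr/bin/lpr` to confirm whether the interim mitigation has been applied.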


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com