KSR[T] Advisory #004: printfilter / groff / lpd (fwd)



Hi,

Are we vulnerable to the below?  I am here thinking of magicfilter, which
runs a lot of these sorts of apps.

John

-- 
John Goerzen
Southwind Internet Access, Inc. Technical Support
Business e-mail: jgoerzen@southwind.net
Personal e-mail: jgoerzen@complete.org
Wichita State University e-mail: jgoerzen@cs.twsu.edu
Developer, Debian GNU/Linux    <http://www.debian.org>

---------- Forwarded message ----------
Date: Sat, 25 Oct 1997 08:22:39 -0700
From: "KSR[T]" <ksrt@dec.net>
To: BUGTRAQ@NETSPACE.ORG
Subject: KSR[T] Advisory #004: printfilter / groff / lpd

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net
-----

                                                          KSR[T] Advisory #004
                                                          Date:   Oct  6, 1997
                                                          ID #:   lin-lpdg-004

Operating System(s): Redhat Linux 4.2

Affected Program:    lpd / printfilter / groff

Problem Description: The printfilter software package that comes with
                     Redhat Linux is called by lpd to determine the type
                     of file that is being printed, and then to apply
                     the appropriate 'filter' so that the file will be
                     printed properly.

                     The 'filters' are usually shell scripts that call
                     a helper application.  The first problem is that
                     some of these filters use /tmp as scratch space,
                     which opens up a symlink attack for file creation
                     and file overwriting.  ( lpd is running as user bin,
                     group root )

                     The second problem is that a lot of the helper
                     applications were not built with security in mind.
                     One example of this is groff.

                     There are several troff/groff 'requests' that allow
                     commands to be executed.  The result is that anyone
                     with a simple understanding of troff can send
                     a troff document to a remote server, causing the
                     remote server to execute arbitrary commands as
                     user bin, group root.

                     It is important to note that other operating systems
                     may use a print filter that will use applications
                     like troff.  They are just as susceptible to attack as
                     the operating systems listed above.

Compromise:          local users can overwrite files writable by user bin
                     and/or group root.

                     local and remote users can execute commands as user
                     bin, group root.  From this point, a clever attacker
                     can obtain root.

Patch/Fix:

Erik Troan <ewt@redhat.com> has put updated RPMS online at:

ftp://ftp.redhat.com/updates/4.2/i386/groff-1.10-8.1.i386.rpm
ftp://ftp.redhat.com/updates/4.2/i386/rhs-printfilters-1.41.1-1.i386.rpm
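
The first problem in the advisory, filters using /tmp as scratch space, comes down to how the scratch file is created. The following is an added example, not part of the original messages and not code from any Red Hat or Debian filter package: a shell filter fragment with hypothetical function names (`make_scratch`, `safe_write`, `filter_through_scratch`) that stages its data in a private directory and refuses to write through an existing name or symlink. It assumes `mktemp` is installed and does not address the groff request problem.

```sh
#!/bin/sh
# Added example (constructed): scratch-file handling for an lpd-style filter.
# Function names are hypothetical. Assumes mktemp(1) is installed.
#
# Weak pattern described in the advisory: a predictable name in shared /tmp,
# e.g.  helper > /tmp/filter.$$   which follows a symlink planted in advance.

# Create a private scratch directory (mode 0700) and print its path.
make_scratch() {
    dir=$(umask 077; mktemp -d "${TMPDIR:-/tmp}/prfilter.XXXXXXXXXX") || return 1
    # Accept only a real directory that we own, never a symlink.
    if [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ]; then
        printf '%s\n' "$dir"
    else
        return 1
    fi
}

# Write stdin to a new file. With noclobber (set -C) the shell refuses to
# reuse an existing name, and a dangling symlink is rejected because the
# file is then opened with O_EXCL.
safe_write() {
    ( umask 077; set -C; cat > "$1" ) 2>/dev/null
}

# Filter body: stage stdin in the private directory, then emit it.
# "cat" stands in for the real helper application.
filter_through_scratch() {
    scratch=$(make_scratch) || return 1
    if safe_write "$scratch/job.out"; then
        cat "$scratch/job.out"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}
```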

