Report forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org: Bug#188366; Package lprng.
Acknowledgement sent to Karol Lewandowski <klz@o2.pl>:
New Bug report received and forwarded. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org.
Package: lprng
Version: 3.8.10-1
Severity: grave
Tags: patch security
Justification: user security hole
An LPRng component -- `psbanner' (program for creating PostScript banner
pages), insecurely creates the file `/tmp/before'. A file is created
every time the filter is run; it is owned by user `daemon' and group `lp'.
An attacker might create a symbolic link from `/tmp/before' to a file
which is owned by user `daemon', e.g. `/var/spool/lpd/lp/acct',
allowing him to overwrite its contents (with environment
variables). When any user tries to print something, the file which
`/tmp/before' points to will be overwritten.
NOTE: This will work only if the printer is configured to print banner
pages by the `psbanner' program.
Example of `/etc/printcap', which can be used for attack:
lp:
:lp=/dev/lp0
:mx=0
:bp=/usr/lib/lprng/filters/psbanner
:sd=/var/spool/lpd/lp
This error was reported before, and should be fixed since LPRng-3.8.7
(seen in changelog.gz).
A simple patch is included:
--- psbanner.orig Wed Apr 9 16:50:21 2003
+++ psbanner Wed Apr 9 17:03:10 2003
@@ -42,9 +42,7 @@
vAr=""
vAlue=""
iI=""
-set >/tmp/before
Args="$@"
-echo "$@" >>/tmp/before
while expr "$1" : '-.*' >/dev/null ; do
vAr=`expr "$1" : '-\(.\).*'`;
vAlue=`expr "$1" : '-.\(.*\)'`;
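Review bot: Dropping the two writes to the fixed path `/tmp/before` is the right fix for this hunk; they are plainly leftover debugging output, and nothing in the remaining context (`Args="$@"` and the option-parsing `while` loop) reads the file, so no behaviour of the filter changes. If a trace of the environment and arguments is ever wanted again, it should be written to a per-invocation file created with `mktemp` (exclusive create, mode 0600) rather than to any predictable name in a world-writable directory, otherwise the same symlink problem returns.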
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux greenplant 2.4.20 #1 Thu Jan 23 18:12:01 CET 2003 i686
Locale: LANG=C, LC_CTYPE=pl_PL.ISO-8859-2
Versions of packages lprng depends on:
ii debconf 1.0.32 Debian configuration management sy
ii libc6 2.2.5-11.2 GNU C Library: Shared libraries an
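The report above comes down to a filter writing to a fixed, predictable name in a world-writable directory while running as `daemon`. The following script is an added example, not code from the bug report or from the lprng package, showing two things a maintainer reviewing such a filter would want: a replacement debug hook that keeps the same trace (environment plus arguments) in a file created exclusively with `mktemp` and mode 0600, and a small check that flags shell scripts which redirect into a fixed `/tmp/...` path so the pattern can be caught before it ships. The function names `debug_trace` and `find_fixed_tmp_writes` and the template name `psbanner-debug.XXXXXX` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the lprng package).
# Function names and the mktemp template are hypothetical.

# Safe replacement for "set >/tmp/before; echo "$@" >>/tmp/before".
# Runs in a subshell so the restrictive umask does not leak to the caller.
# mktemp creates the file with O_CREAT|O_EXCL, so a symlink pre-placed at a
# guessed name is never followed; the random suffix makes guessing impractical.
# Prints the path of the trace file on stdout; returns 1 on failure.
debug_trace() (
    umask 077
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/psbanner-debug.XXXXXX") || return 1
    set > "$f"              # shell variables / environment, as the original did
    echo "$@" >> "$f"       # the filter's arguments
    printf '%s\n' "$f"
)

# Review check: report any line in the given script that redirects output
# (> or >>) into a fixed name directly under /tmp, the pattern that caused
# this bug. Prints the offending lines with line numbers.
# Returns 0 when the script is clean, 1 when at least one such line exists.
find_fixed_tmp_writes() {
    if grep -nE '>>?[[:space:]]*/tmp/[A-Za-z0-9._-]+' "$1"; then
        return 1
    fi
    return 0
}

# Usage (stand-alone run): create a trace for a constructed argument list,
# then show the check against a constructed copy of the vulnerable lines.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED:-}" ]; then
    trace=$(debug_trace -Plp -w80) && echo "trace written to $trace" && rm -f "$trace"
    sample=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX") || exit 1
    printf 'set >/tmp/before\necho "$@" >>/tmp/before\n' > "$sample"   # constructed
    find_fixed_tmp_writes "$sample" || echo "fixed /tmp path found in $sample"
    rm -f "$sample"
fi
```

The check is deliberately simple: it only catches literal `/tmp/name` redirections, which is exactly the form in `psbanner`; paths built from variables or written via `tee` would need a broader review.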
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org: Bug#188366; Package lprng.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org.
On Wed, Apr 09, 2003 at 06:48:14PM +0200, Karol Lewandowski wrote:
> A LPRng component -- `psbanner' (program for creating postscript banner
> pages), insecurely creates file `/tmp/before'. A file is created every
> time filter is run, it is owned by user `daemon' and group `lp'.
This seems to affect lprng in woody (but not potato). I will prepare a
security update.
--
- mdz
Information forwarded to debian-bugs-dist@lists.debian.org, lprng@packages.qa.debian.org: Bug#188366; Package lprng.
Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. Copy sent to lprng@packages.qa.debian.org.
On Wed, Apr 09, 2003 at 06:48:14PM +0200, Karol Lewandowski wrote:
> A LPRng component -- `psbanner' (program for creating postscript banner
> pages), insecurely creates file `/tmp/before'. A file is created
> every time filter is run, it is owned by user `daemon' and group `lp'.
I've uploaded lprng 3.8.20-4 that fixes this problem in sid/sarge.
I've also uploaded lprng 3.8.10-2 that fixes this problem in woody;
this was of course after I read the bit on the security site that
I shouldn't do that, sigh.
Anyhow it's fixed, the fix is simple and the diff and dsc are there for
the security team to fix. I have also sent an email to the lprng
list as this is the quickest way to get the upstream's attention.
Here's what I wrote to the list, you might want to use some of it or
Karol's email for the DSA.
--------------
LPRng - Insecure file creation
Karol Lewandowski discovered that psbanner, a printer filter that creates
a PostScript format banner and is part of LPRng, insecurely creates a file
/tmp/before. The program does no checks of this file but writes its current
environment and called arguments to the file unconditionally.
The filter is run by the lpd process, which runs as the uid daemon. By
using symlinks and environmental manipulation, an attacker can create a
file owned by uid daemon.
This attack can only occur if the printer is configured to print
PostScript banner pages using the psbanner program, usually with the
bp=/usr/lib/lprng/filters/psbanner printcap clause.
Debian users should upgrade to lprng 3.8.20-4 (sid, sarge) or lprng
3.8.10-2 (woody).
--
Craig Small VK2XLZ GnuPG:1C1B D893 1418 2AF4 45EE 95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/ <csmall@enc.com.au>
MIEEE <csmall@ieee.org> Debian developer <csmall@debian.org>
We believe that the bug you reported is fixed in the latest version of
lprng, which is due to be installed in the Debian FTP archive:
lprng-doc_3.8.20-4_all.deb
to pool/main/l/lprng/lprng-doc_3.8.20-4_all.deb
lprng_3.8.20-4.diff.gz
to pool/main/l/lprng/lprng_3.8.20-4.diff.gz
lprng_3.8.20-4.dsc
to pool/main/l/lprng/lprng_3.8.20-4.dsc
lprng_3.8.20-4_i386.deb
to pool/main/l/lprng/lprng_3.8.20-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 188366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated lprng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 10 Apr 2003 21:13:56 +1000
Source: lprng
Binary: lprng lprng-doc
Architecture: source i386 all
Version: 3.8.20-4
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description:
lprng - lpr/lpd printer spooling system
lprng-doc - lpr/lpd printer spooling system (documentation)
Closes: 188366
Changes:
lprng (3.8.20-4) unstable; urgency=high
.
* Removed insecure create of /tmp/before
SECURITY BUG Closes: #188366
Files:
3778e13f4d8c3d09894c55b19b8db80b 709 net extra lprng_3.8.20-4.dsc
991d749bcba5cf3150754ac547f7c61e 36286 net extra lprng_3.8.20-4.diff.gz
54058a4d7efd88605927059bb2167c78 2028074 doc extra lprng-doc_3.8.20-4_all.deb
9533470b2f0d1791338463ad5f965446 823518 net extra lprng_3.8.20-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+lVL5x2zlrBLK36URAsF5AKCOoPwWWKlvKWKJfc1ca5hgZq6JnACdFpaN
ge1xB1RX6OpiO4/cWNAkbhY=
=I4lS
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org: Bug#188366; Package lprng.
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org.
On Thu, Apr 10, 2003 at 10:30:46PM +1000, Craig Small wrote:
> I've also uploaded lprng 3.8.10-2 that fixes this problem in woody,
> this was of course after I read the bit on the security site that
> I shouldn't do that, sigh.
It looks like you accidentally uploaded it to unstable and it was rejected;
in this case this is fortunate as it means that we don't have to clean up
any messes. :-)
The packages that I prepared for stable yesterday are at:
http://people.debian.org/~mdz/security/lprng/
Your review is appreciated, though the problem is very trivial and you
probably made the same change.
> Here's what I wrote to the list, you might want to use some of it or
> Karol's email for the DSA.
Thanks for this.
--
- mdz