Debian Bug report logs - #188366
psbanner: insecure file creation (/tmp/before)


Package: lprng; Maintainer for lprng is Craig Small <csmall@debian.org>; Source for lprng is src:lprng.

Reported by: Karol Lewandowski <klz@o2.pl>

Date: Wed, 9 Apr 2003 17:03:04 UTC

Severity: grave

Tags: patch, security

Found in version 3.8.10-1

Fixed in version lprng/3.8.20-4

Done: Craig Small <csmall@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org:
Bug#188366; Package lprng. Full text and rfc822 format available.

Acknowledgement sent to Karol Lewandowski <klz@o2.pl>:
New Bug report received and forwarded. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Karol Lewandowski <klz@o2.pl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: psbanner: insecure file creation (/tmp/before)
Date: Wed, 09 Apr 2003 18:48:14 +0200
Package: lprng
Version: 3.8.10-1
Severity: grave
Tags: patch security
Justification: user security hole

An LPRng component, `psbanner' (a program for creating PostScript banner
pages), insecurely creates the file `/tmp/before'.  The file is created
every time the filter is run, and it is owned by user `daemon' and group `lp'.

An attacker might create a symbolic link from `/tmp/before' to a file
which is owned by user `daemon', e.g. `/var/spool/lpd/lp/acct',
allowing him to overwrite its contents (with environment
variables). When any user tries to print something, the file which
`/tmp/before' points to will be overwritten.

NOTE: This will work only if the printer is configured to print banner
pages by the `psbanner' program.

Example of `/etc/printcap', which can be used for attack:

lp:
	:lp=/dev/lp0
	:mx=0
	:bp=/usr/lib/lprng/filters/psbanner
	:sd=/var/spool/lpd/lp


This error was reported before, and should be fixed since LPRng-3.8.7
(seen in changelog.gz).


A simple patch is included:

--- psbanner.orig	Wed Apr  9 16:50:21 2003
+++ psbanner	Wed Apr  9 17:03:10 2003
@@ -42,9 +42,7 @@
 vAr=""
 vAlue=""
 iI=""
-set >/tmp/before
 Args="$@"
-echo "$@" >>/tmp/before
 while expr "$1" : '-.*' >/dev/null ; do
   vAr=`expr "$1" : '-\(.\).*'`;
   vAlue=`expr "$1" : '-.\(.*\)'`;
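Review bot: Deleting both the `set >/tmp/before` dump and the `echo "$@" >>/tmp/before` append, rather than renaming the path, is the right fix here, since the file is debugging output that nothing in the shown context reads; a fixed name under /tmp can always be pre-placed as a symlink by a local user, so any retained debug dump would need mktemp(1) and a private umask instead. The `Args="$@"` assignment between the two deleted lines is kept; it is worth checking whether anything below the hunk still references it or whether it only fed the removed dump. The `@@ -42,9 +42,7 @@` counts are consistent with two removed lines and seven context lines.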



-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux greenplant 2.4.20 #1 Thu Jan 23 18:12:01 CET 2003 i686
Locale: LANG=C, LC_CTYPE=pl_PL.ISO-8859-2

Versions of packages lprng depends on:
ii  debconf                       1.0.32     Debian configuration management sy
ii  libc6                         2.2.5-11.2 GNU C Library: Shared libraries an
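The report above shows the unsafe pattern (`set >/tmp/before`, a fixed, predictable name in a world-writable directory, written by a daemon-owned filter) and the fix of removing the writes. The following is an added example, not code from the report or from LPRng, showing the two things a maintainer would want alongside that fix: a hardened way to keep such a debug dump if one is really needed (an unpredictable name created with `mktemp(1)`, which uses exclusive creation so a pre-placed symlink is not followed, plus a private umask), and a small static check that flags redirections into fixed `/tmp` or `/var/tmp` paths in a filter script. The function names, the `psbanner-debug` template and the sample script are all constructed for this example.

```shell
#!/bin/sh
# Added example (hypothetical names, not part of LPRng or the bug report).

# Hardened counterpart of `set >/tmp/before; echo "$@" >>/tmp/before`.
# Runs in a subshell so the umask change does not leak to the caller.
# mktemp(1) creates the file with O_CREAT|O_EXCL and mode 0600, so a
# symlink or file planted at the path beforehand makes it fail instead
# of being followed.  Prints the path of the dump on success.
write_debug_dump() (
    umask 077
    dump=$(mktemp "${TMPDIR:-/tmp}/psbanner-debug.XXXXXX") || return 1
    set >"$dump"            # environment and shell variables, as psbanner did
    echo "$@" >>"$dump"     # the filter's arguments
    printf '%s\n' "$dump"
)

# Static check for a filter script: count lines that redirect output into
# a fixed path under /tmp or /var/tmp (e.g. `>/tmp/before`, `>> /tmp/x`).
# Prints the count; 0 means nothing suspicious was found.
count_fixed_tmp_writes() {
    grep -cE '>>?[[:space:]]*/(tmp|var/tmp)/' "$1" || true
}

# Constructed sample reproducing the offending lines from the report,
# written to a temporary file so the checker can be run against it.
make_sample_script() {
    sample=$(mktemp "${TMPDIR:-/tmp}/sample-filter.XXXXXX") || return 1
    cat >"$sample" <<'EOF'
vAr=""
set >/tmp/before
Args="$@"
echo "$@" >>/tmp/before
while expr "$1" : '-.*' >/dev/null ; do
  vAr=`expr "$1" : '-\(.\).*'`;
done
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run: scan the constructed sample, then show a safe dump.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    s=$(make_sample_script)
    echo "fixed /tmp writes found in $s: $(count_fixed_tmp_writes "$s")"
    d=$(write_debug_dump -w 80 -n "$USER")
    echo "debug dump written to $d"
    rm -f "$s" "$d"
fi
```

Run with `RUN_EXAMPLE=1 sh example.sh` to see both functions in action; the checker reports two hits for the sample (the `set` and the `echo` lines), which is exactly the pair the patch in the report deletes.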




Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org:
Bug#188366; Package lprng. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org. Full text and rfc822 format available.

Message #10 received at 188366@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Karol Lewandowski <klz@o2.pl>, 188366@bugs.debian.org
Subject: Re: Bug#188366: psbanner: insecure file creation (/tmp/before)
Date: Wed, 9 Apr 2003 13:59:23 -0400
On Wed, Apr 09, 2003 at 06:48:14PM +0200, Karol Lewandowski wrote:

> A LPRng component -- `psbanner' (program for creating postscript banner
> pages), insecurely creates file `/tmp/before'.  A file is created every
> time filter is run, it is owned by user `daemon' and group `lp'.

This seems to affect lprng in woody (but not potato).  I will prepare a
security update.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, lprng@packages.qa.debian.org:
Bug#188366; Package lprng. Full text and rfc822 format available.

Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. Copy sent to lprng@packages.qa.debian.org. Full text and rfc822 format available.

Message #15 received at 188366@bugs.debian.org (full text, mbox):

From: Craig Small <csmall@debian.org>
To: team@security.debian.org
Cc: Karol Lewandowski <klz@o2.pl>, 188366@bugs.debian.org, mdz@debian.org
Subject: Re: Bug#188366: psbanner: insecure file creation (/tmp/before)
Date: Thu, 10 Apr 2003 22:30:46 +1000
On Wed, Apr 09, 2003 at 06:48:14PM +0200, Karol Lewandowski wrote:
> A LPRng component -- `psbanner' (program for creating postscript banner
> pages), insecurely creates file `/tmp/before'.  A file is created
> every time filter is run, it is owned by user `daemon' and group `lp'.


I've uploaded lprng 3.8.20-4 that fixes this problem in sid/sarge.

I've also uploaded lprng 3.8.10-2 that fixes this problem in woody,
this was of course after I read the bit on the security site that
I shouldn't do that, sigh.

Anyhow it's fixed, the fix is simple and the diff and dsc are there for
the security team to fix.  I have also sent an email to the lprng
list as this is the quickest way to get the upstream's attention.


Here's what I wrote to the list, you might want to use some of it or
Karol's email for the DSA.

--------------


LPRng - Insecure file creation

Karol Lewandowski discovered that psbanner, a printer filter that creates
a PostScript format banner and is part of LPRng, insecurely creates a file
/tmp/before.  The program does no checks of this file but writes its current 
environment and called arguments to the file unconditionally.

The filter is run by the lpd process, which runs as the uid daemon.  By
using symlinks and environmental manipulation, an attacker can create a
file owned by uid daemon.

This attack can only occur if the printer is configured to print
PostScript banner pages using the psbanner program, usually with the
bp=/usr/lib/lprng/filters/psbanner printcap clause.

Debian users should upgrade to lprng 3.8.20-4 (sid, sarge) or lprng
3.8.10-2 (woody).

-- 
Craig Small VK2XLZ  GnuPG:1C1B D893 1418 2AF4 45EE  95CB C76C E5AC 12CA DFA5
Eye-Net Consulting http://www.enc.com.au/                <csmall@enc.com.au>
MIEEE <csmall@ieee.org>                 Debian developer <csmall@debian.org>

Reply sent to Craig Small <csmall@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Karol Lewandowski <klz@o2.pl>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 188366-close@bugs.debian.org (full text, mbox):

From: Craig Small <csmall@debian.org>
To: 188366-close@bugs.debian.org
Subject: Bug#188366: fixed in lprng 3.8.20-4
Date: Thu, 10 Apr 2003 08:32:15 -0400
We believe that the bug you reported is fixed in the latest version of
lprng, which is due to be installed in the Debian FTP archive:

lprng-doc_3.8.20-4_all.deb
  to pool/main/l/lprng/lprng-doc_3.8.20-4_all.deb
lprng_3.8.20-4.diff.gz
  to pool/main/l/lprng/lprng_3.8.20-4.diff.gz
lprng_3.8.20-4.dsc
  to pool/main/l/lprng/lprng_3.8.20-4.dsc
lprng_3.8.20-4_i386.deb
  to pool/main/l/lprng/lprng_3.8.20-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 188366@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Craig Small <csmall@debian.org> (supplier of updated lprng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Apr 2003 21:13:56 +1000
Source: lprng
Binary: lprng lprng-doc
Architecture: source i386 all
Version: 3.8.20-4
Distribution: unstable
Urgency: high
Maintainer: Craig Small <csmall@debian.org>
Changed-By: Craig Small <csmall@debian.org>
Description: 
 lprng      - lpr/lpd printer spooling system
 lprng-doc  - lpr/lpd printer spooling system (documentation)
Closes: 188366
Changes: 
 lprng (3.8.20-4) unstable; urgency=high
 .
   * Removed unsecure create of /tmp/before
     SECURITY BUG Closes: #188366
Files: 
 3778e13f4d8c3d09894c55b19b8db80b 709 net extra lprng_3.8.20-4.dsc
 991d749bcba5cf3150754ac547f7c61e 36286 net extra lprng_3.8.20-4.diff.gz
 54058a4d7efd88605927059bb2167c78 2028074 doc extra lprng-doc_3.8.20-4_all.deb
 9533470b2f0d1791338463ad5f965446 823518 net extra lprng_3.8.20-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+lVL5x2zlrBLK36URAsF5AKCOoPwWWKlvKWKJfc1ca5hgZq6JnACdFpaN
ge1xB1RX6OpiO4/cWNAkbhY=
=I4lS
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org:
Bug#188366; Package lprng. Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Craig Small <csmall@debian.org>, lprng@packages.qa.debian.org. Full text and rfc822 format available.

Message #25 received at 188366@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Craig Small <csmall@debian.org>
Cc: team@security.debian.org, Karol Lewandowski <klz@o2.pl>, 188366@bugs.debian.org
Subject: Re: Bug#188366: psbanner: insecure file creation (/tmp/before)
Date: Thu, 10 Apr 2003 09:00:27 -0400
On Thu, Apr 10, 2003 at 10:30:46PM +1000, Craig Small wrote:

> I've also uploaded lprng 3.8.10-2 that fixes this problem in woody,
> this was of course after I read the bit on the security site that
> I shouldn't do that, sigh.

It looks like you accidentally uploaded it to unstable and it was rejected;
in this case this is fortunate as it means that we don't have to clean up
any messes. :-)

The packages that I prepared for stable yesterday are at:

http://people.debian.org/~mdz/security/lprng/

Your review is appreciated, though the problem is very trivial and you
probably made the same change.

> Here's what I wrote to the list, you might want to use some of it or
> Karol's email for the DSA.

Thanks for this.

-- 
 - mdz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 19:40:59 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.