Hosting Provided By

potential buffer overflow in lprm

From: Todd C. Miller <Todd.Miller(at)courtesan.com>
Date: Wed Mar 05 2003 - 17:26:22 EST

A bounds check that was added to lprm in 1996 does its checking too late to be effective. Because of the insufficient check, it may be possible for a local user to exploit lprm to gain elevated privileges. It is not know at this time whether or not the bug is actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon which limits the impact of the bug. OpenBSD 3.1 and below however, ship with lprm setuid root so this is a potential localhost root hole on older versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1 -stable branches.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch

Thanks go to Arne Woerner for noticing this bug. Received on Wed Mar 5 17:28:51 2003

This message: [ Message body ]
Next message: Todd C. Miller: "patches available for RSA timing attacks"
Previous message: Todd C. Miller: "remote buffer overflow in sendmail"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:46:07 EDT