-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2001-018 ================================= Topic: Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon Version: NetBSD-current: prior to August 28, 2001 NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected NetBSD-1.4.*: affected Severity: Remote root compromise from any host which can connect to lpd(8) Fixed: NetBSD-current: August 28, 2001 NetBSD-1.5 branch: September 30, 2001 NetBSD-1.4 branch: not yet Abstract ======== There is an remotely exploitable buffer overrun in the printer daemon, /usr/sbin/lpd. Technical Details ================= http://msgs.securepoint.com/cgi-bin/get/bugtraq0108/259.html Solutions and Workarounds ========================= NetBSD 1.3 and later install with lpd disabled by default. A system is vulnerable to this security hole only if it is running /usr/sbin/lpd, and access to lpd is allowed by entries in /etc/hosts.lpd. Updating the binary for safety is recommended. Quick workaround: If you are running /usr/sbin/lpd, and you do not need it, stop it. If you have /etc/hosts.lpd which is open to everyone, you will want to tighten the setup so that no malicious parties can access your remote printer. Solutions: * NetBSD -current, 1.5, 1.5.1, 1.5.2: Systems running NetBSD-current dated from before 2001-08-28 should be upgraded to NetBSD-current dated 2001-08-28 or later. Systems running NetBSD 1.5, 1.5.1 or 1.5.2 dated from before 2001-09-30 should be upgraded to NetBSD-1.5 branch sources dated 2001-09-30 or later. The following directory needs to be updated from the netbsd-current CVS branch (aka HEAD) for NetBSD-current, or netbsd-1-5 CVS branch for NetBSD 1.5, 1.5.1 or 1.5.2: src/usr.sbin/lpr To update from CVS, re-build, and re-install lpd(8): # cd src/usr.sbin/lpr # cvs update -d -P # make cleandir dependall install Alternatively, apply the following patch (with potential offset differences) and rebuild & re-install lpd(8): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch To patch, re-build and re-install lpd(8): # cd src/usr.sbin/lpr/common_sources # patch < /path/to/SA2001-012-lpd.patch # cd ../lpd # make cleandir dependall install * NetBSD 1.4, 1.4.x: Systems running NetBSD-1.4.x releases should apply the following patch (with potential offset differences): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch To patch, re-build and re-install lpd(8): # cd src/usr.sbin/lpr/common_sources # patch < /path/to/SA2001-012-lpd.patch # cd ../lpd # make cleandir dependall install The anonymous CVS branch netbsd-1-4 should be updated with a fix in the near future. Thanks To ========= Jun-ichiro Hagino for the original patches to -current, from a fix in OpenBSD John Messenger for correcting errors in the update instructions. Revision History ================ 2001-11-22 Initial release 2001-11-28 Correct instructions for patch usage. More Information ================ An up-to-date PGP signed copy of this release will be maintained at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2001, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2001-018.txt,v 1.7 2001/11/28 05:39:37 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPAR5QD5Ru2/4N2IFAQGbyQP9HhZ5yewZ7U0mQXqveczfccslnmAV4P+O T4I1at+uXRXPcZKCFKfc43sPTsTQDmfYIcWDhgoJHm8A+zVKpuQFsmNeVmrQWkt8 HDx8l07NMdjy62PboLb4Fpdu13Jn/SBicRcbXWZm+pJwlb3X+wBxk2yQ1xL5w4u+ V9TP0iSSrac= =0w7r -----END PGP SIGNATURE-----