Message-ID: <Pine.LNX.4.43.0303051533220.26977-110000@mail.securityfocus.com>
Date: Wed, 5 Mar 2003 15:33:25 -0700 (MST)
From: Dave Ahmad <da@...urityfocus.com>
To: bugtraq@...urityfocus.com
Subject: potential buffer overflow in lprm (fwd)



David Mirza Ahmad
Symantec

"sabbe dhamma anatta"

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

Message-Id: <200303052226.h25MQMQs018799@...xes.courtesan.com>
To: security-announce@...nbsd.org
Subject: potential buffer overflow in lprm
Date: Wed, 05 Mar 2003 15:26:22 -0700
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
X-Loop: security-announce@...nbsd.org
Precedence: list
Sender: owner-security-announce@...nbsd.org


A bounds check that was added to lprm in 1996 does its checking too
late to be effective.  Because of the insufficient check, it may
be possible for a local user to exploit lprm to gain elevated
privileges.  It is not known at this time whether or not the bug is
actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon which limits
the impact of the bug.  OpenBSD 3.1 and below however, ship with
lprm setuid root so this is a potential localhost root hole on older
versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1
-stable branches.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch

Thanks go to Arne Woerner for noticing this bug.
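
The failure mode described above, a bounds check that runs only after the write it was meant to prevent, shown next to the corrected ordering. This is an added example, not part of the original message and not lprm's code; `CAP`, `struct list` and the function names are hypothetical, and the spare guard slot exists only so the out-of-range store stays observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

#define CAP 4                       /* logical capacity (hypothetical) */

/* One spare slot past CAP stands in for adjacent memory, so the
 * demonstration stays within defined behaviour. */
struct list {
    const char *slot[CAP + 1];
    size_t n;
};

/* Flawed order: store first, validate afterwards. */
static int add_late_check(struct list *l, const char *s)
{
    l->slot[l->n++] = s;            /* write happens unconditionally */
    if (l->n > CAP)                 /* check fires, but too late */
        return -1;
    return 0;
}

/* Corrected order: validate the index, then store. */
static int add_early_check(struct list *l, const char *s)
{
    if (l->n >= CAP)
        return -1;
    l->slot[l->n++] = s;
    return 0;
}

/* Feed CAP + 1 items; return 1 if the error was reported AND the
 * guard slot past the logical end was still overwritten. */
static int guard_clobbered(int (*add)(struct list *, const char *))
{
    struct list l = { {0}, 0 };
    int rc = 0;
    for (int i = 0; i <= CAP && rc == 0; i++)
        rc = add(&l, "user");       /* constructed sample input */
    return rc == -1 && l.slot[CAP] != NULL;
}

int main(void)
{
    printf("late check clobbers guard:  %d\n", guard_clobbered(add_late_check));
    printf("early check clobbers guard: %d\n", guard_clobbered(add_early_check));
    return 0;
}
```

Both variants report the error on the fifth item; only the early check does so before memory past the logical end has been modified.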
