This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. lprold is installed as default package and has the setuid bit set.

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                lprold
        Announcement-ID:        SuSE-SA:2003:0014
        Date:                   Thursday, Mar 13th 2003 16:00 MET
        Affected products:      7.1, 7.2, 7.3
                                SuSE eMail Server 3.1
                                SuSE eMail Server III
                                SuSE Firewall Adminhost VPN
                                SuSE Linux Admin-CD for Firewall
                                SuSE Firewall on CD 2 - VPN
                                SuSE Firewall on CD 2
                                SuSE Linux Enterprise Server for S/390
                                SuSE Linux Connectivity Server
                                SuSE Linux Enterprise Server 7
                                SuSE Linux Office Server
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        3
        SuSE default package:   yes
        Cross References:

    Content of this advisory:
        1) security vulnerability resolved: buffer overflow in lprm
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - ethereal
            - qpopper
            - XFree4
            - sendmail
            - apcupsd
            - snort
            - file
            - zlib
            - vnc
        3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    The lprm command of the printing package lprold shipped till SuSE 7.3
    contains a buffer overflow. This buffer overflow can be exploited by a
    local user, if the printer system is set up correctly, to gain root
    privileges. lprold is installed as default package and has the setuid
    bit set.
    As a temporary workaround you can disable the setuid bit of lprm by
    executing the following tasks as root:
      - add "/usr/bin/lprm root.root 755" to /etc/permissions.local
      - run 'chkstat -set /etc/permissions.local'

    Another way would be to just allow trusted users to run lprm by
    executing the following tasks as root:
      - add "/usr/bin/lprm root.trusted 4755" to /etc/permissions.local
      - run 'chkstat -set /etc/permissions.local'

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

    - ethereal
      A format string bug in ethereal's SOCKS handling code and a buffer
      overflow in the NTLMSSP were found in ethereal. Both bugs may lead to
      remote system compromise.
      New packages are currently being built and will be available soon.

    - qpopper
      In version 4.0.x of qpopper a buffer overflow *after* user
      authentication can be exploited to gain a shell on a POP-server
      machine.
      New packages are currently being built and will be available soon.

    - XFree4
      A buffer overflow in the Xlib code can be triggered while handling the
      environment variable XLOCALEDIR. The X version affected is 4.2.0
      (SuSE Linux 8.0 and 8.1).
      We are still investigating this issue.

    - sendmail
      A correction is necessary to the last SuSE Security Announcement
      (SuSE-SA:2003:013) about sendmail:
      The Vulnerability Type must read remote buffer overflow.

    - apcupsd
      The control and management daemon for APC UPS systems is vulnerable
      to remote code execution due to buffer overflow and format string
      bugs.
      A dedicated advisory for this issue will be released as soon as all
      packages are built.

    - snort
      snort, a sensor-based Network Intrusion Detection System, was
      vulnerable to a buffer overflow in its RPC preprocessor.
      As a workaround the following line in snort.conf should be commented
      out and snort should be restarted to disable the RPC-preprocessor:
          preprocessor rpc_decode: 111 32771
      Future versions of SuSE Linux will be shipped with a fixed snort
      package.

    - file
      A locally exploitable buffer overflow was found in the file command.
      New packages are currently being built and will be available soon.

    - zlib
      zlib's function gzprintf() is prone to a buffer overflow if its
      arguments expand to more than Z_PRINTF_BUFSIZE bytes.
      A fixed version of zlib will be shipped with future SuSE Linux
      versions.

    - vnc
      VNC (Virtual Network Computing) uses a weak cookie generation process
      which can be exploited by an attacker to bypass authentication.
      New packages are currently being tested and will be available on our
      FTP servers soon.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

    - Package authenticity verification:

      SuSE update packages are available on many mirror ftp servers all over
      the world. While this service is being considered valuable and
      important to the free and open source software community, many users
      wish to be sure about the origin of the package and its content before
      installing the package. There are two verification methods that can be
      used independently from each other to prove the authenticity of a
      downloaded file or rpm package:
        1) md5sums as provided in the (cryptographically signed) announcement.
        2) using the internal gpg signatures of the rpm package.

      1) execute the command
           md5sum
         after you downloaded the file from a SuSE ftp server or its mirrors.
         Then, compare the resulting md5sum with the one that is listed in
         the announcement. Since the announcement containing the checksums
         is cryptographically signed (usually using the key
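
Added example, not part of the SuSE advisory: a small Python audit for the temporary workaround in section 1. It parses entries in the "path owner.group mode" form shown there and compares the wanted mode with the file on disk; the '#' comment handling and the target override used for testing are assumptions.

```python
import os
import stat
from typing import List, NamedTuple, Optional

class Entry(NamedTuple):
    path: str
    owner: str
    group: str
    mode: int

def parse_entry(line: str) -> Optional[Entry]:
    """Parse 'path owner.group mode'; return None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()  # '#' comments: assumed syntax
    if not line:
        return None
    path, owner_group, mode = line.split()
    owner, group = owner_group.split(".", 1)  # separator as written in the advisory
    return Entry(path, owner, group, int(mode, 8))

def wanted_mode_risks(entry: Entry) -> List[str]:
    """Flag what the requested mode itself still allows."""
    risks = []
    if entry.mode & stat.S_ISUID:
        risks.append("setuid kept")
        if entry.mode & stat.S_IXOTH:
            risks.append("setuid binary executable by others")
    return risks

def audit_file(entry: Entry, target: Optional[str] = None) -> List[str]:
    """Compare the file on disk with the entry (target overrides the path for tests)."""
    try:
        st = os.lstat(target or entry.path)
    except FileNotFoundError:
        return ["file missing"]
    actual = stat.S_IMODE(st.st_mode)
    findings = []
    if actual != entry.mode:
        findings.append(f"mode is {actual:04o}, entry wants {entry.mode:04o}")
    if actual & stat.S_ISUID and not entry.mode & stat.S_ISUID:
        findings.append("setuid bit still set")
    return findings

if __name__ == "__main__":
    for text in ("/usr/bin/lprm root.root 755", "/usr/bin/lprm root.trusted 4755"):
        e = parse_entry(text)
        print(text, "->", wanted_mode_risks(e), audit_file(e))
```

For the second entry, wanted_mode_risks() reports that mode 4755 keeps the setuid bit together with execute permission for others, so compare the resulting file mode with who is meant to be able to run lprm.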

A security hole was discovered in the package lprold < 3.0.48.

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                lprold < 3.0.48
        Date:                   Tue, 11 Jan 2000 13:01:16 GMT
        Affected SuSE versions: all including 6.3
        Vulnerability Type:     local and remote vulnerabilities
        SuSE default package:   yes
        Other affected systems: all unix systems using lpr(-old)

______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as well,
please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of the
update package.

_____________________________________________________________________________

1. Problem Description

    lprold is the default printer daemon. If the hosts.lpd mechanism is used
    to permit printing to remote hosts, this can be circumvented if the
    attacker controls a DNS server, because no double-reverse lookup was
    done on the IP address.
    A second vulnerability involves manipulating the control file of a print
    job in a way that statements are sent to sendmail as arguments, where an
    attacker could specify a sendmail config file of his own.

2. Impact

    Depending on the hosts.lpd configuration, unauthorized users may use
    your printer (and issue a denial of service attack).
    The second vulnerability leads to an easy root compromise, which can be
    exploited from remote.

3. Solution

    Update the package from our FTP server.
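
Added example, not code from lprold or from SuSE: the hosts.lpd name check described in section 1, once trusting the reverse lookup alone and once with the double-reverse lookup. The resolver tables, host names and addresses are constructed (documentation address ranges) so the block runs offline.

```python
import ipaddress
import socket

def dns_reverse(ip):
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def dns_forward(name):
    """Forward lookup: every address the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def table_resolver(table):
    """Offline resolver over a constructed dict; misses fail like DNS errors."""
    def lookup(key):
        if key not in table:
            raise OSError("no such record: " + key)
        return table[key]
    return lookup

def ptr_only_allowed(ip, allowed, reverse=dns_reverse):
    """The flawed check: trusts whatever name the reverse zone returns."""
    try:
        return reverse(ip).lower().rstrip(".") in allowed
    except OSError:
        return False

def double_reverse_allowed(ip, allowed, reverse=dns_reverse, forward=dns_forward):
    """The PTR name must be allowed AND resolve forward to the peer address."""
    try:
        name = reverse(ip).lower().rstrip(".")
        peer = ipaddress.ip_address(ip)
        addrs = {ipaddress.ip_address(a) for a in forward(name)}
    except (OSError, ValueError):
        return False
    return name in allowed and peer in addrs

# Constructed sample data (hypothetical names, documentation addresses).
ALLOWED = {"client.example.com"}          # what hosts.lpd would list
REVERSE = table_resolver({
    "192.0.2.10": "client.example.com",   # genuine client
    "203.0.113.7": "client.example.com",  # PTR served from a zone the peer controls
})
FORWARD = table_resolver({"client.example.com": ["192.0.2.10"]})

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, ptr_only_allowed(ip, ALLOWED, REVERSE),
              double_reverse_allowed(ip, ALLOWED, REVERSE, FORWARD))
```

The forward zone belongs to the owner of the listed name, so a peer that only controls its own reverse zone cannot make both lookups agree.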

______________________________________________________________________________

Please verify these md5 checksums of the updates before installing:
(For SuSE 6.0, please use the 6.1 updates)

______________________________________________________________________________

You can find updates on our ftp-Server:

    for Intel processors
    for Alpha processors

or try the following web pages for a list of mirrors:
    https://www.suse.com/de-de/

Our webpage for patches:
    https://www.suse.com/de-de/

Our webpage for security announcements:
    https://www.suse.com/de-de/

If you want to report vulnerabilities, please contact