Description: Javier Fernández-Sanguino Peña has reported a vulnerability in LPRng, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerability is caused due to the lprng_certs.sh script creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the vulnerable script. The vulnerability has been reported in version 3.8.28. Other versions may also be affected.
Solution: Grant only trusted users access to affected systems.
Sent an email upstream regarding this issue.
Created attachment 47706: lprng_certs.diff. Patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286391
Created attachment 47707: lprng_certs.diff (fixed path version). New version with paths fixed. Tested on LPRng-3.8.27 with the following results: Hunk #1 succeeded at 320 with fuzz 2
Printing team, please check patch and bump.
applied in lprng-3.8.27-r1, marked: x86 ~ppc ~sparc ~alpha ~hppa amd64 ~mips
Arches, please test and mark stable
Stable on ppc.
Stable on sparc.
Stable on alpha.
Ready for a GLSA vote
I see only Secunia's advisory so far.
lprng_certs looks really minor use and the tempfile is somewhat protected using $$, so I vote NO, but feel free to disagree with me and play devil's advocate (we have issued GLSAs for more exotic things)
I vote NO. Anyone taking up Koon's challenge feel free to reopen.
Tada, and now actually closing.
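The insecure temporary-file pattern described in the report, next to a mktemp-based form, as an added example that is not part of the original thread and is not code from lprng_certs.sh or the attached patch. Function and file names are hypothetical, and the link is created only inside a private sandbox directory.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical, not from lprng_certs.sh.

# Weak pattern: the name is built from the PID, and the '>' redirection
# follows a symlink that already exists at that path.
write_predictable() {            # $1 = temp dir, $2 = data
    tmp="$1/certs.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks a random name and creates the file
# exclusively (O_EXCL) with mode 0600, so an existing link is never followed.
write_mktemp() {                 # $1 = temp dir, $2 = data
    tmp=$(mktemp "$1/certs.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run one writer inside a private sandbox where a link already sits at the
# PID-based path; print what the link target contains afterwards.
demo() {                         # $1 = writer function name
    box=$(mktemp -d) || return 1
    printf 'original\n' > "$box/target"
    ln -s "$box/target" "$box/certs.$$"
    "$1" "$box" "scratch data" > /dev/null
    cat "$box/target"
    rm -rf "$box"
}

echo "PID-based name: target now holds '$(demo write_predictable)'"
echo "mktemp:         target now holds '$(demo write_mktemp)'"
```

With the PID-based name the link target ends up holding the scratch data; with mktemp it keeps its original content.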