Bug 75484 - net-print/lprng: Insecure tempfile handling
Summary: net-print/lprng: Insecure tempfile handling
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/13640/
Whiteboard: C3 [noglsa] lewk
Reported: 2004-12-23 14:42 UTC by Luke Macken (RETIRED)
Modified: 2005-06-26 05:21 UTC


Attachments
lprng_certs.diff (lprng_certs.diff, 1.06 KB, patch)
2005-01-05 07:03 UTC, Thierry Carrez (RETIRED)
lprng_certs.diff (fixed path version) (lprng_certs.diff, 1.09 KB, patch)
2005-01-05 07:09 UTC, Thierry Carrez (RETIRED)

Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-23 14:42:46 UTC
Description:
Javier Fernández-Sanguino Peña has reported a vulnerability in LPRng, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerability is caused due to the lprng_certs.sh script creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the vulnerable script.

The vulnerability has been reported in version 3.8.28. Other versions may also be affected.

Solution:
Grant only trusted users access to affected systems.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-12-23 14:47:20 UTC
Sent an email upstream regarding this issue.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 07:03:02 UTC
Created attachment 47706
lprng_certs.diff

Patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286391
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 07:09:58 UTC
Created attachment 47707
lprng_certs.diff (fixed path version)

New version with paths fixed.

Tested on LPRng-3.8.27 with the following results:
Hunk #1 succeeded at 320 with fuzz 2
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 07:10:35 UTC
Printing team, please check patch and bump.
Comment 6 Heinrich Wendel (RETIRED) gentoo-dev 2005-01-28 10:25:38 UTC
applied in lprng-3.8.27-r1, marked:

x86 ~ppc ~sparc ~alpha ~hppa amd64 ~mips
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-28 12:02:34 UTC
Arches, please test and mark stable
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-28 12:17:21 UTC
Stable on ppc.
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-01-29 11:45:53 UTC
Stable on sparc.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-30 12:23:19 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-01-31 01:02:50 UTC
Ready for a GLSA vote
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-31 01:29:54 UTC
I see only Secunia's advisory so far.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-02-02 10:20:36 UTC
lprng_certs looks really minor use and the tempfile is somewhat protected using $$, so I vote NO, but feel free to disagree with me and play devil's advocate (we have issued GLSAs for more exotic things)
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-07 01:25:09 UTC
I vote NO. Anyone taking up Koon's challenge feel free to reopen.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-07 01:28:26 UTC
Tada, and now actually closing.
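
As an added example (not part of the bug report, and not code from LPRng or the attached patch), the shell code below shows why a `$$`-suffixed temp name, as mentioned in comment 13, does not prevent the symlink overwrite described in comment 1, alongside two hardened ways of writing the file. The file name `certs.$$` and the function names are hypothetical, and everything runs inside a private scratch directory.

```shell
#!/bin/sh
# Constructed demo: runs entirely inside a private scratch directory.
# "certs.$$" is a hypothetical name, not taken from lprng_certs.sh.

# Pattern at issue: a predictable name built from the PID. PIDs are small
# and enumerable, and a plain ">" follows a symlink already at that path.
write_predictable() {                       # $1 = dir, $2 = data
    printf '%s\n' "$2" > "$1/certs.$$"
}

# Fixed name, but noclobber makes ">" fail if anything already exists there.
write_noclobber() {
    ( set -C; printf '%s\n' "$2" > "$1/certs.$$" ) 2>/dev/null
}

# Preferred: mktemp chooses a random name and creates the file exclusively
# with mode 0600; the caller gets the path back on stdout.
write_mktemp() {
    tmp=$(mktemp "$1/certs.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Plants a symlink at the predictable path and reports what each writer did
# to the file it points at.
demo() {
    scratch=$(mktemp -d) || return 1
    target="$scratch/important"
    ln -s "$target" "$scratch/certs.$$"

    printf 'original\n' > "$target"
    write_predictable "$scratch" data
    r1=$(cat "$target")

    printf 'original\n' > "$target"
    if write_noclobber "$scratch" data; then r2=written; else r2=refused; fi
    r2="$r2/$(cat "$target")"

    write_mktemp "$scratch" data > /dev/null
    r3=$(cat "$target")

    rm -rf "$scratch"
    printf 'predictable=%s noclobber=%s mktemp=%s\n' "$r1" "$r2" "$r3"
}

demo   # predictable=data noclobber=refused/original mktemp=original
```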