Re: Possible weakness in LPD protocol

Eivind Eklund (perhaps@YES.NO)
Fri, 03 Oct 1997 22:19:50 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Oliver Friedrichs: "Re: Possible weakness in LPD protocol"
Previous message: Alan Cox: "Re: Ulrich Flegel's SSH/X11 "vulnerability""
Maybe in reply to: Bennett Samowich: "Possible weakness in LPD protocol"
Next in thread: Oliver Friedrichs: "Re: Possible weakness in LPD protocol"

>
> On October 02 1997, Bennett Samowich wrote:
>
> > 1.) Obtaining hard (or possibly soft) copies of any file on the system.
> > 2.) Deleting any file on the system.
> > 3.) Creating a file on the system.
> > 4.) Mail bombing.
>
> 5.) Overflow at least one buffer from the network; this is just
> above the "print any file" part of recvjob.c:
>
> cp = line;
> do {
> if ((size = read(1, cp, 1)) != 1) {
> if (size < 0)
> frecverr("%s: Lost connection",printer);
> return(nfiles);
> }
> } while (*cp++ != '\n');
>
>
> Consequences aren't really obvious, but you may be able to do
> nasty things.
>
> Will we ever get rid of gets()? (lpd source tree is from some
> recent RedHat distribution.)

This is fixed in OpenBSD and FreeBSD. Linux people should learn to
track what others do ;-)

The problems with '/' in filenames is fixed, too. The mail-bombing
might still be an issue, but there are lots of other ways to do that,
so I don't really think it warrants our attention (besides which I
can't see any way to fix it).

Eivind.

Next message: Oliver Friedrichs: "Re: Possible weakness in LPD protocol"
Previous message: Alan Cox: "Re: Ulrich Flegel's SSH/X11 "vulnerability""
Maybe in reply to: Bennett Samowich: "Possible weakness in LPD protocol"
Next in thread: Oliver Friedrichs: "Re: Possible weakness in LPD protocol"