-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-018
                 =================================

Topic:    Remote Buffer Overflow Vulnerability in BSD Line Printer Daemon

Version:  NetBSD-current: prior to August 28, 2001
    NetBSD-1.5.2:  affected
    NetBSD-1.5.1:  affected
    NetBSD-1.5:  affected
    NetBSD-1.4.*:  affected

Severity:  Remote root compromise from any host which can connect to lpd(8)

Fixed:    NetBSD-current:    August 28, 2001
    NetBSD-1.5 branch:  September 30, 2001
    NetBSD-1.4 branch:   not yet

Abstract
========

There is an remotely exploitable buffer overrun in the printer daemon,
/usr/sbin/lpd.


Technical Details
=================

http://msgs.securepoint.com/cgi-bin/get/bugtraq0108/259.html


Solutions and Workarounds
=========================

NetBSD 1.3 and later install with lpd disabled by default.  A system is
vulnerable to this security hole only if it is running /usr/sbin/lpd,
and access to lpd is allowed by entries in /etc/hosts.lpd.  Updating
the binary for safety is recommended.

Quick workaround:
If you are running /usr/sbin/lpd, and you do not need it, stop it.
If you have /etc/hosts.lpd which is open to everyone, you will want to
tighten the setup so that no malicious parties can access your remote printer.

Solutions:

* NetBSD -current, 1.5, 1.5.1, 1.5.2:

  Systems running NetBSD-current dated from before 2001-08-28
  should be upgraded to NetBSD-current dated 2001-08-28 or later.

  Systems running NetBSD 1.5, 1.5.1 or 1.5.2 dated from before
  2001-09-30 should be upgraded to NetBSD-1.5 branch sources dated
  2001-09-30 or later.

  The following directory needs to be updated from the
  netbsd-current CVS branch (aka HEAD) for NetBSD-current,
  or netbsd-1-5 CVS branch for NetBSD 1.5, 1.5.1 or 1.5.2:
    src/usr.sbin/lpr

  To update from CVS, re-build, and re-install lpd(8):
    # cd src/usr.sbin/lpr
    # cvs update -d -P
    # make cleandir dependall install


  Alternatively, apply the following patch (with potential offset
  differences) and rebuild & re-install lpd(8):
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

  To patch, re-build and re-install lpd(8):
    # cd src/usr.sbin/lpr/common_sources
    # patch < /path/to/SA2001-012-lpd.patch
    # cd ../lpd
    # make cleandir dependall install


* NetBSD 1.4, 1.4.x:

  Systems running NetBSD-1.4.x releases should apply the following
  patch (with potential offset differences):
    ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-018-lpd.patch

  To patch, re-build and re-install lpd(8):
    # cd src/usr.sbin/lpr/common_sources
    # patch < /path/to/SA2001-012-lpd.patch
    # cd ../lpd
    # make cleandir dependall install


  The anonymous CVS branch netbsd-1-4 should be updated with a
  fix in the near future.


Thanks To
=========

Jun-ichiro Hagino for the original patches to -current, from a fix in
OpenBSD

John Messenger for correcting errors in the update instructions.

Revision History
================

  2001-11-22      Initial release
  2001-11-28      Correct instructions for patch usage.


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-018.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-018.txt,v 1.7 2001/11/28 05:39:37 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPAR5QD5Ru2/4N2IFAQGbyQP9HhZ5yewZ7U0mQXqveczfccslnmAV4P+O
T4I1at+uXRXPcZKCFKfc43sPTsTQDmfYIcWDhgoJHm8A+zVKpuQFsmNeVmrQWkt8
HDx8l07NMdjy62PboLb4Fpdu13Jn/SBicRcbXWZm+pJwlb3X+wBxk2yQ1xL5w4u+
V9TP0iSSrac=
=0w7r
-----END PGP SIGNATURE-----