___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                OpenServer: remote buffer overflow vulnerability in BSD line printer daemon
Advisory number:        CSSA-2001-SCO.20.1
Issue date:             2002 January 14
Cross reference:        CSSA-2001-SCO.20
___________________________________________________________________________


1. Problem Description

   The BSD-derived lpd daemon is vulnerable to a buffer overflow.
   This could be used by an unauthorized user to gain privilege.

   1.1 Revision Description

   The first edition of this advisory had incorrect instructions
   regarding the lpstat binary. The actual binaries in the patch
   have not been changed, only the instructions have changed.

   If you previously installed this patch, see section 4.4 below;
   do not follow any of the other instructions in the advisory.


2. Vulnerable Versions

   Operating System        Version         Affected Files
   ------------------------------------------------------------------
   OpenServer              <= 5.0.6a       /usr/lib/lpd
                                           /usr/lpd/remote/lpstat


3. Workaround

   None.


4. OpenServer

   4.1 Location of Fixed Binaries

   ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20.1/


   4.2 Verification

   md5 checksums:

   48f989acb3a6606181575b3b765cd89e        lpd.tar.Z

   md5 is available for download from

   ftp://stage.caldera.com/pub/security/tools/


   4.3 Installing Fixed Binaries

   Upgrade the affected binaries with the following commands:

   For 5.0.6:

   Download the tar file to /tmp

   # cd /tmp
   # uncompress lpd.tar.Z
   # tar xvf lpd.tar
   # mv /usr/lib/lpd /usr/lib/lpd-
   # mv /usr/lpd/remote/lpstat /usr/lpd/remote/lpstat-
   # chmod 0 /usr/lib/lpd- /usr/lpd/remote/lpstat-
   # cp lpstat /usr/lpd/remote
   # chown root:daemon /usr/lpd/remote/lpstat
   # chmod 6711 /usr/lpd/remote/lpstat
   # cp lpd /usr/lib
   # chown root:bin /usr/lib/lpd
   # chmod 2711 /usr/lib/lpd

   For 5.0.5 and below, two additional libraries are needed
   (libresolv.so.1 and libsocket.so.2). They may be obtained from
   CSSA-2001-SCO.10.

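   The checks implied by sections 4.2 and 4.3, as an added example that
   is not part of the original advisory or of any Caldera tooling: it
   compares the download against the published checksum and audits the
   installed files' modes and owners. The function names, the use of
   md5sum/openssl instead of the advisory's md5 tool, and a POSIX shell
   are assumptions.

```shell
#!/bin/sh
# Added example: checksum and post-install audit for CSSA-2001-SCO.20.1.
EXPECTED_MD5=48f989acb3a6606181575b3b765cd89e   # lpd.tar.Z, section 4.2

# Print the MD5 of a file. md5sum/openssl are assumptions; the md5 tool
# the advisory points to may print its result in a different format.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: succeed only on an exact digest match.
verify_md5() { [ "$(md5_of "$1")" = "$2" ]; }

# Mode string and owner:group as reported by ls -ld (portable, no stat(1)).
perm_of()  { ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'; }
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3 ":" $4}'; }

# check_file PATH PERM OWNER:GROUP: report and fail on any difference.
check_file() {
    [ -f "$1" ] || { echo "MISSING  $1"; return 1; }
    p=$(perm_of "$1"); o=$(owner_of "$1")
    if [ "$p" = "$2" ] && [ "$o" = "$3" ]; then
        echo "OK       $1 ($p $o)"
    else
        echo "MISMATCH $1: have $p $o, want $2 $3"; return 1
    fi
}

# audit_install [ROOT]: expected state after section 4.3.
# 2711 shows as -rwx--s--x, 6711 as -rws--s--x, 0 as ----------.
audit_install() {
    root=${1:-}; rc=0
    check_file "$root/usr/lib/lpd"           '-rwx--s--x' root:bin    || rc=1
    check_file "$root/usr/lpd/remote/lpstat" '-rws--s--x' root:daemon || rc=1
    # The advisory gives no owner for the disabled originals: mode only.
    for f in "$root/usr/lib/lpd-" "$root/usr/lpd/remote/lpstat-"; do
        [ "$(perm_of "$f")" = '----------' ] || { echo "MISMATCH $f"; rc=1; }
    done
    return $rc
}
```

   Run verify_md5 /tmp/lpd.tar.Z "$EXPECTED_MD5" before the uncompress
   step, since uncompress replaces the .Z file, and audit_install once
   the last chmod has been done.
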
   4.4 Correction Of Previous Incorrect Install

   The first edition of this advisory had incorrect instructions
   regarding the lpstat binary. The previous instructions caused
   the updated BSD lpstat binary to be installed in /usr/bin, when
   it actually belongs in /usr/lpd/remote.

   If the previous instructions were followed precisely, and no
   further changes were subsequently made, the following commands
   would correct the situation:

   # chmod 2711 /usr/bin/lpstat-
   # mv /usr/lpd/remote/lpstat /usr/lpd/remote/lpstat-
   # mv /usr/bin/lpstat /usr/lpd/remote/lpstat
   # chown root:daemon /usr/lpd/remote/lpstat
   # chmod 6711 /usr/lpd/remote/lpstat
   # mv /usr/bin/lpstat- /usr/bin/lpstat

   These instructions will not work if `mkdev rlp` was run after
   initially installing CSSA-2001-SCO.20, or if the /usr/bin/lpstat
   binary was replaced e.g. by the installation of CSSA-2001-SCO.38.
   In such cases you must inventory the various lpstat binaries on
   the system and make sure each is in its proper place.


5. References

   http://xforce.iss.net/alerts/advise94.php

   This and other advisories are located at
   http://stage.caldera.com/support/security

   This advisory addresses Caldera Security internal incident
   sr851853.


6. Disclaimer

   Caldera International, Inc. is not responsible for the misuse
   of any of the information we provide on our website and/or
   through our security advisories. Our advisories are a service
   to our customers intended to promote secure installation and
   use of Caldera International products.


7. Acknowledgements

   Caldera International wishes to thank the Internet Security
   Systems (ISS) X-Force for discovering and reporting this
   problem.

___________________________________________________________________________