Vulnerability

    lpr

Affected

    BSD

Description

    Chris Evans found following.  If we look into  lpr/lpd/printjob.c,
    we can find the following two lines of code

        if ((s = checkremote()))
                syslog(LOG_WARNING, s);

    This  is  a  classic  format  string  mistake.   It  may  not   be
    exploitable, because the failure strings returned by checkremote()
    in lpr/common_source/common.c,  do not  contain much  data that  a
    user could control.

    However,  it  illustrates  that   format  string  bugs  creep   in
    everywhere,  even  in  code  that  gets syslog() calls correct the
    majority of the time, as is the case with BSD-lpr.

Solution

    OpenBSD ship  BSD-lpr. Not  only have  they already  fixed this in
    their CVS, but they  also offer web indexed  CVS.  They caught  it
    independently as part of their "format strings" audit.

        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20

    It seems FreeBSD fixed this one back in 1997:

        http://www.FreeBSD.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18

    This was fixed in NetBSD after advisory:

        http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/lpr/lpd/printjob.c