Package: lprng
Version: 3.8.28-2
Severity: important
Tags: patch
Lpd closes all file descriptors after forking, including
the persistant LDAP and syslog sockets used by libnss-ldap.
It then happens to re-use one of these for the socket to the printer.
The effect is that LDAP queries and/or syslog messages get
routed directly to the printer.
The flow of events in lpd is as follows:
1) Make_passthrough() forks
2) child calls Full_daemon_perms() - This creates new sockets for LDAP.
3) child calls close_on_exec() - This closes the LDAP descriptor
4) child continues and later reuses the LDAP descriptor.
The fix is to call Full_daemon_perms() after the close_on_exec().
--- lprng-3.8.28/src/common/linelist.c.dist 2006-04-04
11:06:09.000000000 -0500
+++ lprng-3.8.28/src/common/linelist.c 2006-04-04 12:35:52.000000000
-0500
@@ -2755,6 +2755,7 @@
} else {
Full_user_perms();
}
+ close_on_exec(passfd->count);
for( i = 0; i < passfd->count; ++i ){
fd = Cast_ptr_to_int(passfd->list[i]);
if( dup2(fd,i) == -1 ){
@@ -2764,7 +2765,6 @@
exit(JFAIL);
}
}
- close_on_exec(passfd->count);
execve(cmd.list[0],cmd.list,env.list);
SNPRINTF(error,sizeof(error))
"Make_passthrough: pid %d, execve '%s' failed -
'%s'\n", getpid(),
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14.3.dell2850.120105
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages lprng depends on:
ii debconf 1.4.30.13 Debian configuration management sy
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libcomerr2 1.37-2sarge1 common error description library
ii libkrb53 1.3.6-2sarge2 MIT Kerberos runtime libraries
ii libssl0.9.7 0.9.7e-3sarge1 SSL shared libraries
-- debconf information:
* lprng/start_lpd: true
lprng/twolpd_perms:
lprng/twolpd_conf:
lprng/setuid_tools: false
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
