Subject: potential buffer overflow in lprm (fwd) (fwd)
To: None <tech-security@netbsd.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 03/06/2003 10:40:54
A bounds check that was added to lprm in 1996 does its checking too
late to be effective.  Because of the insufficient check, it may
be possible for a local user to exploit lprm to gain elevated
privileges.  It is not known at this time whether or not the bug is
actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon which limits
the impact of the bug.  OpenBSD 3.1 and below however, ship with
lprm setuid root so this is a potential localhost root hole on older
versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1
-stable branches.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/023_lprm.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch

Thanks go to Arne Woerner for noticing this bug.


----- End forwarded message -----

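The class of bug the advisory describes, a bounds check that runs after the write it is meant to guard, shown as an added example. This is constructed code, not lprm's source or the OpenBSD patch; `MAXUSERS`, the table layout and all function names are assumptions, and the backing array carries one spare slot so the stray write can be observed without undefined behaviour.

```c
#include <stdio.h>

#define MAXUSERS 4   /* logical capacity (constructed value, not lprm's) */

/* slot[MAXUSERS] is a spare "canary" slot: code that respects the
 * logical capacity must never write to it. */
struct table {
    const char *slot[MAXUSERS + 1];
    int count;
};

/* Late check: the store happens first, the limit is tested afterwards. */
static int add_late(struct table *t, const char *name)
{
    t->slot[t->count++] = name;      /* write is already done ...        */
    if (t->count > MAXUSERS)         /* ... when the limit is noticed    */
        return -1;
    return 0;
}

/* Corrected order: refuse the entry before touching the array. */
static int add_checked(struct table *t, const char *name)
{
    if (t->count >= MAXUSERS)
        return -1;
    t->slot[t->count++] = name;
    return 0;
}

/* Feed n entries through `add`; return 1 if the canary slot was written. */
static int canary_clobbered(int (*add)(struct table *, const char *), int n)
{
    struct table t = {0};
    for (int i = 0; i < n; i++)
        if (add(&t, "user") != 0)
            break;                   /* caller stops on the first error */
    return t.slot[MAXUSERS] != NULL;
}

int main(void)
{
    printf("late check, %d entries:  clobbered=%d\n", MAXUSERS + 1,
           canary_clobbered(add_late, MAXUSERS + 1));
    printf("early check, %d entries: clobbered=%d\n", MAXUSERS + 1,
           canary_clobbered(add_checked, MAXUSERS + 1));
    return 0;
}
```

Both variants report an error on the fifth entry; only the order of the test and the store decides whether memory past the logical end was already modified by then.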