------------------------------------------------------------------------
BCSA 004                              Badly Coded, Inc. Security Advisory
                                                        October 6th, 2014
------------------------------------------------------------------------

BCSA-004: Multiple vulnerabilities in check_permissions in BCLPR 1.3

Affected versions: 1.3 and earlier
Fixed versions:    1.4 and later

Two distinct vulnerabilities have been found in BCLPR version 1.3, either of which could lead to local privilege escalation. Affected users are urged to upgrade immediately. Coincidentally, both vulnerabilities lie in the same function, check_permissions.

First, check_permissions contained a faulty check against buffer overflow. The variable it compared against was itself stored on the stack, and the comparison was signed, so the check could be bypassed simply by overwriting that variable's value.

Second, check_permissions did not perform the check it was intended to perform. It compared the permissions on the opened file against the effective permissions of the BCLPR process, which runs as root, rather than against the permissions of the user who invoked BCLPR, as intended. This allowed a user to print a file that they should not have been able to read.

We would like to acknowledge a number of students from the University of Minnesota's Computer Science and Engineering 5271 course who reported both vulnerabilities. We have also taken this opportunity to implement some security best practices suggested by these students: printer names are now made canonical by converting uppercase letters to lowercase, the length of user-supplied messages is limited, and execution of code on the stack is prohibited.

Version 1.4 is the most secure version of BCLPR ever, and we suggest that affected users upgrade at their earliest convenience.