Vulnerability

lpr

Affected

Linux

Description

The following is based on a RedHat Security Advisory RHSA-2000:066-03. lpr has a format string security bug. It also mishandles any extension to the lpd communication protocol, and assumes that the instructions contained in the extension are a file it should try to print. It also has a race condition in the handling of queue interactions that can cause the queue to wedge.

The old BSD-based lpr which was shipped with Red Hat Linux 5.x and 6.x has a recently discovered format string bug in its calls to the syslog facility. While RedHat is not aware of any exploits for this issue, it might be possible for a user to gain local root access. For this reason, upgrading to the new lpr is strongly encouraged.

Additionally, lpr did not properly handle extensions to the lpd protocol. LPRng, an advanced replacement for lpr included in Red Hat Linux 7, makes use of extensions. The lpr included in Red Hat Linux 6.2 and earlier will not recognize these extensions, and will attempt to handle the instructions as if they were a file to be printed. As a result, the lpr system sends out three of the following email messages per print job:

    Date: Thu, 10 Aug 2000 21:36:32 -0400
    From: bin <bin@redhat.com>
    Reply-To: root@yyyyy.redhat.com
    To: xxxx@xxxxxx.redhat.com
    Subject: lp printer job "(stdin)"

    Your printer job ((stdin)) was not printed because the daemon could not stat the file

Additionally, a race condition exists in the contention for the lock file, making it possible for the queue to get into a wedged state.

Thanks go to Chris Evans for spotting this in the OpenBSD lpr CVS commit logs, and verifying the problem existed for Linux as well.
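A format string bug in a syslog call arises when text containing user-influenced data is passed as the format argument instead of as data. The C program below is an added example, not code from lpr or from the advisory; fake_syslog, log_job_unsafe and log_job_safe are hypothetical names, and fake_syslog stands in for syslog(3) so the rendered record can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same (priority, format, ...) shape,
 * but it renders into a buffer so the resulting record can be inspected. */
static char last_record[256];

static void fake_syslog(int priority, const char *format, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, format);
    vsnprintf(last_record, sizeof last_record, format, ap);
    va_end(ap);
}

/* Vulnerable shape: the message is built first, then handed over as the
 * format, so any '%' directive inside job_name is interpreted. */
const char *log_job_unsafe(const char *job_name)
{
    char msg[128];
    snprintf(msg, sizeof msg, "could not stat job %s", job_name);
    fake_syslog(3, msg);
    return last_record;
}

/* Fixed shape: constant format string, untrusted text passed as an argument. */
const char *log_job_safe(const char *job_name)
{
    fake_syslog(3, "could not stat job %s", job_name);
    return last_record;
}

int main(void)
{
    /* Constructed input. "%%" is used because it consumes no arguments, so
     * the unsafe call stays well-defined while still showing the parsing. */
    const char *job = "report%%final";
    printf("unsafe: %s\n", log_job_unsafe(job));
    printf("safe:   %s\n", log_job_safe(job));
    return 0;
}
```

On real syslog(3) calls, GCC and Clang report the unsafe shape when the source is compiled with -Wformat -Wformat-security.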
Solution

For RedHat:

    ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
    ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
    ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
    ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.src.rpm
    ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
    ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
    ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
    ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.src.rpm

Greg KH has built packages for this update for Immunix OS 6.2 (StackGuarded versions of the RedHat packages). They can be found at:

    http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7_StackGuard.i386.rpm
    http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/lpr-0.50-7_StackGuard.src.rpm

For Conectiva Linux:

    ftp://atualizacoes.conectiva.com.br/4.0/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.0es/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.1/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/4.2/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/5.0/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/5.1/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/lpr-0.50-6cl.src.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/lpr-0.50-6cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/lpr-0.50-6cl.src.rpm

For Linux-Mandrake:

    Linux-Mandrake 6.0:
        6.0/RPMS/lpr-0.50-3mdk.i586.rpm
        6.0/SRPMS/lpr-0.50-3mdk.src.rpm
    Linux-Mandrake 6.1:
        6.1/RPMS/lpr-0.50-3mdk.i586.rpm
        6.1/SRPMS/lpr-0.50-3mdk.src.rpm
    Linux-Mandrake 7.0:
        7.0/RPMS/lpr-0.50-3mdk.i586.rpm
        7.0/SRPMS/lpr-0.50-3mdk.src.rpm
    Linux-Mandrake 7.1:
        7.1/RPMS/lpr-0.50-3mdk.i586.rpm
        7.1/SRPMS/lpr-0.50-3mdk.src.rpm