COMMAND

    lpr

SYSTEMS AFFECTED

    Linux

PROBLEM

    Following is based on a RedHat Security Advisory RHSA-2000:066-03.
    lpr has  a format  string security  bug.   It also  mishandles any
    extension to the lpd communication protocol, and assumes that  the
    instructions contained in the extension  are a file it should  try
    to print.  It also has  a race condition in the handling  of queue
    interactions that can cause the queue to wedge.

    The old BSD-based lpr which was shipped with Red Hat Linux 5.x and
    6.x has a  recently discovered format  string bug in  its calls to
    the syslog facility.   While RedHat is  not aware of  any exploits
    for this  issue, it  might be  possible for  a user  to gain local
    root  access.   For  this  reason,  upgrading  to  the  new lpr is
    strongly encouraged.

    Additionally, lpr did  not properly handle  extensions to the  lpd
    protocol.  LPRng, an advanced replacement for lpr included in  Red
    Hat Linux 7,  makes use of  extensions.  The  lpr included in  Red
    Hat Linux  6.2 and  earlier will  not recognize  these extensions,
    and attempt to handle the instructions  as if they were a file  to
    be printed.  As  a result, the lpr  system sends out three  of the
    following email messages per print job:

        Date: Thu, 10 Aug 2000 21:36:32 -0400
        From: bin <bin@redhat.com>
        Reply-To: root@yyyyy.redhat.com
        To: xxxx@xxxxxx.redhat.com
        Subject: lp printer job "(stdin)"

        Your printer job ((stdin))
        was not printed because the daemon could not stat the file

    Additionaly, a  race condition  exists in  the contention  for the
    lock file, making it  posible for the queue  to get into a  wedged
    state.

    Thanks goes to  Chris Evans for  spotting this in  the OpenBSD lpr
    CVS commit logs,  and verifying the  problem existed for  Linux as
    well.

SOLUTION

    For RedHat:

        ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
        ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
        ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
        ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.src.rpm
        ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
        ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
        ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.src.rpm

    Greg KH  has built  packages for  this update  for Immunix  OS 6.2
    (StackGuarded  versions  of  the  RedHat  packages.)   They can be
    found at:

        http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7_StackGuard.i386.rpm
        http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/lpr-0.50-7_StackGuard.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/lpr-0.50-6cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/lpr-0.50-6cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/lpr-0.50-6cl.src.rpm

    For Linux-Mandrake:

        Linux-Mandrake 6.0: 6.0/RPMS/lpr-0.50-3mdk.i586.rpm
                            6.0/SRPMS/lpr-0.50-3mdk.src.rpm
        Linux-Mandrake 6.1: 6.1/RPMS/lpr-0.50-3mdk.i586.rpm
                            6.1/SRPMS/lpr-0.50-3mdk.src.rpm
        Linux-Mandrake 7.0: 7.0/RPMS/lpr-0.50-3mdk.i586.rpm
                            7.0/SRPMS/lpr-0.50-3mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/lpr-0.50-3mdk.i586.rpm
                            7.1/SRPMS/lpr-0.50-3mdk.src.rpm