COMMAND
lpr
SYSTEMS AFFECTED
Linux
PROBLEM
Following is based on a RedHat Security Advisory RHSA-2000:066-03.
lpr has a format string security bug. It also mishandles any
extension to the lpd communication protocol, and assumes that the
instructions contained in the extension are a file it should try
to print. It also has a race condition in the handling of queue
interactions that can cause the queue to wedge.
The old BSD-based lpr which was shipped with Red Hat Linux 5.x and
6.x has a recently discovered format string bug in its calls to
the syslog facility. While RedHat is not aware of any exploits
for this issue, it might be possible for a user to gain local
root access. For this reason, upgrading to the new lpr is
strongly encouraged.
Additionally, lpr did not properly handle extensions to the lpd
protocol. LPRng, an advanced replacement for lpr included in Red
Hat Linux 7, makes use of extensions. The lpr included in Red
Hat Linux 6.2 and earlier will not recognize these extensions,
and attempt to handle the instructions as if they were a file to
be printed. As a result, the lpr system sends out three of the
following email messages per print job:
Date: Thu, 10 Aug 2000 21:36:32 -0400
From: bin <bin@redhat.com>
Reply-To: root@yyyyy.redhat.com
To: xxxx@xxxxxx.redhat.com
Subject: lp printer job "(stdin)"
Your printer job ((stdin))
was not printed because the daemon could not stat the file
Additionaly, a race condition exists in the contention for the
lock file, making it posible for the queue to get into a wedged
state.
Thanks goes to Chris Evans for spotting this in the OpenBSD lpr
CVS commit logs, and verifying the problem existed for Linux as
well.
SOLUTION
For RedHat:
ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.src.rpm
ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.src.rpm
Greg KH has built packages for this update for Immunix OS 6.2
(StackGuarded versions of the RedHat packages.) They can be
found at:
http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7_StackGuard.i386.rpm
http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/lpr-0.50-7_StackGuard.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/lpr-0.50-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/lpr-0.50-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/lpr-0.50-6cl.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/lpr-0.50-3mdk.i586.rpm
6.0/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/lpr-0.50-3mdk.i586.rpm
6.1/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/lpr-0.50-3mdk.i586.rpm
7.0/SRPMS/lpr-0.50-3mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/lpr-0.50-3mdk.i586.rpm
7.1/SRPMS/lpr-0.50-3mdk.src.rpm