Alexander O. Yuriev
1996-Nov-22 13:50 UTC
LSF Update#14: Vulnerability of the lpr program.
-----BEGIN PGP SIGNED MESSAGE-----
$Id: lpr-vulnerability-0.6-linux,v 1.1 1996/11/22 21:42:46 alex Exp $
Linux Security FAQ Update
lpr Vulnerability
Thu Nov 21 22:24:12 EST 1996
Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
============================================================================
This is an official Update of the Linux Security FAQ, and it is supposed to
be signed by one of the following PGP keys:
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O.
Yuriev>
Unless you are able to verify at least one of the signatures, please be very
careful when following instructions.
Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive
============================================================================
REVISION HISTORY
(This section is automatically maintained by the Revision Control System)
$Log: lpr-vulnerability-0.6-linux,v $
Revision 1.1 1996/11/22 21:42:46 alex
Initial revision
ABSTRACT
A vulnerability exists in the lpr program version 0.06. If installed
suid to root, the lpr program allows local users to gain access to a
super-user account.
RISK ASSESSMENT
Local users can gain root privileges. Exploits that exercise
this vulnerability have been made available.
VULNERABILITY ANALYSIS
The lpr utility from lpr 0.06 suffers from a buffer overrun
problem. lpr must be installed suid to root to allow
print spooling.
DISTRIBUTION FIXES
Red Hat Commercial Linux
RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 4.0
contain a vulnerable lpr utility. Users of RedHat
Linux distributions prior to version 4.0 are urged
to upgrade to RedHat Linux 4.0.
The replacement RPMS are available from the
following URLs:
RedHat 4.0 x86 Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/lpr-0.12-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.i386.rpm
RedHat 4.0 Alpha Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/axp/lpr-0.12-1.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.axp.rpm
RedHat 4.0 SPARC Architecture
ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/sparc/lpr-0.12-1.sparc.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.sparc.rpm
Please verify the MD5 fingerprint of the RPMs
prior to installing them.
6d36461d6c8b6c50ccadf9de530a6136 lpr-0.12-1.i386.rpm
87eb9c5b4d7e6a4217fdb9d3bbd6527b lpr-0.12-1.axp.rpm
c04359e61cd16108ce5793aa388f206f lpr-0.12-1.sparc.rpm
Caldera Network Desktop
Caldera Network Desktop version 1.0 contains a
vulnerable lpr program.
The replacement RPMS are available from the
following URLs:
ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/CND/NetKit-B-lpr-0.06-4c2.i386.rpm
WARNING: We are unable to provide the MD5
fingerprint for the replacement kit from Caldera as
it was not provided to us.
Debian
Debian/GNU Linux 1.1 does not use the lpr program and
therefore is not vulnerable. If you have installed
the lpr package yourself, your system becomes
vulnerable.
Slackware
There is no official information available from the
distribution maintainer about the vulnerability of
the Slackware 3.0 or Slackware 3.1 distributions.
Testing indicates that both the Slackware 3.0 and
Slackware 3.1 distributions contain the vulnerable
lpr program.
Until the official fix-kit for Slackware 3.0 and
Slackware 3.1 is available, system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update.
Yggdrasil
Yggdrasil Computing Inc has neither confirmed nor denied
the vulnerability of Plug and Play Fall '95 Linux.
Testing indicates that the Plug and Play Fall '95
Linux distribution contains a vulnerable lpr.
Until the official fix-kit for Yggdrasil Plug and
Play Linux becomes available, system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update.
Other Linux Distributions
It is believed at this moment that all Linux
distributions using lpr version 0.06 or prior
contain a vulnerable lpr program.
Administrators of systems based on distributions
not listed in this update or distributions that
do not have fix-kits available at the moment are
urged to contact their support centers requesting
the fix-kits to be made available to them.
In order to prevent the vulnerability from being
exploited in the meantime, it is recommended that
the suid bit be removed from the lpr program
using the command:
    chmod u-s /usr/bin/lpr
Until the official fix-kits are available for those
systems, it is advised that system administrators
obtain the source code of the LPRng print system used
in Debian/GNU Linux 1.1, compile it and replace the
lpr subsystem.
ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12.orig.tar.gz
ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12-2.diff.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12.orig.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12-2.diff.gz
Please verify the MD5 fingerprint of the files prior
to installing them.
ca51aaa4560ddfc6ced987d568d8cc1c lprng_2.3.12-2.diff.gz
f1c23e214a752e1c2dab2399b3457d2d lprng_2.3.12.orig.tar.gz
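Added example (not part of the original LSF Update): a fail-closed check for the "verify the MD5 fingerprint" steps given above for the Red Hat RPMs and the LPRng sources. The function name verify_md5_list, the list file and the download directory are assumptions; the list file holds fingerprint lines copied from the verified advisory.

```sh
#!/bin/sh
# Added example: fail-closed check of downloaded fix-kit files against a
# fingerprint list in the advisory's "<md5> <filename>" layout.
# Assumed names: verify_md5_list, the list file and the download directory.

# verify_md5_list LIST DIR
# Returns 0 only if LIST names at least one file and every named file is
# present in DIR with a matching MD5; any other outcome returns 1.
verify_md5_list() {
    list=$1; dir=$2; rc=0; checked=0
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue                 # skip blank lines
        checked=$((checked + 1))
        case $name in
            # a list entry must be a bare file name, never a path
            ''|*/*) echo "BADNAME  '$name'" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')   # compare in lower case
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name: expected $want, got $got" >&2; rc=1
        fi
    done < "$list"
    # an empty list verifies nothing, so treat it as a failure
    [ "$checked" -gt 0 ] || { echo "EMPTY    $list" >&2; rc=1; }
    return "$rc"
}

# Usage (paths are placeholders): put the fingerprint lines from the verified
# advisory into lpr.md5, download the files into ./fixkit, and install only
# if the check passes:
#   verify_md5_list lpr.md5 ./fixkit && echo "fingerprints match"
```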
CREDITS
This LSF Update is based on the information originally posted to
linux-security mailing list. The information on the fix-kit for
Red Hat commercial Linux was provided by Marc Ewing (marc@redhat.com)
of Red Hat Software Inc.; for the Caldera Network Desktop by Ron Holt
of Caldera Inc.; for Debian/GNU Linux 1.1 by Sven Rudolph
<sr1@inf.tu-dresden.de> of Debian Project.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMpYbw4xFUz2t8+6VAQF9pgQAhwl4zNBrlfVxgv7+Ubm8uRkRRaZcjvxH
4F4FdFdtBjyqgkj4dMIKEEhy28TZbAqh0ks6eiviwFAYuMnu3G+MBeGLyHOpX4Mw
krb7At3wt41Yj5NXHpsz9GebYBVfM8sOl4CKX0UcdXdizxfNKxXd8SJLnYteye2b
8paVHnyyDyo=9xvg
-----END PGP SIGNATURE-----
