Two security vulnerabilities exist in the lpd (line printer daemon) shipped with the lpr package. First, authentication was not thorough enough. If a remote user was able to control their own DNS so that their IP address resolved to the hostname of the print server, access would be granted, when it should not be. Secondly, it was possible in the control file of a print job to specify arguments to sendmail. Through careful manipulation of control and data files, this could cause sendmail to be executed with a user-specified configuration file. This could lead very easily to a root compromise.
56b741d61ee2576a5d24470f80029e501accafe37d6d997f5fa992cf0d973d00<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>redhat.com | support</TITLE>
<SCRIPT LANGUAGE="JavaScript">
function logon_submit()
{
document.Logon0.i_1.value = document.Logon1.i_1.value;
document.Logon0.i_2.value = document.Logon1.i_2.value;
document.Logon0.action = "http://customer.support.redhat.com/rhoaprod/plsql/xxrh_OracleApps.VL";
document.Logon0.method = "POST";
document.Logon0.submit();
}
</SCRIPT>
</HEAD>
<BODY BGCOLOR="#FFFFFF" VLINK="#999966" LINK="#CC0000">
<MAP NAME="imageMap">
<AREA SHAPE="rect" ALT="home" COORDS="0,2,36,25" HREF="http://www.redhat.com/index.html">
<AREA SHAPE="rect" ALT="products" COORDS="39,2,143,25" HREF="http://www.redhat.com/products/">
<AREA SHAPE="rect" ALT="store" COORDS="145,2,183,25" HREF="http://store.redhat.com/commerce/">
<AREA SHAPE="rect" ALT="download" COORDS="185,2,244,25" HREF="http://www.redhat.com/download/">
<AREA SHAPE="rect" ALT="support" COORDS="246,2,295,25" HREF="http://www.redhat.com/support/">
<AREA SHAPE="rect" ALT="training" COORDS="297,2,352,25" HREF="http://www.redhat.com/products/training.html">
</MAP>
<TABLE WIDTH="600" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="176" BGCOLOR="#CC0000" VALIGN="TOP"><A HREF="http://store.redhat.com/commerce/"><IMG SRC="http://www.redhat.com/img/logo_small3a.gif" WIDTH="56" HEIGHT="43" ALT="redhat.com" BORDER="0"></A><A HREF="http://www.redhat.com/index.html"><IMG SRC="http://www.redhat.com/img/logo_small3b.gif" WIDTH="120" HEIGHT="43" ALT="redhat.com" BORDER="0"></A></TD>
<TD WIDTH="424" BGCOLOR="#CC0000" VALIGN="MIDDLE" ALIGN="RIGHT"> <IMG SRC="http://www.redhat.com/img/global_nav.gif" WIDTH="353" HEIGHT="26" ALT="" USEMAP="http://www.redhat.com/support/errata/RHSA2000002-01.html#imageMap" BORDER="0"> <A HREF="http://www.redhat.com/join/"><IMG SRC="http://www.redhat.com/img/header_join.gif" WIDTH="34" HEIGHT="24" ALT="join" BORDER="0"></A> </TD>
</TR>
</TABLE>
<TABLE WIDTH="600" CELLSPACING="0" BORDER="0" CELLPADDING="2">
<TR>
<TD BGCOLOR="#333333"><IMG SRC="http://www.redhat.com/img/pixel.gif" WIDTH="1" HEIGHT="2" ALT="" BORDER="0"></TD>
<TD BGCOLOR="#333333"><IMG SRC="http://www.redhat.com/img/pixel.gif" WIDTH="1" HEIGHT="2" ALT="" BORDER="0"></TD>
</TR>
<TR>
<TD COLSPAN="2" BGCOLOR="#333333" VALIGN="MIDDLE" ALIGN="CENTER"><A HREF="http://ad.doubleclick.net/jump/www.redhat.com/;sz=468x60;ord=OHvj@86EKcsAACdnRcY"><IMG SRC="http://ad.doubleclick.net/ad/www.redhat.com/;sz=468x60;ord=OHvj@86EKcsAACdnRcY" WIDTH="468" HEIGHT="60" BORDER="0"></A></TD>
</TR>
<TR>
<TD COLSPAN="2" BGCOLOR="#333333"><IMG SRC="http://www.redhat.com/img/pixel.gif" WIDTH="1" HEIGHT="2" ALT="" BORDER="0"></TD>
</TR>
<TR>
<TD COLSPAN="2" BGCOLOR="#999966"><A HREF="http://www.redhat.com/support/"><FONT SIZE="2" FACE="HELVETICA" COLOR="#FFFFCC"><SPAN STYLE="COLOR:#FFFFCC">Product Support:</SPAN></FONT></A> <A HREF="http://www.redhat.com/support/errata/"><FONT SIZE="2" FACE="HELVETICA" COLOR="#FFFFCC"><SPAN STYLE="COLOR:#FFFFCC">Errata:</SPAN></FONT></A> <A HREF="http://www.redhat.com/support/errata/rh-errata.html"><FONT SIZE="2" FACE="HELVETICA" COLOR="#FFFFCC"><SPAN STYLE="COLOR:#FFFFCC">Red Hat Linux:</SPAN></FONT></A> <A HREF="http://www.redhat.com/support/errata/rh61-errata-security.html"><FONT SIZE="2" FACE="HELVETICA" COLOR="#FFFFCC"><SPAN STYLE="COLOR:#FFFFCC">6.1 Security Advisories:</SPAN></FONT></A> <FONT SIZE="3" FACE="HELVETICA" COLOR="#FFFFFF"><B>Advisory</B></FONT></TD>
</TR>
</TABLE>
<TABLE WIDTH="600" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="50"><IMG SRC="http://www.redhat.com/img/pixel.gif" WIDTH="50" HEIGHT="1" ALT="" BORDER="0"></TD>
<TD WIDTH="525" VALIGN="TOP"><BR>
<FONT SIZE="3" FACE="HELVETICA">
<!-- begin content -->
<TABLE WIDTH="525" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD COLSPAN="3"> </TD>
</TR>
<TR>
<TD COLSPAN="2"><FONT SIZE="3" FACE="HELVETICA"><B>Red Hat, Inc. Security Advisory</B></FONT><HR NOSHADE SIZE="2"></TD>
<TD WIDTH="45"></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Package</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">lpr</FONT></TD>
<TD WIDTH="45"></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Synopsis</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">New lpr packages available</FONT></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Advisory ID</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">RHSA-2000:002-01</FONT></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Issue Date</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">2000-01-07</FONT></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Updated on</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">2000-01-07</FONT></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA" COLOR="#666666"><B>Keywords</B></FONT></TD>
<TD WIDTH="45%"><FONT SIZE="3" FACE="HELVETICA">lpr lpd DNS sendmail</FONT></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><HR NOSHADE SIZE="1"></TD>
<TD></TD>
</TR>
<TR>
<TD COLSPAN="2"><FONT SIZE="3" FACE="HELVETICA">
<BR><BR>
<P>
<FONT COLOR="#666666">1. Topic:</FONT><BR>
<!-- begin TOPIC -->
New lpr packages are available to fix two security problems
in lpd.
<!-- end TOPIC -->
<P>
<FONT COLOR="#666666">2. Problem description:</FONT><BR>
<!-- begin PROBLEM DESCRIPTION -->
Two security vulnerabilities exist in the lpd
(line printer daemon) shipped with the lpr package.
<P>
First, authentication was not thorough enough. If a remote user
was able to control their own DNS so that their IP address resolved
to the hostname of the print server, access would be granted,
when it should not be.
<P>
Secondly, it was possible in the control file of a print job
to specify arguments to sendmail. By careful manipulation of
control and data files, this could cause sendmail to be executed
with a user-specified configuration file. This could lead
very easily to a root compromise.
<P>
It is recommended that all users of Red Hat Linux using the
lpr package (which is required to print) upgrade to the
fixed packages.
<P>
Thanks go to DilDog (dildog@l0pht.com) for noting the vulnerability.
<P>
<!-- end PROBLEM DESCRIPTION -->
<P>
<FONT COLOR="#666666">3. Bug IDs fixed: (see <A HREF="http://bugzilla.redhat.com/bugzilla">bugzilla</A> for more information)</FONT><BR>
<!-- begin BUG IDS FIXED -->
<!-- end BUG IDS FIXED -->
<P>
<FONT COLOR="#666666">4. Relevant releases/architectures:</FONT><BR>
<!-- begin RELEVANT RELEASES/ARCHITECTURES -->
Red Hat Linux 6.1, all architectures
<!-- end RELEVANT RELEASES/ARCHITECTURES -->
<P>
<FONT COLOR="#666666">5. Obsoleted by:</FONT><BR>
<!-- begin OBSOLETED BY -->
None
<!-- end OBSOLETED BY-->
<P>
<FONT COLOR="#666666">6. Conflicts with:</FONT><BR>
<!-- begin CONFLICTS WITH -->
None
<!-- end CONFLICTS WITH -->
<P>
<FONT COLOR="#666666">7. RPMs required:</FONT><BR>
<!-- begin RPMS REQUIRED -->
<P><B>Intel:</B><P>
<A HREF="ftp://updates.redhat.com/6.1/i386/">ftp://updates.redhat.com/6.1/i386/</A><P>
<A HREF="ftp://updates.redhat.com/6.1/i386/lpr-0.48-1.i386.rpm">lpr-0.48-1.i386.rpm</A><BR>
<P><B>Alpha:</B><P>
<A HREF="ftp://updates.redhat.com/6.1/alpha">ftp://updates.redhat.com/6.1/alpha</A><P>
<A HREF="ftp://updates.redhat.com/6.1/alpha/lpr-0.48-1.alpha.rpm">lpr-0.48-1.alpha.rpm</A><BR>
<P><B>SPARC:</B><P>
<A HREF="ftp://updates.redhat.com/6.1/sparc/">ftp://updates.redhat.com/6.1/sparc</A><P>
<A HREF="ftp://updates.redhat.com/6.1/sparc/lpr-0.48-1.sparc.rpm">lpr-0.48-1.sparc.rpm</A><BR>
<P><B>Source:</B><P>
<A HREF="ftp://updates.redhat.com/6.1/SRPMS/">ftp://updates.redhat.com/6.1/SRPMS</A><P>
<A HREF="ftp://updates.redhat.com/6.1/SRPMS/lpr-0.48-1.src.rpm">lpr-0.48-1.src.rpm</A><BR>
<!-- end RPMS REQUIRED -->
<P>
<FONT COLOR="#666666">8. Solution:</FONT><BR>
<!-- begin foo SOLUTION -->
For each RPM for your particular architecture, run:
<P>
rpm -Uvh filename
<P>
where filename is the name of the RPM.
<P>
Then, restart lpd:<BR>
/etc/rc.d/init.d/lpd restart
<!-- end SOLUTION -->
<P>
<FONT COLOR="#666666">9. Verification:</FONT><BR>
<!-- begin foo VERIFICATION -->
<PRE>
MD5 sum Package Name
-------------------------------------------------------------------------
78f2220331189e723eab944b53d0710e i386/lpr-0.48-1.i386.rpm
3fcb89eb1a76741a505d3eeeddfa3674 alpha/lpr-0.48-1.alpha.rpm
441cfee04428ca215d98d9ce3d20bc4d sparc/lpr-0.48-1.sparc.rpm
55c6a740b03569919ec08992257cad96 SRPMS/lpr-0.48-1.src.rpm
</PRE>
These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:<BR>
<A HREF="http://www.redhat.com/about/contact.html">http://www.redhat.com/about/contact.html</A>
<P>
You can verify each package with the following command:
rpm --checksig filename
<P>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg filename
<P>
Note that you need RPM >= 3.0 to check GnuPG keys.
<!-- end VERIFICATION -->
<P>
<FONT COLOR="#666666">10. References:</FONT><BR>
<!-- begin REFERENCES -->
Thanks to dildog@l0pht.com for finding this bug.
<!-- end REFERENCES -->
</FONT></TD>
<TD></TD>
</TR>
</TABLE>
<!-- end content -->
<BR> <BR></FONT>
<!-- end content -->
<!-- footer -->
<P>
<FORM METHOD="POST" ACTION="http://www.redhat.com/apps/search/results.html">
<TABLE WIDTH="525" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD COLSPAN="2"><IMG SRC="http://www.redhat.com/img/pixel_black.gif" WIDTH="525" HEIGHT="2" ALT="" BORDER="0"></TD>
</TR>
<TR>
<TD BGCOLOR="#FFFFCC" WIDTH="470" NOWRAP><FONT SIZE="2" FACE="HELVETICA" COLOR="#666666"><B>Search for</B> <INPUT MAXLENGTH="35" NAME="search:query" TYPE="text" SIZE="13"> <B>on</B> <INPUT NAME="search:where" TYPE="radio" VALUE="redhat" CHECKED> redhat.com <INPUT NAME="search:where" TYPE="radio" VALUE="linux"> Linux sites <INPUT TYPE="Submit" VALUE="Go"></FONT></TD>
<TD BGCOLOR="#FFFFCC" WIDTH="55" ALIGN="right"><A HREF="http://www.google.com/"><IMG SRC="http://www.redhat.com/img/google_sm.gif" WIDTH="55" ALT="google" HEIGHT="35" BORDER="0"></A></TD>
</TR>
</TABLE>
</FORM>
<P>
<FONT SIZE="1" FACE="HELVETICA" COLOR="#CC0000">
<A HREF="http://www.redhat.com/index.html">Home</A> | <A HREF="http://www.redhat.com/products/">Products & Services</A> | <A HREF="http://www.redhat.com/commerce/">Store</A> | <A HREF="http://www.redhat.com/download/">Download</A> | <A HREF="http://www.redhat.com/support/">Product Support</A> | <A HREF="http://www.redhat.com/products/training.html">Training</A> | <A HREF="http://www.redhat.com/partners/">Partners & Programs</A>
<BR><A HREF="http://www.redhat.com/community/">Community Center</A> | <A HREF="http://www.redhat.com/news/">News & Views</A> | <A HREF="http://www.redhat.com/appindex/">Linux Applications</A> | <A HREF="http://www.redhat.com/join/">Join</A> | <A HREF="http://www.redhat.com/cgi-bin/dispatcher/edit_user">My Account</A>
<BR><A HREF="http://www.redhat.com/about/">About Red Hat</A> | <A HREF="http://www.redhat.com/legal/legal_statement.html">Legal Statement</A> | <A HREF="http://www.redhat.com/legal/privacy_statement.html">Privacy Statement</A> | <A HREF="http://www.redhat.com/legal/y2k_statement.html">Y2K Statement</A> | <A HREF="http://www.redhat.com/feedback.html">Feedback</A><BR>
</FONT>
<P>
<FONT SIZE="1" FACE="HELVETICA">Copyright © 1999 Red Hat, Inc. All rights reserved.<BR></FONT>
<!-- end footer -->
</TD>
<TD WIDTH="25"><IMG SRC="http://www.redhat.com/img/pixel.gif" WIDTH="25" HEIGHT="1" ALT="" BORDER="0"></TD>
</TR>
</TABLE>
</BODY>
</HTML>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed