Caldera Security Advisory SA-96.05
October 28th, 1996
Topic: Vulnerability in lpr
I. Problem Description
The lpr utility is used to spool print jobs under Linux. To
gain access to resources it needs, the lpr program is installed
as set-user-id root.
A vulnerability in lpr makes it possible to overflow an
internal buffer whose contents are under the control of the
user of lpr. If this buffer is overflowed with appropriate
data, a program such as a shell can be started. This
program then runs with root permissions on the local machine.
Exploit programs for lpr are known to exist for Linux
systems on x86 hardware.
II. Impact
On systems such as CND 1.0 with lpr installed set-user-id root
(which is the default), an unprivileged user can obtain root
access.
III. Solution / Workaround
A simple workaround is to update to a non-vulnerable version
of lpr:
    ncftp ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
    rpm -Uvh NetKit-B-lpr-0.06-4c2.i386.rpm
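The following shell check is an added example, not part of Caldera's advisory. It reports whether an lpr binary is set-user-id root (the condition described in sections I and II) and whether an rpm package string matches the fixed package named above. The default path /usr/bin/lpr and all function names are assumptions.

```shell
#!/bin/sh
# Added example: check a host against the exposure described in this advisory.
FIXED_PKG="NetKit-B-lpr-0.06-4c2"   # fixed package named in section III

# Print the numeric owner uid of a file (ls -ln works on old and new systems).
owner_uid() {
    ls -lnd "$1" | awk '{print $3}'
}

# lpr_exposure PATH [PRIV_UID]
# Prints one of: missing, not-setuid, setuid-other, setuid-privileged.
# PRIV_UID defaults to 0 (root); it is a parameter so the check can be
# exercised on a scratch file without root.
lpr_exposure() {
    path=$1
    priv_uid=${2:-0}
    if [ ! -e "$path" ]; then echo missing; return; fi
    if [ ! -u "$path" ]; then echo not-setuid; return; fi
    if [ "$(owner_uid "$path")" = "$priv_uid" ]; then
        echo setuid-privileged
    else
        echo setuid-other
    fi
}

# pkg_status NAME-VERSION-RELEASE
# "fixed" only on an exact match with the advisory's package; any other
# NetKit-B-lpr build needs its version compared by hand.
pkg_status() {
    case $1 in
        "$FIXED_PKG")   echo fixed ;;
        NetKit-B-lpr-*) echo check-version ;;
        *)              echo unknown-package ;;
    esac
}

# report [PATH]: /usr/bin/lpr is an assumed default location.
report() {
    lpr_path=${1:-/usr/bin/lpr}
    echo "lpr binary: $lpr_path -> $(lpr_exposure "$lpr_path")"
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -q NetKit-B-lpr 2>/dev/null) || pkg=none
        echo "package: $pkg -> $(pkg_status "$pkg")"
    fi
}

report "$@"
```

A result of setuid-privileged together with anything other than fixed means the host still matches the advisory's conditions.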
IV. References
This and other Caldera security resources are located at:
http://www.caldera.com/tech-ref/cnd-1.0/security/