MCI Telecommunications 

                        internetMCI Security Group


Report Name: iMCI MIIGS Security Alert 
Report Number: iMCISE:IMCITEMPLE:112296:01:P1R1
Report Date: 11/22/96
Report Format: Formal
Report Classification: MCI Informational  
Report Reference: http://www.security.mci.net
Report Distribution: iMCI Security, 
		     MCI Internal Internet Gateway Security (MIIGS), 
		     MCI Emergency Alert LiSt (MEALS)
                     (names on file)

-------------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

$Id: lpr-vulnerability-0.6-linux,v 1.1 1996/11/22 21:42:46 alex Exp $

                          Linux Security FAQ Update
                              lpr Vulnerability
                        Thu Nov 21 22:24:12 EST 1996
   Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
                              CIS Laboratories
                             TEMPLE  UNIVERSITY
                                   U.S.A.

=============================================================================
 This is an official Update of the Linux Security FAQ, and it is supposed to
                be signed by one of the following PGP keys:

 1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>

    Unless you are able to verify at least one of signatures, please be very
                    careful when following instructions.

   Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security

             linux-security & linux-alert mailing list archives:
	
            ftp://linux.nrao.edu/pub/linux/security/list-archive

 =============================================================================

REVISION HISTORY 
	
 (This section is automatically maintained by the Revision Control System )

$Log: lpr-vulnerability-0.6-linux,v $
Revision 1.1  1996/11/22 21:42:46  alex
Initial revision



ABSTRACT

	A vulnerability exists in the lpr program version 0.06. If installed 
	suid to root, the lpr program allows local users to gain access to a
	super-user account.

RISK ASSESSMENT

	Local users can gain root privileges. Exploits that exercise
	this vulnerability have been made available.

VULNERABILITY ANALYSIS

	The lpr utility from lpr 0.06 suffers from a buffer overrun
	problem. lpr has to be installed suid-to-root to allow
	print spooling.

DISTRIBUTION FIXES

		Red Hat Commercial Linux

			RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 4.0
			contain a vulnerable lpr utility. Users of RedHat
			Linux distributions prior to version 4.0 are urged
			to upgrade to RedHat Linux 4.0.
			
			The replacement RPMS are available from the
			following URLs:

			RedHat 4.0 x86 Architecture

ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/i386/lpr-0.12-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.i386.rpm

			RedHat 4.0 Alpha Architecture

ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/axp/lpr-0.12-1.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.axp.rpm

			RedHat 4.0 SPARC Architecture

ftp://ftp.redhat.com/pub/redhat/redhat-4.0/updates/sparc/lpr-0.12-1.sparc.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/lpr-0.12-1.sparc.rpm


			Please verify the MD5 fingerprint of the RPMs
			prior to installing them.

            6d36461d6c8b6c50ccadf9de530a6136  lpr-0.12-1.i386.rpm
            87eb9c5b4d7e6a4217fdb9d3bbd6527b  lpr-0.12-1.axp.rpm
            c04359e61cd16108ce5793aa388f206f  lpr-0.12-1.sparc.rpm

		Caldera Network Desktop 

			Caldera Network Desktop version 1.0 contains a
			vulnerable lpr program.

			The replacement RPMS are available from the
			following URLs:

ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/CND/NetKit-B-lpr-0.06-4c2.i386.rpm

			WARNING: We are unable to provide the MD5
			fingerprint for the replacement kit from Caldera as
			it was not provided to us.
 
		Debian

			Debian/GNU Linux 1.1 does not use the lpr program and
			therefore is not vulnerable. If you have installed
			the lpr package yourself, your system becomes
			vulnerable.

		Slackware
	
			There is no official information available from the
			distribution maintainer about the vulnerability of
			the Slackware 3.0 or Slackware 3.1 distributions.

			Testing indicates that both the Slackware 3.0 and
			Slackware 3.1 distributions contain the vulnerable
			lpr program.

			Until the official fix-kit for Slackware 3.0 and
			Slackware 3.1 becomes available, system administrators
			are advised to follow the instructions in the Other
			Linux Distributions section of this LSF Update.

		Yggdrasil

			Yggdrasil Computing Inc has neither confirmed nor
			denied the vulnerability of Plug and Play Fall'95
			Linux.

			Testing indicates that the Plug and Play Fall'95
			Linux distribution contains a vulnerable lpr.

			Until the official fix-kit for Yggdrasil Plug and
			Play Linux becomes available, system administrators
			are advised to follow the instructions in the Other
			Linux Distributions section of this LSF Update.

		Other Linux Distributions

			It is believed at this moment that all Linux
			distributions using lpr version 0.06 or prior
			contain a vulnerable lpr program.

			Administrators of systems based on distributions
			not listed in this update or distributions that
			do not have fix-kits available at the moment are
			urged to contact their support centers requesting
			the fix-kits to be made available to them. 

			In order to prevent the vulnerability from being
			exploited in the meantime, it is recommended that
			the suid bit be removed from the lpr program
			using the command

				chmod u-s /usr/bin/lpr
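
Added example (not part of the original LSF Update): a POSIX shell helper that
reports whether a candidate lpr binary still carries the suid bit, applies the
chmod u-s mitigation above, and confirms the bit is gone. The function names
lpr_suid_state, strip_suid and audit_lpr are hypothetical.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's interim mitigation.
# Function names are hypothetical; only chmod u-s comes from the advisory.

# Print one of: missing, not-setuid, setuid-root, setuid-other
lpr_suid_state() {
    path=$1
    [ -f "$path" ] || { echo missing; return 0; }
    if [ -u "$path" ]; then
        # Third field of "ls -ln" is the numeric owner uid
        owner=$(ls -ln "$path" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo setuid-root
        else
            echo setuid-other
        fi
    else
        echo not-setuid
    fi
}

# Remove the suid bit and verify the result.
# Returns 0 if the file ends up without the bit, 2 if it does not exist.
strip_suid() {
    path=$1
    case $(lpr_suid_state "$path") in
        missing)    echo "no such file: $path" >&2; return 2 ;;
        not-setuid) return 0 ;;
    esac
    chmod u-s "$path" || return 1
    [ ! -u "$path" ]
}

# Report the state of every path given, without changing anything
audit_lpr() {
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(lpr_suid_state "$p")"
    done
}

# Read-only report when paths are passed, e.g.: sh audit.sh /usr/bin/lpr
if [ "$#" -gt 0 ]; then
    audit_lpr "$@"
fi
```

Run audit_lpr first to see which copies are suid, then call strip_suid as root
on each path reported as setuid-root.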

			Until the official fix-kits are available for those
			systems, it is advised that system administrators
			obtain the source code of the LPRng print system used
			in Debian/GNU Linux 1.1, compile it and replace the
			lpr subsystem.

ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12.orig.tar.gz
ftp://ftp.debian.org/debian/project/experimental/lprng_2.3.12-2.diff.gz

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12.orig.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/lprng_2.3.12-2.diff.gz


			Please verify the MD5 fingerprint of the files prior
			to installing them.

         ca51aaa4560ddfc6ced987d568d8cc1c  lprng_2.3.12-2.diff.gz
         f1c23e214a752e1c2dab2399b3457d2d  lprng_2.3.12.orig.tar.gz

CREDITS

	This LSF Update is based on the information originally posted to
	the linux-security mailing list. The information on the fix-kit for
	Red Hat commercial Linux was provided by Marc Ewing (marc@redhat.com)
	of Red Hat Software Inc.; for the Caldera Network Desktop by Ron Holt
	of Caldera Inc.; for Debian/GNU Linux 1.1 by Sven Rudolph
	<sr1@inf.tu-dresden.de> of the Debian Project.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMpYbw4xFUz2t8+6VAQF9pgQAhwl4zNBrlfVxgv7+Ubm8uRkRRaZcjvxH
4F4FdFdtBjyqgkj4dMIKEEhy28TZbAqh0ks6eiviwFAYuMnu3G+MBeGLyHOpX4Mw
krb7At3wt41Yj5NXHpsz9GebYBVfM8sOl4CKX0UcdXdizxfNKxXd8SJLnYteye2b
8paVHnyyDyo=
=9xvg
-----END PGP SIGNATURE-----



===============================================================