A buffer overflow exists in the LPRng printer spooler found on newer Linux and other Unix systems. Versions below LPRng 3.6.24-1 are vulnerable.
A buffer overrun exists in the 'netpr' program, part of the SUNWpcu (LP) package included with Solaris, from Sun Microsystems. Versions of netpr on Solaris 2.6 and 7 are vulnerable.
By specifying a long buffer containing machine-executable code, it is possible to execute arbitrary commands as root.
LPRng contains a function, use_syslog(), that places user input in a string which is then passed to syslog() as the format string. As a result, it is possible to corrupt the program's flow of execution by entering malicious format specifiers. In testing, this has been exploited to remotely elevate privileges.
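The syslog() format-string pattern described above, next to its hardened form, as an added example that is not LPRng's own code. The function names log_untrusted, render_untrusted and count_format_directives are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern (shown for contrast only, never called here):
 *     syslog(LOG_INFO, user_msg);    user_msg becomes the format string
 */

/* Hardened form: the format is a constant, the input is only an argument. */
void log_untrusted(const char *user_msg)
{
    syslog(LOG_INFO, "%s", user_msg);
}

/* Same rule applied to snprintf so the result can be inspected.
 * Returns the number of bytes stored in out, excluding the terminator. */
size_t render_untrusted(char *out, size_t outsz, const char *user_msg)
{
    int n = snprintf(out, outsz, "%s", user_msg);
    if (n < 0) { if (outsz) out[0] = '\0'; return 0; }
    return (size_t)n < outsz ? (size_t)n : (outsz ? outsz - 1 : 0);
}

/* Detection aid: count printf-style conversion directives in input.
 * "%%" is a literal percent sign and is not counted. */
size_t count_format_directives(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent */
        if (s[1] != '\0') count++;           /* '%' starts a directive */
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real print request. */
    const char *samples[] = { "job 42 queued", "100%% done", "name=%s%s id=%x" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        render_untrusted(buf, sizeof buf, samples[i]);
        printf("%zu directive(s): %s\n", count_format_directives(samples[i]), buf);
        log_untrusted(samples[i]);  /* logged literally, specifiers inert */
    }
    return 0;
}
```

Compiling with -Wformat -Wformat-security makes GCC and Clang flag calls where a non-literal string is passed as the format argument.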
On SPARC, the netpr exploits will spawn a root shell, whereas on x86 they will create a setuid root shell in /tmp.
Patches are available for LPRng from most Linux vendors. Upgrade or patch to a non-vulnerable version.
As of this writing, patches are not available to the general public. Removal of the setuid bit on the /usr/lib/lp/bin/netpr program will eliminate this vulnerability. This may prevent some portions of the network printing subsystem from working.