[linux-security] lpr bugs
- To: linux-security
- Subject: [linux-security] lpr bugs
- Date: Wed, 4 Oct 2000 17:22:22 -0700 (PDT)
Problem description
===================
The old BSD-based lpr (shipped with Red Hat Linux 5.x and 6.x and probably
almost any other Linux distribution other than RH 7.0) has a
recently discovered format string bug in its calls to the syslog facility.
While there are no known exploits for this issue at this time, it might be
possible for a user to gain local root access. For this reason, upgrading
to the new lpr is strongly encouraged.
Solution
========
Red Hat 6.x:
    rpm -Fvh lpr-0.50-7.i386.rpm
(this rpm is, e.g., available from sphinx.sfu.ca in the directory
/vol/vol1/distrib/redhat/RedHat/RPMS)
I have not been able to find patches for other distributions although
they are probably vulnerable as well (e.g., Mandrake is based on Red Hat).
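
Added example (not part of the original message and not lpr's source): the
class of bug described above, where caller-controlled text reaches syslog()
as its format argument, shown beside the fixed call form. The function names
and the sample job name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Fixed call form: the untrusted text is an ARGUMENT to a constant
 * format string, so '%' sequences inside it are never interpreted.
 * The vulnerable form this replaces is:  syslog(prio, text);       */
void safe_syslog(int prio, const char *text)
{
    syslog(prio, "%s", text);
}

/* Same expansion rule as the fixed call, written to a buffer so the
 * result can be inspected. Returns the length snprintf reports.     */
int render_fixed(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "cannot open %s", user_text);
}

/* Audit helper: counts '%' directives that WOULD be interpreted if
 * this text were passed as a format string. "%%" is a literal '%'.
 * Non-zero means the text is unsafe to use as a format.             */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent sign, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *job = "job%x%n";    /* constructed sample input */
    char buf[128];

    safe_syslog(LOG_ERR, job);      /* logged verbatim */
    render_fixed(buf, sizeof buf, job);
    printf("%s (directives in input: %d)\n", buf, count_directives(job));
    return 0;
}
```

Building with gcc -Wformat -Wformat-security reports call sites that pass a
non-literal string as the only argument after the priority.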