.------------------------------------------------. |**** Project Independence Security Advisory ****| `-----------* ID: PISA-18-NOV-99-000 *-----------' Issued by: David Webster Issue Date: 18-NOV-99 Overview: File access problems in lpr/lpd Affected: Independence Release 6.0-0.8 (Redhat 6.0) References: RedHat Security Advisory; RHSA-1999:041-01 -=-=-==-=-=- Detailed Problem Description: There are two problems in the lpr and lpd programs. By exploiting a race between the access check and the actual file opening, it is potentially possible to have lpr read a file as root that the user does not have access to. Also, the lpd program would blindly open queue files as root; by use of the '-s' flag to lpr, it was possible to have lpd print files that the user could not access. Thanks go to Tymm Twillman for pointing out these vulnerabilities. Solution: Update the affected RPM packages by downloading and installing the RPMs listed below. For each RPM, run: root# rpm -Uvh where is the name of the RPM. [Note: Only install the compiled RPM (*.i386.rpm) OR the source RPM (*.src.rpm), not both.] RPMs: http://independence.seul.org/security/1999/rpms/lpr-0.43-2.i386.rpm ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm Source RPMs: http://independence.seul.org/security/1999/rpms/lpr-0.43-2.src.rpm ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm Verification: MD5 sum Package Name -------------------------------------------------------------------------- cc1f97635c0a1029febc1f0e75e40527 lpr-0.43-2.i386.rpm 2c258e8aa98f5b005b326f3110410965 lpr-0.43-2.src.rpm -------------------------------------------------------------------------- These packages are GPG signed by Red Hat, Inc. for security. Their key is available at: http://www.redhat.com/corp/contact.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg This security advisory, and all future ones should be signed by me, David Webster (aka cognition), with key ID: 45 FA C2 83 Which is avaliable from: http://www.cognite.net/pgp.html, and most good pgp key servers. An archive of these messages can be currently be found on: http://www.cognite.net/indy/ A process of automatic retrival is being worked on. [Note: these problems were discovered, and fixed by RedHat.] .---------------------------------------------------. | And problems regarding this, or future advisories | | should be emailed to me: | `---------------------------------------------------'