=====================================================================
                                 CERT-Renater

                      Information Note No. 2000/VULN286
_____________________________________________________________________

DATE                      : 05/10/2000

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Red Hat Linux 5.x and 6.x
                            
======================================================================

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          lpr has a format string security bug, LPRng compat
                   issues, and a race cond.
Advisory ID:       RHSA-2000:066-05
Issue date:        2000-09-25
Updated on:        2000-10-04
Product:           Red Hat Linux
Keywords:          lpr security lpd LPRng
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

lpr has a format string security bug.  It also mishandles any extension
to the lpd communication protocol, and assumes that the instructions
contained in the extension are a file it should try to print.  It also 
has a race condition in the handling of queue interactions that can 
cause the queue to wedge.

Note: Packages indicated in revision -03 and earlier were not signed
with the Red Hat GPG key.  This has been corrected.

2. Relevant releases/architectures:

Red Hat Linux 5.0 - i386, alpha
Red Hat Linux 5.1 - i386, alpha, sparc
Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc

3. Problem description:

The old BSD-based lpr which we shipped with Red Hat Linux 5.x and 6.x
has a recently discovered format string bug in its calls to the syslog
facility.  While we are not aware of any exploits for this issue, it
might be possible for a user to gain local root access.  For this
reason, upgrading to the new lpr is strongly encouraged.
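
Added illustration (not lpr source code and not part of the Red Hat
advisory): the general bug class described above, shown next to the
corrected call.  The helper log_sink() is a hypothetical stand-in for
syslog() that formats into a buffer so the result can be inspected; the
function names and the sample job name are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical stand-in for syslog(): same (priority, format, ...) shape,
 * but the formatted message is kept in a buffer instead of being logged. */
static char last_msg[256];

static void log_sink(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Bug class: externally supplied text is passed as the format string,
 * so any conversion specifier it contains is processed by the formatter. */
const char *log_job_unsafe(const char *jobname)
{
    log_sink(LOG_INFO, jobname);
    return last_msg;
}

/* Corrected call: the format is a constant and the text is only data.
 * The real syslog() is declared with a printf format attribute, so
 * gcc -Wformat -Wformat-security reports the unsafe form at build time. */
const char *log_job_safe(const char *jobname)
{
    log_sink(LOG_INFO, "%s", jobname);
    return last_msg;
}

int main(void)
{
    /* Constructed sample: "%%" takes no argument, so it shows that the
     * data is being interpreted without reading beyond the call. */
    const char *job = "report 100%% done";

    printf("unsafe: %s\n", log_job_unsafe(job));
    printf("safe:   %s\n", log_job_safe(job));
    return 0;
}
```

The unsafe call logs a string that differs from the input, which is the
sign that the data was treated as a format; the safe call logs it
unchanged.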

Additionally, lpr did not properly handle extensions to the lpd
protocol.  LPRng, an advanced replacement for lpr included in Red Hat
Linux 7, makes use of extensions.  The lpr included in Red Hat Linux 6.2
and earlier will not recognize these extensions, and will attempt to
handle the instructions as if they were a file to be printed.  As a
result, the lpr system sends out three of the following email messages
per print job:

Date: Thu, 10 Aug 2000 21:36:32 -0400
