=====================================================================
CERT-Renater Information Note No. 2006/VULN016
_____________________________________________________________________

DATE                 : 17/01/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Solaris 8, Solaris 9, Solaris 10.
======================================================================

Sun(sm) Alert Notification

  * Sun Alert ID: 102033
  * Synopsis: Vulnerabilities in lpsched(1M) May Allow an Unprivileged
    User to Remove System Files or Disable the LP Service
  * Category: Security
  * Product: Solaris 9 Operating System, Solaris 10 Operating System,
    Solaris 8 Operating System
  * BugIDs: 6314243, 6314245
  * Avoidance: Patch
  * State: Resolved
  * Date Released: 13-Jan-2006
  * Date Closed: 13-Jan-2006
  * Date Modified:

1. Impact

Security vulnerabilities in lpsched(1M) may allow a local unprivileged user to delete any file or disable the LP print service on a system configured as a print server.

Sun acknowledges, with thanks, Hiroshi Nakano of Ryukoku University for bringing these issues to our attention.

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
  * Solaris 8 without patch 109320-17
  * Solaris 9 without patch 113329-16
  * Solaris 10 without patch 120467-03

x86 Platform
  * Solaris 8 without patch 109321-17
  * Solaris 9 without patch 114980-17
  * Solaris 10 without patch 120468-03

Note: Solaris 7 will not be evaluated regarding the potential impact of the issue described in this Sun Alert.

This issue only affects systems which have been configured to act as print servers. To determine whether the system has been configured as a print server, the following command can be used:

    $ ls /etc/lp/printers

If any files are listed, the host in question is a print server.

3. Symptoms

There are a number of possible symptoms of this issue, including the modification or deletion of files owned by privileged users and the disabling of the main Solaris print daemon.
To check whether the Solaris print daemon has been disabled on a print server, the following command can be run:

    % lpstat -r

It will return either "scheduler is running" or "scheduler is not running".

4. Relief/Workaround

There is no workaround for these issues. Please see the Resolution section below.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  * Solaris 8 with patch 109320-17 or later
  * Solaris 9 with patch 113329-16 or later
  * Solaris 10 with patch 120467-03 or later

x86 Platform
  * Solaris 8 with patch 109321-17 or later
  * Solaris 9 with patch 114980-17 or later
  * Solaris 10 with patch 120468-03 or later

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A.
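The two checks this note relies on, whether /etc/lp/printers holds any entries (section 2) and whether the installed revision of the lp patch meets the level listed in section 5, can be combined into one audit script. The following is an added example written for this note; it is not code from Sun or from CERT-Renater. It assumes that "showrev -p" prints one line per installed patch beginning "Patch: NNNNNN-RR", that "uname -r" reports 5.8, 5.9 or 5.10 and "uname -p" reports sparc or i386, and it runs against constructed sample data so that it can be exercised away from a Solaris host. The function names and the sample patch list are the example's own.

```shell
#!/bin/sh
# Added example for this note (not Sun's or CERT-Renater's code): audit one
# Solaris host against Sun Alert 102033. Function names and the sample data
# below are this example's own assumptions.

# required_patch RELEASE ARCH
# Prints the minimum patch from the Resolution section for a "uname -r" /
# "uname -p" pair, or fails for releases the alert does not cover.
required_patch() {
  case "$1/$2" in
    5.8/sparc)  echo 109320-17 ;;
    5.9/sparc)  echo 113329-16 ;;
    5.10/sparc) echo 120467-03 ;;
    5.8/i386)   echo 109321-17 ;;
    5.9/i386)   echo 114980-17 ;;
    5.10/i386)  echo 120468-03 ;;
    *)          return 1 ;;
  esac
}

# patch_ok REQUIRED SHOWREV_TEXT
# Succeeds when SHOWREV_TEXT (the output of "showrev -p", one "Patch: BASE-REV"
# line per patch) lists the required base patch at the required revision or a
# later one. The revision is compared numerically, so 109320-17 satisfies a
# requirement of 109320-17 and 109320-15 does not.
patch_ok() {
  req_base=${1%-*}
  req_rev=${1#*-}
  printf '%s\n' "$2" | awk -v base="$req_base" -v need="$req_rev" '
    $1 == "Patch:" {
      split($2, p, "-")
      if (p[1] == base && (p[2] + 0) >= (need + 0)) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# is_print_server DIR
# Mirrors the "ls /etc/lp/printers" check: the host is a print server when
# the directory exists and holds at least one entry.
is_print_server() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# assess RELEASE ARCH PRINTERS_DIR SHOWREV_TEXT
# Prints one of: not-print-server, unknown-release, patched,
# or "vulnerable: needs BASE-REV".
assess() {
  if ! is_print_server "$3"; then
    echo "not-print-server"
    return 0
  fi
  req=$(required_patch "$1" "$2") || { echo "unknown-release"; return 0; }
  if patch_ok "$req" "$4"; then
    echo "patched"
  else
    echo "vulnerable: needs $req"
  fi
}

# Constructed sample of "showrev -p" output (not captured from a real host):
# the lp patch is present but two revisions short of the required level.
SAMPLE_SHOWREV='Patch: 109320-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpcu, SUNWpsu
Patch: 108528-29 Obsoletes: 108528-28 Requires:  Incompatibles:  Packages: SUNWcsu'

# Demonstration on a constructed printers directory. On a real host run instead:
#   assess "$(uname -r)" "$(uname -p)" /etc/lp/printers "$(showrev -p)"
demo() {
  d=$(mktemp -d)
  echo "empty dir, Solaris 8 SPARC:   $(assess 5.8 sparc "$d" "$SAMPLE_SHOWREV")"
  touch "$d/lp1"
  echo "one printer, Solaris 8 SPARC: $(assess 5.8 sparc "$d" "$SAMPLE_SHOWREV")"
  rm -rf "$d"
}
demo
```

The script deliberately reports "not-print-server" before looking at patch levels, matching the note's statement that only print servers are affected; a host that is not a print server still benefits from the patch, but it is not exposed to this particular issue. Because the comparison is numeric on the revision suffix, a later revision of the same base patch (which Sun ships as "or later") is accepted without editing the table.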
All rights reserved
======================================================================

=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================