Note: This is an archival copy of Security Sun Alert 200438 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000320.1.
Article ID : 1000320.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-05-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris Security Vulnerability due to a Buffer Overflow in lpq(1B)


Release Phase

Solaris 2.6 Operating System
Solaris 7 Operating System

Bug Id

Date of Resolved Release


Local unprivileged users may be able to gain unauthorized root access due to a buffer overflow in the lpq(1B) command.

This issue is described in NSFOCUS Security Bulletin SA2003-02 available from

Sun acknowledges, with thanks, NSFOCUS Information Technology for bringing this issue to our attention.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106235-12
  • Solaris 7 without patch 107115-12

x86 Platform

  • Solaris 2.6 without patch 106236-12
  • Solaris 7 without patch 107116-12

Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Solaris 8 and Solaris 9 are not impacted by this issue.


There are no symptoms that would show the buffer overflow in lpq(1B) has been exploited to gain unauthorized root access to a host. Failed attempts to exploit lpq(1B) might result in a core file being generated. Running file(1) on this core file would show that it was produced by lpq(1B).


To work around the described issue, remove the set-user-ID bit from lpstat(1); the lpq(1B) command is a symbolic link to lpstat(1). As the root user, run the following command:

	# /usr/bin/chmod u-s /usr/bin/lpstat

Note: Removing the set-user-ID bit from the lpstat(1) binary will prevent unprivileged users from displaying information about the print service.


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106235-12 or later
  • Solaris 7 with patch 107115-12 or later

x86 Platform

  • Solaris 2.6 with patch 106236-12 or later
  • Solaris 7 with patch 107116-12 or later
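
The following check is an added example, not part of the Sun Alert. It maps a host's release and platform to the patch IDs listed above, looks for revision 12 or later in `showrev -p` output, and otherwise reports whether the set-user-ID workaround is in place. The function names and the `--audit` switch are hypothetical. It assumes a POSIX shell (for example /usr/xpg4/bin/sh) and `showrev -p` lines that begin `Patch: <id>-<rev>`.

```shell
#!/bin/sh
# Added example: host check for the lpq(1B) issue in this Sun Alert.
# Assumes a POSIX shell and `showrev -p` lines like "Patch: 106235-12 ...".

# Map `uname -r` / `uname -p` values to the patch base ID from the alert.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 106235 ;;   # Solaris 2.6, SPARC
        5.7/sparc) echo 107115 ;;   # Solaris 7, SPARC
        5.6/i386)  echo 106236 ;;   # Solaris 2.6, x86
        5.7/i386)  echo 107116 ;;   # Solaris 7, x86
        *) return 1 ;;              # not listed as affected in the alert
    esac
}

# Read `showrev -p` output on stdin; succeed if patch $1 is at revision 12+.
patch_ok() {
    ok=1
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        case $id in "$1"-[0-9][0-9]) ;; *) continue ;; esac
        rev=${id#*-}
        rev=${rev#0}                # "08" -> "8" so it compares as decimal
        if [ "$rev" -ge 12 ]; then ok=0; fi
    done
    return $ok
}

# Classify a host. $1 = path to lpstat, $2 = patch base ID;
# `showrev -p` output on stdin. Prints patched, workaround or exposed.
lpq_status() {
    if patch_ok "$2"; then
        echo patched
    elif [ ! -u "$1" ]; then        # set-user-ID bit absent (or file missing)
        echo workaround
    else
        echo exposed
    fi
}

# On a Solaris host, run as: sh <this file> --audit
if [ "${1:-}" = "--audit" ]; then
    base=$(required_patch "$(uname -r)" "$(uname -p)") ||
        { echo "release not listed as affected"; exit 0; }
    showrev -p | lpq_status /usr/bin/lpstat "$base"
fi
```

Because `[ -u ]` follows symbolic links, pointing `lpq_status` at /usr/bin/lpq tests the same lpstat binary.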

Modification History


