Note: This is an archival copy of Security Sun Alert 200438 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000320.1.
Article ID : 1000320.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-05-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Solaris Security Vulnerability due to a Buffer Overflow in lpq(1B)



Category
Security

Release Phase
Resolved

Product
Solaris 2.6 Operating System
Solaris 7 Operating System

Bug Id
4236546

Date of Resolved Release
31-MAR-2003

Impact

Local unprivileged users may be able to gain unauthorized root access due to a buffer overflow in the lpq(1B) command.

This issue is described in NSFOCUS Security Bulletin SA2003-02 available from http://www.nsfocus.com/english/homepage/sa2003-02.htm.

Sun acknowledges, with thanks, NSFOCUS Information Technology for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106235-12
  • Solaris 7 without patch 107115-12

x86 Platform

  • Solaris 2.6 without patch 106236-12
  • Solaris 7 without patch 107116-12

Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Solaris 8 and Solaris 9 are not impacted by this issue.


Symptoms

There are no symptoms that would show that the buffer overflow in lpq(1B) has been exploited to gain unauthorized root access to a host. Failed attempts to exploit lpq(1B) might result in a core file being generated. Running file(1) on this core would show that it was produced by lpq(1B).


Workaround

To work around the described issue, remove the set-user-ID bit from lpstat(1); the lpq(1B) command is a symbolic link to lpstat(1). This can be done with the following command as the root user:

	# /usr/bin/chmod u-s /usr/bin/lpstat

Note: Removing the set-user-ID bit from the lpstat(1) binary will prevent unprivileged users from displaying information about the print service.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106235-12 or later
  • Solaris 7 with patch 107115-12 or later

x86 Platform

  • Solaris 2.6 with patch 106236-12 or later
  • Solaris 7 with patch 107116-12 or later
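
The Workaround and Resolution sections above can be checked together on a host. The following is an added example, not part of the original Sun Alert: it classifies a system from its `uname -r` / `uname -p` values, its `showrev -p` output and the mode of lpstat(1). It assumes a POSIX shell (for example ksh); the function names, verdict strings and sample patch listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a host against this Sun Alert (POSIX shell assumed).

# Patch base ID the advisory lists for a `uname -r` / `uname -p` pair.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 106235 ;;
        5.6/i386)  echo 106236 ;;
        5.7/sparc) echo 107115 ;;
        5.7/i386)  echo 107116 ;;
        *) return 1 ;;   # release is not in the advisory's affected list
    esac
}

# Read `showrev -p` output on stdin; succeed if BASE-NN with NN >= MINREV is listed.
patch_ok() {
    while read tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        case "$id" in
            "$1"-[0-9]*)
                rev=${id##*-}
                [ "$rev" -ge "$2" ] 2>/dev/null && return 0 ;;
        esac
    done
    return 1
}

# Succeed if FILE is a regular file that still carries the set-user-ID bit.
has_setuid() { [ -f "$1" ] && [ -u "$1" ]; }

# lpq_status OSREL ARCH LPSTAT_PATH, with `showrev -p` output on stdin.
# Prints: not-listed, patched, workaround-applied or VULNERABLE.
lpq_status() {
    base=$(required_patch "$1" "$2") || { echo not-listed; return 0; }
    if patch_ok "$base" 12; then echo patched
    elif has_setuid "$3"; then echo VULNERABLE
    else echo workaround-applied
    fi
}

# Constructed sample of `showrev -p` output (package names are placeholders).
sample_showrev() {
    echo "Patch: 106235-12 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample"
    echo "Patch: 107115-11 Obsoletes:  Requires:  Incompatibles:  Packages: PKGexample"
}

# On a real host:
# showrev -p | lpq_status "$(uname -r)" "$(uname -p)" /usr/bin/lpstat
```

A `not-listed` verdict only means the release is outside the four platform and release pairs named above; it says nothing about Solaris 2.5.1, which this Sun Alert does not evaluate.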



Modification History

References

106235-12
106236-12
107115-12
107116-12



