Note: This is an archival copy of Security Sun Alert 200438 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000320.1.
Solaris 2.6 Operating System
Solaris 7 Operating System
Date of Resolved Release
Local unprivileged users may be able to gain unauthorized root access due to a buffer overflow in the lpq(1B) command.
This issue is described in NSFOCUS Security Bulletin SA2003-02 available from http://www.nsfocus.com/english/homepage/sa2003-02.htm.
Sun acknowledges, with thanks, NSFOCUS Information Technology for bringing this issue to our attention.
This issue can occur in the following releases:
Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
Solaris 8 and Solaris 9 are not impacted by this issue.
There are no symptoms that would show the buffer overflow in lpq(1B) has been exploited to gain unauthorized root access to a host. Failed attempts to exploit lpq(1B) might result in a core file being generated. If file(1) was run on this core, it would show that it was produced from lpq(1B).
To work around the described issue, remove the set-user-ID bit from lpstat(1). The lpq(1B) command is a symbolic link to lpstat(1). This can be done with the following command as the root user:
# /usr/bin/chmod u-s /usr/bin/lpstat
Note: Removing the set-user-ID bit from the lpstat(1) binary will prevent unprivileged users from displaying information about the print service.
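The following check confirms that the workaround above is in place. It is an added example, not part of the original Sun Alert; the function name lpq_workaround_status and its optional directory argument are assumptions made for illustration, and the default directory is the /usr/bin path given in the advisory.

```shell
#!/bin/sh
# Added example: audit whether the set-user-ID workaround is in place.
# BINDIR defaults to /usr/bin (path from the advisory); the parameter
# exists only so the check can be exercised against a constructed tree.

# Returns 0 if lpstat exists and is not set-user-ID (workaround applied),
#         1 if lpstat or lpq still runs set-user-ID (still exposed),
#         2 if lpstat is missing or is not a regular file.
lpq_workaround_status() {
    bindir=${1:-/usr/bin}
    lpstat=$bindir/lpstat
    lpq=$bindir/lpq

    if [ ! -f "$lpstat" ]; then
        echo "lpstat: not found under $bindir" >&2
        return 2
    fi

    # test -u follows symbolic links, so checking lpq reports the mode of
    # whatever it points at. If lpq has been replaced by a separate
    # set-user-ID copy, the chmod on lpstat alone does not cover it.
    for f in "$lpstat" "$lpq"; do
        if [ -u "$f" ]; then
            echo "EXPOSED: $f is set-user-ID" >&2
            return 1
        fi
    done

    if [ -e "$lpq" ] && [ ! -h "$lpq" ]; then
        echo "note: $lpq is not a symbolic link; it was checked separately" >&2
    fi
    echo "OK: set-user-ID bit is cleared" >&2
    return 0
}
```

Calling lpq_workaround_status with no argument inspects /usr/bin and needs no root privilege, so it can be run from a routine audit job after patching or system restores.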
This issue is addressed in the following releases: