Note: This is an archival copy of Security Sun Alert 200978 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000736.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Resolved Release
A local or remote unprivileged user may be able to remove any file on the system due to a security vulnerability in the "printd" daemon.
Sun acknowledges, with thanks, H.D. Moore of Metaspoilt.com, for bringing this issue to our attention.
This issue can occur in the following releases:
This issue only occurs on systems that have the printer package "SUNWpcu" installed.
There are no reliable symptoms that would indicate the described issue has been exploited.
To work around the described issue, one of the following options can be applied:
Temporarily rename the following file used by the "printd" daemon:
Note: Renaming this file will cause systems configured to use the cascade spooler to fail to send print requests to the configured remote host.
Disable the BSD print protocol adaptor (in.lpd(1M)) by doing the following:
For pre-Solaris 10 systems:
1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as shown:
#printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:
# /usr/bin/pkill -HUP inetd
For systems running Solaris 10 or above:
Execute the following command:
# svcadm disable svc:/application/print/rfc1179
This issue is addressed in the following releases:
This solution has no attachment