Note: This is an archival copy of Security Sun Alert 200212 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000163.1.
Article ID : 1000163.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-04-23
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Vulnerabilities in lpsched(1M) May Allow an Unprivileged User to Remove System Files or Disable the LP Service



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6314243, 6314245

Date of Resolved Release
13-JAN-2006

Impact

Security vulnerabilities in lpsched(1M) may allow a local unprivileged user to delete any file or disable the LP print service on a system configured as a print server.

Sun acknowledges, with thanks, Hiroshi Nakano of Ryukoku University for bringing these issues to our attention.


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109320-17
  • Solaris 9 without patch 113329-16
  • Solaris 10 without patch 120467-03

x86 Platform

  • Solaris 8 without patch 109321-17
  • Solaris 9 without patch 114980-17
  • Solaris 10 without patch 120468-03

Note: Solaris 7 will not be evaluated regarding the potential impact of the issue described in this Sun Alert.

This issue only affects systems which have been configured to act as print servers. To determine if the system has been configured as a print server, the following command can be used: 

    $ ls /etc/lp/printers

If there are files listed, then the host in question is a print server.


Symptoms

There are a number of possible symptoms of this issue, including the modification/deletion of files owned by privileged users and the disabling of the main Solaris print daemon. In order to check whether the Solaris print daemon has been disabled on a print server, the following command can be run:

    % lpstat -r

This command returns either "scheduler is running" or "scheduler is not running."


Workaround

There is no workaround for these issues. Please see the Resolution section below.


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109320-17 or later
  • Solaris 9 with patch 113329-16 or later
  • Solaris 10 with patch 120467-03 or later

x86 Platform

  • Solaris 8 with patch 109321-17 or later
  • Solaris 9 with patch 114980-17 or later
  • Solaris 10 with patch 120468-03 or later
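
The checks from this alert (print server test, patch level, scheduler state) combined into one script, as an added example that is not part of the original Sun Alert. The function names are hypothetical, and `showrev -p` (the standard Solaris installed-patch listing) is an assumption not shown in the alert; the patch IDs and revisions are the ones listed above.

```shell
#!/usr/xpg4/bin/sh
# Added example. POSIX shell syntax: on Solaris use /usr/xpg4/bin/sh or ksh.
# Patch IDs and minimum revisions are the ones listed in this Sun Alert.

# Print "BASE MINREV" for a release (`uname -r`) and processor (`uname -p`).
min_fixed_patch() {
    case "$1/$2" in
        5.8/sparc)  echo "109320 17" ;;
        5.9/sparc)  echo "113329 16" ;;
        5.10/sparc) echo "120467 03" ;;
        5.8/i386)   echo "109321 17" ;;
        5.9/i386)   echo "114980 17" ;;
        5.10/i386)  echo "120468 03" ;;
        *) return 1 ;;
    esac
}

# Read `showrev -p` output on stdin; print fixed, vulnerable or unknown.
# Assumption: only the patch IDs named in the alert are recognised.
lpsched_patch_status() {
    want=$(min_fixed_patch "$1" "$2") || { echo unknown; return 0; }
    base=${want% *}; minrev=${want#* }; minrev=${minrev#0}
    result=vulnerable
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        case $id in "$base"-*) rev=${id#*-}; rev=${rev#0} ;; *) continue ;; esac
        case $rev in ''|*[!0-9]*) continue ;; esac   # skip malformed revisions
        if [ "$rev" -ge "$minrev" ]; then result=fixed; fi   # "or later"
    done
    echo "$result"
}

# True when the printer configuration directory lists any entries.
is_print_server() {
    [ -n "$(ls "${1:-/etc/lp/printers}" 2>/dev/null)" ]
}

# Report for the local host, using the commands shown in the alert.
check_host() {
    if is_print_server; then
        echo "patch level: $(showrev -p | lpsched_patch_status "$(uname -r)" "$(uname -p)")"
        lpstat -r
    else
        echo "not configured as a print server: not affected"
    fi
}

if [ "$(uname -s)" = SunOS ]; then check_host; fi
```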


References

120468-03
120467-03
113329-16
114980-17
109320-17
109321-17



