Product
Solaris 2.6 Operating System
Solaris 7 Operating System

Bug Id
4236546

Date of Resolved Release
31-MAR-2003

Impact

Local unprivileged users may be able to gain unauthorized root access due to a buffer overflow in the lpq(1B) command.

This issue is described in NSFOCUS Security Bulletin SA2003-02 available from http://www.nsfocus.com/english/homepage/sa2003-02.htm.

Sun acknowledges with thanks, NSFOCUS Information Technology, for bringing this issue to our attention.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

• Solaris 2.6 without patch 106235-12
• Solaris 7 without patch 107115-12

x86 Platform

• Solaris 2.6 without patch 106236-12
• Solaris 7 without patch 107116-12

Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Solaris 8 and Solaris 9 are not impacted by this issue.

Symptoms

There are no symptoms that would show the buffer overflow in lpq(1B) has been exploited to gain unauthorized root access to a host. Failed attempts to exploit lpq(1B) might result in a core file being generated. If file(1) was run on this core, it would show that it was produced from lpq(1B).

Workaround

To work around the described issue, remove the set-user-ID bit from lpstat(1). The lpq(1B) command is a symbolic link to lpstat(1) . This can be done with the following command as the root user:

	# /usr/bin/chmod u-s /usr/bin/lpstat

Note: Removing the set-user-ID bit from the lpstat(1) binary will prevent unprivileged users from displaying information about the print service.

Resolution

This issue is addressed in the following releases:

SPARC Platform

• Solaris 2.6 with patch 106235-12 or later
• Solaris 7 with patch 107115-12 or later

x86 Platform

• Solaris 2.6 with patch 106236-12 or later
• Solaris 7 with patch 107116-12 or later

Modification History

References

106235-12
106236-12
107115-12
107116-12




Attachments

This solution has no attachment