The version of lpr that was distributed with Debian GNU/Linux 2.1 suffers
from a couple of problems:
- There was a race condition in lpr that users could exploit to print
  files they cannot normally read.
- lpd did not check the permissions of queue files. As a result, by using
  the -s flag, it could be tricked into printing files that a user cannot
  otherwise read.
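
A general defence against this class of problem (a permission check on a path name that can be raced, or no check at all on a file a daemon opens on a user's behalf) is to open the file first and then check the descriptor. The sketch below is an added example, not the Debian fix or lpr/lpd source; open_for_user() and mode_allows_read() are hypothetical names, and only the owner/group/other mode bits are evaluated.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Does uid/gid have read permission according to this fstat() result?
 * Only the classic owner/group/other bits are evaluated; supplementary
 * groups and ACLs are left out of this sketch. */
static int mode_allows_read(const struct stat *st, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;
    if (st->st_uid == uid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Hypothetical helper (not an lpr/lpd function): open `path` for printing
 * on behalf of the requesting uid/gid. Returns a readable descriptor, or
 * -1 if the request must be refused. */
int open_for_user(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK: do not hang on a FIFO before it can be inspected. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() describes the object actually held open, so replacing the
     * path afterwards cannot change what is checked or what is printed. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !mode_allows_read(&st, uid, gid)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The caller must read the job data from the returned descriptor and never reopen the path by name.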

Update: Additional vulnerabilities have been discovered in lpr. See
http://www.debian.org/security/2000/20000109 for more information,
including the following:

The version of lpr that was distributed with Debian GNU/Linux 2.1 and the
updated version released in 2.1r4 have two security problems:
- The client hostname wasn't verified properly, so someone who is able to
  control the DNS entry for their IP could fool lpr into granting access.
- It was possible to specify extra options to sendmail, which could be
  used to specify another configuration file. This can be used to gain
  root access.

Both problems have been fixed in 0.48-0.slink1. We recommend you upgrade
your lpr package immediately.

See BugTraq list (1999 Oct 0176) for more information.