Caldera Security Advisory SA-96.05
October 28th, 1996

Topic: Vulnerability in lpr

I. Problem Description

	The lpr utility is used to spool print jobs under Linux.  To
	gain access to resources it needs, the lpr program is installed
	as set-user-id root.

	A vulnerability in lpr makes it possible to overflow an
	internal buffer whose contents is under the control of the
	user of lpr.  If this buffer is overflowed with appropriate
	data, a program such as a shell can be started.  This
	program then runs with root permissions on the local machine.

	Exploit programs for lpr are known to exist for Linux
	systems on x86 hardware.

II. Impact

	On systems such as CND 1.0 and lpr installed set-user-id root
	(which is the default), an unprivileged user can obtain root
	access.

III. Solution / Workaround

	A simple workaround is to update to a non-vulnerable version
	of lpr:

 ncftp ftp://ftp.caldera.com/pub/cnd-1.0/updates/NetKit-B-lpr-0.06-4c2.i386.rpm
 rpm -Uvh NetKit-B-lpr-0.06-4c2.i386.rpm


IV. References

	This and other Caldera security resources are located at:

	http://www.caldera.com/tech-ref/cnd-1.0/security/