Debian Security Advisory

lpr -- users can see files they shouldn't

Date Reported:
30 Oct 1999
Affected Packages:
lpr
Vulnerable:
Yes
Security database references:
No other external database security references currently available.
More information:
The version of lpr that was distributed with Debian GNU/Linux 2.1 suffers from a couple of problems:
  • there was a race in lpr that could be exploited by users to print files they cannot normally read
  • lpd did not check permissions of queue-files. As a result by using the -s flag it could be tricked into printing files a user can otherwise not read

Update: Additional vulnerabilities have been discovered in lpr. See http://www.debian.org/security/2000/20000109 for more information, including the following:

The version of lpr that was distributed with Debian GNU/Linux 2.1 and the updated version released in 2.1r4 have two security problems:

  • the client hostname wasn't verified properly, so if someone is able to control the DNS entry for their IP they could fool lpr into granting access.
  • it was possible to specify extra options to sendmail which could be used to specify another configuration file. This can be used to gain root access.

Both problems have been fixed in 0.48-0.slink1. We recommend you upgrade your lpr package immediately.

See BugTraq list (1999 Oct 0176) for more information.