Debian Security Advisory
lpr -- access control problem and root exploit
- Date Reported:
- 09 Jan 2000
- Affected Packages:
- Security database references:
- No other external database security references currently available.
- More information:
- The version of lpr that was distributed with Debian
GNU/Linux 2.1 and the updated version released in 2.1r4 have a two security
Both problems have been fixed in 0.48-0.slink1. We recommend you upgrade
your lpr package immediately.
- the client hostname wasn't verified properly, so if someone is able to
control the DNS entry for their IP they could fool lpr into granting access.
- it was possible to specify extra options to sendmail which could be used to
specify another configuration file. This can be used to gain root access.
- Fixed in: