Title: Lpd Remote Command Execution via DVI Printfilter Configuration Error
Severity: HIGH
Description:
'dvips' is a utility that converts DVI documents to PostScript. It is an optional component of the TeTeX text formatting package. When installed on a system where LPRnG and TeTeX are in use, 'dvips' will be invoked by 'lpd' when a DVI document is to be printed.
DVI files can contain directives that will cause the interpreter to open files and/or execute commands while the file is being processed. The developers of 'dvips' included a switch that will cause these directives to be ignored for security reasons.
On some systems, this switch will not be included when 'dvips' is invoked by 'lpd'. On these systems, it may be possible for a remote attacker to execute arbitrary commands on vulnerable systems by attempting to print a malicious DVI document. Any command executed will run with the privileges of user 'lp'.
It should be noted that this vulnerability is only due to the configuration of the DVI printfilter on some systems. There is no specific vulnerability in lpd, dvips or any other executable component. It is simply an error in the default configuration present on some systems. It has been reported that Red Hat 7.0 is vulnerable with the default configuration installed with the RPM packages.
Affected Products:
- RedHat Linux 6.2.0
- RedHat Linux 7.0.0
- RedHat Linux 7.1.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
