Title: Solaris lpstat Buffer Overflow Vulnerability
Severity: MODERATE
Description:
The lpstat utility is used to display the contents of the print queue. It has been reported that the version of lpstat shipped with Sun Solaris is vulnerable to a locally exploitable buffer overflow. As lpstat for Solaris is configured setuid root, exploitation of this vulnerability could result in elevation of privileges for a local attacker.
The condition occurs when lpstat is invoked as lpq, a symbolic link pointing to the lpstat binary (for BSD compatability). The function bsd_queue() attempts to append user-supplied data to a local buffer using the C library function strcat(). As this function has no bounds checking, a stack-based buffer overflow condition is present. Local attackers may exploit this condition to overwrite the return address of the affected procedure and execute instructions with effective root privileges.
Affected Products:
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1_ppc
- Sun Solaris 2.5.1_x86
- Sun Solaris 2.6
- Sun Solaris 2.6_x86
- Sun Solaris 7.0
- Sun Solaris 7.0_x86
References:
- Sun Microsystems: 52443
- Sun Microsystems: Sun Patch Access Page
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
