Debian: lprng insecure temporary file vulnerability

    Date14 Apr 2003
    CategoryDebian
    1906
    Posted ByLinuxSecurity Advisories
    psbanner, a printer filter, insecurely creates a temporary file for debugging purpose when it is configured as filter.
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 285-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                             Martin Schulze
    April 14th, 2003                         http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : lprng
    Vulnerability  : insecure temporary file
    Problem-Type   : local
    Debian-specific: no
    CVE Id         : CAN-2003-0136
    
    Karol Lewandowski discovered that psbanner, a printer filter that
    creates a PostScript format banner and is part of LPRng, insecurely
    creates a temporary file for debugging purpose when it is configured
    as filter.  The program does not check whether this file already
    exists or is linked to another place writes its current environment
    and called arguments to the file unconditionally with the user id
    daemon.
    
    For the stable distribution (woody) this problem has been fixed in
    version 3.8.10-1.2.
    
    The old stable distribution (potato) is not affected by this problem.
    
    For the unstable distribution (sid) these problems have been fixed in
    version 3.8.20-4.
    
    We recommend that you upgrade your lprng package.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2.dsc
          Size/MD5 checksum:      656 5b675ef9bc39b470e3ec8cb1b88150b4
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2.diff.gz
          Size/MD5 checksum:    17298 53d5ce171d250135756bf4682a82737d
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10.orig.tar.gz
          Size/MD5 checksum:  5125140 3127e3793b94bd4a403a3809b1d8467b
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng-doc_3.8.10-1.2_all.deb
          Size/MD5 checksum:  1709460 2cec616424b93bfe9df97b0b378b0c6b
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_alpha.deb
          Size/MD5 checksum:   543788 2889fb7f5dcca329b03edc9f1489e1e6
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_arm.deb
          Size/MD5 checksum:   511150 becc4d3f2165ae49dfbf518ce488caea
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_i386.deb
          Size/MD5 checksum:   467568 b16f01e1ea4a1c458a6e32829a85c7b3
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_ia64.deb
          Size/MD5 checksum:   631104 b34cf87d77dd353bf702d403e9561718
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_hppa.deb
          Size/MD5 checksum:   544364 b6e5e6f81c4d291c65b55fbe71ac6747
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_m68k.deb
          Size/MD5 checksum:   467846 2659f796ef5715191e6ab5919cdddb30
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_mips.deb
          Size/MD5 checksum:   480194 93b19b4230658fa889315579da6d4db2
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_mipsel.deb
          Size/MD5 checksum:   477314 9edafa58c5a2bf0f3dcbb1c1a1542a78
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_powerpc.deb
          Size/MD5 checksum:   512804 d0d141a47635f7c4ccf208489d14e6bb
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_s390.deb
          Size/MD5 checksum:   505336 a897c14ef252fb998395d67c9eeab1cd
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/l/lprng/lprng_3.8.10-1.2_sparc.deb
          Size/MD5 checksum:   513382 fc6769e619873033d73a3c7d9cb47fb9
    
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"7","type":"x","order":"1","pct":58.33,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":25,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":16.67,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.