SGI CERT ADVISORY RESPONSE
The BSD lpr spooling system is provided as an optionally installed
subsystem for all SGI platforms that require interaction with other BSD
lpr based systems (Sun Microsystems SunOS, Novell, and DEC Ultrix for
example). The BSD lpr subsystem (eoe2.sw.bsdlpr) is NOT installed by
default and should not be confused with the standard AT&T System V lp
print spooling mechanism that is normally used on SGI systems. THIS
DOCUMENT IS ONLY APPLICABLE TO THOSE SITES THAT HAVE INSTALLED
THE BSD LPR SUBSYSTEM.
The lpr utility for IRIX 4.0.5 (all versions) and IRIX 5.x (5.0, 5.0.1,
5.1.* and 5.2) is vulnerable to a potential system security breach as
outlined in a recent 1994 CERT Advisory.
SGI engineering has investigated this compromise and has generated
corrected versions of lpr software. SGI recommends that this new lpr
software be installed on any SGI system which uses the lpr spooler to
avoid any potential penetration by unprivileged users.
Customers and interested parties may obtain the the new lpr software
versions via Internet anonymous ftp to SGI or from their SGI
service/support provider.
The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1) and
the files related to this issue are:
-FOR IRIX 4.0.5
~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z
-FOR IRIX 5.x
~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z
The files are in tar format and compressed and will need to be extracted
appropriately. Below it is outline how to do this assuming one of
the above files was ftp'ed to the /tmp directory. Also, checksums for
each of the files is shown and should be check for assurance software is
correct and original.
% cd /tmp
% zcat lpr.latest.Z | tar -xvf -
tar: blocksize = 16
x lpr.new, 171016 bytes, 335 blocks
x lpr.new.install, 1575 bytes, 4 blocks
% sum -r lpr*
03015 171 lpr.latest.Z
21563 335 lpr.new
63777 4 lpr.new.install
|