Patch-ID# 106235-14 Keywords: security lp.tell in.lpd lpfilter bsd_lpsched.so.1 -y Synopsis: SunOS 5.6: lp patch Date: Aug/20/2003 Install Requirements: Additional instructions may be listed below Solaris Release: 2.6 SunOS Release: 5.6 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 106236 Topic: SunOS 5.6: lp patch Relevant Architectures: sparc BugId's fixed with this patch: 1218803 4033371 4057917 4059204 4075350 4077583 4083736 4085677 4085695 4087598 4090067 4091581 4093648 4094225 4094545 4095132 4106214 4109721 4110644 4115983 4116398 4119457 4129917 4130727 4131103 4137389 4139071 4139861 4147263 4147753 4151445 4153128 4154946 4156106 4165358 4167195 4167443 4179341 4184007 4186811 4187773 4188167 4189161 4200078 4207894 4213872 4215944 4217305 4218904 4220608 4235953 4236024 4236546 4239765 4240238 4251153 4260829 4263321 4263391 4264235 4265529 4273437 4281487 4302705 4303242 4309558 4310991 4314312 4319723 4324679 4325537 4334568 4337699 4343460 4367433 4374037 4381196 4383387 4386671 4390810 4411642 4422628 4434247 4446925 4488655 4499302 4501950 4504977 4512799 4529640 4640166 4704812 4704824 4705899 4705911 4714952 4761753 Changes incorporated in this version: 4704812 4704824 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /usr/bin/cancel /usr/bin/lp /usr/bin/lpset /usr/bin/lpstat /usr/lib/libprint.so.2 /usr/lib/lp/bin/lp.cat /usr/lib/lp/bin/netpr /usr/lib/lp/local/lp /usr/lib/lp/local/lpadmin /usr/lib/lp/local/lpmove /usr/lib/lp/local/lpstat /usr/lib/lp/lpsched /usr/lib/lp/model/netstandard /usr/lib/lp/postscript/postprint /usr/lib/lp/postscript/postprint.ps /usr/lib/lp/postscript/postreverse /usr/lib/print/bsd-adaptor/bsd_cascade.so.1 /usr/lib/print/bsd-adaptor/bsd_lpsched.so.1 /usr/lib/print/in.lpd /usr/sbin/lpadmin /usr/sbin/lpfilter /usr/sbin/lpmove /usr/ucb/lpc Problem Description: 4704812 lpstat: cftime() is deprecated in favor of strftime() 4704824 lpstat: potential buffer overrun (from 106235-13) 4087598 printd consumes all of swap 4705899 libprint:nss_write.c uses fopen() to create temp file 4705911 lib/print/job.c: makes unsafe use of access() 4714952 bsd-gw gives "dfAnnnhostname file exists" from a previous job 4761753 filedescriptor "fd" is not closed in job_retrieve() (from 106235-12) 4236546 lpq dumps core with stack corruption (from 106235-11) 4529640 Euro symbol not printing on postscript printers 4640166 lp:when hold a request during slow-filtering, a request could be canceled (from 106235-10) 4422628 lpstat shows old output (host!user) for remote queues 4488655 lp translates backquote in filename to underscore 4499302 lpstat -p doesn't report the printer status correctly. 4501950 Solaris lpd Remote Command Execution Vulnerability 4504977 netpr uses 100% CPU if network printer disappears during printing 4512799 lp dumps core if more than 61 files are specified (from 106235-09) 4309558 lp, lpstat and cancel: Inconsistent request-ID of moved jobs 4343460 problem handling interface script exit codes 1 to 127 4367433 netpr stuck in endless loop when network printer is rebooted 4374037 Corrupted xfa files in /var/spool/print. 4381196 *postreverse* SEGV if file size is a multiple of the system pagesize 4383387 LP subsystem is vulnerable to printing any file readable by LP. 4386671 lpstat handles aliases differently in solaris 7 and solaris 8. 4390810 lpsched has trouble to handle BS2000 print jobs 4434247 lpmove cannot move jobs with job-id of 0 (zero) 4446925 *in.lpd* contains a remote exploitable overflow (from 106235-08) 4411642 Regression in Bugfix 4303242 (from 106235-07) 4153128 lpsched(1M) sends mail to antiquated "system!user" Note Following installation of this patch, notification emails sent by the lpsched daemon will be only to users of the form user@hostname and not hostname!user as previously. 4187773 lpmove corrupts request id 4303242 lpmove doesn't allow special character "-" in source 4319723 lpstat -a ignores aliases and secondary queue entries 4324679 lpstat formats output incorrectly when receiving data from Novell client 4325537 cust using sap and loosing print jobs.. 4337699 cancel kills pid 99 (from 106235-06) 4334568 security: dangerous dlopen in libprint (from 106235-05) 4091581 Solaris 2.6 printing does not support lpr -C. 4188167 in.lpd core dumps every time when receiving job from a Stratus client 4235953 printd fails to start manually for jobs submitted with "lp -c" 4236024 After installing patch 106235-03, "lp -H" option is ignored 4239765 in.lpd segfaults performing strcmp() in job_list_append() 4251153 netpr kills a queued print job when the tcp socket is closed prematurely 4260829 Solaris printing does not support lpr -C for local printing 4263321 OW hang when running printd 4263391 printjobs disappear when network printer is powered off 4264235 "lp -c" did not warn users when /var is full 4265529 lpstat order changes when print job is modified. 4273437 netpr core dumps and printing fails when job id grows past 9999 4281487 lpsched dies without error message 4302705 lp dumps core on client-side request-id collision 4310991 netpr: buffer overflow in netpr_send_message() 4314312 libprint has buffer overflows and other security problems in Solaris 2.6 and 7 (from 106235-04) 4220608 lpsched dies on Solaris 7 4218904 lpstat -t shows duplicate queue information for remote queues 4217305 lost print jobs are not reliably requeued. 4215944 "O" field in print control file truncates at 65 characters 4213872 /usr/ucb/lpr no longer copies datafile with 106235-02 4207894 lp -t generates an additional space title parameter 4200078 106235-02; cannot print files unless they are readable by lp after patch install 4189161 in.lpd in cascade server is messing up control files 4186811 Printing of forms to a class does not work 4184007 super user executes lpstat with -t under at two seconds interval causes core 4167195 in.lpd in solaris 2.6 coredumps, if print request comes from sdlp s/w ver 1.17 4131103 S2.6 doesn't allow use of special characters ':', '=', and ' ' in printer names 4240238 lpset can't add values with = in them 4093648 Users should be able to su to lp then run specific lp commands. 4057917 netpr: sends illegal BSD control file to BSD remote printer 4033371 lp: jobs submitted to a class are STATICALLY queued to printers (from 106235-03) 4167443 Unable to configure SUN to HP or Unisys printing under 2.6. 4147753 netpr uses up to 100% cpu if wrong queuename specified 4094225 lprm - does not remove all jobs from the print queue as documented 4165358 in.lpd cascading uses wrong queuename 4130727 cancel/lprm security bug 4085677 'lpstat -o' displays jobs of other queues 4179341 printd fails if 'N' entry is missing in control file 4156106 cancelling a job while printer is paper out or offline hangs xtp pad printer. 4095132 lpstat -t is very slow 4077583 Bug in argument parsing for LP (from 106235-02) 1218803 lpstat shows remote printer names instead of the local names 4090067 in.lpd sometimes doesn't work correctly 4094545 non-root user can kill printd process 4106214 cannot cancel or lprm my own jobs 4109721 lpstat doesn't report the correct default printer. 4119457 printd follows symlinks and this can overwrite files 4129917 lpstat buffer overflow 4137389 lpsched handles title option badly 4139071 extra chars in title when sending to remote printer on 2.7 server 4139861 ecpp0 driver fails when printing PCL files under Solaris 2.6 4147263 lpadmin -H ignored from 2.6 to s998_16 4151445 can't cancel large jobs on ecpp port 4154946 lp security bug - can read/write files submitted by another user (from 106235-01) 4116398 new filter can't add properly with lpfilter 4115983 lp -y option is unable to recognize over secondary arguments 4110644 print server does not accept request to printer class 4085695 in.lpd security problem 4083736 in.lpd security problem 4075350 lp.tell loops tightly consuming 20% CPU printing stalled for that printer 4059204 lp can allow user to gain root access Patch Installation Instructions: -------------------------------- Refer to the Install.info file within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. Any other special or non-generic installation instructions should be described below. Special Install Instructions: ----------------------------- After Patch installation, the lpsched daemon should be stopped and restarted. As root: /etc/init.d/lp stop /etc/init.d/lp start NOTE: BugID 4153128 (lpsched(1M) sends mail to antiquated "system!user") Following installation of this patch, notification emails sent by the lpsched daemon will be only to users of the form user@hostname and not hostname!user as previously. README -- Last modified date: Wednesday, August 20, 2003