| VID |
23006 |
| Severity |
40 |
| Port |
515 |
| Protocol |
TCP |
| Class |
LPD |
| Detailed Description |
The lpd server calls dvips in insecure mode. An attacker may use this flaw to execute arbitrary
commands remotely on the affected host.
'dvips' is a utility that converts DVI documents to PostScript. It is an optional component of the TeTeX text formatting package. When installed on a system where LPRnG and TeTeX are in use, 'dvips' will be invoked by 'lpd' when a DVI document is to be printed if a printfilter exists for it.
The default configuration of the DVI print filter (dvips) in Red Hat Linux 7.0 and earlier does not run dvips in secure mode when dvips is executed by lpd, which could allow remote attackers to gain privileges by printing a DVI file that contains malicious commands.
* References:
http://www.securityfocus.com/bid/3241
http://www.redhat.com/support/errata/RHSA-2001-102.html
Affected Platforms:
RedHat Linux 6.2
RedHat Linux 7.0
RedHat Linux 7.1 |
| Recommendation |
A workaround is to modify the entry in the printfilters file for DVI documents.
On Red Hat systems, edit the file /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi
and change the line that specifies how 'dvips' is to be executed from:
dvips -f $DVIPS_OPTIONS < $TMP_FILE
To:
dvips -R -f $DVIPS_OPTIONS < $TMP_FILE
The '-R' parameter will run 'dvips' in secure mode. |
| Related URL |
CVE-2001-1002 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
