A buffer overflow exists in the Solaris line printer daemon (
in.lpd) that may allow a remote intruder to execute arbitrary code with the privileges of the running
in.lpd. This daemon runs with root privileges by default on all recent versions of Solaris.
in.lpd provides services for remote users to interact with a local printer, listening for remote requests on port 515/tcp. There is an unchecked buffer in the part of the code responsible for transferring print jobs from one machine to another. If given too many jobs to work on at once, an attacker can either crash the printer daemon or attempt to execute arbitrary code with super user privileges on the victim system.
Vulnerable versions of Solaris are as follows:
Solaris 2.6 x86
Solaris 7 x86
Solaris 8 x86
Sun recommends the following workarounds until the patches identified below may be applied:
A remote intruder may be able to execute arbitrary code with the privileges in the running daemon (typically root). In addition, a remote intruder may be able to crash vulnerable printer daemons.
Patches have been released by Sun. They are part of a jumbo
lp patch set identified by the following ids, per Sun Security Bulletin #206:
The following patches are available in relation to the above problem.
` OS Version Patch ID
SunOS 5.8 109320-04
SunOS 5.8_x86 109321-04
SunOS 5.7 107115-09
SunOS 5.7_x86 107116-09
SunOS 5.6 106235-09
SunOS 5.6_x86 106236-09
Thein.lpd` daemon was not available prior to Solaris 2.6.
These patches resolve Sun problem report 4446925 in.lpd contains a remote exploitable overflow.
Vendor| Status| Date Notified| Date Updated
Sun| | 21 Jun 2001| 31 Aug 2001
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
The X-Force team of Internet Security Systems, Inc. has released an advisory about this issue.
This document was written by Jeffrey S. Havrilla