Updated LPRng packages for Red Hat Linux on IBM iSeries and pSeries systems resolve a temporary file vulnerability and an insecure default.
LPRng is a print spooler. LPRng includes a program, psbanner, that can be used to produce PostScript banner pages to separate print jobs. A vulnerability has been found in psbanner, which creates a temporary file with a known filename in an insecure manner. An attacker could create a symbolic link and cause arbitrary files to be written as the 'lp' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0136 to this issue.

Note: psbanner is not used by the default Red Hat Linux LPRng configuration.

With its default configuration, LPRng accepts job submissions from any host, which is not appropriate in a workstation environment. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0378 to this issue.

The updated packages from this advisory change the job submission policy (in /etc/lpd.perms) so that jobs from remote hosts are refused by default, and contain a patch so that psbanner does not create the temporary file. Those sites running print servers may want to adjust this policy as appropriate; for example, to give access to certain hosts or subnets. Refer to the lpd.perms(5) man page for details.

Note: Default installations of Red Hat Linux 7.1 include ipchains rules blocking remote access to the print spooler IP port; as a result, default installations already reject remote job submissions.

IMPORTANT: There are special instructions for installing this update at the end of the "Solution" section.
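As an added illustration (not text from this advisory or the packaged configuration file), the following /etc/lpd.perms fragment contrasts the permissive default with a policy that refuses remote connections, and shows the print-server variant the advisory mentions. The rule keywords are those documented in lpd.perms(5); the subnet 192.0.2.0/24 is a constructed example value.

```conf
# /etc/lpd.perms excerpt -- illustrative, not the file shipped in the update.
# Rules are matched in order; lpd.perms(5) documents the keys used below
# (SERVICE, SERVER, NOT, REMOTEIP, DEFAULT).

# --- Weak default (CAN-2002-0378): nothing restricts connections (SERVICE=X)
#     by origin, so the trailing DEFAULT ACCEPT admits job submissions from
#     any host that can reach the spooler port.
# DEFAULT ACCEPT

# --- Workstation policy: refuse any connection that does not originate on
#     the server host itself. Remote lpr submissions are rejected at connect
#     time, before any job data is spooled.
REJECT SERVICE=X NOT SERVER
DEFAULT ACCEPT

# --- Print-server variant: admit the local host and one trusted subnet
#     (192.0.2.0/24 is a constructed example), refuse everyone else.
# ACCEPT SERVICE=X SERVER
# ACCEPT SERVICE=X REMOTEIP=192.0.2.0/24
# REJECT SERVICE=X
# DEFAULT ACCEPT
```

Keep the explicit REJECT ahead of DEFAULT ACCEPT; if the order is reversed, the catch-all matches first and the restriction never applies. After editing, tell lpd to re-read its configuration (for example with `lpc reread`) and confirm from a host outside the allowed set that lpr is refused.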