Vulnerability Note VU#412566
Solaris conv_fix insecure file handling vulnerability
A vulnerability in a program supplied with the Solaris printing system could allow a local attacker to gain elevated privileges on the system.
The Solaris operating system from Sun Microsystems includes a number of supplemental programs to aid in configuration and maintenance of the printing subsystem. One of these programs, /usr/lib/print/conv_fix (which is invoked from the /usr/lib/print/conv_lpd shell script), operates on files in an insecure manner. An attacker can create a file containing data of their choosing that would later be processed by conv_fix. The attacker can then cause their data to be written out to any file on the system if the conv_lpd script is executed as root.
An attacker with local access may be able to overwrite or create any file on the system if the conv_lpd program is run by root. Depending on which file was created or overwritten, this could allow the attacker to gain elevated privileges or a cause a denial-of-service against the system.
Apply a patch from the vendor
Patches have been released to address this issue. Please see the Systems Affected section of this document for more details.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Sun Microsystems Inc.||Affected||-||04 Mar 2004|
CVSS Metrics (Learn More)
Thanks to Sun Microsystems, Inc. for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: Unknown
- Date Public: 26 Feb 2004
- Date First Published: 04 Mar 2004
- Date Last Updated: 04 Mar 2004
- Severity Metric: 0.96
- Document Revision: 9
If you have feedback, comments, or additional information about this vulnerability, please send us email.