Executive Summary

Summary
Title: Sun Alert 247386 Part II - Multiple Printing Regressions in Solaris 10 Kernel Patches 127127-11 and 127128-11
Information
Name: SUN-247386
First vendor publication: 2009-06-15
Vendor: Sun
Last vendor modification: 2009-09-08
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A
 

Security-Database Scoring CVSS v2

CVSS vector:
CVSS base score: N/A
Attack range: N/A
CVSS impact score: N/A
Attack complexity: N/A
CVSS exploit score: N/A
Authentication: N/A

Detail

Product: Solaris 10 Operating System, OpenSolaris

Solaris 10 kernel patches 127127-11 (SPARC platform) or 127128-11 (x86 platform) introduce multiple printing regressions as listed below.

Note that these issues are in addition to the ones already identified in Sun Alert 241426, available at http://sunsolve.sun.com/search/document.do?assetkey=1-66-241426-1

6699689 - Using the -D option to lpadmin(1M) corrupts '/etc/printers.conf' and leads lpstat(1) to core dump after which printing is no longer possible.

6740381 - 'lpstat -o' no longer reports status for remote Windows printers.

6699255 - After installation of KU 127127/127128-11, printing is no longer possible if the print server and client have different KU revisions.

6720586 - "nobanner" entry gets added to the request when lp(1) is invoked with the -i <request-id> option to change print request options.

6724477 - The command "cancel <queuename>" causes a segmentation fault when used to cancel the first job on a remote queue.

6737146 - Unprivileged users cannot place a hold on "print -" requests when using the -H switch with lp(1).

6740759 - lpstat(1) always reports "Forms allowed: (none)" after making a form (lpforms(1M)) available to the printer.

6749323 - It is not possible to determine from the output from lpstat(1) which host a job was submitted from.

6723892 - 'lpstat -p' dumps core when queues are created with the "-s ipp://" or "-s lpd://" options. This issue only occurs when the required fields are not specified. Supplying valid field data ensures this does not occur.

6739383 - The print commands accept(1M), reject(1), enable(1) and disable(1) do not report status after execution. This has minimal impact: although the status is not reported, the commands complete correctly. This can be verified via "lpstat -lp".

6740079 - "lpstat -R" does not show queued jobs, so it is not possible to tell the order in which jobs will be printed.

6752372 - The output from "lpstat -o" is incorrect and so it is not possible to find which job is currently being printed.

6723334 - There is a slow memory leak in the libpapi library. This could result in a system-wide resource shortage.

6724379 - Printing from Firefox 3 is not possible. Attempts to print using the Firefox 3 application will crash in papiJobStreamOpen.

6727979 - Printing to local queues is not possible due to memory corruption in psm-lpsched.so, which will core dump.

6752568 - Using "lpstat -o" to display queue data for a printer which has a queue name that matches the syntax for a job id is not possible.

For example, a job id has the form <printer name>-<#>, e.g. hplaser-1, where 'hplaser' is the printer and '1' is the job id. If a printer is added with a name that matches this job format, such as "hplaser-1", then 'lpstat -o hplaser-1' will be treated as a job id rather than a printer id and will fail.
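
A check for the naming collision described in 6752568, as an added example that is not part of the Sun Alert: it lists queue names and aliases that end in "-<digits>" and so can be read as a job id. The entry layout it parses (header `name|alias:...` at column 0, indented attribute lines) and the sample host and queue names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): list queue names and aliases in a
# printers.conf-style file that end in "-<digits>", the request-id syntax
# described for bug 6752568.
# Assumed layout: entry header "name|alias:..." at column 0, attribute
# continuation lines indented.

audit_queue_names() {
    # Reads the files given as arguments, or stdin when there are none.
    awk '
        /^[ \t]*#/ { next }     # comment line
        /^[ \t]*$/ { next }     # blank line
        /^[ \t]/   { next }     # indented attribute line, not an entry header
        {
            split($0, fields, ":")              # fields[1] = "name|alias|..."
            n = split(fields[1], names, "|")
            for (i = 1; i <= n; i++)
                if (names[i] ~ /-[0-9]+$/)      # looks like <printer>-<#>
                    print names[i]
        }
    ' "$@"
}

# Constructed sample input; host and queue names are made up.
sample_printers_conf() {
    cat <<'EOF'
# constructed sample, not a real configuration
hplaser:\
    :bsdaddr=printhost,hplaser,Solaris:\
    :description=floor-2 laser:
hplaser-1|lab:\
    :bsdaddr=printhost,hplaser-1,Solaris:
_default:\
    :use=hplaser:
EOF
}

sample_printers_conf | audit_queue_names
```

On a live system the function takes the file as its argument, e.g. `audit_queue_names /etc/printers.conf`; any name it prints is a candidate for renaming.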

6759910 - lpstat(1) cannot display (-D) Description, but this does not affect print jobs.

6752577 - lpmove(1M) dumps core after moving a print job. Print jobs will be processed correctly, however each time lpmove is executed, a core file will be created.

6759604 - A local unprivileged user on the lp client can cancel print jobs owned by root, creating a Denial of Service (DoS) in the print process.

6757330 - Zero byte print jobs will hang. Other print jobs are not impacted when this occurs.

6591929 - Passing a PostScript file to lp via standard input (using a command like '$ cat <postscript-file> | lp') will cause the printer to print the PostScript markup version of the file. Drivers such as ljet and hpijs use this command format and are therefore impacted by this issue. Note that 'lp <postscript-file>' is not impacted by this issue.

6760057 - accept(1M), reject(1) commands are not supported for remote printer queues. Using these commands on remote printers fails but the error message generated omits the reason why the command is not working (not supported).

6746130 - More memory leaks in the libpapi library. This could result in a system-wide resource shortage.

6780792 - Print jobs sent to NIprint print-server software on Windows systems will not be processed and will never print.

6619120 - lpmove(1M) dumps core if it is invoked without any parameters, as is done to display the command usage data. Users may instead refer to the man page for usage details to work around this issue.

6761767 - '/usr/ucb/lpc topq' (see lpc(1B)) fails to move the specified print jobs to the top of the print queue. Instead it will dump core.

6783023 - lpstat -v dumps core if there is no printer name defined in /etc/printers.conf.

State: Workaround
First released: 10-Dec-2008

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_247386_part_ii