SGI CERT ADVISORY RESPONSE

The BSD lpr spooling system is provided as an optionally installed subsystem for all SGI platforms that require interaction with other BSD lpr based systems (Sun Microsystems SunOS, Novell, and DEC Ultrix, for example). The BSD lpr subsystem (eoe2.sw.bsdlpr) is NOT installed by default and should not be confused with the standard AT&T System V lp print spooling mechanism that is normally used on SGI systems.

THIS DOCUMENT IS ONLY APPLICABLE TO THOSE SITES THAT HAVE INSTALLED THE BSD LPR SUBSYSTEM.

The lpr utility for IRIX 4.0.5 (all versions) and IRIX 5.x (5.0, 5.0.1, 5.1.* and 5.2) is vulnerable to a potential system security breach as outlined in a recent 1994 CERT Advisory. SGI engineering has investigated this compromise and has generated corrected versions of the lpr software. SGI recommends that this new lpr software be installed on any SGI system which uses the lpr spooler, to avoid any potential penetration by unprivileged users.

Customers and interested parties may obtain the new lpr software versions via Internet anonymous ftp to SGI or from their SGI service/support provider. The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1) and the files related to this issue are:

  - FOR IRIX 4.0.5
      ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

  - FOR IRIX 5.x
      ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z

The files are compressed tar archives and must be extracted before use. The steps below outline how to do this, assuming one of the above files was ftp'ed to the /tmp directory. Checksums for each of the files are also shown and should be checked for assurance that the software is correct and original.

    % cd /tmp
    % zcat lpr.latest.Z | tar -xvf -
    tar: blocksize = 16
    x lpr.new.install, 1575 bytes, 4 blocks
    x lpr.new, 41120 bytes, 81 blocks
    % sum -r lpr*
    61762 44 lpr.latest.Z
    22489 81 lpr.new
    63777 4 lpr.new.install
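
Added example (not part of the SGI advisory): a shell function that compares the text printed by `sum -r lpr*` against the three checksum lines listed above and fails if any file is missing or differs. The function name check_sums and the SAMPLE input are constructed for illustration.

```shell
#!/bin/sh
# Expected `sum -r` lines as listed in the advisory: checksum, blocks, file name.
# The block counts are 512-byte blocks (the tar listing shows 41120 bytes = 81
# blocks); a `sum` that reports 1K blocks will print different counts.
EXPECTED='61762 44 lpr.latest.Z
22489 81 lpr.new
63777 4 lpr.new.install'

# check_sums ACTUAL
#   ACTUAL is the text printed by `sum -r` for the downloaded and extracted files.
#   Prints one status line per expected file; returns 0 only if every expected
#   file is present with the listed checksum and block count.
check_sums() {
    actual=$1
    status=0
    while read -r want_sum want_blocks name; do
        [ -n "$name" ] || continue
        # Exact match on the file-name field, so lpr.new never matches lpr.new.install.
        line=$(printf '%s\n' "$actual" |
               awk -v f="$name" '$3 == f { print $1, $2; exit }')
        if [ -z "$line" ]; then
            echo "MISSING $name"
            status=1
            continue
        fi
        set -- $line    # $1 = checksum seen, $2 = block count seen
        # Numeric comparison, so a zero-padded checksum such as 01234 still matches.
        if [ "$1" -eq "$want_sum" ] && [ "$2" -eq "$want_blocks" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name: got $1 $2, expected $want_sum $want_blocks"
            status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $status
}

# Constructed sample: `sum -r` output in which lpr.new does not match the advisory.
SAMPLE='61762 44 lpr.latest.Z
10101 81 lpr.new
63777 4 lpr.new.install'
check_sums "$SAMPLE" || echo "verification failed: do not install lpr.new"
```

On the system itself, pass the real output instead of the sample: `check_sums "$(cd /tmp && sum -r lpr*)"`.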