COMMAND
	    lpr
SYSTEMS AFFECTED
	    BSD
PROBLEM
	    Chris Evans found following.  If we look into  lpr/lpd/printjob.c,
	    we can find the following two lines of code
	
	        if ((s = checkremote()))
	                syslog(LOG_WARNING, s);
	
	    This  is  a  classic  format  string  mistake.   It  may  not   be
	    exploitable, because the failure strings returned by checkremote()
	    in lpr/common_source/common.c,  do not  contain much  data that  a
	    user could control.
	    However,  it  illustrates  that   format  string  bugs  creep   in
	    everywhere,  even  in  code  that  gets syslog() calls correct the
	    majority of the time, as is the case with BSD-lpr.
SOLUTION
	    OpenBSD ship  BSD-lpr. Not  only have  they already  fixed this in
	    their CVS, but they  also offer web indexed  CVS.  They caught  it
	    independently as part of their "format strings" audit.
	
	        http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/lpd/printjob.c?r1=1.19&r2=1.20
	
	    It seems FreeBSD fixed this one back in 1997:
	
	        http://www.FreeBSD.org/cgi/cvsweb.cgi/src/usr.sbin/lpr/lpd/printjob.c.diff?r1=1.17&r2=1.18
	
	    This was fixed in NetBSD after advisory:
	
	        http://cvsweb.netbsd.org/bsdweb.cgi/basesrc/usr.sbin/lpr/lpd/printjob.c