SUN MICROSYSTEMS SECURITY BULLETIN: #00101 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party. --------------------------------------------------------------------------- These patches are available through your local Sun answer centers worldwide. As well as through anonymous ftp to ftp.uu.net in the ~ftp/sun-dist directory. Please refer to the BugID and PatchID when requesting patches from Sun answer centers. NO README information will be posted in the patch on UUNET. Please refer the the information below for patch installation instructions. This is releated to the selection_svc bug in Sunview reference Bugid 1039576 and patchID 100085-03 Reference: Patch-ID# 100085-03 Synopsis:selection_svc and rpc can be used to gain access to system files Date: 05-Sept-90 SunOS release: 4.0.3, 4.1, sun386i 4.0.1/4.0.2 Problem Description: selection_svc can be used to get /etc/passwd from a machine you do not have login permissions to this can also be used to view user files on that machine. NEW bug information: ------------------------------------------------------------------------- Sun Bug ID : 1040747 Synopsis : sv_xv_sel_svc and rpc can be used to gain access to system files Sun Patch ID : 100184-02 Available for: Sun3, Sun4 Openwindows 2.0 Checksum of compressed tarfile 100184-02.tar.Z: 33786 35 -------------------------------------------------------------------------- README information follows: Patch-ID# 100184-02 Keywords:bugid 1040747 Synopsis: sv_xv_sel_svc and rpc can be used to gain access to system files Date: 14/Dec/90 SunOS release: 4.0.3 or later Unbundled Product: Open Windows Unbundled Release: Version 2 Topic: BugId's fixed with this patch: 1040747 Architectures for which this patch is available: sun4 sun3 Patches which may conflict with this patch: Obsoleted by: Open Windows Version 3 Problem Description: sv_xv_sel_svc and rpc can be used to gain access to system files. INSTALL: mv $OPENWINHOME/bin/xview/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc.orig cp `arch`/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc Brad Powell Sun Microsystems Software Security Coordinator.