SUN MICROSYSTEMS SECURITY BULLETIN: #00119, 15 March 93 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party. - --------------------------------------------------------------------------- All patches listed are available through your local Sun answer centers worldwide as well as through anonymous FTP: in the US, FTP to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist directory; in Europe, FTP to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory. Note that Sun does not have direct access to mcsun.eu.net and must request that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there may be a time lag before patches appear on mcsun.eu.net. Please refer to the BugId and PatchId when requesting patches from Sun answer centers. - ---------------------------------------------------------------------------- BULLETIN TOPICS I. New Patches A. 100833-02 - Solaris 2.1/SunOS 5.1: auditing hooks missing from some system programs. B. 100884-01 - Solaris 2.1/SunOS 5.1: cumulative fixes to /kernel/unix including srmmu window handler does not check %sp C. 100891-01 - SunOS 4.1.3: international libc replacement (Note: Patch 100890-01, SunOS 4.1.3: domestic libc replacement, cannot be made available via anonymous FTP because of export restrictions. Please contact your Sun Answer Center for this patch, if applicable.) II. Upgraded Patches A. 100121-09 - SunOS 4.1 NFS Jumbo Patch B. 100173-10 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: NFS Jumbo Patch C. 100224-06 - SunOS 4.1.1, 4.1.2, 4.1.3: /bin/mail, /bin/rmail D. 100305-11 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: lpr, lpd, lpstat E. 100383-06 - SunOS 4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3: rdist security and hard links enhancement F. 100448-01 - SunOS 4.1.1 4.1.2 4.1.3: OpenWindows 3.0: loadmodule is a security hole G. 100452-28 - OpenWindows 3.0: XView/3.0 CTE Jumbo Patch H. 100482-04 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: ypserv, ypxfrd I. 100513-02 - SunOS 4.1 4.1.1 4.1.2 4.1.3: jumbo tty patch J. 100623-03 - SunOS 4.1.2 4.1.3: UFS jumbo patch III. Security Fixes not available by Patch Installation A. DNI (DECnet Interface) B. PC-NFS ============================================================================== SPECIAL NOTE: SunOS 4.x patches 100121-09, 100173-10, 100513-02, and 100623-03 all require that a new kernel be configured, made, and installed. All four patches provide significant security enhancements. Note that the installer need only build a new kernel once, after loading in the object files (".o" files) from one or more of the mentioned patches. ============================================================================== I. PATCHES THAT CONTAIN FIXES FOR NEW BUGS A. Sun Patch ID: 100833-02, auditing hooks missing from some system programs. Sun Bug IDs: 1107949, 1108803 SunOS release: Solaris 2.1/SunOS 5.1 Synopsis: This patch is required for using the unbundled Basic Security Module product on the Solaris 2.1 release. It fixes the problem of several programs not being dynamically linked with the libc2 security auditing library and other programs that were missing the appropriate auditing hooks. Problem Description: Bug 1107949 - The makefile for libc2 needs to be modified to allow for dynamic linking. Bug 1108803 - inetd, rshd, ftpd, rexecd, mountd, cron, and rexd need to have the C2 auditing hooks added and the program dynamically linked with the C2 library. Checksum of compressed tarfile 100833-02.tar.Z on ftp.uu.net = 49753 155 B. Sun Patch ID: 100884-01, cumulative fixes to /kernel/unix Sun Bug IDs: 1108813, 1107190, 1108112, 1108947, 1110653, 1110373, 1105806, 1100073, 1103645, 1106404, 1111011, 1112756, 1113153, 1114791 SunOS release: Solaris 2.1/SunOS 5.1 Synopsis: cumulative fixes to /kernel/unix including srmmu security fix. Note that patches 100825-01, 100828-01, 100829-02, and 100848-01 are obsoleted by this patch. Problem Description: Bug 1108813 - security, srmmu window handler does not check %sp Checksum of compressed tarfile 100884-01.tar.Z on ftp.uu.net = 03775 2610 C. Sun Patch ID: 100891-01, SunOS 4.1.3: international libc replacement Sun Bug IDs: 1108813 SunOS release: Solaris 2.1/SunOS 5.1 Synopsis: Several bug fixes for 4.1.3, including two for security Problem Description: Bug 1033104 - when /etc/hosts.equiv file begins with -@netgroup, any machine gets equivalent access Bug 1053431 - innetgr may acknowledge false netgroup membership Bug 1077337 - xlock crashes when handling many return keypresses leaving system open Checksum of compressed tarfile 100891-01.tar.Z on ftp.uu.net = 33195 3075 ============================================================================== II. UPGRADED PATCH INFORMATION A. Sun Patch ID: 100121-09, NFS Jumbo Patch for SunOS 4.1 Sun Bug IDs: 1026933, 1034007, 1039977, 1029628, 1037476, 1038327, 1038302, 1034328, 1045536, 1045993, 1047557, 1030884, 1052330, 1053679 SunOS release: 4.1 Synopsis: This revision adds sun4e 4.1 support. Problem Description: Security relevant bug fixes: Bug 1026933 - Pages (not just bytes) of one file appear in another. This only happens on the client; the file on the server is not affected. This problem disappears when the system is rebooted. Bug 1029628 - When a program with the setuid bit set is copied between local files the setuid bit is cleared. If the same file is copied to an NFS file system the setuid bit is not cleared on the new file. Bug 1034328 - An NFS client can crash if two procedures unlink the same file at once. Bug 1045536 - NFS exports to non-sun systems can allow file truncation. Checksum of compressed tarfile 100121-09.tar.Z on ftp.uu.net = 57589 360 B. Sun Patch ID: 100173-10, NFS Jumbo Patch Sun Bug IDs: 1039977, 1032959, 1029628, 1037476, 1038302, 1034328, 1045536, 1030884, 1045993, 1047557, 1052330, 1053679, 1041409, 1065361, 1066287, 1064433, 1070654, 1076985, 1095935, 1097593, 1111816 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch revised to fix bugid 1111816 Problem Description: Bug 1111816 - NFS write/append performance is poor (nfs_vnodeops.o modified). Checksum of compressed tarfile 100173-10.tar.Z on ftp.uu.net = 48086 788 C. Sun Patch ID: 100224-06, /bin/mail, /bin/rmail Sun Bug IDs: 1045636, 1047340, 1051832, 1092987 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Fixes bugids 1092987 and 1115042; old security fix for 1047340 Problem Description: Bug 1047340 - /bin/mail can be used to invoke a root shell. Bug 1092987 - mail signal handlers cause recursing SIGBUS errors. Bug 1115042 - mail crashes when value for MAXLET exceeded. Checksum of compressed tarfile 100224-06.tar.Z on ftp.uu.net = 57647 54 D. Sun Patch ID: 100305-11, passwd, lpd, lpr, delete, system, lpstat -v Sun Bug IDs: 1016437, 1040453, 1057834, 1058003, 1059620, 1061504, 1063772, 1081850, 1081968, 1090527, 1048004 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch revised for bugid 1048004 fix Problem Description: Bug 1048004 - lpr checks on the real user rather than the effective user. Checksum of compressed tarfile 100305-11.tar.Z on ftp.uu.net = 38582 500 E. Sun Patch ID: 100383-06, rdist security and hard links enhancement Sun Bug IDs: 1069497, 1074961, 1059506 SunOS release: 4.0.3, 4.1, 4.1.1, 4.1.2 4.1.3 Synopsis: Patch upgraded to fix bugid 1059506 Problem Description: Bug 1069497 - user can gain root access using rdist (chmod(2)). Bug 1074961 - /usr/ucb/rdist under some conditions can be forced to create setuid root programs thus causing a security problem. Bug 1059506 - /usr/ucb/rdist does not transfer hard linked files. Checksum of compressed tarfile 100383-06.tar.Z on ftp.uu.net = 58984 121 F. Sun Patch ID: 100448-01, OpenWindows 3.0: loadmodule Sun Bug IDs: 1076118 SunOS release: SunOS 4.1.1 4.1.2 4.1.3 Synopsis: Patch tested on SunOS 4.1.3. The revision number of this patch in Sun's patch database was not revised. Problem Description: Bug 1076118 - loadmodule has a security hole. Checksum of compressed tarfile 100448-01.tar.Z on ftp.uu.net = 29285 5 G. Sun Patch ID: 100452-28, OpenWindows 3.0: XView/3.0 CTE Jumbo Patch Sun Bug IDs: Many, security related bugs are 1077164 and 1091601. SunOS release: All compatible with OpenWindows 3.0 Problem Description: Bug 1077164 - cmdtool L2/AGAIN key displays unechoed characters. Bug 1091601 - cmdtool feature has potential for revealing passwords. Checksum of compressed tarfile 100452-28.tar.Z on ftp.uu.net = 07299 1688 H. Sun Patch ID: 100482-04, ypserv and ypxfrd security patch Sun Bug IDs: 1036869, 1039839, 1082319, 1082320, 1080353, 1078977 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for bugid 1078977 and obsoletes patch 100465 Problem Description: Bug 1078977 - DNS lookup will fail if the first nameserver in /etc/resolv.conf is up but has no nameserver daemon running. The ECONNREFUSED will be carried on down to the other nameservers listed in resolv.conf even if they are up and their nameserver daemons are running. Please note that the /var/yp/securenets configuration file that is provided in this patch does not support blank lines. Checksum of compressed tarfile 100482-04.tar.Z on ftp.uu.net = 06594 342 I. Sun Patch ID: 100513-02, Jumbo tty patch Sun Bug IDs: 1008324, 1040722, 1048128, 1060689, 1064320, 1069768, 1070495, 1104557 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: This patch is a consolidation of patches 100225-02, 100194-02, 100397-01, 100188-02 (TIOCCONS), 100358-01, and 100414-01. It obsoletes these previous patches. The current revision includes a fix for bug 1104557. Problem Description: Bug 1008324 - TIOCCONS can be used to re-direct console output/input away from "console" (from obsoleted patch 100188-02). Bug 1104557 - In rare circumstances, attempting a TIOCSTI ioctl on a pty, when the read side of the stream is full, can panic Bad Trap from ttycommon_qfull, after passing that routine a faulty pointer to the queue. Checksum of compressed tarfile 100513-02.tar.Z on ftp.uu.net = 34315 483 J. Sun Patch ID: 100623-03, UFS jumbo patch Sun Bug IDs: 1078521, 1039693, 1082206, 1071839, 1102884, 1100860, 1077035, 1063470, 1075369 SunOS release: 4.1.2, 4.1.3 Synopsis: The following information was derived from the patch's README file: Patches which may conflict with this patch: 100505-01, 100548-01, 100575-02, 100731-01 This patch and patch 100575-02 both modify ufs_bmap.o. The version of ufs_bmap.o in this patch also contains the fix made for 100575-02. 100575-02 is the galaxy performance/watchdog reset/system hang patch for SunOS 4.1.2. This patch should be applied in conjunction with the latest version of the NFS jumbo patch, 100173. The NFS jumbo patch should be applied before this patch. Problem Description: Bug 1063470 - Non-random NFS file handles can be guessed Checksum of compressed tarfile 100623-03.tar.Z on ftp.uu.net = 56063 141 =========================================================================== III. SECURITY FIXES NOT AVAILABLE BY PATCH INSTALLATION A. DNI (DECnet Interface) Sun Bug IDs: 1060768, 1083426 Synopsis: To close the vulnerability described, obtain upgraded DNI version 7.0.1. The stated security bugs were fixed in obsoleted patch 100827-01, the DNI 7.0.1 jumbo patch, which obsoleted patches 100611-01 and 100472-02. Problem Description: Bug 1060768 - dni_rc_ins creates the rc script with world write. Bug 1083426 - DNI permissions on files copied by dnicp to Vax/VMS systems are not set properly. B. PC-NFS Sun Bug IDs: 1107553, 1109375 Synopsis: To close the vulnerability described, obtain the most recent version of pcnfsd by anonymous FTP. pcnfsd is available from the following FTP servers: bcm.tmc.edu, src.doc.ic.ac.uk, and ftpserver.massey.ac.nz. Obtain pcnfsd.93.02.16.tar.Z if available; else use pcnfsd.92.11.05.tar.Z. Problem Description: Bug 1107553 - pcnfsd, security hole SDR# pcn2251 Bug 1109375 - pcnfsd, need to control printer, login SDR# pcn2325 Sun Microsystems acknowledges Brian Fitzgerald of Rensselaer Polytechnic Institute and the CERT Coordination Center for their assistance in the resolution of the aforementioned PC-NFS problems. =========================================================================== Sun Microsystems recommends that all customers concerned with the security of their SunOS system(s) obtain and install the patches that are applicable to their computing environment. Kenneth L. Pon Software Security Coordinator Sun Microsystems Computer Corporation