-----BEGIN PGP SIGNED MESSAGE----- ________________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: colorview program allows reading of any file Number: 19950209-00-P Date: February, 9, 1995 ________________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ________________________________________________________________________________ A vulnerability has been discovered in the IRIX 5.1.x, 5.2, 6.0 and 6.0.1 operating systems which would allow the colorview program to be used to view any file on the system. SGI Engineering has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 5.1.x, 5.2, 6.0 and 6.0.1 . The issue will be permanently corrected in future releases of IRIX. - -------------------------- - --- Immediate Solution --- - -------------------------- To correct this issue, it is recommended to remove the setuid bit on the colorview program. The following steps are provided to do this. 1) Become the root user on the system. % /bin/su Password: # 2) Change the permissions on the colorview program to remove the setuid permission. # chmod u-s /usr/sbin/colorview 3) Verify the permissions and ownership to be as follows after step 2. # cd /usr/sbin # ls -al colorview -rwxr-xr-x 1 root sys 396376 Jan 18 18:40 colorview - -------------------------- - --- Long Term Solution --- - -------------------------- There is no patch for this issue. For 5.1.x and 5.2 versions, this has been corrected in IRIX 5.3. - ------------------------------------ - --- Further Information/Contacts --- - ------------------------------------ For obtaining security information, patches or assistance, please contact your SGI support provider. For reporting new SGI security issues, email can be sent to security-alert@sgi.com . -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBL0ov39w7/Z6dLXhtAQEp5AQAp5TMbJbiSRjBQxYCJ2RQc0kU6D1AIb9j mYGeQj2Bdre7VLB0oNRQMU1H/nG8V4edSUPeFckhzgk5AZn8kSqojJiGs1WVEEHM jdU1bppt3PTaSwIVJDDEKk5+cs4xc5VaCrsK64K4ZI/PYMoqqyF8+lxyKs1KDCrG KMpSwsrBulc= =emdw -----END PGP SIGNATURE-----