SUN MICROSYSTEMS SECURITY BULLETIN: #00118, 11 November 92 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party. --------------------------------------------------------------------------- All patches listed are available through your local Sun answer centers worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist directory; in Europe, ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory. Note that Sun does not have direct access to mcsun.eu.net and must request that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there may be a time lag before patches appear on mcsun.eu.net. Please refer to the BugId and PatchId when requesting patches from Sun answer centers. ---------------------------------------------------------------------------- BULLETIN TOPICS I. Patches that contain fixes for new bugs. These patches were also updated for 4.1.3 compatibility if applicable. A. 100103-11 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: script to change file permissions to a more secure mode B. 100173-09 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: NFS Jumbo Patch C. 100201-06 - SunOS 4.1, 4.1.1: C2 Jumbo Patch D. 100267-09 - SunOS 4.1.1: international libc replacement with all 4.1.1 patches E. 100305-10 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: lpr, lpd, lpstat F. 100377-05 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: sendmail, sendmail.mx G. 100507-04 - SunOS 4.1.1, 4.1.2, 4.1.3: tmpfs jumbo patch H. 100513-01 - SunOS 4.1 4.1.1 4.1.2 4.1.3: jumbo tty patch I. 100564-05 - SunOS 4.1.2, 4.1.3: C2 Jumbo Patch J. 100723-01 - Solaris 2.0FCS/SunOS 5.0, install creates security holes II. Patches upgraded for SunOS 4.1.3 A. 100296-04 - SunOS 4.1.1, 4.1.2, 4.1.3: netgroup exports to world B. 100482-03 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: ypserv, ypxfrd C. 100372-02 - SunOS 4.1.1, 4.1.2, 4.1.3: tfs and c2 do not work together D. 100383-05 - SunOS 4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3: rdist security enhancement E. 100567-04 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: icmp redirects, mfree panic F. 100630-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: login international, su, LD_ environment variables G. 100633-01 - SunOS 4.1.1,4.1.2, 4.1.3: unbundled SunSHIELD ARM 1.0, "LD_" environment variables can be used to exploit login/su, International version. ============================================================================== SPECIAL NOTE: Upgraded patches 100173-09, 100507-04, 100513-01, and 100567-04 all require that a new kernel be configured, made, and installed. All four patches provide significant security enhancements. Note that the installer need only build a new kernel once, after loading in the object files (".o" files) from one or more of the mentioned patches. ============================================================================== PATCHES THAT CONTAIN FIXES FOR NEW BUGS A. Sun Patch ID: 100103-11, shell script modification of file permissions to a more secure mode. Sun Bug IDs: 1046817, 1047044, 1048142, 1054480, 1037153, 1039292, 1042662 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: The script for this patch has been tested on 4.1.3 and also changes the permissions for two additional files: /var/yp/`domainname`/mail.aliases.dir and /var/yp/`domainname`/mail.aliases.pag. Checksum of compressed tarfile 100103-11.tar.Z on ftp.uu.net = 19847 6 B. Sun Patch ID: 100173-09, NFS Jumbo Patch Sun Bug IDs: 1039977, 1032959, 1029628, 1037476, 1038302, 1034328, 1045536, 1030884, 1045993, 1047557, 1052330, 1053679, 1041409, 1065361, 1066287, 1064433, 1070654, 1076985, 1095935, 1097593 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1097593 Problem Description: Bug 1097593 - Accessing NFS mounted files as root causes any application not to be able to access the same file regardless of the file's permissions. Checksum of compressed tarfile 100173-09.tar.Z on ftp.uu.net = 28314 788 C. Sun Patch ID: 100201-06, C2 Jumbo Patch Sun Bug IDs: 1059261, 1043667, 1040465, 1044204, 1040334, 1047131, 1049585, 1058378, 1063796, 1085851, 1097292 SunOS release: 4.1, 4.1.1 (Please refer to Patch 100564-05 for 4.1.2, 4.1.3) Synopsis: Bug fixes for 1063796, 1085851, 1097292 Problem Description: Bug 1063796 - when running C2 with NIS, yppasswd from client system would take 5 minutes delay. Bug 1085851 - a dynamically-linked program that is executed by a setuid program has access to the callers environmental variables if the setuid program sets the real UID equal to the effective UID and the real GID equal to the effective GID before the dynamically-linked program is executed. Bug 1097292 - rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct file. Checksum of compressed tarfile 100201-06.tar.Z on ftp.uu.net = 13145 164 D. Sun Patch ID: 100267-09, international libc replacement with all 4.1.1 patches Sun Bug IDs: 1034993, 1045471, 1033812, 1038500, 1050040, 1051619, 1053346, 1053356, 1052398, 1069731, 1069726, 1033104, 1069972, 1061071, 1054748, 1049421, 1070565, 1059039, 1072740, 1088455, 1041424, 1087375, 1053431, 1093261, 1091493 SunOS release: 4.1.1 Synopsis: Bug fixes for 1053431, 1093261, 1091493 Problem Description: Bug 1053431 - innetgr may acknowledge false netgroup membership. Bug 1093261 - undefined symbols when linking statically with "mblen()". Bug 1091493 - mbtowc and mbstowcs give different results for same character. Checksum of compressed tarfile 100267-09.tar.Z on ftp.uu.net = 55338 5891 E. Sun Patch ID: 100305-10, passwd, lpd, lpr, delete, system, lpstat -v Sun Bug IDs: 1016437, 1040453, 1057834, 1058003, 1059620, 1061504, 1063772, 1081850, 1081968, 1090527 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1090527 Problem Description: Bug 1090527 - lpstat -v only returns the second entry from printer alias list. Checksum of compressed tarfile 100305-10.tar.Z on ftp.uu.net = 28781 368 F. Sun Patch ID: 100377-05, sendmail Jumbo Patch Sun Bug IDs: 1056203, 1030087, 1068637, 1085853, 1041284, 1092073, 1092650, 1093667, 1089670, 1084351 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugids 1093667, 1092650, 1092073, 1089670, 1084351 Problem Description: Bug 1093667 - Sendmail doesn't generate error mail in error conditions. Bug 1092650 - Sendmail truncates the header if the header length is too long. Bug 1092073 - sendmail loops on mail where name of recipient contains eight bit character(s). Bug 1089670 - Sendmail.mx doesn't handle subdomains. Bug 1084351 - Sendmail gets 550 user unknown during "rcpt to" right after reboot. Checksum of compressed tarfile 100377-05.tar.Z on ftp.uu.net = 29141 1076 G. Sun Patch ID: 100507-04, tmpfs jumbo patch Sun Bug IDs: 1038651, 1091294, 1089447, 1083412 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugid 1083412 Problem Description: Bug 1083412 - copying files from an nfs mounted partition to a tmpfs mount can result in security breach. Checksum of compressed tarfile 100507-04.tar.Z on ftp.uu.net = 57590 61 H. Sun Patch ID: 100513-01, Jumbo tty patch Sun Bug IDs: 1008324, 1040722, 1048128, 1060689, 1064320, 1069768, 1070495 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: This patch is a consolidation of patches 100225-02, 100194-02, 100397-01, 100188-02 (TIOCCONS), 100358-01, and 100414-01; it also includes a fix for bugid 1064320. As such this patch supersedes these previous patches. Problem Description: Bug 1064320 - in a 4/110 with ALM-2, null characters are not echoed with a Hayes Smartmodem1200. Bug 1008324 - TIOCCONS can be used to re-direct console output/input away from "console" (for obsolete patch 100188-02). Checksum of compressed tarfile 100513-01.tar.Z on ftp.uu.net = 20616 480 I. Sun Patch ID: 100564-05, C2 Jumbo Patch Sun Bug IDs: 1040334, 1043667, 1058378, 1059261, 1063796, 1039587, 1097292 SunOS release: 4.1.2, 4.1.3 (Please refer to Patch 100201-06 for 4.1, 4.1.1) Synopsis: Patch upgraded for SunOS 4.1.3 and fix for bugids 1097292 and 1006905 Problem Description: Bug 1097292 - rpc.pwdauthd's core image contains plaintext passwords and passwd.adjunct file. Bug 1006905 - rpc.yppasswdd can sometimes corrupt passwd dbm files Checksum of compressed tarfile 100564-05.tar.Z on ftp.uu.net = 00115 824 J. Sun Patch ID: 100723-01, Solaris 2.0FCS install Sun Bug IDs: 1098207 SunOS release: Solaris 2.0FCS/SunOS 5.0 Synopsis: Solaris 2.0FCS/SunOS 5.0 install creates security holes Problem Description: Bug 1098207 - Solaris 2.0FCS install procedures leave world-writable directories, thus opening a path for normal users to gain root privileges. Note that this patch contains a README file only. The README file instructs the installer to run the following command as root after the installation of Solaris 2.0: # pkgchk -f The command above will correct improperly set directory and file attributes created during the installation process. Checksum of compressed tarfile 100723-01.tar.Z on ftp.uu.net = 22726 1 ============================================================================== UPGRADED PATCH INFORMATION FOR SUNOS 4.1.3 COMPATIBILITY A. Sun Patch ID: 100296-04, netgroup exports to world Sun Bug IDs: 2000680, 1044852, 1048890, 1047410 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 Checksum of compressed tarfile 100296-04.tar.Z on ftp.uu.net = 42492 40 B. Sun Patch ID: 100482-03, ypserv and ypxfrd security patch Sun Bug IDs: 1036869, 1039839, 1082319, 1082320, 1080353 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 Please note that the /var/yp/securenets configuration file that is provided in this patch does not support blank lines. Checksum of compressed tarfile 100482-03.tar.Z on ftp.uu.net = 27837 342 C. Sun Patch ID: 100372-02, tfs and c2 do not work together Sun Bug IDs: 1052574 SunOS release: 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.2 and 4.1.3 compatibility Checksum of compressed tarfile 100372-02.tar.Z on ftp.uu.net = 22739 712 D. Sun Patch ID: 100383-05, rdist security enhancement Sun Bug IDs: 1069497, 1074961 SunOS release: 4.0.3, 4.1, 4.1.1, 4.1.2 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100383-05.tar.Z on ftp.uu.net = 52230 135 E. Sun Patch ID: 100567-04 Sun Bug IDs: 1087460, 1093937 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100567-04.tar.Z on ftp.uu.net = 15728 11 F. Sun Patch ID: 100630-01, login international, su, LD_ environment variables Sun Bug IDs: 1085851 SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Note that this patch contains the international version of /bin/login that users who are not using the US Encryption Kit need to install. Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su and /usr/5bin/su from this international patch are suitable for sites that use the US Encryption Kit. Export restrictions prevent putting patch 100631-01 onto anonymous ftp sites. Please contact your Sun Answer Center for patch 100631-01. Checksum of compressed tarfile 100630-01.tar.Z on ftp.uu.net = 28074 39 Checksum of compressed tarfile 100631-01.tar.Z = 44444 25 G. Sun Patch ID: 100633-01, Unbundled SunSHIELD/ARM: login international, su, LD_ environment variables Sun Bug IDs: 1085851 SunOS release: 4.1.1, 4.1.2, 4.1.3; Unbundled Product: SunSHIELD, ARM Synopsis: Patch upgraded for SunOS 4.1.3 compatibility Checksum of compressed tarfile 100633-01.tar.Z on ftp.uu.net = 33264 20 =========================================================================== Sun Microsystems acknowledges the Department of Energy's Computer Incident Advisory Capability (CIAC), especially the efforts of Karyn Pichnarczyk, for their assistance in and review of patch revision issues pertaining to SunOS 4.1.3. Sun Microsystems recommends that all customers concerned with the security of their SunOS system(s) obtain and install the patches that are applicable to their computing environment. Kenneth L. Pon Software Security Coordinator Sun Microsystems Computer Corporation