-----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ SGI Security Advisory Title: libcpr vulnerability Number: 20040507-01-P Date: May 26, 2004 Reference: SGI BUG 914419 Reference: CVE CAN-2004-0134 Fixed in: Patches 5606, 5607, 5608, 5609 and 5610 ______________________________________________________________________________ SGI provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. SGI recommends that this information be acted upon as soon as possible. SGI provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall SGI be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory. _____________________________________________________________________________ - ----------------------- - --- Issue Specifics --- - ----------------------- Adam Gowdiak from the Poznan Supercomputing and Networking Center has reported that under certain conditions /usr/sbin/cpr binary can be forced to load a user provided library while restarting the checkpointed process which can be used to obtain root user privileges. SGI has assigned the following Common Vulnerabilities and Exposures (cve.mitre.org) name to this vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0134 SGI has investigated the issue and recommends the following steps for resolving this issue. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. This issue has been corrected in future releases of IRIX. - -------------- - --- Impact --- - -------------- To determine the version of IRIX you are running, execute the following command: # /bin/uname -R That will return a result similar to the following: # 6.5 6.5.21f The first number ("6.5") is the release name, the second ("6.5.21f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document. - ---------------- - --- Solution --- - ---------------- SGI has provided a series of patches for these vulnerabilities. Our recommendation is to upgrade to IRIX 6.5.25, or install the appropriate patches. OS Version Vulnerable? Patch # Other Actions - ---------- ----------- ------- ------------- IRIX 3.x unknown Note 1 IRIX 4.x unknown Note 1 IRIX 5.x unknown Note 1 IRIX 6.0.x unknown Note 1 IRIX 6.1 unknown Note 1 IRIX 6.2 unknown Note 1 IRIX 6.3 unknown Note 1 IRIX 6.4 unknown Note 1 IRIX 6.5 unknown Note 1 IRIX 6.5.1 unknown Note 1 IRIX 6.5.2 unknown Note 1 IRIX 6.5.3 unknown Note 1 IRIX 6.5.4 unknown Note 1 IRIX 6.5.5 unknown Note 1 IRIX 6.5.6 unknown Note 1 IRIX 6.5.7 unknown Note 1 IRIX 6.5.8 unknown Note 1 IRIX 6.5.9 unknown Note 1 IRIX 6.5.10 unknown Note 1 IRIX 6.5.11 unknown Note 1 IRIX 6.5.12 unknown Note 1 IRIX 6.5.13 unknown Note 1 IRIX 6.5.14 unknown Note 1 IRIX 6.5.15 unknown Note 1 IRIX 6.5.16 unknown Note 1 IRIX 6.5.17 unknown Note 1 IRIX 6.5.18 unknown Note 1 IRIX 6.5.19 unknown Note 1 IRIX 6.5.20m yes 5606 Notes 2 & 3 IRIX 6.5.20f yes 5607 Notes 2 & 3 IRIX 6.5.21 yes 5608 Notes 2 & 3 IRIX 6.5.22 yes 5609 Notes 2 & 3 IRIX 6.5.23 yes 5609 Notes 2 & 3 IRIX 6.5.24 yes 5610 Notes 2 & 3 IRIX 6.5.25 no NOTES 1) This version of the IRIX operating system is not actively supported. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/ for more information. 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL: http://support.sgi.com/ 3) Install the required patch(es) based on your operating release. ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.5606 Algorithm #1 (sum -r): 37588 8 README.patch.5606 Algorithm #2 (sum): 32901 8 README.patch.5606 MD5 checksum: B5C3F81FF84AC7C9698FF5FBFCD23DD5 Filename: patchSG0005606 Algorithm #1 (sum -r): 37659 5 patchSG0005606 Algorithm #2 (sum): 7464 5 patchSG0005606 MD5 checksum: C3AC7041D0BAE3F439A0426EFCB9C4CD Filename: patchSG0005606.eoe_man Algorithm #1 (sum -r): 37809 29 patchSG0005606.eoe_man Algorithm #2 (sum): 6758 29 patchSG0005606.eoe_man MD5 checksum: 0B817D89AE398F9B74A22EBF82FA53D7 Filename: patchSG0005606.eoe_sw Algorithm #1 (sum -r): 60939 1681 patchSG0005606.eoe_sw Algorithm #2 (sum): 42966 1681 patchSG0005606.eoe_sw MD5 checksum: BA965ED4F5B925F043B2BCDB29D1E5E4 Filename: patchSG0005606.eoe_sw64 Algorithm #1 (sum -r): 16988 1719 patchSG0005606.eoe_sw64 Algorithm #2 (sum): 7922 1719 patchSG0005606.eoe_sw64 MD5 checksum: 3C548C5DE1C693BDAA262AF0F8A349B7 Filename: patchSG0005606.idb Algorithm #1 (sum -r): 48114 3 patchSG0005606.idb Algorithm #2 (sum): 45251 3 patchSG0005606.idb MD5 checksum: 7BE6C64724B749060DC208D581530059 Filename: README.patch.5607 Algorithm #1 (sum -r): 04156 9 README.patch.5607 Algorithm #2 (sum): 62950 9 README.patch.5607 MD5 checksum: 0A2EFE3AC5BC04E81A715E958FF1ED4A Filename: patchSG0005607 Algorithm #1 (sum -r): 41377 5 patchSG0005607 Algorithm #2 (sum): 35341 5 patchSG0005607 MD5 checksum: 6020A4ED5C6D0E4F7CD07BFAB1E07652 Filename: patchSG0005607.eoe_man Algorithm #1 (sum -r): 37809 29 patchSG0005607.eoe_man Algorithm #2 (sum): 6758 29 patchSG0005607.eoe_man MD5 checksum: 0B817D89AE398F9B74A22EBF82FA53D7 Filename: patchSG0005607.eoe_sw Algorithm #1 (sum -r): 07626 1847 patchSG0005607.eoe_sw Algorithm #2 (sum): 59526 1847 patchSG0005607.eoe_sw MD5 checksum: 7F85081459DBF8A512FD2FFBD9AD1D37 Filename: patchSG0005607.eoe_sw64 Algorithm #1 (sum -r): 27243 1720 patchSG0005607.eoe_sw64 Algorithm #2 (sum): 31616 1720 patchSG0005607.eoe_sw64 MD5 checksum: 68CC0D6EC13DAC63F11BE0C971250294 Filename: patchSG0005607.idb Algorithm #1 (sum -r): 32428 4 patchSG0005607.idb Algorithm #2 (sum): 26167 4 patchSG0005607.idb MD5 checksum: BE05BCF4016B097EF4225479B66B506A Filename: README.patch.5608 Algorithm #1 (sum -r): 44575 8 README.patch.5608 Algorithm #2 (sum): 32934 8 README.patch.5608 MD5 checksum: 61695BFDD1A066D99FF588BF45357361 Filename: patchSG0005608 Algorithm #1 (sum -r): 16737 4 patchSG0005608 Algorithm #2 (sum): 59501 4 patchSG0005608 MD5 checksum: ED7D6F6A9486FFA247152A041355369D Filename: patchSG0005608.eoe_man Algorithm #1 (sum -r): 38217 30 patchSG0005608.eoe_man Algorithm #2 (sum): 34665 30 patchSG0005608.eoe_man MD5 checksum: 5640D001B448B2A37F2852D299C6D584 Filename: patchSG0005608.eoe_sw Algorithm #1 (sum -r): 65175 1695 patchSG0005608.eoe_sw Algorithm #2 (sum): 59497 1695 patchSG0005608.eoe_sw MD5 checksum: 25ABFCCE90C4807F2D03D21D74A48C2B Filename: patchSG0005608.eoe_sw64 Algorithm #1 (sum -r): 09274 1718 patchSG0005608.eoe_sw64 Algorithm #2 (sum): 10352 1718 patchSG0005608.eoe_sw64 MD5 checksum: E570B855EBDB9606B84B60B3FFB171C1 Filename: patchSG0005608.idb Algorithm #1 (sum -r): 47068 3 patchSG0005608.idb Algorithm #2 (sum): 45435 3 patchSG0005608.idb MD5 checksum: 336B55C8AA738819E801EB674F3F4AD8 Filename: README.patch.5609 Algorithm #1 (sum -r): 57021 8 README.patch.5609 Algorithm #2 (sum): 23379 8 README.patch.5609 MD5 checksum: 9585A8388D55FD6E5D8496CFD3D3B07F Filename: patchSG0005609 Algorithm #1 (sum -r): 31065 3 patchSG0005609 Algorithm #2 (sum): 13185 3 patchSG0005609 MD5 checksum: 7E8140FE524B1B42D411D8CF08363B23 Filename: patchSG0005609.eoe_sw Algorithm #1 (sum -r): 42020 1689 patchSG0005609.eoe_sw Algorithm #2 (sum): 42175 1689 patchSG0005609.eoe_sw MD5 checksum: F211BA20C8ADDB51E75DE1D790331D45 Filename: patchSG0005609.eoe_sw64 Algorithm #1 (sum -r): 02074 1710 patchSG0005609.eoe_sw64 Algorithm #2 (sum): 24791 1710 patchSG0005609.eoe_sw64 MD5 checksum: A2AC8FB26FF1B4723251B30E80E1E486 Filename: patchSG0005609.idb Algorithm #1 (sum -r): 18602 3 patchSG0005609.idb Algorithm #2 (sum): 23438 3 patchSG0005609.idb MD5 checksum: F6E5E81876FC2F79DE2F77CB539EC453 Filename: README.patch.5610 Algorithm #1 (sum -r): 51110 8 README.patch.5610 Algorithm #2 (sum): 20293 8 README.patch.5610 MD5 checksum: 9800BD29494DB131DF267C73152CAA27 Filename: patchSG0005610 Algorithm #1 (sum -r): 20688 3 patchSG0005610 Algorithm #2 (sum): 5422 3 patchSG0005610 MD5 checksum: AE133E85CD9516BF1A2C318851418D8F Filename: patchSG0005610.eoe_sw Algorithm #1 (sum -r): 14132 1682 patchSG0005610.eoe_sw Algorithm #2 (sum): 2892 1682 patchSG0005610.eoe_sw MD5 checksum: 277CEB35D636450629DB25AC2743266A Filename: patchSG0005610.eoe_sw64 Algorithm #1 (sum -r): 27314 1700 patchSG0005610.eoe_sw64 Algorithm #2 (sum): 6892 1700 patchSG0005610.eoe_sw64 MD5 checksum: 62284868F4DAEDCBD85B6A7EDDA02F58 Filename: patchSG0005610.idb Algorithm #1 (sum -r): 38492 3 patchSG0005610.idb Algorithm #2 (sum): 23256 3 patchSG0005610.idb MD5 checksum: 3252933C83413CE3EFA45E17897BE9AA - ------------------------ - --- Acknowledgments ---- - ------------------------ SGI wishes to thank Adam Gowdiak and the Poznan Supercomputing and Networking Center for their assistance in this matter. - ------------- - --- Links --- - ------------- SGI Security Advisories can be found at: http://www.sgi.com/support/security/ and ftp://patches.sgi.com/support/free/security/advisories/ Red Hat Errata: Security Alerts, Bugfixes, and Enhancements http://www.redhat.com/apps/support/errata/ SGI Advanced Linux Environment security updates can found on: ftp://oss.sgi.com/projects/sgi_propack/download/ SGI patches can be found at the following patch servers: http://support.sgi.com/ The primary SGI anonymous FTP site for security advisories and security patches is ftp://patches.sgi.com/support/free/security/ - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- If there are questions about this document, email can be sent to security-info@sgi.com. ------oOo------ SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com. Security advisories and patches are located under the URL ftp://patches.sgi.com/support/free/security/ The SGI Security Headquarters Web page is accessible at the URL: http://www.sgi.com/support/security/ For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap < YourEmailAddress such as midwatch@sgi.com > end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ SGI provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/support/security/ . ------oOo------ If there are general security questions on SGI systems, email can be sent to security-info@sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBQLTG0rQ4cFApAP75AQGuxwP+NWbyADTnKYGHYSgiKT1tdIukggG+/Vxi TCCRzTBJ7PL2Lhv+qbCmDNMl7UX4WXYAsTxSP760zk8jiUR6JXOgDLhbYFK5bABA eqBMaZWDMK7L+1IVl94Rvw7/5xXkQ05FGAdiQpVH2LtsszNzZiLeV5Eto3gTuuAr +zJC2vc6oQA= =2E6X -----END PGP SIGNATURE-----