Information about a vulnerability in the BSD/OS 2.0/2.0.1 kernel and a pointer to the patch.
0344b1366542c48113543ef804d5aa9cd34729c74443c7de930544516c3cb7b9
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.04
March 18, 1996
Topic: BSD/OS 2.0/2.0.1 kernel vulnerability
Source: Berkeley Software Design, Inc.
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Berkeley
Software Design, Inc. (BSDI), who urges you to act on this information as soon
as possible. BSDI contact information is included in the forwarded text below;
please contact them if you have any questions or need further information.
========================FORWARDED TEXT STARTS HERE============================
=============================================================================
Security Advisory
Berkeley Software Design, Inc.
Topic: BSD/OS 2.0/2.0.1 kernel vulnerability
Number: 1996-03-05
Date: March 5, 1996
Patch: ftp://ftp.bsdi.com/bsdi/patches/patches-2.0.1/K201-008
=============================================================================
I. Background
A bug was found in an unused portion of the ptrace code in
BSD/OS 2.0 and 2.0.1 that caused a system vulnerability. The
bug is not present in the current release, BSD/OS 2.1. BSDI
is not aware of anyone who is actively exploiting this bug.
All BSDI customers with current support contracts were mailed
floppies containing the patch for this problem. Customers
without current support contracts can and should download the
patch from the ftp server.
II. Problem Description
Permssion checking for an unused operation was incorrect.
III. Impact
The problem could allow local users to control privileged
processes, and could thus allow users to acquire unauthorized
permissions.
This vulnerability can only be exploited by users with a valid
account on the local system.
IV. Solution(s)
Install BSDI patch K201-008 on all BSD/OS 2.0 or 2.0.1 systems,
or upgrade to BSD/OS 2.1.
=============================================================================
Berkeley Software Design, Inc.
5579 Tech Center Drive, Suite 110
Colorado Springs, CO 80919
Web Site: http://www.bsdi.com/
BSDI Support: +1 800 ITS BSD8 / +1 719 536 9346
Support Email: support@bsdi.com
PGP Key: ftp://ftp.bsdi.com/bsdi/info/pgp_key
=========================FORWARDED TEXT ENDS HERE=============================
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
CERT Contact Information
- ------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMaMvC3VP+x0t4w7BAQGY1gP8CFguURNtnh1MSia2LcpZdd6Nz+fkdID7
JNbMyqSdkFQsKn52w7cnUOeAehTiwsSfr0Mzjra2J3q1c8I5d1BDNb7SyC+U7Xxu
lsdAyZKVCspwPJoO97i6wa9WMicdZ2Hl1aqSVMve3/XCdN5RQlf2RvtxPcYNFKlA
smrhyFW2NAg=
=k0Mk
-----END PGP SIGNATURE-----