_____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin
 
      New patch for OpenWindows V.3 available for SunOS systems
 
December 12 1630 PST 1991             Number C-10
_________________________________________________________________________
PROBLEM: A vulnerability in OpenWindows V.3 can be exploited to gain 
   unauthorized root access.
PLATFORM: OpenWindows, version 3 
DAMAGE: Allows unauthorized root access with unrestricted access to the 
  system
SOLUTION: Apply Sun Patch ID: 100448-01 available from Sun or ftp.uu.net
_________________________________________________________________________
        Critical Facts about OpenWindows V.3 patch

CIAC has learned from Sun Microsystems Inc. that it has a security
vulnerability in its OpenWindows V 3.0 product that should be
corrected immediately.  CIAC advises that you replace the exploitable
executable file with the patch described below.  Please note that Sun
only supports this product on sun4 and sun4c architectures running
SunOS 4.1.1.  The product is not available for sun3 architectures.

The README file included with the patch has specific installation
instructions that should read and understand before you attempt
installation.

Below is an excerpt from an alert distributed by SUN providing
additional information on this patch.
--------------------------------------------------------------------------
   Sun Bug ID  : 1076118
   Sun Patch ID: 100448-01
   Checksum of compressed tarfile 100448-01.tar.Z on ftp.uu.net = 04354   5 

   Sun advises that you replace the exploitable executable file with
   the appropriate replacement provided in the patch.  Please refer to
   the patch's README file for more information.

   All patches listed are available through local Sun answer centers
   worldwide as well as through anonymous ftp:  in the US, ftp to ftp.uu.net 
   and obtain the patch from the ~ftp/sun-dist directory; in Europe, ftp to 
   mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes
   directory.  Please refer to the BugID and PatchID when requesting
   patches from Sun answer centers.
--------------------------------------------------------------------------


For additional information or assistance, please contact CIAC:

     David Brown
     (510)423-9878** or (FTS) 543-9878
     (FAX) (510) 423-8002** or (FTS) 543-8002
     dsbrown@llnl.gov    

Send e-mail to ciac@llnl.gov or call CIAC at 

     (510) 422-8193**/(FTS)532-8193.  

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

PLEASE NOTE:  Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Ken Pon at Sun Microsystems for providing
some of the information described in this bulletin.  Neither the
United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.