011

Posted Sep 23, 1999


MD5 | c64df95284227574967533db4b6054fa

From support@us.external.hp.com Wed Mar 13 00:59:15 1996
Date: Wed, 13 Mar 1996 01:02:13 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9405-011

--------
## Regarding your request:
Send Doc HPSBUX9405-011

The following are the results of your request from the HP SupportLine mail
service.

===============================================================================
Document Id: [HPSBUX9405-011]
Date Loaded: [05-05-94]

Description: Security Vulnerability in HP GlancePlus
===============================================================================

-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00011, 04 May 94
-----------------------------------------------------------------------

_______________________________________________________________________
PROBLEM:      Security vulnerability in product executables for HP GlancePlus
              product revision B.09.00 and all earlier revisions, on all
              releases of HP-UX.
PLATFORM:     HP 9000 series 300/400s and 700/800s.
DAMAGE:       A vulnerability exists in the GlancePlus product which allows
              non-root users who can execute glance or gpm to gain root
              privileges.
SOLUTION:     Obtain and apply fix as outlined below. For HP-UX 9.X a new
              version of Glance is available in the April 1994 Application
              release which addresses the problem. All customers on support
              should already have access to the fixed release.
AVAILABILITY: The fix is currently available.
_______________________________________________________________________

I. Glance Update

A. Problem

A vulnerability exists in the /usr/perf/bin programs Glance and gpm
revisions prior to and including B.09.00 (for series 700/800 systems),
and in the /usr/perf/bin/glance program revision prior to and including
A.09.06 (for series 300/400 systems). The vulnerability allows
non-root users to gain access to files regardless of ownership and
permissions. This could be exploited to gain root-level access.

B. Fixing the problem

The problem can be eliminated by installing the latest release of the
product, which contains a version of glance and gpm revision B.09.01
or greater (for series 700/800 systems) or glance revision A.09.07 or
greater (for series 300/400 systems). The GlancePlus version can be
determined on 9.X systems using the command "what /usr/perf/bin/glance".

PLATFORM   OS         GLANCE ver.          Action
--------   --------   ------------------   ----------------------------
300/400    HPUX 8.X   all                  No patch currently available
           HPUX 9.X   A.09.06 or earlier   Update to GlancePlus A.09.07
           HPUX 9.X   A.09.07              None
700/800    HPUX 8.X   all                  No patch currently available
           HPUX 9.X   A.X or B.09.00       Update to GlancePlus B.09.01
           HPUX 9.X   B.09.01              None

There is currently no fix available for glance on HP-UX 8.X. Users on
8.X releases are advised to use the workaround below.

The GlancePlus product for HP-UX 9.X has been released on the HP-UX
Application Software Release CD for April 1994. All customers with
software support for HP GlancePlus should have access to the latest
GlancePlus release media containing the fix. If for some reason you
do not have access to the latest media, contact your HP Response
Center.

Hewlett-Packard recommends that all GlancePlus customers concerned
with the security of their HP-UX systems update from the April release
media as soon as possible.

As a workaround until the update can be applied, you may execute the
following commands as the root user in order to restrict access to
the product to only the root user:

chmod 744 /usr/perf/bin/glance
chmod 744 /usr/perf/bin/gpm

NOTE: The gpm program file will only exist on your system if you
have installed revision B.09.00 or later of the GlancePlus
product.

NOTE: On 8.X systems, the glance executable is /usr/bin/rxux/glance.
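
A check that the workaround above is in effect, as an added example that is not part of the HP bulletin: it reports, for each executable path the bulletin names, whether the mode still allows non-owner execution or carries a set-ID bit. The function names and the optional root-prefix argument are hypothetical; the check relies on the fact that a numeric chmod 744 on a regular file clears the set-user-ID and set-group-ID bits as well as the group and other execute bits.

```shell
#!/bin/sh
# Added example (not from the HP bulletin): check whether the chmod 744
# workaround is in effect for the GlancePlus executables the bulletin names.
# Function names and the optional root-prefix argument are hypothetical.

# Paths from the bulletin: 9.X glance and gpm, and the 8.X glance location.
GLANCE_PATHS="/usr/perf/bin/glance /usr/perf/bin/gpm /usr/bin/rxux/glance"

# Print the state of one file: absent | restricted | exposed
glance_state() {
    f=$1
    if [ ! -f "$f" ]; then
        echo absent
        return 0
    fi
    # Mode 744 leaves no set-user-ID or set-group-ID bit on a regular file.
    if [ -u "$f" ] || [ -g "$f" ]; then
        echo exposed
        return 0
    fi
    # Mode 744 leaves no execute bit for group or other.
    if [ -n "$(find "$f" -prune \( -perm -010 -o -perm -001 \) -print)" ]; then
        echo exposed
        return 0
    fi
    echo restricted
}

# Report every path under an optional prefix; return 1 if any is exposed.
audit_glance() {
    root=${1:-}
    rc=0
    for p in $GLANCE_PATHS; do
        state=$(glance_state "$root$p")
        echo "$root$p: $state"
        if [ "$state" = exposed ]; then
            rc=1
        fi
    done
    return "$rc"
}

# With no argument this inspects the live paths; pass a prefix to audit a copy.
audit_glance "${1:-}"
```

"restricted" only means the mode matches the workaround; it does not confirm that the file is owned by root or that the installed revision is a fixed one.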

-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):

subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide,
send the following:

send guide.txt


For security concerns, write to:

security-alert@hp.com

-----------------------------------------------------------------------
