-----BEGIN PGP SIGNED MESSAGE-----


________________________________________________________________________________
    Silicon Graphics Inc. Security Advisory

             Title: Sendmail Vulnerabilities CERT 95:05
                Number:         19950201-01-P332
                Date:           February 22, 1995
________________________________________________________________________________

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation.   Silicon Graphics
recommends that this information be acted upon as soon as possible. 

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.
________________________________________________________________________________


Several sendmail vulnerabilities have been discovered in the IRIX 3.x, 4.x, 
5.x and 6.x operating systems.  These have detailed in CERT Advisory 95:05.

SGI Engineering has investigated this issue and recommends the following 
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these 
measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x .
The issue will be permanently corrected in a future release of IRIX.

- ----------------
- --- Solution ---
- ----------------


**** IRIX 3.x ****

Unfortunately, Silicon Graphics Inc, no longer supports the IRIX 3.x
operating system and therefore has no patches or binaries to provide.

However, two possible actions still remain: 1) upgrade the system to a 
supported version of IRIX (see below) and then install the binary/patch
or 2) obtain the sendmail source code from anonymous FTP at 
ftp.cs.berkeley.edu and compile the program manually. 

**** IRIX 4.x ****

For the IRIX operating system version 4.x, a manually installable
binary replacement has been generated and made available via anonymous
ftp and/or your service/support  provider.  The binary is sendmail.new.Z 
and is installable on all 4.x platforms.

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   The
binary maybe be found in the following directories on the ftp server:

        ~ftp/Security

                or

  ~ftp/Patches/4.x

                        ##### Checksums ####

Filename:      sendmail.new.Z
Algorithm #1 (sum -r):    27178 422 sendmail.new.Z
Algorithm #2 (sum):       46012 422 sendmail.new.Z
MD5 checksum:             146DD1019673D7C2C89A78D7ACF85CF6


After obtaining the binary, it may be installed with the instructions
below:


        1) Become the root user on the system.

                % /bin/su -
                Password:
                #

        2) Stop the current mail processes.

    # /etc/init.d/mail stop

  3) Rename the current sendmail binary to a temporary 
     name.

    # mv /usr/lib/sendmail /usr/lib/sendmail.stock
    
  4) Change permissions on the old sendmail binary so it can not
     be used anymore.

    # chmod 0400 /usr/lib/sendmail.stock

  5) Uncompress the binary.

                # uncompress /tmp/sendmail.new.Z
  
  6) Put the new sendmail binary into place (in the example
     here the binary was retrieved via anonymous ftp and put
     in /tmp)

    # mv /tmp/sendmail.new /usr/lib/sendmail

  7) Insure the correct permissions and ownership on the new
     sendmail.

    # chown root.sys /usr/lib/sendmail
    # chmod 4755 /usr/lib/sendmail

  8) Restart the mail system with the new sendmail binary in place.

    # /etc/init.d/mail start

  9) Return to normal user level.

    # exit



**** IRIX 5.0.x, 5.1.x ****

For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade
to 5.2 or better is required first.  When the upgrade is completed,
then the patch described in the next section "**** IRIX 5.2, 5.3, 6.0, 
6.0.1 ***"  can be applied.


**** IRIX 5.2, 5.3, 6.0, 6.0.1 ****

For the IRIX operating system versions 5.2, 5.3, 6.0 and 6.0.1, an
inst-able patch has been generated and made available via anonymous 
ftp and/or your service/support provider.  The patch is number 332 
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1 .   

The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   Patch
332 can be found in the following directories on the ftp server:

  ~ftp/Security
    
    or 

  ~ftp/Patches/5.2
  ~ftp/Patches/5.3
  ~ftp/Patches/6.0
  ~ftp/Patches/6.0.1
  
                        ##### Checksums #### 

The actual patch will be a tar file containing the following files:

Filename:                 patchSG0000332
Algorithm #1 (sum -r):    21182 1 patchSG0000332
Algorithm #2 (sum):       23521 1 patchSG0000332
MD5 checksum:             73EC7CCD69D45C7704025543D3C3EE9E

Filename:                 patchSG0000332.eoe1_man
Algorithm #1 (sum -r):    28090 32 patchSG0000332.eoe1_man
Algorithm #2 (sum):       64391 32 patchSG0000332.eoe1_man
MD5 checksum:             1D0090FEBED2A87050CEE4F9B70F6996

Filename:                 patchSG0000332.eoe1_sw
Algorithm #1 (sum -r):    59645 326 patchSG0000332.eoe1_sw
Algorithm #2 (sum):       11387 326 patchSG0000332.eoe1_sw
MD5 checksum:             F4C24005A712621CADD64F409D7DD5CE

Filename:                 patchSG0000332.idb
Algorithm #1 (sum -r):    18850 2 patchSG0000332.idb
Algorithm #2 (sum):       42701 2 patchSG0000332.idb
MD5 checksum:             86AF417E2DF5B09A537B8ABD6ED049FA



- ------------------------------------
- --- Further Information/Contacts ---
- ------------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com .

For reporting new SGI security issues, email can be sent to
security-alert@sgi.com .



-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBL0zwCLQ4cFApAP75AQHoeQQAuL4QgHyadf3nIjzl9+sEAvEpVQKpBoU0
HBygdQTuwgJ7JbevjdGqkQrdjiFpDVRO1DCv5nDQsjMfBxxt4KFH9kWsPX7QH9CQ
vTzqY4FouQFN+M+Ko8kbtrrs/vAJJP/ctI04KSMWmh7rYdUp3Q28sMq/62i0u8l+
MWtfUHN3yz4=
=L39R
-----END PGP SIGNATURE-----