
SUN MICROSYSTEMS SECURITY BULLETIN: #00120

Posted Jan 19, 1994

Patch advisory for Sun Microsystems. Please read for details.

SHA-256 | b3a0af15694d0ce9a805d47942a7436d28a54b749b0770c4f0cc1a1880643d99

SUN MICROSYSTEMS SECURITY BULLETIN: #00120, 10 June 93

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun Microsystems expressly disclaims all liability for any misuse of
this information by any third party.

Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install the patches that are applicable
to their computing environment.

-----------------------------------------------------------------------------

All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous FTP: in the US, FTP to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
FTP to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
Note that Sun does not have direct access to mcsun.eu.net and must request
that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there
may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.

------------------------------------------------------------------------------

BULLETIN TOPICS

I. New Patches
A. 101080-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: expreserve can be used to
overwrite any file


==============================================================================

SPECIAL NOTES:

1. The expreserve vulnerability is known to Sun to exist on SunOS 4.1,
4.1.1, 4.1.2, 4.1.3, 5.1/Solaris 2.1, and 5.2/Solaris 2.2.

2. Sun recommends that the expreserve utility be disabled immediately,
and that official Sun patches be installed to correct the problem
as soon as they become available. To prevent use of the expreserve
utility, execute the following command as root:

/usr/bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover vi editor files
when vi terminates unexpectedly. Disabling expreserve will disable
this recovery feature. Users of vi should be advised of this temporary
change and encouraged to save their work frequently.

3. Patch 101080-01, described below, fixes the problem for SunOS 4.1,
4.1.1, 4.1.2, and 4.1.3, and is now available from the sources
described above. The README file does not refer to SunOS 4.1 because
the patch was released before applicability of the patch to 4.1 was
confirmed.

4. A patch for all SunOS 5.x/Solaris 2.x systems is under development
and will be released as soon as testing is complete. A notice similar
to this one will accompany the release.

5. Due to the extraordinary recent publicity surrounding this
vulnerability, Sun has opted NOT to delay the release of the first
patch until the second patch is ready. Sun especially regrets any
inconvenience resulting from the split release.


==============================================================================


I. PATCHES THAT CONTAIN FIXES FOR NEW BUGS

A. Sun Patch ID: 101080-01, security problem with expreserve.
Sun Bug IDs: 1044909, 1083183
SunOS release: SunOS 4.1, 4.1.1, 4.1.2, 4.1.3
Synopsis: This patch fixes a problem in the expreserve program
which allows it to be used to overwrite any file. This
vulnerability can be used to obtain root access to the system.
Problem Description:
Bug 1044909 - race condition when file is created owned by root.
Bug 1083183 - expreserve can be used to overwrite any file.

Checksum of compressed tarfile 101080-01.tar.Z on ftp.uu.net = 45221 13

NOTE: This patch obsoletes patch 100251-01.
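
Added example (not part of Sun's bulletin): a portable way to check a fetched archive against the "45221 13" pair before installing it. It assumes the pair is BSD-style sum(1) output, a 16-bit rotate-and-add checksum followed by the size in 1024-byte blocks; the bulletin does not name the algorithm, and the function names are this example's own.

```shell
#!/bin/sh
# Assumption: the bulletin's "checksum blocks" pair is BSD-style sum(1) output.
# This is a 16-bit integrity check against transfer damage only; it gives no
# protection against a deliberately modified archive.

# bsd_sum FILE -> prints "<checksum> <blocks>"
bsd_sum() {
    # od emits each byte as an unsigned decimal; -v keeps repeated lines.
    od -A n -v -t u1 "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                c = int(c / 2) + (c % 2) * 32768   # rotate right one bit (16-bit)
                c = (c + $i) % 65536               # add the byte, keep 16 bits
                n++
            }
        }
        END { printf "%d %d\n", c, int((n + 1023) / 1024) }'
}

# verify_sum FILE CHECKSUM BLOCKS
# returns 0 on match, 1 on mismatch, 2 if the file cannot be read
verify_sum() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Append the computed pair as $4 and $5.
    set -- "$1" "$2" "$3" $(bsd_sum "$1")
    if [ "$4" -eq "$2" ] && [ "$5" -eq "$3" ]; then
        echo "OK: $1 ($4 $5)"
    else
        echo "MISMATCH: $1 computed $4 $5, expected $2 $3" >&2
        return 1
    fi
}

# Usage with the values from the bulletin (archive fetched separately):
#   verify_sum 101080-01.tar.Z 45221 13
```
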

Sun Microsystems acknowledges the CERT Coordination Center, the CIAC
Computer Security Technology Center, and Lawrence Livermore Laboratories
for their assistance in the resolution of the expreserve problem.


===========================================================================

Mark G. Graff
Software Security Coordinator
Sun Microsystems, Inc.