
SUN MICROSYSTEMS SECURITY BULLETIN: #00117

Posted Jan 19, 1994

Patch advisory for Sun Microsystems. Please read for details.

SHA-256 | 21b3939782eca16707090e3c690b6a5a4f526bf59d24effbfb6cd417744b6c9a

SUN MICROSYSTEMS SECURITY BULLETIN: #00117, 16 July 92

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
Note that Sun does not have direct access to mcsun.eu.net and must request
that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there
may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.

----------------------------------------------------------------------------

BULLETIN TOPICS
  I.  New Patches
      A. 100633-01, SunOS 4.1.1,4.1.2: unbundled SunSHIELD ARM 1.0, "LD_"
         environment variables can be used to exploit login/su, International
         version.
  II. Upgraded Patches
      A. 100173-08, SunOS 4.1.1,4.1.2: NFS Jumbo, uid truncation problem
      B. 100376-04, SunOS 4.1,4.1.1,4.1.2: integer mul/div, crashme
      C. 100567-02, SunOS 4.1,4.1.1,4.1.2: icmp redirects can be used to
         make a host drop connections; mfree panic

==============================================================================

SPECIAL NOTE: Upgraded patches 100173-08, 100376-04, and 100567-02 all
require that a new kernel be configured, made, and installed. All three
patches provide significant security enhancements. Note that the installer
need only build a new kernel once, after loading in the object files
(".o" files) from one or more of the mentioned patches.

==============================================================================

NEW PATCH INFORMATION

Sun Patch ID: 100633-01
Sun Bug IDs: 1085851
SunOS release: 4.1.1, 4.1.2; unbundled SunSHIELD ARM 1.0
Synopsis: "LD_" environment variables can be used to exploit login and su
Problem Description:
Bug 1085851 - a dynamically-linked program that is invoked by a
setuid/setgid program has access to the caller's environmental variables
if the setuid/setgid program sets the real and effective UIDs to be equal
and the real and effective GIDs to be equal before the dynamically-linked
program is executed. A vulnerability exists if the UIDs and GIDs are not
equal to those of the user that invoked the setuid/setgid program.

Checksum of compressed tarfile 100633-01.tar.Z on ftp.uu.net = 43774 20
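
An added example, not part of Sun's bulletin or patch: a privileged program that changes its UIDs/GIDs and then executes a dynamically-linked program can defend against the condition described in Bug 1085851 by building a fresh environment without any "LD_" entries and passing that to execve(). The function names and the sample environment are hypothetical and constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: true if the entry is a run-time linker control
 * variable, i.e. its NAME begins with "LD_" (LD_LIBRARY_PATH, LD_PRELOAD). */
static int is_linker_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Build a new NULL-terminated environment that omits every "LD_*" entry.
 * The caller hands the result to execve() instead of the inherited environ.
 * Returns NULL on allocation failure; *kept receives the surviving count. */
char **scrub_linker_env(char *const envp[], size_t *kept)
{
    size_t n = 0, out = 0, i;
    char **clean;

    while (envp[n] != NULL)
        n++;
    clean = calloc(n + 1, sizeof(*clean));
    if (clean == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        if (!is_linker_var(envp[i]))
            clean[out++] = envp[i];   /* shares the string, does not copy it */
    }
    clean[out] = NULL;
    if (kept != NULL)
        *kept = out;
    return clean;
}

/* Constructed sample: the environment a caller might present to a setuid program. */
static char *const sample_env[] = {
    "HOME=/home/user",
    "LD_LIBRARY_PATH=/tmp/lib",
    "TERM=vt100",
    "LD_PRELOAD=/tmp/example.so",
    "OLD_STYLE=LD_inside_name_is_kept",   /* name does not start with LD_ */
    NULL
};

int main(void)
{
    size_t kept = 0;
    char **clean = scrub_linker_env(sample_env, &kept);
    int ok = (clean != NULL && kept == 3);
    free(clean);
    return ok ? 0 : 1;
}
```

A stricter variant of the same idea is to start from an empty environment and copy in only an explicit allow-list of variables.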


==============================================================================

UPGRADED PATCH INFORMATION


Sun Patch ID: 100173-08
Sun Bug IDs: 1076985, 1095935 (new for -08 version)
SunOS release: 4.1.1, 4.1.2
Synopsis: This patch fixes two additional problems in NFS.
Problem Description: This patch adds two fixes for the -08 version of
the NFS Jumbo:
  1. Bug 1076985 - NFS client crashes when accessing mounted file from
     a non-Sun NFS server.
  2. Bug 1095935 - A type mismatch in the declaration of UID can be
     exploited to obtain unauthorized privileges.

Checksum of compressed tarfile 100173-08.tar.Z on ftp.uu.net = 32598 475


Sun Patch ID: 100376-04
Sun Bug IDs: 1032053, 1069072, 1071053, 1082751
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch fixes previous problems with the -02 version
of the patch for integer multiplication and will make your system resistant
against the publicly available "crashme" program, version 1.8. Note that
there is no -03 version for this patch.
Problem Description: This patch combines 4 fixes:
1. Bug 1032053 - getreg should use fuword() when simulating instructions.
2. Bug 1069072 - Integer division on sparc can be used to gain root access.
3. Bug 1071053 - Integer multiplication on sparc can be used to gain root
access.
4. Bug 1082751 - segmentation violation caused by sdiv, udiv

NOTE: The SunOS 4.1.2, sun4m version of this patch requires changes made
by patch 100542-04 (IPI - Galaxy jumbo patch). To install this version,
obtain patch 100542-04 and follow the instructions in the README file
for patch 100376-04.

Sun Microsystems acknowledges many customer contributions in the test of
this patch.

Checksum of compressed tarfile 100376-04.tar.Z on ftp.uu.net = 12884 100
Checksum of compressed tarfile 100542-04.tar.Z on ftp.uu.net = 34068 242


Sun Patch ID: 100567-02
Sun Bug IDs: 1087460, 1093937
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch fixes two problems in ip_icmp.o.
Problem Description:
1. Bug 1087460 - freeing the same mbuf a second time causes mfree to
panic. This bug was fixed in the -01 version.
2. Bug 1093937 - icmp redirects can be used to make a host drop
connections. The current fix will make your networked systems
more resistant to attacks based on the spoofing of icmp messages,
but may not prevent all forms of such attacks.

Sun Microsystems acknowledges Darren Reed of the Australian National
University, Canberra, for the permission to use his source code
modifications in the above patch. Sun also thanks the CERT/CC computer
security emergency response team for its assistance in the test of this patch.

Checksum of compressed tarfile 100567-02.tar.Z on ftp.uu.net = 23118 13


===========================================================================

Sun Microsystems recommends that all customers concerned with the security
of their SunOS systems obtain and load the patches that are applicable to
their system(s).

Kenneth L. Pon
Software Security Coordinator
Sun Microsystems, Inc.