SUN MICROSYSTEMS SECURITY BULLETIN: #00119, 15 March 93

This information is only to be used for the purpose of alerting
customers to problems.  Any other use or re-broadcast of this 
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
- ---------------------------------------------------------------------------

   All patches listed are available through your local Sun answer centers
   worldwide as well as through anonymous FTP:  in the US, FTP to ftp.uu.net 
   and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
   FTP to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
   Note that Sun does not have direct access to mcsun.eu.net and must request
   that patches be copied from ftp.uu.net to mcsun.eu.net.  Therefore, there
   may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.

- ----------------------------------------------------------------------------

BULLETIN TOPICS

I.   New Patches
     A.  100833-02 - Solaris 2.1/SunOS 5.1: auditing hooks missing from some 
         system programs.
     B.  100884-01 - Solaris 2.1/SunOS 5.1: cumulative fixes to /kernel/unix 
         including srmmu window handler does not check %sp
     C.  100891-01 - SunOS 4.1.3: international libc replacement (Note:
         Patch 100890-01, SunOS 4.1.3: domestic libc replacement, cannot
         be made available via anonymous FTP because of export restrictions.
   Please contact your Sun Answer Center for this patch, if applicable.)

II.  Upgraded Patches
     A.  100121-09 - SunOS 4.1 NFS Jumbo Patch
     B.  100173-10 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: NFS Jumbo Patch
     C.  100224-06 - SunOS 4.1.1, 4.1.2, 4.1.3: /bin/mail, /bin/rmail
     D.  100305-11 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: lpr, lpd, lpstat
     E.  100383-06 - SunOS 4.0.3, 4.1, 4.1.1, 4.1.2, 4.1.3: rdist security 
         and hard links enhancement
     F.  100448-01 - SunOS 4.1.1 4.1.2 4.1.3: OpenWindows 3.0: loadmodule is 
         a security hole
     G.  100452-28 - OpenWindows 3.0: XView/3.0 CTE Jumbo Patch
     H.  100482-04 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: ypserv, ypxfrd
     I.  100513-02 - SunOS 4.1 4.1.1 4.1.2 4.1.3: jumbo tty patch
     J.  100623-03 - SunOS 4.1.2 4.1.3: UFS jumbo patch

III. Security Fixes not available by Patch Installation
     A.  DNI (DECnet Interface)
     B.  PC-NFS

==============================================================================
 
SPECIAL NOTE:  SunOS 4.x patches 100121-09, 100173-10, 100513-02, and
100623-03 all require that a new kernel be configured, made, and installed.
All four patches provide significant security enhancements.  Note that the
installer need only build a new kernel once, after loading in the object files
(".o" files) from one or more of the mentioned patches.

==============================================================================


I. PATCHES THAT CONTAIN FIXES FOR NEW BUGS

A. Sun Patch ID:  100833-02, auditing hooks missing from some system programs.
   Sun Bug IDs: 1107949, 1108803
   SunOS release: Solaris 2.1/SunOS 5.1
   Synopsis:    This patch is required for using the unbundled Basic Security
        Module product on the Solaris 2.1 release.  It fixes the problem
        of several programs not being dynamically linked with the libc2
        security auditing library and other programs that were missing
        the appropriate auditing hooks.
   Problem Description: 
      Bug 1107949 - The makefile for libc2 needs to be modified to allow for 
          dynamic linking.
      Bug 1108803 - inetd, rshd, ftpd, rexecd, mountd, cron, and rexd need to 
          have the C2 auditing hooks added and the program dynamically linked 
          with the C2 library.

Checksum of compressed tarfile 100833-02.tar.Z on ftp.uu.net =  49753   155


B. Sun Patch ID:  100884-01, cumulative fixes to /kernel/unix
   Sun Bug IDs: 1108813, 1107190, 1108112, 1108947, 1110653, 1110373, 1105806,
       1100073, 1103645, 1106404, 1111011, 1112756, 1113153, 1114791
   SunOS release: Solaris 2.1/SunOS 5.1
   Synopsis:  cumulative fixes to /kernel/unix including srmmu security fix.
      Note that patches 100825-01, 100828-01, 100829-02, and 100848-01
      are obsoleted by this patch.
   Problem Description: 
      Bug 1108813 - security, srmmu window handler does not check %sp

Checksum of compressed tarfile 100884-01.tar.Z on ftp.uu.net =  03775  2610


C. Sun Patch ID:  100891-01, SunOS 4.1.3: international libc replacement
   Sun Bug IDs: 1108813
   SunOS release: Solaris 2.1/SunOS 5.1
   Synopsis:  Several bug fixes for 4.1.3, including two for security
   Problem Description: 
      Bug 1033104 - when /etc/hosts.equiv file begins with -@netgroup, any 
          machine gets equivalent access
      Bug 1053431 - innetgr may acknowledge false netgroup membership
      Bug 1077337 - xlock crashes when handling many return keypresses 
          leaving system open

Checksum of compressed tarfile 100891-01.tar.Z on ftp.uu.net =  33195  3075


==============================================================================

II. UPGRADED PATCH INFORMATION

A. Sun Patch ID:  100121-09, NFS Jumbo Patch for SunOS 4.1
   Sun Bug IDs:   1026933, 1034007, 1039977, 1029628, 1037476, 1038327, 
      1038302, 1034328, 1045536, 1045993, 1047557, 1030884, 1052330, 1053679
   SunOS release: 4.1
   Synopsis:  This revision adds sun4e 4.1 support.
   Problem Description: 
       Security relevant bug fixes:
       Bug 1026933 - Pages (not just bytes) of one file appear in another.
           This only happens on the client; the file on the server is not
           affected.  This problem disappears when the system is rebooted.
       Bug 1029628 - When a program with the setuid bit set is copied between
           local files the setuid bit is cleared. If the same file is copied 
           to an NFS file system the setuid bit is not cleared on the new file.
       Bug 1034328 - An NFS client can crash if two procedures unlink the
           same file at once.
       Bug 1045536 - NFS exports to non-sun systems can allow file truncation.

Checksum of compressed tarfile 100121-09.tar.Z on ftp.uu.net =  57589   360
 

B. Sun Patch ID:  100173-10, NFS Jumbo Patch
   Sun Bug IDs:   1039977, 1032959, 1029628, 1037476, 1038302, 1034328, 
      1045536, 1030884, 1045993, 1047557, 1052330, 1053679, 1041409, 
      1065361, 1066287, 1064433, 1070654, 1076985, 1095935, 1097593, 1111816
   SunOS release: 4.1.1, 4.1.2, 4.1.3
   Synopsis:  Patch revised to fix bugid 1111816
   Problem Description: 
       Bug 1111816 - NFS write/append performance is poor (nfs_vnodeops.o 
     modified).

Checksum of compressed tarfile 100173-10.tar.Z on ftp.uu.net =  48086   788
 

C. Sun Patch ID:  100224-06, /bin/mail, /bin/rmail
   Sun Bug IDs:   1045636, 1047340, 1051832, 1092987
   SunOS release: 4.1.1, 4.1.2, 4.1.3
   Synopsis:  Fixes bugids 1092987 and 1115042; old security fix for 1047340
   Problem Description: 
       Bug 1047340 - /bin/mail can be used to invoke a root shell.
       Bug 1092987 - mail signal handlers cause recursing SIGBUS errors.
       Bug 1115042 - mail crashes when value for MAXLET exceeded.

Checksum of compressed tarfile 100224-06.tar.Z on ftp.uu.net =  57647    54
 

D. Sun Patch ID:  100305-11, passwd, lpd, lpr, delete, system, lpstat -v
   Sun Bug IDs:   1016437, 1040453, 1057834, 1058003, 1059620, 1061504, 
      1063772, 1081850, 1081968, 1090527, 1048004
   SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3
   Synopsis:  Patch revised for bugid 1048004 fix
   Problem Description: 
      Bug 1048004 - lpr checks on the real user rather than the effective user.

Checksum of compressed tarfile 100305-11.tar.Z on ftp.uu.net =  38582   500


E. Sun Patch ID:  100383-06, rdist security and hard links enhancement
   Sun Bug IDs:   1069497, 1074961, 1059506
   SunOS release:  4.0.3, 4.1, 4.1.1, 4.1.2 4.1.3
   Synopsis:  Patch upgraded to fix bugid 1059506
   Problem Description:
       Bug 1069497 - user can gain root access using rdist (chmod(2)).
       Bug 1074961 - /usr/ucb/rdist under some conditions can be forced
     to create setuid root programs thus causing a security problem.
       Bug 1059506 - /usr/ucb/rdist does not transfer hard linked files.

Checksum of compressed tarfile 100383-06.tar.Z on ftp.uu.net =  58984   121

F. Sun Patch ID:  100448-01, OpenWindows 3.0: loadmodule
   Sun Bug IDs:   1076118
   SunOS release: SunOS 4.1.1 4.1.2 4.1.3
   Synopsis:  Patch tested on SunOS 4.1.3.  The revision number of this
       patch in Sun's patch database was not revised.
   Problem Description:
       Bug 1076118 - loadmodule has a security hole.

Checksum of compressed tarfile 100448-01.tar.Z on ftp.uu.net =  29285     5


G. Sun Patch ID:  100452-28, OpenWindows 3.0: XView/3.0 CTE Jumbo Patch
   Sun Bug IDs:   Many, security related bugs are 1077164 and 1091601.
   SunOS release: All compatible with OpenWindows 3.0
   Problem Description:
       Bug 1077164 - cmdtool L2/AGAIN key displays unechoed characters.
       Bug 1091601 - cmdtool feature has potential for revealing passwords.

Checksum of compressed tarfile 100452-28.tar.Z on ftp.uu.net =  07299  1688


H. Sun Patch ID:  100482-04, ypserv and ypxfrd security patch
   Sun Bug IDs:   1036869, 1039839, 1082319, 1082320, 1080353, 1078977
   SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3
   Synopsis:  Patch upgraded for bugid 1078977 and obsoletes patch 100465
   Problem Description:
       Bug 1078977 - DNS lookup will fail if the first nameserver in 
           /etc/resolv.conf is up but has no nameserver daemon running. 
           The ECONNREFUSED will be carried on down to the other nameservers 
           listed in resolv.conf even if they are up and their nameserver 
           daemons are running.

Please note that the /var/yp/securenets configuration file that is provided
in this patch does not support blank lines.

Checksum of compressed tarfile 100482-04.tar.Z on ftp.uu.net =  06594   342


I. Sun Patch ID:  100513-02, Jumbo tty patch
   Sun Bug IDs:   1008324, 1040722, 1048128, 1060689, 1064320, 1069768, 
                  1070495, 1104557
   SunOS release: 4.1, 4.1.1, 4.1.2, 4.1.3
   Synopsis:  This patch is a consolidation of patches 100225-02, 100194-02,
      100397-01, 100188-02 (TIOCCONS), 100358-01, and 100414-01.  It
      obsoletes these previous patches.  The current revision includes
      a fix for bug 1104557.
   Problem Description: 
      Bug 1008324 - TIOCCONS can be used to re-direct console output/input 
          away from "console" (from obsoleted patch 100188-02).
      Bug 1104557 - In rare circumstances, attempting a TIOCSTI ioctl on a pty,
          when the read side of the stream is full, can panic Bad Trap from 
          ttycommon_qfull, after passing that routine a faulty pointer to the 
          queue.

Checksum of compressed tarfile 100513-02.tar.Z on ftp.uu.net =  34315   483


J. Sun Patch ID:  100623-03, UFS jumbo patch
   Sun Bug IDs:   1078521, 1039693, 1082206, 1071839, 1102884, 1100860, 
      1077035, 1063470, 1075369
   SunOS release: 4.1.2, 4.1.3
   Synopsis:  The following information was derived from the patch's 
      README file:
      Patches which may conflict with this patch: 100505-01, 100548-01, 
          100575-02, 100731-01
      This patch and patch 100575-02 both modify ufs_bmap.o.  The version
          of ufs_bmap.o in this patch also contains the fix made for 100575-02.
          100575-02 is the galaxy performance/watchdog reset/system hang
          patch for SunOS 4.1.2.
      This patch should be applied in conjunction with the latest version
          of the NFS jumbo patch, 100173.  The NFS jumbo patch should be 
          applied before this patch.
   Problem Description: 
      Bug 1063470 - Non-random NFS file handles can be guessed

Checksum of compressed tarfile 100623-03.tar.Z on ftp.uu.net =  56063   141

===========================================================================

III. SECURITY FIXES NOT AVAILABLE BY PATCH INSTALLATION

A. DNI (DECnet Interface)
   Sun Bug IDs:   1060768, 1083426
   Synopsis:  To close the vulnerability described, obtain upgraded DNI 
      version 7.0.1.  The stated security bugs were fixed in obsoleted
      patch 100827-01, the DNI 7.0.1 jumbo patch, which obsoleted patches
      100611-01 and 100472-02.
   Problem Description: 
      Bug  1060768 - dni_rc_ins creates the rc script with world write.
      Bug  1083426 - DNI permissions on files copied by dnicp to Vax/VMS 
           systems are not set properly.

B. PC-NFS
   Sun Bug IDs:   1107553, 1109375
   Synopsis:  To close the vulnerability described, obtain the most recent 
      version of pcnfsd by anonymous FTP.  pcnfsd is available from the
      following FTP servers:  bcm.tmc.edu, src.doc.ic.ac.uk, and 
      ftpserver.massey.ac.nz.  Obtain pcnfsd.93.02.16.tar.Z if available;
      else use pcnfsd.92.11.05.tar.Z.
   Problem Description: 
      Bug  1107553 - pcnfsd, security hole SDR# pcn2251
      Bug  1109375 - pcnfsd, need to control printer, login SDR# pcn2325

   Sun Microsystems acknowledges Brian Fitzgerald of Rensselaer Polytechnic
   Institute and the CERT Coordination Center for their assistance in the 
   resolution of the aforementioned PC-NFS problems.

===========================================================================

Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install the patches that are applicable
to their computing environment.

Kenneth L. Pon
Software Security Coordinator
Sun Microsystems Computer Corporation