Patch advisory for Sun Microsystems. Please read for details.
-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00122, 21 October 93
-----------------------------------------------------------------------------
Send Replies or Inquiries To:

    Sun Security Coordinator
    MS MPK2-04
    2550 Garcia Avenue
    Mountain View, CA 94043-1100
    Phone: 415-688-9081
    Fax: 415-688-9101
    Email: security-alert@Sun.COM
BULLETIN TOPICS
I. New security patches for "tar" and "sendmail"
A. tar
- patch 100975-02 (SunOS 5.1/Solaris 2.1)
- patch 101301-01 (SunOS 5.2/Solaris 2.2)
B. sendmail
- patch 100377-07 (SunOS 4.1.1, 4.1.2, and 4.1.3)
- patch 100840-03 (SunOS 5.1/Solaris 2.1)
- patch 101077-03 (SunOS 5.2/Solaris 2.2)
II. Advisory note concerning the potential misuse of /dev/audio devices
III. How to obtain Sun security patches
IV. How to report Sun security problems
-----------
This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited. Sun Microsystems expressly disclaims all liability
for any misuse of this information by any third party.
Sun Microsystems recommends that all customers concerned with the
security of their SunOS system(s) obtain and install all patches that
are applicable to their computing environment.
-----------------------------------------------------------------------------
I. New Patches
A. tar
- patch 100975-02 (SunOS 5.1/Solaris 2.1)
- patch 101301-01 (SunOS 5.2/Solaris 2.2)
Bug 1145463 causes archive files produced by the Solaris 2.x tar to
contain extraneous information. The extraneous data, which can include
user IDs (but not passwords), is ignored when the archive files are
restored to disk.
The patched tar produces archive files in the same format as all other
versions; but any extraneous data is set to zero. Restoring an existing
archive file to disk, and then producing a new file with the patched
tar, will result in a clean archive file with no extra non-zero data.
A version of this patch has been prepared for the upcoming release of
Solaris 2.3, and will be available as soon as 2.3 is released. The
patch ID at that time will be 101327-01. Currently available patches
are summarized in the table below.
System        Patch ID   Filename          BSD Checksum   SVR4 Checksum
------        --------   ---------------   ------------   -------------
Solaris 2.1   100975-02  100975-02.tar.Z   37034 374      13460 747
Solaris 2.2   101301-01  101301-01.tar.Z   22089 390      4703 779
The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the
SVR4 version that Sun has released on Solaris 2.x (/usr/bin/sum).
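The bulletin's advice is to restore an existing archive and re-archive it with the patched tar, which raises the question of which archives need that treatment. The script below is an added example, not Sun's code: it walks the 512-byte blocks of a tar file and reports any non-zero bytes in the regions a correctly written archive leaves as zero padding (bytes 500 to 511 of each header block, and the unused tail of a member's last data block). The sample archives are constructed in a temporary directory with the local tar; the "leaky" copy has its header padding overwritten to stand in for output of the unpatched tar, since no archive from that tar is available here.

```shell
#!/bin/sh
# Added example, not Sun's code: scan a tar archive for non-zero bytes in the
# regions a correctly written archive leaves as zero padding:
#   - bytes 500..511 of every 512-byte header block (unused by the header)
#   - the unused tail of each member's last 512-byte data block
# The bulletin says the patched tar zeroes its extraneous data, so non-zero
# bytes here mark an archive that should be restored and re-archived.

# hexat FILE OFFSET COUNT: COUNT bytes at byte OFFSET as one hex string.
hexat() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# allzero HEX: succeed if the hex string contains only zero bytes.
allzero() {
    case $1 in *[1-9a-f]*) return 1 ;; esac
    return 0
}

# tar_padding_check FILE: print each offending block; return 0 if clean, 1 if not.
tar_padding_check() {
    f=$1; blk=0; rc=0
    nblocks=$(( $(wc -c < "$f" | tr -d ' ') / 512 ))
    while [ "$blk" -lt "$nblocks" ]; do
        hdr=$(hexat "$f" $((blk * 512)) 512)
        allzero "$hdr" && break            # an all-zero block ends the archive
        # Member size is ASCII octal at header bytes 124..135; keep octal digits only.
        octsize=$(dd if="$f" bs=1 skip=$((blk * 512 + 124)) count=12 2>/dev/null | tr -dc '0-7')
        size=$(( 0$octsize ))
        allzero "$(hexat "$f" $((blk * 512 + 500)) 12)" ||
            { echo "block $blk: non-zero bytes in header padding"; rc=1; }
        datablocks=$(( (size + 511) / 512 ))
        rem=$(( size % 512 ))
        if [ "$rem" -ne 0 ]; then           # last data block is only partly used
            last=$(( blk + datablocks ))
            allzero "$(hexat "$f" $((last * 512 + rem)) $((512 - rem)))" ||
                { echo "block $last: non-zero bytes after end of member data"; rc=1; }
        fi
        blk=$(( blk + 1 + datablocks ))
    done
    return $rc
}

# make_samples: constructed sample archives in a temporary directory. clean.tar
# is written by the local tar; leaky.tar is a copy whose header padding has
# been overwritten to stand in for output of the unpatched Solaris 2.x tar.
make_samples() {
    dir=$(mktemp -d)
    printf 'hello' > "$dir/member.txt"
    ( cd "$dir" && tar cf clean.tar member.txt )
    cp "$dir/clean.tar" "$dir/leaky.tar"
    printf 'LEAKEDMEMORY' | dd of="$dir/leaky.tar" bs=1 seek=500 conv=notrunc 2>/dev/null
    echo "$dir"
}

samples=$(make_samples)
tar_padding_check "$samples/clean.tar" && echo "clean.tar: no non-zero padding"
tar_padding_check "$samples/leaky.tar" || echo "leaky.tar: needs re-archiving"
rm -rf "$samples"
```

The check deliberately ignores the header checksum and member names; it answers only the bulletin's question, whether the archive carries anything but zeros outside the header fields and member data.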
B. sendmail
- patch 100377-07 (SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c)
- patch 100840-03 (SunOS 5.1/Solaris 2.1)
- patch 101077-03 (SunOS 5.2/Solaris 2.2)
Bug 1144946 on 4.1.x systems (and, similarly, bug 1142888 on Solaris
2.x systems) creates a sendmail security hole which allows remote
users access to some files on the affected system.
A version of this patch is being prepared for the upcoming
Solaris 2.3 release, but no patch ID is available at this time.
Currently available patches are summarized in the table below.
System        Patch ID   Filename          BSD Checksum   SVR4 Checksum
------        --------   ---------------   ------------   -------------
SunOS 4.1.x   100377-07  100377-07.tar.Z   36122 586      11735 1171
Solaris 2.1   100840-03  100840-03.tar.Z   01153 194      39753 388
Solaris 2.2   101077-03  101077-03.tar.Z   49343 177      63311 353
The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the
SVR4 version that Sun has released on Solaris 2.x (/usr/bin/sum).
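The two checksum columns in both tables come from two different algorithms, and the second number in each pair is a block count (1K blocks for the BSD sum, 512-byte blocks for the SVR4 sum, which is why the SVR4 count is roughly twice the BSD one). The script below is an added example, not Sun's code, for checking a downloaded patch file against a table row. It assumes a GNU coreutils or BSD-style `sum` is installed, where `sum -r` is the BSD algorithm and `sum -s` the System V one; the three-byte demonstration file is constructed, since the patch tarballs themselves are not reproduced here.

```shell
#!/bin/sh
# Added example, not Sun's code: check a downloaded patch file against the two
# checksums a bulletin table prints. On GNU/Linux and BSD systems `sum -r`
# implements the BSD algorithm (4.1.x /bin/sum, Solaris /usr/ucb/sum) and
# `sum -s` the System V algorithm (Solaris /usr/bin/sum); this assumes such a
# `sum` is installed. The second number in each pair is a block count, in 1K
# blocks for the BSD sum and 512-byte blocks for the SVR4 sum.

# norm_sum "CHECKSUM BLOCKS": strip leading zeros so "01153 194" = "1153 194".
norm_sum() {
    set -- $1
    c=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s %s\n' "${c:-0}" "$2"
}

# patch_sum bsd|svr4 FILE: print the normalised "CHECKSUM BLOCKS" of FILE.
patch_sum() {
    f=$2
    case $1 in
        bsd)  set -- $(sum -r "$f") ;;
        svr4) set -- $(sum -s "$f") ;;
        *)    echo "usage: patch_sum bsd|svr4 FILE" >&2; return 2 ;;
    esac
    norm_sum "$1 $2"
}

# verify_patch FILE "BSD BLOCKS" "SVR4 BLOCKS": 0 if both sums match the table.
verify_patch() {
    f=$1; want_bsd=$(norm_sum "$2"); want_svr4=$(norm_sum "$3")
    got_bsd=$(patch_sum bsd "$f"); got_svr4=$(patch_sum svr4 "$f")
    rc=0
    [ "$got_bsd" = "$want_bsd" ] ||
        { echo "$f: BSD sum is $got_bsd, table says $want_bsd"; rc=1; }
    [ "$got_svr4" = "$want_svr4" ] ||
        { echo "$f: SVR4 sum is $got_svr4, table says $want_svr4"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$f: both checksums match"
    return $rc
}

# Usage on a real download, with the values from the Solaris 2.1 tar row:
#   verify_patch 100975-02.tar.Z "37034 374" "13460 747"
# Constructed demonstration on a three-byte file, since the patch tarballs
# are not reproduced here: its sums are "16556 1" (BSD) and "294 1" (SVR4).
demo=$(mktemp)
printf 'abc' > "$demo"
verify_patch "$demo" "16556 1" "294 1"
verify_patch "$demo" "00001 1" "294 1" || echo "a mismatch exits non-zero"
rm -f "$demo"
```

Both sums are weak 16-bit checksums that catch transfer corruption, not tampering; they are what the bulletin offers, so the script compares exactly what the table prints and nothing more.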
II. Advisory note concerning the potential misuse of /dev/audio devices
Recently some customers have expressed the concern that the
microphone found on Sun workstations could be used for eavesdropping.
This note, which is pertinent to both 4.1.x and 5.x systems, describes
- The default settings of permissions on the audio devices
- How to set permissions on the system to prevent unauthorized use
of the microphone
- Changes upcoming in Solaris 2.3 which improve the security of
such devices.
Note, however, that Sun recommends that customers who have a security
concern regarding the microphone either switch off or unplug the
microphone to prevent unauthorized listening.
The initial permissions for the audio data device, /dev/audio, allow
anyone to listen with the microphone when it is turned on. Also, the
permissions for the audio control device, /dev/audioctl, allow anyone
to vary playback and record settings such as volume. "Anyone", in
this case, may include users on a remote workstation (depending, for
example, on the settings in the user's .rhosts file).
One way to prevent unauthorized use of the system's audio devices is
to become root and change the owner and permissions of /dev/audio and
/dev/audioctl. The owner should be the user that will use the
machine's console. For example, to allow only the user "graff" read
and write access to the audio device and audio control device,
execute commands such as:
# chmod 600 /dev/audio*
# chown graff /dev/audio*
then check to see that the permissions resemble:
# ls -lL /dev/audio*
crw------- 1 graff sys 28, 0 Jul 12 14:20 /dev/audio
crw------- 1 graff sys 28,128 Jul 12 14:20 /dev/audioctl
The owner and permissions for /dev/audio and /dev/audioctl will stay
the same until manually changed, so if you want a different user to
have access to the microphone you will need to use chown to change
the owner of /dev/audio and /dev/audioctl to the new user.
On SunOS 4.1.x systems, the /etc/fbtab file can be used to
automatically have the audio data device and audio control device
accessible to only the console user. This capability does not exist
in Solaris 2.1 and 2.2; but similar functionality (see
/etc/logindevperm) has been added to the upcoming 2.3 release.
To restrict access to the audio devices using the SunOS 4.1.x
/etc/fbtab file, become root and edit /etc/fbtab, adding these lines
to the end of the file:
/dev/console 0600 /dev/audio
/dev/console 0600 /dev/audioctl
Then log out and log in again. Check the permissions with ls; they
should look like this if the console user is root:
# ls -lg /dev/audio*
crw------- 1 root daemon 69, 0 Jul 12 15:26 /dev/audio
crw------- 1 root daemon 69, 1 Jul 12 15:26 /dev/audioctl
If a non-root user is logged into the console the owner will be that
user and the group will be the user's default group. When no one is
logged into the console the /etc/fbtab entry above will cause
/dev/audio and /dev/audioctl to have these permissions:
# ls -lg /dev/audio*
crw------- 1 root wheel 69, 0 Jul 12 15:26 /dev/audio
crw------- 1 root wheel 69, 1 Jul 12 15:26 /dev/audioctl
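The manual chmod/chown procedure above and the /etc/fbtab mechanism produce the same end state: the two devices owned by the console user with mode 0600. The script below is an added example, not Sun's code, that puts both into functions: an audit that reports any device group or others can still open (or that the wrong user owns), the bulletin's chmod 600 and chown lockdown, and an emulation of what login does with fbtab lines of the form "/dev/console MODE DEVICE". Device paths are parameters so the logic can be exercised on ordinary files without root; the demonstration at the end runs on constructed temporary files standing in for /dev/audio and /dev/audioctl.

```shell
#!/bin/sh
# Added example, not Sun's code: audit the audio devices for the open default
# permissions, lock them to one user as the bulletin's chmod/chown procedure
# does, and emulate what SunOS 4.1.x /etc/fbtab does at console login. Device
# paths are parameters so the logic can run on ordinary files without root;
# on a real system pass /dev/audio /dev/audioctl.

# perm_of PATH: the ten-character mode string, following symlinks (ls -lL).
perm_of() { ls -ldL "$1" | awk '{ print substr($1, 1, 10) }'; }

# owner_of PATH: owner name and numeric uid, e.g. "graff 1001".
owner_of() {
    printf '%s %s\n' "$(ls -ldL "$1" | awk '{ print $3 }')" "$(ls -ndL "$1" | awk '{ print $3 }')"
}

# audit_audio USER DEV...: succeed only if every DEV denies group and others
# and is owned by USER (a name or a uid); report each deviation otherwise.
audit_audio() {
    user=$1; shift; rc=0
    for dev in "$@"; do
        p=$(perm_of "$dev")
        case $p in
            ????------) ;;
            *) echo "$dev: mode $p lets group/other open the device"; rc=1 ;;
        esac
        case " $(owner_of "$dev") " in
            *" $user "*) ;;
            *) echo "$dev: owned by $(owner_of "$dev"), expected $user"; rc=1 ;;
        esac
    done
    return $rc
}

# lock_audio USER DEV...: the bulletin's chmod 600 and chown, then re-audit.
lock_audio() {
    user=$1; shift
    chmod 600 "$@" && chown "$user" "$@" && audit_audio "$user" "$@"
}

# fbtab_apply USER FBTAB: what login does with lines "/dev/console MODE DEVICE":
# each DEVICE becomes owned by USER with mode MODE. Pass root for the logout case.
fbtab_apply() {
    user=$1
    while read -r tty mode dev; do
        case $tty in ''|'#'*) continue ;; esac    # blank lines and comments
        chown "$user" "$dev" && chmod "$mode" "$dev" || return 1
    done < "$2"
}

# Constructed demonstration on temporary files standing in for the devices.
demo_audio() {
    dir=$(mktemp -d); me=$(id -u)
    touch "$dir/audio" "$dir/audioctl"
    chmod 666 "$dir/audio" "$dir/audioctl"        # the open default
    audit_audio "$me" "$dir/audio" "$dir/audioctl" || echo "before: devices are open"
    printf '/dev/console 0600 %s\n/dev/console 0600 %s\n' "$dir/audio" "$dir/audioctl" > "$dir/fbtab"
    fbtab_apply "$me" "$dir/fbtab"
    audit_audio "$me" "$dir/audio" "$dir/audioctl" && echo "after: devices locked to uid $me"
    rm -rf "$dir"
}
demo_audio
```

On a real 4.1.x or 5.x system the audit is the part worth scheduling: `audit_audio "$(who | awk '$2 == "console" { print $1 }')" /dev/audio /dev/audioctl` tells you whether the devices are still restricted to whoever is at the console, which is exactly the state both the manual procedure and fbtab are meant to maintain.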
III. How to obtain Sun security patches
Customers with Sun support contracts can obtain the patches listed
here, and all Sun security patches, from:
- Your local Sun answer centers, worldwide
- SunSolve Online
Please refer to the Bug ID and Patch ID when requesting patches from Sun
answer centers.
Security patches are also available without a support contract via
anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
IV. How to report Sun security problems
If you discover a security problem with Sun software, please contact
one or more of the following:
- Your local Sun answer centers, worldwide
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
Email: security-alert@Sun.COM
-----------
If you received this bulletin indirectly and would like to be added
to Sun's Customer Warning System mailing list in order to receive
future bulletins directly, send a request to the address above with
your affiliation and contact information. If you have e-mail access,
send mail to "security-alert@Sun.COM" with the subject "subscribe"
and your affiliation and contact information in the message body.