Patch advisory for Sun Microsystems. Please read for details.
SUN MICROSYSTEMS SECURITY BULLETIN: #00121, 29 June 93
==============================================================================
ABOUT THIS BULLETIN
This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.
Sun Microsystems expressly disclaims all liability for any misuse of
this information by any third party.
==============================================================================
BULLETIN TOPICS
I. New Patches
A. 101119-01 - SunOS 5.0 (Solaris 2.0): expreserve can be used to
overwrite any file
B. 101089-01 - SunOS 5.1 (Solaris 2.1): expreserve can be used to
overwrite any file
C. 101090-01 - SunOS 5.2 (Solaris 2.2): expreserve can be used to
overwrite any file
II. Related Patches
A. 101080-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: expreserve can be used to
overwrite any file (Sun Security Bulletin #120, 10 June 1993)
III. Obtaining Patches
IV. Acknowledgments
SPECIAL NOTES:
1. The expreserve vulnerability is known to Sun to exist on SunOS 4.1,
4.1.1, 4.1.2, 4.1.3, 5.0/Solaris 2.0, 5.1/Solaris 2.1, and
5.2/Solaris 2.2.
2. Sun recommends that the expreserve utility be disabled immediately,
and that official Sun patches be installed to correct the problem.
To prevent use of the expreserve utility, execute the following
command as root:
/usr/bin/chmod a-x /usr/lib/expreserve
The expreserve command normally is used to recover vi editor files
when vi terminates unexpectedly. Disabling expreserve will disable
this recovery feature. Users of vi should be advised of this temporary
change and encouraged to save their work frequently.
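The following script is an added example and is not part of Sun's bulletin. It wraps the interim mitigation from this note in two small functions: one reports the state of the expreserve binary (missing, disabled, executable, or setuid and executable; the setuid bit is reported because a setuid helper is what turns an arbitrary-file-overwrite flaw into root access), the other applies the bulletin's `chmod a-x` and returns success only if the file is verifiably no longer executable by anyone. The path defaults to /usr/lib/expreserve as given in the bulletin; both functions accept an explicit path so the logic can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example (not Sun's code): audit and apply the interim expreserve
# mitigation from Special Note 2 of Sun Security Bulletin #00121.
EXPRESERVE=/usr/lib/expreserve   # path from the bulletin; overridable per call

# expreserve_status [PATH]
# Prints exactly one word describing the binary's current state.
expreserve_status() {
    p="${1:-$EXPRESERVE}"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ ! -x "$p" ]; then
        echo disabled            # mitigation already in place
    elif [ -u "$p" ]; then
        echo setuid-executable   # the case a root user should act on now
    else
        echo executable
    fi
}

# disable_expreserve [PATH]
# Applies the bulletin's "chmod a-x" and re-checks the result, so a caller
# can rely on the exit status rather than trusting that chmod succeeded.
disable_expreserve() {
    p="${1:-$EXPRESERVE}"
    if [ ! -e "$p" ]; then
        echo "disable_expreserve: $p not present" >&2
        return 1
    fi
    chmod a-x "$p" || return 1
    [ ! -x "$p" ]
}

# Typical use as root on an affected host (prints the state before and after):
# expreserve_status; disable_expreserve && expreserve_status
```

Run `expreserve_status` first to see whether the host still needs the change; after `disable_expreserve` succeeds, vi's crash-recovery feature is off until the official patch is installed and the execute bits are restored.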
3. Patch 101080-01, described in the Sun Security Bulletin #120 issued
10 June 1993, fixed the problem for SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3,
and is still available from the sources described below. The README
file does not refer to SunOS 4.1 because the patch was released before
applicability of the patch to 4.1 was confirmed.
4. Patches 101119-01, 101089-01, and 101090-01 fix the problem for
5.0/Solaris 2.0, 5.1/Solaris 2.1, and 5.2/Solaris 2.2, and are now
available from the sources described below.
5. Due to the extraordinary recent publicity surrounding this
vulnerability, Sun decided NOT to delay the release of the first (4.x)
patch until the other (Solaris) patches were ready. Sun especially
regrets any inconvenience resulting from the split release.
==============================================================================
I. NEW PATCHES
A. Sun Patch ID: 101119-01, security problem with expreserve.
Sun Bug IDs: 1044909, 1083183
SunOS release: SunOS 5.0/Solaris 2.0
Synopsis: This patch fixes a problem in the expreserve program
which allows it to be used to overwrite any file. This
vulnerability can be used to obtain root access to the system.
Problem Description:
Bug 1044909 - race condition when file is created owned by root.
Bug 1083183 - expreserve can be used to overwrite any file.
Checksum of compressed tarfile 101119-01.tar.Z on ftp.uu.net:
BSD (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum): 33222 27
SysV (on Solaris, /usr/bin/sum): 1839 54
B. Sun Patch ID: 101089-01, security problem with expreserve.
Sun Bug IDs: 1044909, 1083183
SunOS release: SunOS 5.1/Solaris 2.1
Synopsis: This patch fixes a problem in the expreserve program
which allows it to be used to overwrite any file. This
vulnerability can be used to obtain root access to the system.
Problem Description:
Bug 1044909 - race condition when file is created owned by root.
Bug 1083183 - expreserve can be used to overwrite any file.
Checksum of compressed tarfile 101089-01.tar.Z on ftp.uu.net:
BSD (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum): 23443 27
SysV (on Solaris, /usr/bin/sum): 36631 54
C. Sun Patch ID: 101090-01, security problem with expreserve.
Sun Bug IDs: 1044909, 1083183
SunOS release: SunOS 5.2/Solaris 2.2
Synopsis: This patch fixes a problem in the expreserve program
which allows it to be used to overwrite any file. This
vulnerability can be used to obtain root access to the system.
Problem Description:
Bug 1044909 - race condition when file is created owned by root.
Bug 1083183 - expreserve can be used to overwrite any file.
Checksum of compressed tarfile 101090-01.tar.Z on ftp.uu.net:
BSD (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum): 53431 27
SysV (on Solaris, /usr/bin/sum): 53432 54
==============================================================================
II. RELATED PATCHES
A. Sun Patch ID: 101080-01, security problem with expreserve.
Sun Bug IDs: 1044909, 1083183
SunOS release: SunOS 4.1, 4.1.1, 4.1.2, 4.1.3
Synopsis: This patch fixes a problem in the expreserve program
which allows it to be used to overwrite any file. This
vulnerability can be used to obtain root access to the system.
Problem Description:
Bug 1044909 - race condition when file is created owned by root.
Bug 1083183 - expreserve can be used to overwrite any file.
Checksum of compressed tarfile 101080-01.tar.Z on ftp.uu.net:
BSD (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum): 45221 13
SysV (on Solaris, /usr/bin/sum): 1998 25
NOTE: This patch obsoletes patch 100251-01.
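Each patch entry above quotes its tarball checksum in two formats, the BSD form and the System V form, because the two sum(1) implementations use different algorithms and different block sizes (1024-byte blocks for BSD, 512-byte blocks for SysV; that is why every BSD block count is half the SysV one). The following Python is an added example, not part of Sun's bulletin, that implements both algorithms as found in the classic sum utilities and compares a downloaded tarball's bytes against the four values listed in sections I and II. The expected values are copied from the bulletin; the sample inputs used in the test are constructed.

```python
"""Added example (not Sun's code): recompute the BSD and System V sum(1)
checksums quoted in Sun Security Bulletin #00121 and compare a downloaded
patch tarball against them before installing it."""

import math

# Expected values copied from the bulletin, per tarball:
# (BSD checksum, BSD 1K-block count, SysV checksum, SysV 512-byte block count)
BULLETIN_SUMS = {
    "101119-01.tar.Z": (33222, 27, 1839, 54),
    "101089-01.tar.Z": (23443, 27, 36631, 54),
    "101090-01.tar.Z": (53431, 27, 53432, 54),
    "101080-01.tar.Z": (45221, 13, 1998, 25),
}


def bsd_sum(data: bytes) -> tuple[int, int]:
    """BSD sum: 16-bit accumulator rotated right one bit before each byte is
    added.  Returns (checksum, number of 1024-byte blocks, rounded up)."""
    checksum = 0
    for b in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right
        checksum = (checksum + b) & 0xFFFF
    return checksum, math.ceil(len(data) / 1024)


def sysv_sum(data: bytes) -> tuple[int, int]:
    """System V sum: plain byte sum folded twice into 16 bits.
    Returns (checksum, number of 512-byte blocks, rounded up)."""
    total = sum(data) & 0xFFFFFFFF
    r = (total & 0xFFFF) + (total >> 16)
    checksum = (r & 0xFFFF) + (r >> 16)
    return checksum, math.ceil(len(data) / 512)


def verify_patch(name: str, data: bytes) -> dict:
    """Compare the tarball bytes against the bulletin's listed sums.

    Both forms are checked independently, and 'ok' is True only when both
    match, so a transcription error in one listed value is visible rather
    than silently masked by the other."""
    if name not in BULLETIN_SUMS:
        raise ValueError(f"{name} is not listed in the bulletin")
    exp_bsd_ck, exp_bsd_blk, exp_sysv_ck, exp_sysv_blk = BULLETIN_SUMS[name]
    bsd = bsd_sum(data)
    sysv = sysv_sum(data)
    result = {
        "bsd": bsd == (exp_bsd_ck, exp_bsd_blk),
        "sysv": sysv == (exp_sysv_ck, exp_sysv_blk),
        "computed_bsd": bsd,
        "computed_sysv": sysv,
    }
    result["ok"] = result["bsd"] and result["sysv"]
    return result


def verify_patch_file(name: str, path: str) -> dict:
    """Convenience wrapper: read a downloaded tarball from disk and verify it."""
    with open(path, "rb") as fh:
        return verify_patch(name, fh.read())


if __name__ == "__main__":
    import sys
    # usage: python verify_sum.py 101119-01.tar.Z /path/to/101119-01.tar.Z
    print(verify_patch_file(sys.argv[1], sys.argv[2]))
```

On a system with GNU coreutils, `sum -r FILE` prints the BSD form and `sum -s FILE` the System V form, which is the same pairing the bulletin lists under "BSD" and "SysV". These 16-bit sums catch a truncated or corrupted FTP transfer; they are far too weak to detect deliberate substitution, so a tarball that passes should still come from the Sun answer center or the FTP directories named in section III.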
==============================================================================
III. OBTAINING PATCHES
Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install the patches that are applicable
to their computing environment.
All patches listed are available through your local Sun answer centers
worldwide. Please refer to the Bugid and Patchid when requesting patches
from Sun answer centers.
Sun also makes security patches available through anonymous FTP. In the US,
FTP to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist
directory. In Europe, FTP to mcsun.eu.net and obtain the patch from the
~ftp/sun/fixes directory. (Note that Sun does not have direct access to
mcsun.eu.net and must request that patches be copied from ftp.uu.net to
mcsun.eu.net. Therefore, there may be a time lag before patches appear
on mcsun.eu.net.)
===========================================================================
IV. ACKNOWLEDGMENTS
Sun Microsystems acknowledges the CERT Coordination Center, the CIAC
Computer Security Technology Center, and Lawrence Livermore Laboratories
for their assistance in the resolution of the expreserve problem.
===========================================================================
Mark G. Graff
Software Security Coordinator
Sun Microsystems, Inc.
(Please address e-mail replies or inquiries to: "security-alert@Sun.COM".)