Patch advisory for Sun Microsystems. Please read for details.
-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00124, 15 December 93
-----------------------------------------------------------------------------
BULLETIN TOPICS
I. New security patches for "loadmodule" and "modload"
A. loadmodule patch 100448-02 (SunOS 4.1.x, Openwindows 3.0 only)
B. modload patch 101200-02 (SunOS 4.1.x)
II. Protecting Solaris 2.x systems against fsck failures at system boot
III. Sendmail update
IV. How to obtain Sun security patches
A. If you have a support contract
B. If you do not have a support contract
V. How to report or inquire about Sun security problems
VI. How to obtain Sun security bulletins
A. Subscription information
B. Obtaining old bulletins
Send Replies or Inquiries To:

    Sun Security Coordinator
    MS MPK2-04
    2550 Garcia Avenue
    Mountain View, CA 94043-1100
    Phone: 415-688-9081
    Fax: 415-688-9101
    E-mail: security-alert@Sun.COM
-----------
Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.
Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.
-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00124, 15 December 93
-----------------------------------------------------------------------------
I. New security patches for "loadmodule" and "modload"
A. loadmodule patch 100448-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c,
Open Windows version 3.0 only)
Loadmodule bug 1076118 allows root access via the manipulation of
environment variables.
System   Patch ID    Filename           BSD Checksum   SVR4 Checksum
------   ---------   ----------------   ------------   -------------
4.1.x    100448-02   100448-02.tar.Z    19410 5        30701 9
Loadmodule was distributed only for OW 3.0, which means that no sun3
or x86 machines are affected; and systems running Solaris 2.x use OW
3.1, which excludes them as well. However, any system on which
loadmodule is installed "setuid root"--owned by root, with the suid
bit set, as in the standard release--is vulnerable, whether or not
Open Windows is running on that machine.
Note: The modload patch described below must also be installed to
close this security hole.
B. modload patch 101200-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c)
Bug 1137491 allows root access via the manipulation of environment
variables.
System   Patch ID    Filename           BSD Checksum   SVR4 Checksum
------   ---------   ----------------   ------------   -------------
4.1.x    101200-02   101200-02.tar.Z    41677 28       56138 55
Modload can only represent a security problem when it is installed
setuid or setgid (which, by default, it is not); or when it is invoked
from setuid or setgid software, such as loadmodule. Modload is often
invoked in this latter mode and it is for this reason that Sun
recommends running the patched version.
Note: The loadmodule patch described above must also be installed to
close this security hole.
II. Protecting Solaris 2.x systems against fsck failures at system boot
If fsck fails during system boot, a privileged shell is run
on the system console. This behavior can represent a security
vulnerability if it is possible for users who would normally
not have root access to have physical access to the console at
boot time. This bug, 1124898, does not occur in 4.1.x systems.
A simple change to each of two system scripts can be used to
close this potential security hole. The new behavior will cause the
system to run the privileged shell only if the user at the console
enters the correct root password. The changes, described below,
have been integrated into the upcoming Solaris 2.x release.
If you wish to make the change on your own systems, edit both
/sbin/rcS and /sbin/mountall, changing every occurrence of:
/sbin/sh < /dev/console
to:
/sbin/sulogin < /dev/console
As distributed by Sun, /sbin/rcS contains one occurrence of this
string, at line 152; and /sbin/mountall contains two, one at line
66 and one at line 250.
Once this change has been made, sulogin will request the root
password in the event fsck fails, before starting a privileged shell.
The success or failure of sulogin will be logged in /var/adm/sulog.
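The following script is an added example, not part of Sun's bulletin: it audits a boot script for the unauthenticated console shell described above and applies the sulogin substitution with a backup, then exercises the fix on a constructed stand-in file (not Sun's real /sbin/rcS). File paths are passed as arguments so it can be tried on copies first.

```sh
#!/bin/sh
# Added example, not from the Sun bulletin: replace the unauthenticated
# post-fsck console shell with sulogin, which demands the root password
# and logs the attempt to /var/adm/sulog.

WEAK='/sbin/sh < /dev/console'        # string the bulletin says to replace
FIXED='/sbin/sulogin < /dev/console'  # its replacement

# count_weak FILE: print how many lines still run the unauthenticated shell.
# Prints 0 for a missing file; '|| true' keeps grep's "no match" exit
# status from tripping 'set -e' in callers.
count_weak() {
    n=$(grep -c -F "$WEAK" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# harden FILE: keep a FILE.orig backup, apply the substitution, and return
# non-zero unless every occurrence was replaced.
harden() {
    f=$1
    [ -f "$f" ] || { echo "harden: $f not found" >&2; return 1; }
    [ "$(count_weak "$f")" -eq 0 ] && return 0        # already hardened
    cp -p "$f" "$f.orig" || return 1
    # '|' delimiter because both strings contain '/'; neither has BRE specials
    sed "s|$WEAK|$FIXED|g" "$f.orig" > "$f" || return 1
    [ "$(count_weak "$f")" -eq 0 ]
}

# demo: run the fix on a constructed stand-in for /sbin/rcS (not Sun's real
# script) in a scratch directory; returns 0 only if both occurrences changed.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/rcS" <<'EOF'
echo "fsck failed; dropping to a shell on the console"
/sbin/sh < /dev/console
/sbin/sh < /dev/console
EOF
    before=$(count_weak "$d/rcS"); harden "$d/rcS" || return 1
    after=$(count_weak "$d/rcS")
    fixed=$(grep -c -F "$FIXED" "$d/rcS" || true)
    rm -rf "$d"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ] && [ "$fixed" -eq 2 ]
}
```

On a real system, run `count_weak /sbin/rcS` and `count_weak /sbin/mountall` first; the bulletin's counts (one and two occurrences respectively) confirm you are looking at the unmodified Sun scripts before `harden` rewrites them.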
III. Sendmail update
In our bulletin #123 issued 10 November 1993, we said:
We are now working on fixes for the newly-discovered bugs in our
version of sendmail, and will release a patch as soon as testing
is complete. We expect to release the next sendmail patch...
about 19 November. However, the release may be delayed if more
holes are discovered in the interim or if the known bugs prove
more difficult than expected to resolve.
We have almost completed testing of the new sendmail patch and
expect to release it no later than 21 December (Tuesday).
We will announce the patch in a bulletin similar to this one.
IV. How to obtain Sun security patches
A. If you have a support contract
Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:
- Local Sun answer centers, worldwide
- SunSolve Online
Please refer to the bug ID and patch ID when requesting patches
from Sun answer centers.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
B. If you do not have a support contract
Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
Patches announced in a Sun security bulletin are uploaded to these
two sites just before the bulletin is released, and seldom updated.
In contrast, the "supported" patch databases are refreshed nightly,
and will often contain newer versions of a patch incorporating
changes which are not security-related.
V. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM
VI. How to obtain Sun security bulletins
A. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
[mail-address]" and a message body containing affiliation and contact
information. To request that your name be removed from the mailing
list, send mail to the same address with the subject "unsubscribe CWS
[mail-address]". Do not include other requests or reports in a
subscription message.
Due to the volume of subscription requests which we receive, we cannot
guarantee to acknowledge or execute requests which are not in the
format described above. Normally we will acknowledge your request
within 24 hours of receipt.
If you would like your bulletin delivered via postal mail or fax,
please contact this office directly to make arrangements.
B. Obtaining old bulletins
Recent bulletins (#119 and later) are archived on ftp.uu.net, in the
same directory as the patches. Many earlier bulletins are available
from SunSolve. Please try these sources first before contacting this
office for old bulletins.
------------