
SUN MICROSYSTEMS SECURITY BULLETIN: #00124

Posted Jan 19, 1994

Patch advisory for Sun Microsystems. Please read for details.

SHA-256 | 9357cc01f54834dca33acf0fdace60b672b52c366eb4705cd2450b39e9cea4c8

-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00124, 15 December 93
-----------------------------------------------------------------------------


BULLETIN TOPICS

I. New security patches for "loadmodule" and "modload"

A. loadmodule patch 100448-02 (SunOS 4.1.x, Openwindows 3.0 only)
B. modload patch 101200-02 (SunOS 4.1.x)

II. Protecting Solaris 2.x systems against fsck failures at system boot

III. Sendmail update

IV. How to obtain Sun security patches

A. If you have a support contract
B. If you do not have a support contract

V. How to report or inquire about Sun security problems

VI. How to obtain Sun security bulletins

A. Subscription information
B. Obtaining old bulletins



Send Replies or Inquiries To:

Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM

-----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.

-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00124, 15 December 93
-----------------------------------------------------------------------------

I. New security patches for "loadmodule" and "modload"

A. loadmodule patch 100448-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c,
Open Windows version 3.0 only)

Loadmodule bug 1076118 allows root access via the manipulation of
environmental variables.

System  Patch ID   Filename         BSD Checksum  SVR4 Checksum
------  ---------  ---------------  ------------  -------------
4.1.x   100448-02  100448-02.tar.Z  19410 5       30701 9

Loadmodule was distributed only for OW 3.0, which means that no sun3
or x86 machines are affected; and systems running Solaris 2.x use OW
3.1, which excludes them as well. However, any system on which
loadmodule is installed "setuid root"--owned by root, with the suid
bit set, as in the standard release--is vulnerable, whether or not
Open Windows is running on that machine.

Note: The modload patch described below must also be installed to
close this security hole.

B. modload patch 101200-02 (SunOS 4.1.1, 4.1.2, 4.1.3, 4.1.3c)

Bug 1137491 allows root access via the manipulation of environmental
variables.

System  Patch ID   Filename         BSD Checksum  SVR4 Checksum
------  ---------  ---------------  ------------  -------------
4.1.x   101200-02  101200-02.tar.Z  41677 28      56138 55

Modload can only represent a security problem when it is installed
setuid or setgid (which, by default, it is not); or when it is invoked
from setuid or setgid software, such as loadmodule. Modload is often
invoked in this latter mode and it is for this reason that Sun
recommends running the patched version.

Note: The loadmodule patch described above must also be installed to
close this security hole.


II. Protecting Solaris 2.x systems against fsck failures at system boot

If fsck fails during system boot, a privileged shell is run
on the system console. This behavior can represent a security
vulnerability if it is possible for users who would normally
not have root access to have physical access to the console at
boot time. This bug, 1124898, does not occur in 4.1.x systems.

A simple change to each of two system scripts can be used to
close this potential security hole. The new behavior will cause the
system to run the privileged shell only if the user at the console
enters the correct root password. The changes, described below,
have been integrated into the upcoming Solaris 2.x release.

If you wish to make the change on your own systems, edit both
/sbin/rcS and /sbin/mountall, changing every occurrence of:

        /sbin/sh < /dev/console

to:

        /sbin/sulogin < /dev/console

As distributed by Sun, /sbin/rcS contains one occurrence of this
string, at line 152; and /sbin/mountall contains two, one at line
66 and one at line 250.

Once this change has been made, sulogin will request the root
password in the event fsck fails, before starting a privileged shell.
The success or failure of sulogin will be logged in /var/adm/sulog.
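
An added example (not part of Sun's bulletin) of the edit described above: a shell helper that counts the remaining `/sbin/sh < /dev/console` lines in a boot script and rewrites them to `/sbin/sulogin`, keeping a backup. The function names, the `.orig` backup suffix, the whitespace-tolerant pattern and the sample script content are assumptions made for illustration.

```shell
#!/bin/sh
# Pattern allows any whitespace around "<" (assumption; the bulletin
# shows single spaces).
PATTERN='/sbin/sh[[:space:]]*<[[:space:]]*/dev/console'

# Print how many lines of $1 still start an unauthenticated root shell.
count_unprotected() {
    grep -c "$PATTERN" "$1" || true
}

# Rewrite $1 in place, saving the original as $1.orig.
# Prints the number of lines changed; returns 1 on error.
harden_boot_script() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    n=$(count_unprotected "$file")
    if [ "$n" -gt 0 ]; then
        cp -p "$file" "$file.orig" || return 1
        tmp=$(mktemp) || return 1
        # cat into the file (rather than mv) keeps its mode and owner
        if sed "s#/sbin/sh\([[:space:]]*<[[:space:]]*/dev/console\)#/sbin/sulogin\1#g" \
               "$file" > "$tmp" && cat "$tmp" > "$file"; then
            rm -f "$tmp"
        else
            rm -f "$tmp"; return 1
        fi
    fi
    echo "$n"
}

# Constructed sample standing in for /sbin/mountall (not Sun's script).
demo_dir=$(mktemp -d)
cat > "$demo_dir/mountall" <<'EOF'
/usr/sbin/fsck -m $fsckdev || {
    echo "fsck failed; starting shell"
    /sbin/sh < /dev/console
}
[ $rc -ne 0 ] && /sbin/sh   <  /dev/console
EOF
harden_boot_script "$demo_dir/mountall"      # prints 2
count_unprotected "$demo_dir/mountall"       # prints 0
```

On a real system, run `harden_boot_script` as root against /sbin/rcS and /sbin/mountall and confirm that `count_unprotected` reports 0 for both.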


III. Sendmail update

In our bulletin #123 issued 10 November 1993, we said:

    We are now working on fixes for the newly-discovered bugs in our
    version of sendmail, and will release a patch as soon as testing
    is complete. We expect to release the next sendmail patch...
    about 19 November. However, the release may be delayed if more
    holes are discovered in the interim or if the known bugs prove
    more difficult than expected to resolve.

We have almost completed testing of the new sendmail patch and
expect to release it no later than 21 December (Tuesday).
We will announce the patch in a bulletin similar to this one.


IV. How to obtain Sun security patches

A. If you have a support contract

Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:

- Local Sun answer centers, worldwide
- SunSolve Online

Please refer to the bug ID and patch ID when requesting patches
from Sun answer centers.

You should also contact your answer center if you have a support
contract and:

- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready

B. If you do not have a support contract

Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:

- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net

Patches announced in a Sun security bulletin are uploaded to these
two sites just before the bulletin is released, and seldom updated.
In contrast, the "supported" patch databases are refreshed nightly,
and will often contain newer versions of a patch incorporating
changes which are not security-related.


V. How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:

Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100

Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM


VI. How to obtain Sun security bulletins

A. Subscription information

Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.

To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
[mail-address]" and a message body containing affiliation and contact
information. To request that your name be removed from the mailing
list, send mail to the same address with the subject "unsubscribe CWS
[mail-address]". Do not include other requests or reports in a
subscription message.

Due to the volume of subscription requests which we receive, we cannot
guarantee to acknowledge or execute requests which are not in the
format described above. Normally we will acknowledge your request
within 24 hours of receipt.

If you would like your bulletin delivered via postal mail or fax,
please contact this office directly to make arrangements.

B. Obtaining old bulletins

Recent bulletins (#119 and later) are archived on ftp.uu.net, in the
same directory as the patches. Many earlier bulletins are available
from SunSolve. Please try these sources first before contacting this
office for old bulletins.

------------