NNNNOOOOTTTTIIIICCCCEEEE OOOOFFFF AAAAVVVVAAAAIIIILLLLAAAABBBBIIIILLLLIIIITTTTYYYY OOOOFFFF SSSSUUUUNNNN PPPPAAAATTTTCCCCHHHH FFFFOOOORRRR RRRRCCCCPPPP AAAANNNNDDDD RRRRDDDDIIIISSSSTTTT Several weeks ago, the DOE Computer Incident Advisory Capability (CIAC) reported a UNIX security problem involving rcp and rdist in 4.3BSD, 4.3BSD-tahoe, and all versions of UNIX using BSD networking code, as well as SunOS (all versions). Patches for BSD but not SUN systems were available at the time you received an announcement about the rcp and rdist vulnerabilities. However, patches for SUN3 and SUN4 systems are now available. You may obtain these patches from several sources, to be described shortly. TTTToooo ttttrrrraaaannnnssssffffeeeerrrr tttthhhheeee ppppaaaattttcccchhhheeeessss:::: Log in to your local SUN machine. Get into the directory into which you want the patches to be transferred. You can accomplish this by typing: _c_d "dir", where "dir" is the name of the directory to which you want to copy the patches. Use one of the following options: OOOOPPPPTTTTIIIIOOOONNNN IIII---- TTTTrrrraaaannnnssssffffeeeerrrr tttthhhheeee PPPPaaaattttcccchhhheeeessss ffffrrrroooommmm uuuuuuuunnnneeeetttt....uuuuuuuu....nnnneeeetttt TTTTyyyyppppeeee:::: _f_t_p _u_u_n_e_t._u_u._n_e_t The remote system will prompt you as follows: Name: ttttyyyyppppeeee:::: _a_n_o_n_y_m_o_u_s Passwd: ttttyyyyppppeeee:::: _g_u_e_s_t ftp> When you get an "ftp>" prompt then TTTTyyyyppppeeee:::: _c_d _s_u_n-_f_i_x_e_s and then type: _l_s (this will help you see what directory you are in.) Then ttttyyyyppppeeee:::: _t_y_p_e _i_m_a_g_e Now you are ready to copy the patches. If you are running a SUN3 system, i.e. 68020., TTTTyyyyppppeeee:::: _g_e_t rcp.sun3.Z Or for SUN4 systems, i.e. SPARC architecture., ttttyyyyppppeeee:::: _g_e_t rcp.sun4.Z Do the same for: _g_e_t "rdist.sun3.Z" or _g_e_t "rdist.sun4.Z" Finally ttttyyyyppppeeee:::: _q_u_i_t June 12, 1996 - 2 - OOOOPPPPTTTTIIIIOOOONNNN IIIIIIII---- TTTTrrrraaaannnnssssffffeeeerrrr tttthhhheeee ppppaaaattttcccchhhheeeessss ffffrrrroooommmm llllllllllll----ccccrrrrgggg....llllllllnnnnllll....ggggoooovvvv If you cannot connect to uunet.uu.net, then try the following: TTTTyyyyppppeeee:::: _f_t_p _l_l_l-_c_r_g._l_l_n_l._g_o_v The remote system will prompt you as follows: Name: ttttyyyyppppeeee:::: _a_n_o_n_y_m_o_u_s Passwd: ttttyyyyppppeeee:::: _g_u_e_s_t ftp> TTTTyyyyppppeeee:::: _c_d _s_u_n GGGGeeeetttt the files as shown above. (Refer to I.c and I.d above) Finally ttttyyyyppppeeee:::: _q_u_i_t TTTToooo iiiinnnnssssttttaaaallllllll tttthhhheeee ppppaaaattttcccchhhheeeessss oooonnnn yyyyoooouuuurrrr ssssyyyysssstttteeeemmmm:::: After you get the patches and are back to your local machine, do the following: MMMMaaaakkkkeeee yyyyoooouuuurrrr ffffiiiilllleeeessss rrrreeeeaaaaddddaaaabbbblllleeee.... TTTTyyyyppppeeee:::: _u_n_c_o_m_p_r_e_s_s _r_c_p._s_u_n_3._Z. TTTTyyyyppppeeee:::: _u_n_c_o_m_p_r_e_s_s _r_d_i_s_t._s_u_n_3._Z. the _r_d_i_s_t._s_u_n_3._Z is for SUN3 systems, if you have a SUN4 it will be _r_d_i_s_t._s_u_n_4._Z. The same naming rule is being used on _r_c_p._s_u_n_3._Z. RRRReeeeppppllllaaaacccceeee tttthhhheeee oooorrrriiiiggggiiiinnnnaaaallll rrrrccccpppp aaaannnndddd rrrrddddiiiisssstttt.... You can achieve this by: 2.1) TTTTyyyyppppeeee:::: _w_h_e_r_e_i_s _r_c_p Your computer will return a pathname such as: /usr/ucb/rcp. Write down that pathname. 2.2) Do the same for "rdist". TTTTyyyyppppeeee:::: _w_h_e_r_e_i_s _r_d_i_s_t 2.3) TTTTyyyyppppeeee:::: _c_p "_r_c_p-_p_a_t_h_n_a_m_e" "_r_c_p-_p_a_t_h_n_a_m_e._o_r_i_g" (where "rcp-pathname" is the pathname from step 2.1 above.) TTTTyyyyppppeeee:::: _c_p "_r_d_i_s_t-_p_a_t_h_n_a_m_e" "_r_d_i_s_t-_p_a_t_h_n_a_m_e._o_r_i_g" (where "rdist-pathname" is the pathname from step 2.2 above.) TTTTyyyyppppeeee:::: _c_p _r_c_p._s_u_n_3 "_r_c_p-_p_a_t_h_n_a_m_e" <_R_E_T_U_R_N> TTTTyyyyppppeeee:::: _c_p _r_d_i_s_t._s_u_n_3 "_r_c_p-_p_a_t_h_n_a_m_e" You can now test these utilities. If you cannot connect to either uunet.uu.net or lll-crg.llnl.gov via the network or need further assistance, please contact: Ana Maria De Alvare' anamaria@lll-lcc.llnl.gov (415) 422-7007 or (FTS) 532-7007 or send e-mail to: ciac@tiger.llnl.gov June 12, 1996