-----------------------------------------------------------------------------
            SUN MICROSYSTEMS SECURITY BULLETIN: #00122, 21 October 93
-----------------------------------------------------------------------------

Send Replies or Inquiries To:

        Sun Security Coordinator
        MS MPK2-04
        2550 Garcia Avenue
        Mountain View, CA 94043-1100
        Phone: 415-688-9081
        Fax:   415-688-9101
        Email: security-alert@Sun.COM

BULLETIN TOPICS

    I.   New security patches for "tar" and "sendmail"

         A. tar
            - patch 100975-02 (SunOS 5.1/Solaris 2.1)
            - patch 101301-01 (SunOS 5.2/Solaris 2.2)

         B. sendmail
            - patch 100377-07 (SunOS 4.1.1, 4.1.2, and 4.1.3)
            - patch 100840-03 (SunOS 5.1/Solaris 2.1)
            - patch 101077-03 (SunOS 5.2/Solaris 2.2)

    II.  Advisory note concerning the potential misuse of /dev/audio devices

    III. How to obtain Sun security patches

    IV.  How to report Sun security problems

-----------

This information is only to be used for the purpose of alerting customers
to problems. Any other use or re-broadcast of this information without the
express written consent of Sun Microsystems shall be prohibited. Sun
Microsystems expressly disclaims all liability for any misuse of this
information by any third party.

Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install all patches that are applicable
to their computing environment.

-----------------------------------------------------------------------------

I.  New Patches

    A. tar
       - patch 100975-02 (SunOS 5.1/Solaris 2.1)
       - patch 101301-01 (SunOS 5.2/Solaris 2.2)

    Bug 1145463 causes archive files produced by the Solaris 2.x tar to
    contain extraneous information. The extraneous data, which can include
    user id's (but not passwords), is ignored when the archive files are
    restored to disk.
    The patched tar produces archive files in the same format as all other
    versions, but any extraneous data is set to zero. Restoring an existing
    archive file to disk, and then producing a new file with the patched
    tar, will result in a clean archive file with no extra non-zero data.

    A version of this patch has been prepared for the upcoming release of
    Solaris 2.3, and will be available as soon as 2.3 is released. The
    patch ID at that time will be 101327-01.

    Currently available patches are summarized in the table below.

    System        Patch ID    Filename           BSD          SVR4
                                                 Checksum     Checksum
    ------        --------    ---------------    ---------    -----------
    Solaris 2.1   100975-02   100975-02.tar.Z    37034 374    13460 747
    Solaris 2.2   101301-01   101301-01.tar.Z    22089 390    4703 779

    The checksums shown above are from the BSD-based checksum (on 4.1.x,
    /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version that
    Sun has released on Solaris 2.x (/usr/bin/sum).

    B. sendmail
       - patch 100377-07 (SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c)
       - patch 100840-03 (SunOS 5.1/Solaris 2.1)
       - patch 101077-03 (SunOS 5.2/Solaris 2.2)

    Bug 1144946 on 4.1.x systems (and, similarly, bug 1142888 on Solaris
    2.x systems) creates a sendmail security hole which allows remote users
    access to some files on the affected system.

    A version of this patch is being prepared for the upcoming Solaris 2.3
    release, but no patch ID is available at this time.

    Currently available patches are summarized in the table below.

    System        Patch ID    Filename           BSD          SVR4
                                                 Checksum     Checksum
    ------        --------    ---------------    ---------    -----------
    SunOS 4.1.x   100377-07   100377-07.tar.Z    36122 586    11735 1171
    Solaris 2.1   100840-03   100840-03.tar.Z    01153 194    39753 388
    Solaris 2.2   101077-03   101077-03.tar.Z    49343 177    63311 353

    The checksums shown above are from the BSD-based checksum (on 4.1.x,
    /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version that
    Sun has released on Solaris 2.x (/usr/bin/sum).

II. Advisory note concerning the potential misuse of /dev/audio devices

    Recently some customers have expressed the concern that the microphone
    found on Sun workstations could be used for eavesdropping. This note,
    which is pertinent to both 4.1.x and 5.x systems, describes

    - The default settings of permissions on the audio devices
    - How to set permissions on the system to prevent unauthorized use of
      the microphone
    - Changes upcoming in Solaris 2.3 which improve the security of such
      devices.

    Note, however, that Sun recommends that customers who have a security
    concern regarding the microphone either switch off or unplug the
    microphone to prevent unauthorized listening.

    The initial permissions for the audio data device, /dev/audio, allow
    anyone to listen with the microphone when it is turned on. Also, the
    permissions for the audio control device, /dev/audioctl, allow anyone
    to vary playback and record settings such as volume. "Anyone", in this
    case, may include users on a remote workstation (depending, for
    example, on the settings in the user's .rhosts file).

    One way to prevent unauthorized use of the system's audio devices is to
    become root and change the permissions and owner of /dev/audio and
    /dev/audioctl. The owner should be the user that will use the machine's
    console. For example, to allow only the user "graff" read and write
    access to the audio device and audio control device, execute commands
    such as:

        # chmod 600 /dev/audio*
        # chown graff /dev/audio*

    then check to see that the permissions resemble:

        # ls -lL /dev/audio*
        crw-------  1 graff    sys       28,   0 Jul 12 14:20 /dev/audio
        crw-------  1 graff    sys       28, 128 Jul 12 14:20 /dev/audioctl

    The owner and permissions for /dev/audio and /dev/audioctl will stay
    the same until manually changed, so if you want a different user to
    have access to the microphone you will need to use chown to change the
    owner of /dev/audio and /dev/audioctl to the new user.
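    A small audit helper, added here as an example and not part of Sun's
    bulletin, that checks whether device nodes carry the owner-only mode the
    chmod 600 step (or an fbtab entry) should leave behind. It assumes only
    POSIX sh, ls -L and cut, and takes device paths as arguments so it can be
    tried against any file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sun bulletin): verify that audio device nodes
# are accessible only by their owner, as the chmod 600 / fbtab settings
# described in the advisory produce. Uses only POSIX sh, ls and cut.

# owner_only PATH: succeed (exit 0) if group and other have no permission
# bits at all, i.e. the mode string looks like crw------- or -rw-------.
owner_only() {
    # ls -ldL follows the /dev/audio symlink (as ls -lL does in the bulletin);
    # characters 5-10 of the mode string are the group and other bits.
    gob=$(ls -ldL "$1" | cut -c5-10)
    [ "$gob" = "------" ]
}

# audit_audio_devices [PATH ...]: print one verdict per device and return 1
# if any existing device is readable or writable by group or other.
# With no arguments it checks /dev/audio and /dev/audioctl.
audit_audio_devices() {
    [ $# -eq 0 ] && set -- /dev/audio /dev/audioctl
    rc=0
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            echo "$dev: not present, skipped"
            continue
        fi
        if owner_only "$dev"; then
            echo "$dev: OK, owner-only ($(ls -ldL "$dev" | cut -d' ' -f1))"
        else
            echo "$dev: OPEN to group/other: $(ls -ldL "$dev")"
            rc=1
        fi
    done
    return $rc
}

# Usage when run directly: check the two devices the bulletin names.
audit_audio_devices /dev/audio /dev/audioctl ||
    echo "one or more audio devices still need chmod 600 (see advisory)"
```

    A device reported as OPEN after a login means the chmod/chown (or the
    /etc/fbtab entry on 4.1.x) has not taken effect for that node.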
    On SunOS 4.1.x systems, the /etc/fbtab file can be used to
    automatically make the audio data device and audio control device
    accessible only to the console user. This capability does not exist in
    Solaris 2.1 and 2.2, but similar functionality (see /etc/logindevperm)
    has been added to the upcoming 2.3 release.

    To restrict access to the audio devices using the SunOS 4.1.x
    /etc/fbtab file, become root and edit /etc/fbtab, adding these lines to
    the end of the file:

        /dev/console    0600    /dev/audio
        /dev/console    0600    /dev/audioctl

    Then logout and login. Check the permissions with ls; they should look
    like this if the console user is root:

        # ls -lg /dev/audio*
        crw-------  1 root     daemon    69,   0 Jul 12 15:26 /dev/audio
        crw-------  1 root     daemon    69,   1 Jul 12 15:26 /dev/audioctl

    If a non-root user is logged into the console the owner will be that
    user and the group will be the user's default group. When no one is
    logged into the console the /etc/fbtab entry above will cause
    /dev/audio and /dev/audioctl to have these permissions:

        # ls -lg /dev/audio*
        crw-------  1 root     wheel     69,   0 Jul 12 15:26 /dev/audio
        crw-------  1 root     wheel     69,   1 Jul 12 15:26 /dev/audioctl

III. How to obtain Sun security patches

    Customers with Sun support contracts can obtain the patches listed
    here, and all Sun security patches, from:

    - Your local Sun answer centers, worldwide
    - SunSolve Online

    Please refer to the Bug ID and Patch ID when requesting patches from
    Sun answer centers.

    Security patches are also available without a support contract via
    anonymous ftp:

    - In the US, from /systems/sun/sun-dist on ftp.uu.net
    - In Europe, from ~ftp/sun/fixes on ftp.eu.net

IV. How to report Sun security problems

    If you discover a security problem with Sun software, please contact
    one or more of the following:

    - Your local Sun answer centers, worldwide
    - Your representative computer security response team, such as CERT
    - This office.
    Address postal mail to:

        Sun Security Coordinator
        MS MPK2-04
        2550 Garcia Avenue
        Mountain View, CA 94043-1100
        Phone: 415-688-9081
        Fax:   415-688-9101
        Email: security-alert@Sun.COM

-----------

If you received this bulletin indirectly and would like to be added to
Sun's Customer Warning System mailing list in order to receive future
bulletins directly, send a request to the address above with your
affiliation and contact information. If you have e-mail access, send mail
to "security-alert@Sun.COM" with the subject "subscribe" and your
affiliation and contact information in the message body.