[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CIAC Bulletin F-09



   [Note: Document reformated for mailing by [email protected].  
   If in doubt contact CIAC for original: 
   ciac.llnl.gov:/pub/ciac/bulletin/f-fy95/f-09.ciac.(doc).] 
 
   ________________________________________________________ 
 
                   The U.S. Department of Energy 
               Computer Incident Advisory Capability 
                   ___  __ __    _     ___ 
                  /       |     /_\   / 
                  \___  __|__  /   \  \___ 
     _________________________________________________________ 
 
                       INFORMATION BULLETIN 
 
                  Unix /bin/mail Vulnerabilities 
 
   January 27, 1995 1030 PST                     Number F-09 
   _________________________________________________________ 
 
   PROBLEM:   The Unix /bin/mail utility contains security 
              vulnerabilities. 
 
 
   PLATFORMS: DEC OSF/1 1.2, 1.3, and 2.0 
              DEC Ultrix 4.3, 4.3A, and 4.4 
              SCO Unix System V/386 Release 3.2 OS Version 
              4.2 
              SCO Open Desktop Lite Release 3.0 
              SCO Open Desktop Release 3.0 
              SCO Open Server Enterprise System Release 3.0 
              SCO Open Server Network System Release 3.0 
              Solbourne OS4.1x 
              SunOS 4.x 
 
 
   DAMAGE:    Local users may gain privileged (root) access. 
 
 
   SOLUTION:  Apply appropriate vendor patch as described 
              below. 
   _________________________________________________________ 
 
 
   VULNERABILITY 
   ASSESSMENT The vulnerabilities in the /bin/mail program 
              have been openly discussed in several Internet 
              forums, and automated scripts exploiting the 
              vulnerabilities have been widely distributed. 
              These tools have been used in many recent 
              attacks.  CIAC recommends sites install these 
              patches as soon as possible. 
   _________________________________________________________ 
 
 
   Critical Information about Unix /bin/mail Vulnerabilities 
 
 
   The /bin/mail utility on several Unix versions based on BSD 
   4.3 Unix contain a security vulnerability.  The 
   vulnerability is the result of race conditions that exist 
   during the delivery of messages to local users.  These race 
   conditions will allow intruders to create or modify files 
   on the system, resulting in privileged access to the 
   system. 
 
 
   Below is a summary of systems known to be either vulnerable 
   or not vulnerable.  If your vendor's name is not listed, 
   please contact the vendor or CIAC for more information. 
 
   Vendor or Source                   Status 
   ----------------                   ------------ 
   Apple Computer, Inc.               Not vulnerable 
   Berkeley SW Design, Inc. (BSDI)    Not vulnerable 
   Cray Research, Inc.                Not vulnerable 
   Data General Corp.                 Not vulnerable       
   Digital Equipment Corp.            Vulnerable 
   FreeBSD                            Not vulnerable 
   Harris                             Not vulnerable 
   IBM                                Not vulnerable  
   NetBSD                             Not vulnerable 
   NeXT, Inc.                         Not vulnerable  
   Pyramid                            Not vulnerable 
   The Santa Cruz Operation (SCO)     Vulnerable 
   Solbourne (Grumman)                Vulnerable 
   Sun Microsystems, Inc.             SunOS 4.x vulnerable 
                                      Solaris 2.x not         
                                      vulnerable 
 
   Patch Information 
   ----------------- 
 
   DEC        The /bin/mail patch is a part of a 
              comprehensive Security Enhanced Kit that 
              addresses other security problems as well. This 
              kit was released on May 17, 1994 and was 
              described in DEC Security Advisory #0505 and 
              CIAC Notes 94-03. 
 
 
              OSF/1 users should upgrade to a minimum of 
              version 2.0 and install Security Enhanced Kit 
              CSCPAT_4061 v1.0.  Ultrix users should upgrade 
              to at least version 4.4 and install Security 
              Enhanced Kit CSCPAT_4060 v1.0. 
 
 
              Both kits are available from your Digital 
              support channel or electronically by request 
              via DSNlink. 
 
 
   SCO        Vulnerabilities in SCO's /bin/mail utility are 
              removed by applying SCO's Support Level 
              Supplement (SLS) uod392a. It is available via 
              anonymous FTP from ftp.sco.com in the /SLS 
              directory: 
 
   Description   Filename       MD5 Checksum 
   -----------   ------------   -------------------------------- 
   Disk image    uod392a.Z      2c26669d89f61174f751774115f367a5 
 
   Cover letter  uod392a.ltr.Z  52db39424d5d23576e065af2b80aee49 
 
 
Solbourne     Grumman System Support Corporation now performs 
              all Solbourne software and hardware support.  
              Please contact them for further information: 
 
              E-mail: [email protected] 
              Phone:  1-800-447-2861 
              FTP:    ftp.nts.gssc.com 
 
 
Sun           Sun has made patches available to remove 
              vulnerabilities in /bin/mail.  These patches 
              address all vulnerabilities CIAC has seen 
              exploited to date, and CIAC recommends they be 
              installed. However, the patches will be updated 
              again in the near future to remove additional 
              vulnerabilities that have recently come to 
              light.  CIAC will announce the availability of 
              the new patches when they are released. 
 
 
              The patches may be obtained from your local Sun 
              Answer Center or through anonymous FTP from 
              sunsolve1.sun.com in the /pub/patches 
              directory: 
 
   SunOS    Filename         MD5 Checksum 
   -------  ---------------  -------------------------------- 
   4.1.x    100224-13.tar.Z  90a507017a1a40c4622b3f1f00ce5d2d 
 
   4.1.3U1  101436-08.tar.Z  0e64560edc61eb4b3da81a932e8b11e1 
                  
 
   Alternative Solution 
   -------------------- 
 
   For those sites unable to obtain a vendor patch From owner-cypherpunks  Fri Jan 27 13:19:28 1995
Return-Path: <owner-cypherpunks>
Received: by toad.com id AA15273; Fri, 27 Jan 95 13:19:28 PST
Received: from gateway.informix.com by toad.com id AA15259; Fri, 27 Jan 95 13:19:22 PST
Received: from informix.com (infmx.informix.com) by gateway.informix.com (4.1/SMI-4.1)
	id AA10439; Fri, 27 Jan 95 13:19:16 PST
Received: from carbon.informix.com by informix.com (4.1/SMI-4.1)
	id AA02110; Fri, 27 Jan 95 13:19:08 PST
Received: by carbon.informix.com (5.0/SMI-SVR4)
	id AA00461; Fri, 27 Jan 1995 13:19:01 +0800
Date: Fri, 27 Jan 1995 13:19:01 +0800
From: [email protected]
Message-Id: <[email protected]>
Subject: Oops, Correction: one big error in "Even more unix holy war." 
Apparently-To: [email protected]
Apparently-To: [email protected]
Apparently-To: [email protected]
Apparently-To: [email protected]
Content-Length: 2646
Sender: [email protected]
Precedence: bulk

I wrote:
> The great strength is of course symbolic debugging -- you can
> single step your compiled code, and see it displayed symbolicly,
> with the symbols and statements of your source code,
> and with the contents memory displayed in terms of your
> source code variables.

On this I was of course totally wrong:

Unix has symbolic debugging equal to DOS/Windows.
I was under the false impression that it only had
C code interpretation.

This is an error -- what I said was true for C++, but 
then in Windows we too are forced to primarily use
interpretation to debug C++.   C++ symbolic debuggers
are not up to acceptable capabilities in either system.

Sorry.

But my statement concerning internationalization and
resource files was correct.

Unix has no equivalent of App Studio, etc.  I have made
a little tour of people in my company who work on both
unix and Windows.  I (fortunately) work primarily on
Windows, as you may have guessed.

The company I presently work for is making a tool they
call Window Painter.  This is in some respects similar
to App Studio.  It works with their unix database 
language.

But it is no App Studio, as the unix folk who are
working on it freely admit, those few of them that
have used App Studio.

Most of my correspondents had replies along the lines
of "Huh -- internationalization -- what source code
tools could possibly help you with internationalization."

Others listed irregular bands of random unix tools which
are essentially irrelevant to the problem of 
internationalization.

Most international unix programs have string files
that the compiled program refers to a string by a number, and
a font size by a number, and the position of the button
on screen by a number -- site customizable information,
Xdefaults, *.cfg

This is functionally equivalent to the Windows Resource
file, in that in principle one can keep translatable elements
separate from source code.  But is certainly not equivalent 
in ease of use.  One can do the job, but in essense one
does it by hand.

Resource files, and dialog box editing tools such as App Studio,
provide a clean separation between visual user interface
elements that typically require translation, and functiona
code that does not.

 ---------------------------------------------------------------------
                                          |  
We have the right to defend ourselves     |   http://www.catalog.com/jamesd/
and our property, because of the kind     |  
of animals that we are. True law          |   James A. Donald
derives from this right, not from the     |  
arbitrary power of the omnipotent state.  |   [email protected]