SUN MICROSYSTEMS SECURITY BULLETIN: #00120, 10 June 93 This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. Sun Microsystems recommends that all customers concerned with the security of their SunOS system(s) obtain and install the patches that are applicable to their computing environment. ----------------------------------------------------------------------------- All patches listed are available through your local Sun answer centers worldwide as well as through anonymous FTP: in the US, FTP to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist directory; in Europe, FTP to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory. Note that Sun does not have direct access to mcsun.eu.net and must request that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there may be a time lag before patches appear on mcsun.eu.net. Please refer to the BugId and PatchId when requesting patches from Sun answer centers. ------------------------------------------------------------------------------ BULLETIN TOPICS I. New Patches A. 101080-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: expreserve can be used to overwite any file ============================================================================== SPECIAL NOTES: 1. The expreserve vulnerability is known to Sun to exist on SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 5.1/Solaris 2.1, and 5.2/Solaris 2.2. 2. Sun recommends that the expreserve utility be disabled immediately, and that official Sun patches be installed to correct the problem as soon as they become available. To prevent use of the expreserve utility, execute the following command as root: /usr/bin/chmod a-x /usr/lib/expreserve The expreserve command normally is used to recover vi editor files when vi terminates unexpectedly. Disabling expreserve will disable this recovery feature. Users of vi should be advised of this temporary change and encouraged to save their work frequently. 3. Patch 101080-01, described below, fixes the problem for SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3., and is now available from the sources described above. The README file does not refer to SunOS 4.1 because the patch was released before applicability of the patch to 4.1 was confirmed. 4. A patch for all SunOS 5.x/Solaris 2.x systems is under development and will be released as soon as testing is complete. A notice similar to this one will accompany the release. 5. Due to the extraordinary recent publicity surrounding this vulnerability, Sun has opted NOT to delay the release of the first patch until the second patch is ready. Sun especially regrets any inconvenience resulting from the split release. ============================================================================== I. PATCHES THAT CONTAIN FIXES FOR NEW BUGS A. Sun Patch ID: 101080-01, security problem with expreserve. Sun Bug IDs: 1044909, 1083183 SunOS release: SunOS 4.1, 4.1.1, 4.1.2, 4.1.3 Synopsis: This patch fixes a problem in the expreserve program which allows it to be used to overwrite any file. This vulnerability can be used to obtain root access to the system. Problem Description: Bug 1044909 - race condition when file is created owned by root. Bug 1083183 - expreserve can be used to overwite any file. Checksum of compressed tarfile 101080-01.tar.Z on ftp.uu.net = 45221 13 NOTE: This patch obsoletes patch 100251-01. Sun Microsystems acknowledges the CERT Coordination Center, the CIAC Computer Security Technology Center, and Lawrence Livermore Laboratories for their assistance in the resolution of the expreserve problem. =========================================================================== Mark G. Graff Software Security Coordinator Sun Microsystems, Inc.