SUN MICROSYSTEMS SECURITY BULLETIN: #00117, 16 July 92

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes
directory. Note that Sun does not have direct access to mcsun.eu.net and
must request that patches be copied from ftp.uu.net to mcsun.eu.net.
Therefore, there may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.
----------------------------------------------------------------------------

                        BULLETIN TOPICS

I.  New Patches

    A. 100633-01, SunOS 4.1.1,4.1.2: unbundled SunSHIELD ARM 1.0,
       "LD_" environment variables can be used to exploit login/su,
       International version.

II. Upgraded Patches

    A. 100173-08, SunOS 4.1.1,4.1.2: NFS Jumbo, uid truncation problem

    B. 100376-04, SunOS 4.1,4.1.1,4.1.2: integer mul/div, crashme

    C. 100567-02, SunOS 4.1,4.1.1,4.1.2: icmp redirects can be used to
       make a host drop connections; mfree panic

==============================================================================
SPECIAL NOTE: Upgraded patches 100173-08, 100376-04, and 100567-02 all
require that a new kernel be configured, made, and installed. All three
patches provide significant security enhancements. Note that the
installer need only build a new kernel once, after loading in the object
files (".o" files) from one or more of the mentioned patches.
==============================================================================

                        NEW PATCH INFORMATION

Sun Patch ID:   100633-01
Sun Bug IDs:    1085851
SunOS release:  4.1.1, 4.1.2; unbundled SunSHIELD ARM 1.0
Synopsis:       "LD_" environment variables can be used to exploit
                login and su

Problem Description:

Bug 1085851 - a dynamically-linked program that is invoked by a
setuid/setgid program has access to the caller's environment variables
if the setuid/setgid program sets the real and effective UIDs to be
equal and the real and effective GIDs to be equal before the
dynamically-linked program is executed. A vulnerability exists if the
UIDs and GIDs are not equal to those of the user that invoked the
setuid/setgid program.

Checksum of compressed tarfile 100633-01.tar.Z on ftp.uu.net = 43774 20

==============================================================================

                        UPGRADED PATCH INFORMATION

Sun Patch ID:   100173-08
Sun Bug IDs:    1076985, 1095935 (new for -08 version)
SunOS release:  4.1.1, 4.1.2
Synopsis:       This patch fixes two additional problems in NFS.

Problem Description:

This patch adds two fixes for the -08 version of the NFS Jumbo:

1. Bug 1076985 - NFS client crashes when accessing mounted file from a
   non-Sun NFS server.
2. Bug 1095935 - A type mismatch in the declaration of UID can be
   exploited to obtain unauthorized privileges.

Checksum of compressed tarfile 100173-08.tar.Z on ftp.uu.net = 32598 475


Sun Patch ID:   100376-04
Sun Bug IDs:    1032053, 1069072, 1071053, 1082751
SunOS release:  4.1, 4.1.1, 4.1.2
Synopsis:       This patch fixes previous problems with the -02 version
                of the patch for integer multiplication and will make
                your system resistant against the publicly available
                "crashme" program, version 1.8. Note that there is no
                -03 version for this patch.

Problem Description:

This patch combines 4 fixes:

1. Bug 1032053 - getreg should use fuword() when simulating
   instructions.
2. Bug 1069072 - Integer division on sparc can be used to gain root
   access.
3. Bug 1071053 - Integer multiplication on sparc can be used to gain
   root access.
4. Bug 1082751 - segmentation violation caused by sdiv, udiv

NOTE: The SunOS 4.1.2, sun4m version of this patch requires changes made
by patch 100542-04 (IPI - Galaxy jumbo patch). To install this version,
obtain patch 100542-04 and follow the instructions in the README file
for patch 100376-04.

Sun Microsystems acknowledges many customer contributions in the test of
this patch.

Checksum of compressed tarfile 100376-04.tar.Z on ftp.uu.net = 12884 100
Checksum of compressed tarfile 100542-04.tar.Z on ftp.uu.net = 34068 242


Sun Patch ID:   100567-02
Sun Bug IDs:    1087460, 1093937
SunOS release:  4.1, 4.1.1, 4.1.2
Synopsis:       This patch fixes two problems in ip_icmp.o.

Problem Description:

1. Bug 1087460 - freeing the same mbuf a second time causes mfree to
   panic. This bug was fixed in the -01 version.
2. Bug 1093937 - icmp redirects can be used to make a host drop
   connections. The current fix will make your networked systems more
   resistant to attacks based on the spoofing of icmp messages, but may
   not prevent all forms of such attacks.

Sun Microsystems acknowledges Darren Reed of the Australian National
University, Canberra, for the permission to use his source code
modifications in the above patch. Sun also thanks the CERT/CC computer
security emergency response team for its assistance in the test of this
patch.

Checksum of compressed tarfile 100567-02.tar.Z on ftp.uu.net = 23118 13

===========================================================================

Sun Microsystems recommends that all customers concerned with the
security of their SunOS systems obtain and load the patches that are
applicable to their system(s).

Kenneth L. Pon
Software Security Coordinator
Sun Microsystems, Inc.
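
ADDED EXAMPLE (not part of the Sun bulletin and not the code of patch
100633-01): for the condition described under Bug 1085851, one way a
setuid/setgid program can keep the caller's "LD_" variables from
reaching a dynamically-linked child is to remove them from the
environment before it equalises its IDs and executes the child. The
function names and the sample environment are constructed for
illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the entry names an "LD_" variable. */
static int is_ld_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/*
 * Remove every "LD_" entry from a NULL-terminated environment vector,
 * compacting it in place. All occurrences go, including duplicates of
 * the same name. Returns the number of entries removed.
 */
int scrub_ld_vars(char **env)
{
    char **src, **dst;
    int removed = 0;

    if (env == NULL)
        return 0;
    for (src = dst = env; *src != NULL; src++) {
        if (is_ld_var(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Hypothetical wrapper: scrub first, then execute the child. */
int exec_scrubbed(const char *path, char *const argv[], char **env)
{
    scrub_ld_vars(env);
    return execve(path, argv, env);
}

int main(void)
{
    /* Constructed sample environment, not taken from the bulletin. */
    char *env[] = { "HOME=/home/user", "LD_LIBRARY_PATH=/tmp/lib",
                    "PATH=/usr/bin", "LD_PRELOAD=/tmp/x.so",
                    "LD_LIBRARY_PATH=/var/tmp", NULL };
    int i, n = scrub_ld_vars(env);

    printf("removed %d\n", n);
    for (i = 0; env[i] != NULL; i++)
        printf("kept %s\n", env[i]);
    return 0;
}
```

The match is on the name prefix only, so a variable such as OLD_PATH,
which merely contains "LD_", is kept.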