TITLE: Tru64 UNIX 4.0F PK7 BL18 TITLE: (SSRT2275, SSRT2229) Potential Security Vulnerabilities New Kit Date: 11-SEP-2002 Modification Date: Not Applicable Modification Type: New Kit Copyright (c) Hewlett-Packard Company 2002. All rights reserved. PRODUCT: Tru64 UNIX [R] 4.0F SOURCE: Hewlett-Packard Company ECO INFORMATION: ECO Name: DUV40FB18-C0067405-15263-ES-20020827 ECO Kit Approximate Size: 18MB Kit Applies To: Tru64 UNIX 4.0F PK7 (BL18) ECO Kit CHECKSUMS: /usr/bin/sum results: 51813 17910 /usr/bin/cksum results: 3173377783 18339840 MD5 results: 1729e6f55aee06ff795ffffef1dfd8c7 SHA1 results: 3efa144c98539b85e0253b26111be014a0eb63c6 ECO KIT SUMMARY: A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 4.0F that contains solutions for the following potential security vulnerabilities: 1) Under certain circumstances the potential vulnerability may result in a denial of service. This may be in the form of local security domain risks. The potential security vulnerability in the ping command has been corrected. - SSRT2229 /usr/sbin/ping (Severity - Medium) 2) Under certain circumstances the potential vulnerability may allow a non-privileged user to gain unauthorized (root) access by exploiting a buffer overflow condition. This may be in the form of local and remote security domain risks. The potential security vulnerability has been corrected. Basic Commands and Utilities - SSRT2277 /usr/bin/ypmatch (Severity - Medium) - SSRT2261 /usr/sbin/traceroute (Severity - Medium) - SSRT2260 /usr/sbin/lpc (Severity - Medium) /usr/bin/lprm /usr/bin/lpq /usr/bin/lpr /usr/lbin/lpd - SSRT0796U /usr/bin/binmail (Severity - Medium) - SSRT0794U /usr/bin/ipcs (Severity - Medium) - SSRT2191 /usr/sbin/quot (Severity - Medium) - SSRT2189 /usb/bin/at (Severity - Medium) - SSRT2256 /usr/bin/ps (Severity - Medium) - SSRT2275 /usr/bin/uux (Severity - Medium) /usr/bin/uucp (Severity - Medium) /usr/bin/csh (Severity - Medium) /usr/bin/rdist (Severity - Medium) /usr/bin/mh/inc (Severity - Medium) /usr/bin/mh/msgchk (Severity - Medium) /usr/sbin/imapd (Severity - Medium) /usr/bin/deliver (Severity - Medium) /sbin/.upd..loader (Severity - Medium) CDE - SSRT2193 /usr/dt/bin/mailcv (Severity - Medium) - SSRT2280 /usr/dt/bin/dtterm (Severity - Medium) - SSRT2282 /usr/dt/bin/dtsession (Severity - Medium) - SSRT2274 /usr/dt/bin/rpc.ttdbserverd (Severity - High) SSRT2251 X11 - SSRT2279 /usr/bin/X11/dxterm (Severity - Medium) - SSRT2275 /usr/bin/X11/dxconsole (Severity - Medium) /usr/bin/X11/dxpause (Severity - Medium) /usr/bin/X11/dxsysinfo (Severity - Medium) Networking - SSRT2340 /usr/sbin/telnetd (Severity - High) - SSRT2270 BIND resolver glibc (Severity - High) - SSRT2309 rpc XDR_ARRAY (Severity - High) 3) Engineering has integrated the SSRT2257 early release patches into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT2257 addressed the following potential security vulnerabilities: - SSRT2257 /usr/bin/su (Severity - High) - SSRT2190 /usr/bin/chsh (Severity - Medium) - SSRT2192 /usr/bin/passwd (Severity - Medium) - SSRT2259 /usr/bin/chfn (Severity - Medium) - SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium) The SSRT2275/SSRT2229 ERP kits can be used by customers who have and have not installed the ERPs for SSRT2257. The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the SSRT2257 ERPs. However, installation will be blocked if any other patches have been installed that affect the files delivered in the SSRT2257 ERPs. For more information regarding SSRT2257, see Security Bulletin, SSRT2257 HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit. 4) Engineering has integrated the SSRT-541/SSRTM541 ERPs into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT-541 addressed the following potential security vulnerabilities: - SSRT0752U dtaction - SSRT0753U ttsession - SSRT0757U dtprintinfo SSRT0788U - SSRT0782U dtspcd - SSRT0771U Environment Variable LANG and LOCPATH - SSRT0781U ypbind may core during nmap portscan The integrated ERP kits can be used by customers who have and have not installed the ERPs for SSRT-541/SSRTM541. The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the SSRT-541/SSRTM541 ERPs. However, installation will be blocked if any other patches have been installed that affect the files delivered in the SSRT-541/SSRTM541 ERPs. For more information regarding SSRT-541/SSRTM541, see Security Bulletin, SSRT-541/SSRTM541 Tru64 UNIX CDE, NFS and NIS related Potential Security Vulnerabilities. The Patch Kit Installation Instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches on your system. The patches in this ERP kit will also be available in the next mainstream patch kit - Tru64 UNIX 4.0F Patch Kit 8 . INSTALLATION NOTES: 1) Install this kit with the dupatch utility that is included in the patch kit. You may need to baseline your system if you have manually changed system files on your system. The dupatch utility provides the baselining capability. 2) This ERP kit will NOT install over any installed Customer-Specific-Patches (CSPs) which have file intersections with this ERP kit. Contact your normal Service Provider for assistance if the installation of this ERP kit is blocked by any of your installed CSPs. 3) Some of the patches deliver updated static libraries. If you have applications that build against the affected static libraries you should relink those applications post-ERP installation. The following static libraries are updated if you have the static library subsets installed on your system: /usr/ccs/lib/libc.a OSFCMPLRS /usr/ccs/lib/libc_r.a OSFCMPLRS /usr/ccs/lib/libtermcap.a OSFPGMR /usr/ccs/lib/libtermlib.a OSFPGMR /usr/lib/libX11.a OSFXLIBA /usr/ccs/lib/libcurses.a OSFLIBA /usr/dt/lib/libDtSvc.a OSFCDEDEV /usr/dt/lib/libtt.a OSFCDEDEV /usr/lib/libXm.a OSFXLIBA INSTALLATION PREREQUISITES: You must have installed Tru64 UNIX 4.0F PK7 (BL18) prior to installing this Early Release Patch Kit. SUPERSEDED PATCH LIST: This patch kit supersedes the following Tru64 UNIX patch kits: 1) (SSRT-541) Potential Security Vulnerability CDE and NIS DUV40FB18-C0067302-14158-ES-20020429.tar 2) (SSRT2257) Potential Security Vulnerabilities due to Buffer Overflows DUV40FB18-C0067403-14947-ES-20020730.tar The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the patches from the superseded patch kits. However, installation will be blocked if any other patches have been installed that affect the files delivered in the above patch kits. KNOWN PROBLEMS WITH THE PATCH KIT: None RELEASE NOTES FOR DUV40FB18-C0067405-15263-ES-20020827: 1 Release Notes This Early Release Patch Kit Distribution contains: - fixes that resolve the problem(s) reported in: o SSRT-541 SSRT0752U SSRT0753U SSRT0757U SSRT0771U SSRT0781U SSRT0782U SSRT0788U SSRT0794U SSRT0796U SSRT2189 SSRT2190 SSRT2192 SSRT2193 SSRT2229 SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261 SSRT2262 SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280 SSRT2297 SSRT2309 * for Digital UNIX V4.0F DUV40FB18AS0007-20020102.tar (BL18) The patches in this kit are being released early for general customer use. Refer to the Release Notes for a summary of each patch and installation prerequisites. Patches in this kit are installed by running dupatch from the directory in which the kit was untarred. For example, as root on the target system: > mkdir -p /tmp/CSPkit1 > cd /tmp/CSPkit1 > > tar -xpvf DUV40D13-C0044900-1285-20000328.tar > cd patch_kit > ./dupatch 2 Special Instructions There are no special instructions for Digital UNIX V4.0F Patch C674.05 There are no special instructions for Digital UNIX V4.0F Patch C812.01 There are no special instructions for Digital UNIX V4.0F Patch C786.00 There are no special instructions for Digital UNIX V4.0F Patch C805.01 There are no special instructions for Digital UNIX V4.0F Patch C791.00 There are no special instructions for Digital UNIX V4.0F Patch C810.01 There are no special instructions for Digital UNIX V4.0F Patch C784.01 There are no special instructions for Digital UNIX V4.0F Patch C811.01 There are no special instructions for Digital UNIX V4.0F Patch C815.01 There are no special instructions for Digital UNIX V4.0F Patch C821.01 There are no special instructions for Digital UNIX V4.0F Patch C790.00 There are no special instructions for Digital UNIX V4.0F Patch C787.00 There are no special instructions for Digital UNIX V4.0F Patch C697.06 There are no special instructions for Digital UNIX V4.0F Patch C814.01 There are no special instructions for Digital UNIX V4.0F Patch C802.02 There are no special instructions for Digital UNIX V4.0F Patch C823.01 There are no special instructions for Digital UNIX V4.0F Patch C819.01 There are no special instructions for Digital UNIX V4.0F Patch C817.01 There are no special instructions for Digital UNIX V4.0F Patch C818.01 There are no special instructions for Digital UNIX V4.0F Patch C822.01 SPECIAL INSTRUCTIONS for Digital UNIX V4.0F Patch C673.05 - The patches in this kit REQUIRE installation of: Tru64 UNIX 4.0F Patch Kit 7 (DUV40FB18AS0007-20020102.tar). - Select all patches in this kit for installation. - The patches in this kit deliver files for mandatory and optional install Operating System subsets. The following patches from this ERP kit will install on all 4.0F systems when the mandatory-install OS subsets are installed AND the requisite 4.0F PK7 patches are installed: --------------------------------------------------------------------- Patch ID MANDATORY OS Subsets --------------------------------------------------------------------- C 674.05 OSFBASE OSFCMPLRS OSFCLINET The following patches from this ERP kit will install when the optionally-installed subsets AND requisite 4.0F PK7 patches are installed: --------------------------------------------------------------------- Patch ID OPTIONAL OS Subsets --------------------------------------------------------------------- C 673.05 OSFCDEMIN CDE Minimum Runtime Environment (Windowing Environment) C 675.05 OSFX11 Basic X Environment (Windowing Environment) C 745.03 OSFCDEDEV CDE Software Development and Programming Examples(Software C 754.03 OSFCDEDT CDE Desktop Environment (Windowing Environment) C 755.03 OSFCDEMAIL CDE Mail Interface (Mail Applications) C 756.03 OSFXLIBA X Window and X/Motif Static Libraries There are no special instructions for Digital UNIX V4.0F Patch C755.03 There are no special instructions for Digital UNIX V4.0F Patch C675.05 There are no special instructions for Digital UNIX V4.0F Patch C745.03 There are no special instructions for Digital UNIX V4.0F Patch C754.03 There are no special instructions for Digital UNIX V4.0F Patch C756.03 3 Summary of CSPatches contained in this kit Digital UNIX V4.0F PatchId Summary Of Fix ---------------------------------------- C674.05 Fix for SSRT2257, 2190, 2192, 2259, 2262, M541, 2275, 2270 C812.01 Fix for SSRT2275, uux, uucp C786.00 Fix for SSRT2193, mailcv C805.01 Fix for SSRT2297, loader C791.00 Fix for SSRT2189, at C810.01 Fix for SSRT2251, SSRT2274, rpc.ttdbserverd C784.01 Fix for SSRT2256, ps C811.01 Fix for SSRT2280, dtterm C815.01 Fix for SSRT2275, libtermcap, libtermlib C821.01 Fix for SSRT2279, SSRT2280, dtterm, dxterm C790.00 Fix for SSRT2229, ping C787.00 Fix for SSRT0796U, binmail C697.06 Fix for SSRT0794U, ipcs C814.01 Fix for SSRT2275, csh C802.02 Fix for SSRT2260, lpq, lpr, lprm C823.01 Fix for SSRT2279, dxterm C819.01 Fix for SSRT2275, telnetd C817.01 Fix for SSRT2275, libcurses C818.01 Fix for SSRT2275, libcurses C822.01 Fix for SSRT2279 and SSRT2280, dtterm, dxterm C673.05 Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788 C755.03 Fixes for SSRT0752U & SSRT0753U. C675.05 Fixes for SSRT0752U and SSRT0753U. C745.03 Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788 C754.03 Fixes for SSRT0752U & SSRT0753U. C756.03 Fixes for SSRT0752U and SSRT0753U. 4 Additional information from Engineering None 5 Affected system files This patch delivers the following files: Digital UNIX V4.0F Patch C674.05 ./sbin/mount CHECKSUM: 47298 584 SUBSET: OSFBASE440 ./sbin/umount CHECKSUM: 57625 368 SUBSET: OSFBASE440 ./shlib/.upd..libc.so CHECKSUM: 46202 1633 SUBSET: OSFBASE440 ./shlib/.upd..libc_r.so CHECKSUM: 46202 1633 SUBSET: OSFBASE440 ./usr/bin/uptime CHECKSUM: 51701 376 SUBSET: OSFBASE440 ./usr/bin/w CHECKSUM: 51701 376 SUBSET: OSFBASE440 ./usr/ccs/lib/libc.a CHECKSUM: 50377 2015 SUBSET: OSFCMPLRS440 ./usr/ccs/lib/libc_r.a CHECKSUM: 50377 2015 SUBSET: OSFCMPLRS440 ./usr/sbin/runclass CHECKSUM: 15068 272 SUBSET: OSFBASE440 ./usr/sbin/ypbind CHECKSUM: 28642 504 SUBSET: OSFCLINET440 Patch C812.01 ./usr/bin/uucp CHECKSUM: 15011 656 SUBSET: OSFUUCP440 ./usr/bin/uux CHECKSUM: 44848 656 SUBSET: OSFUUCP440 ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat CHECKSUM: 58627 19 SUBSET: OSFUUCP440 Patch C786.00 ./usr/dt/bin/mailcv CHECKSUM: 42125 56 SUBSET: OSFCDEMAIL440 Patch C805.01 ./sbin/.upd..loader CHECKSUM: 15953 184 SUBSET: OSFBASE440 Patch C791.00 ./usr/bin/at CHECKSUM: 53392 72 SUBSET: OSFBASE440 Patch C810.01 ./usr/dt/bin/rpc.ttdbserverd CHECKSUM: 15991 424 SUBSET: OSFCDEMIN440 Patch C784.01 ./sbin/ps CHECKSUM: 41177 104 SUBSET: OSFBASE440 ./usr/bin/ps CHECKSUM: 31397 88 SUBSET: OSFBASE440 ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat CHECKSUM: 46700 2 SUBSET: OSFBASE440 Patch C811.01 ./usr/dt/bin/dtterm CHECKSUM: 34219 504 SUBSET: OSFCDEDT440 Patch C815.01 ./usr/ccs/lib/libtermcap.a CHECKSUM: 32783 12 SUBSET: OSFPGMR440 ./usr/ccs/lib/libtermlib.a CHECKSUM: 32783 12 SUBSET: OSFPGMR440 Patch C821.01 ./usr/lib/libX11.a CHECKSUM: 29388 1504 SUBSET: OSFXLIBA440 Patch C790.00 ./sbin/ping CHECKSUM: 26730 32 SUBSET: OSFCLINET440 ./usr/sbin/ping CHECKSUM: 28604 40 SUBSET: OSFCLINET440 Patch C787.00 ./usr/bin/binmail CHECKSUM: 56869 56 SUBSET: OSFBASE440 ./usr/bin/mail CHECKSUM: 56869 56 SUBSET: OSFBASE440 ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat CHECKSUM: 09023 3 SUBSET: OSFBASE440 Patch C697.06 ./usr/bin/ipcs CHECKSUM: 56664 40 SUBSET: OSFBASE440 Patch C814.01 ./usr/bin/csh CHECKSUM: 41427 304 SUBSET: OSFBASE440 Patch C802.02 ./usr/bin/lpq CHECKSUM: 46386 80 SUBSET: OSFPRINT440 ./usr/bin/lpr CHECKSUM: 26300 88 SUBSET: OSFPRINT440 ./usr/bin/lprm CHECKSUM: 12968 72 SUBSET: OSFPRINT440 ./usr/lbin/lpd CHECKSUM: 36560 160 SUBSET: OSFPRINT440 ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat CHECKSUM: 00169 15 SUBSET: OSFPRINT440 ./usr/sbin/lpc CHECKSUM: 07605 96 SUBSET: OSFPRINT440 Patch C823.01 ./usr/bin/X11/dxterm CHECKSUM: 16485 736 SUBSET: OSFX11440 Patch C819.01 ./usr/sbin/telnetd CHECKSUM: 28099 104 SUBSET: OSFCLINET440 Patch C817.01 ./usr/ccs/lib/libcurses.a CHECKSUM: 27321 655 SUBSET: OSFLIBA440 Patch C818.01 ./usr/shlib/libcurses.so CHECKSUM: 31592 512 SUBSET: OSFBASE440 Patch C822.01 ./usr/shlib/libVX11.so CHECKSUM: 01017 1376 SUBSET: OSFX11440 ./usr/shlib/libX11.so CHECKSUM: 20433 1344 SUBSET: OSFX11440 ./usr/shlib/libX11.so.pre.O3D CHECKSUM: 20433 1344 SUBSET: OSFX11440 Patch C673.05 ./usr/dt/lib/libDtSvc.so CHECKSUM: 21926 632 SUBSET: OSFCDEMIN440 ./usr/dt/lib/libtt.so CHECKSUM: 49189 1336 SUBSET: OSFCDEMIN440 ./usr/dt/lib/nls/msg/C/dt.cat CHECKSUM: 45709 8 SUBSET: OSFCDEMIN440 Patch C755.03 ./usr/dt/bin/dtmail CHECKSUM: 48114 1368 SUBSET: OSFCDEMAIL440 Patch C675.05 ./usr/shlib/libXm.so CHECKSUM: 56586 2192 SUBSET: OSFX11440 Patch C745.03 ./usr/dt/lib/libDtSvc.a CHECKSUM: 53673 751 SUBSET: OSFCDEDEV440 ./usr/dt/lib/libtt.a CHECKSUM: 53407 1456 SUBSET: OSFCDEDEV440 Patch C754.03 ./usr/dt/bin/dtcalc CHECKSUM: 18826 328 SUBSET: OSFCDEDT440 ./usr/dt/bin/dtcreate CHECKSUM: 32447 232 SUBSET: OSFCDEDT440 ./usr/dt/bin/dtsession CHECKSUM: 17173 208 SUBSET: OSFCDEDT440 Patch C756.03 ./usr/lib/libXm.a CHECKSUM: 23287 2343 SUBSET: OSFXLIBA440 [R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Copyright Hewlett-Packard Company 2002. All Rights reserved. This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor. This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.