TITLE: SSRT2275__SSRT2229 Potential Security Vulnerabilities TITLE: (SSRT2275, SSRT2229) Potential Security Vulnerabilities New Kit Date: 11-SEP-2002 Modification Date: Not Applicable Modification Type: New Kit Copyright (c) Hewlett-Packard Company 2002. All rights reserved. PRODUCT: Tru64 UNIX [R] 4.0G SOURCE: Hewlett-Packard Company ECO INFORMATION: ECO Name: T64V40GB17-C0010410-15273-ES-20020827 ECO Kit Approximate Size: 18MB Kit Applies To: Tru64 UNIX 4.0G PK3 (BL17) ECO Kit CHECKSUMS: /usr/bin/sum results: 41545 17850 /usr/bin/cksum results: 1944997374 18278400 MD5 results: b669c36ddacd87e248d652826e9a7cef SHA1 results: 82925db9755f8be0a32d85a5b5f83c6ddcd0e2e4 ECO KIT SUMMARY: A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 4.0G that contains solutions for the following potential security vulnerabilities: 1) Under certain circumstances the potential vulnerability may result in a denial of service. This may be in the form of local security domain risks. The potential security vulnerability in the ping command has been corrected. - SSRT2229 /usr/sbin/ping (Severity - Medium) 2) Under certain circumstances the potential vulnerability may allow a non-privileged user to gain unauthorized (root) access by exploiting a buffer overflow condition. This may be in the form of local and remote security domain risks. The potential security vulnerability has been corrected. Basic Commands and Utilities - SSRT2277 /usr/bin/ypmatch (Severity - Medium) - SSRT2261 /usr/sbin/traceroute (Severity - Medium) - SSRT2260 /usr/sbin/lpc (Severity - Medium) /usr/bin/lprm /usr/bin/lpq /usr/bin/lpr /usr/lbin/lpd - SSRT0796U /usr/bin/binmail (Severity - Medium) - SSRT0794U /usr/bin/ipcs (Severity - Medium) - SSRT2191 /usr/sbin/quot (Severity - Medium) - SSRT2189 /usb/bin/at (Severity - Medium) - SSRT2256 /usr/bin/ps (Severity - Medium) - SSRT2275 /usr/bin/uux (Severity - Medium) /usr/bin/uucp (Severity - Medium) /usr/bin/csh (Severity - Medium) /usr/bin/rdist (Severity - Medium) /usr/bin/mh/inc (Severity - Medium) /usr/bin/mh/msgchk (Severity - Medium) /usr/sbin/imapd (Severity - Medium) /usr/bin/deliver (Severity - Medium) /sbin/.upd..loader (Severity - Medium) CDE - SSRT2193 /usr/dt/bin/mailcv (Severity - Medium) - SSRT2280 /usr/dt/bin/dtterm (Severity - Medium) - SSRT2282 /usr/dt/bin/dtsession (Severity - Medium) - SSRT2274 /usr/dt/bin/rpc.ttdbserverd (Severity - High) SSRT2251 X11 - SSRT2279 /usr/bin/X11/dxterm (Severity - Medium) - SSRT2275 /usr/bin/X11/dxconsole (Severity - Medium) /usr/bin/X11/dxpause (Severity - Medium) /usr/bin/X11/dxsysinfo (Severity - Medium) Networking - SSRT2340 /usr/sbin/telnetd (Severity - High) - SSRT2270 BIND resolver glibc (Severity - High) - SSRT2309 rpc XDR_ARRAY (Severity - High) 3) Engineering has integrated the SSRT2257 early release patches into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT2257 addressed the following potential security vulnerabilities: - SSRT2257 /usr/bin/su (Severity - High) - SSRT2190 /usr/bin/chsh (Severity - Medium) - SSRT2192 /usr/bin/passwd (Severity - Medium) - SSRT2259 /usr/bin/chfn (Severity - Medium) - SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium) The SSRT2275/SSRT2229 ERP kits can be used by customers who have and have not installed the ERPs for SSRT2257. The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the SSRT2257 ERPs. However, installation will be blocked if any other patches have been installed that affect the files delivered in the SSRT2257 ERPs. For more information regarding SSRT2257, see Security Bulletin, SSRT2257 HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit. 4) Engineering has integrated the SSRT-541/SSRTM541 ERPs into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT-541 addressed the following potential security vulnerabilities: - SSRT0752U dtaction - SSRT0753U ttsession - SSRT0757U dtprintinfo SSRT0788U - SSRT0782U dtspcd - SSRT0771U Environment Variable LANG and LOCPATH - SSRT0781U ypbind may core during nmap portscan - SSRT1-26 Potential packet flood denial of service The integrated ERP kits can be used by customers who have and have not installed the ERPs for SSRT-541/SSRTM541. The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the SSRT-541/SSRTM541 ERPs. However, installation will be blocked if any patches have been installed that affect the files delivered in the SSRT-541/SSRTM541 ERPs. For more information regarding SSRT-541/SSRTM541, see Security Bulletin, (SSRT-541/SSRTM541) Tru64 UNIX CDE, NFS and NIS related Potential Security Vulnerabilities. The Patch Kit Installation Instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches on your system. The patches in this ERP kit will also be available in the next mainstream patch kit - Tru64 UNIX 4.0G Patch Kit 4. INSTALLATION NOTES: 1) Install this kit with the dupatch utility that is included in the patch kit. You may need to baseline your system if you have manually changed system files on your system. The dupatch utility provides the baselining capability. 2) This ERP kit will NOT install over any installed Customer-Specific-Patches (CSPs) which have file intersections with this ERP kit. Contact your normal Service Provider for assistance if the installation of this ERP kit is blocked by any of your installed CSPs. 3) Some of the patches deliver updated static libraries. If you have applications that build against the affected static libraries you should relink those applications post-ERP installation. The following static libraries are updated if you have the static library subsets installed on your system: /usr/ccs/lib/libc.a OSFCMPLRS /usr/ccs/lib/libc_r.a OSFCMPLRS /usr/ccs/lib/libtermcap.a OSFPGMR /usr/ccs/lib/libtermlib.a OSFPGMR /usr/lib/libX11.a OSFXLIBA /usr/ccs/lib/libcurses.a OSFLIBA /usr/dt/lib/libDtSvc.a OSFCDEDEV /usr/dt/lib/libtt.a OSFCDEDEV /usr/lib/libXm.a OSFXLIBA INSTALLATION PREREQUISITES: You must have installed Tru64 UNIX 4.0G PK3 (BL17) prior to installing this Early Release Patch Kit. SUPERSEDED PATCH LIST: This patch kit supersedes the following Tru64 UNIX patches: 1) (SSRT-541) Potential Security Vulnerability CDE and NIS T64V40GB17-C0010303-14314-ES-20020515.tar 2) (SSRT2257) Potential Security Vulnerabilities due to Buffer Overflows T64V40GB17-C0010404-14948-ES-20020730.tar The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the patches from the superseded patch kits. However, installation will be blocked if any other patches have been installed that affect the files delivered in the above patch kits. KNOWN PROBLEMS WITH THE PATCH KIT: 1) This patch kit does not automatically supersede the following Tru64 UNIX patches: - Tru64 UNIX Security Vulnerability SSRT1-41U, SSRT0742U, SSRT0759U T64V40GB17-C0009303-12856-E-20020115.tar WORKAROUND: The csh in the SSRT2275 4.0G ERP kit contains the csh fixes included in the SSRT1-41U 4.0G ERP kit. The following workaround enables SSRT2275 patch 4.0G C104.10 to automatically supersede the SSRT1-41U patch 4.0G C93.03. As root: 1) untar T64V40GB17-C0010410-15273-ES-2002082 2) cd patch_kit/Tru64_UNIX_V4.0G/kit/instctrl 3) edit OSFPATC0019006445.ctrl replacing this line: PATCH_SUPERSEDE="OSFPATC0019000445" with this line: PATCH_SUPERSEDE="OSFPATC0019000445 OSFPATC0009303445" save the edits exit the file WARNING: do not make a copy of this file or do anything other file creation in this directory. If you want to make a copy of the original .ctrl file, copy it to a subdirectory in /tmp. 4) cd ../../../ 5) install the patch kit again RELEASE NOTES FOR T64V40GB17-C0010410-15273-ES-20020827: 1 Release Notes This Early Release Patch Kit Distribution contains: - fixes that resolve the problem(s) reported in: o SSRT-541 SSRT0752U SSRT0753U SSRT0757U SSRT0771U SSRT0781U SSRT0782U SSRT0788U SSRT0794U SSRT0796U SSRT1-26 SSRT2189 SSRT2190 SSRT2192 SSRT2193 SSRT2229 SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261 SSRT2262 SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280 SSRT2297 SSRT2309 * for Tru64 UNIX V4.0G T64V40GAS0003-20010613.tar (BL17) The patches in this kit are being released early for general customer use. Refer to the Release Notes for a summary of each patch and installation prerequisites. Patches in this kit are installed by running dupatch from the directory in which the kit was untarred. For example, as root on the target system: > mkdir -p /tmp/CSPkit1 > cd /tmp/CSPkit1 > > tar -xpvf DUV40D13-C0044900-1285-20000328.tar > cd patch_kit > ./dupatch 2 Special Instructions There are no special instructions for Tru64 UNIX V4.0G Patch C104.10 There are no special instructions for Tru64 UNIX V4.0G Patch C189.02 There are no special instructions for Tru64 UNIX V4.0G Patch C173.00 There are no special instructions for Tru64 UNIX V4.0G Patch C183.01 There are no special instructions for Tru64 UNIX V4.0G Patch C178.00 There are no special instructions for Tru64 UNIX V4.0G Patch C187.01 There are no special instructions for Tru64 UNIX V4.0G Patch C172.01 There are no special instructions for Tru64 UNIX V4.0G Patch C188.03 There are no special instructions for Tru64 UNIX V4.0G Patch C191.05 There are no special instructions for Tru64 UNIX V4.0G Patch C200.03 There are no special instructions for Tru64 UNIX V4.0G Patch C177.00 There are no special instructions for Tru64 UNIX V4.0G Patch C175.00 There are no special instructions for Tru64 UNIX V4.0G Patch C117.03 There are no special instructions for Tru64 UNIX V4.0G Patch C190.06 There are no special instructions for Tru64 UNIX V4.0G Patch C180.05 There are no special instructions for Tru64 UNIX V4.0G Patch C201.05 There are no special instructions for Tru64 UNIX V4.0G Patch C194.05 There are no special instructions for Tru64 UNIX V4.0G Patch C192.03 There are no special instructions for Tru64 UNIX V4.0G Patch C193.05 There are no special instructions for Tru64 UNIX V4.0G Patch C198.05 SPECIAL INSTRUCTIONS for Tru64 UNIX V4.0G Patch C103.07 - The patches in this kit REQUIRE installation of: Tru64 UNIX 4.0G Patch Kit 3 (T64V40GAS0003-20010613.tar). - Select all patches in this kit for installation. - The patches in this kit deliver files for mandatory and optional install Operating System subsets. The following patches from this ERP kit will install on all 4.0G systems when the mandatory-install OS subsets are installed AND the requisite 4.0G PK3 patches are installed: --------------------------------------------------------------------- Patch ID MANDATORY OS Subsets --------------------------------------------------------------------- C 104.03 OSFBASE OSFCMPLRS OSFCLINET The following patches from this ERP kit will install when the optionally-installed subsets AND requisite 4.0G PK3 patches are installed: --------------------------------------------------------------------- Patch ID OPTIONAL OS Subsets --------------------------------------------------------------------- C 103.03 OSFCDEMIN CDE Minimum Runtime Environment (Windowing Environment) C 105.03 OSFX11 Basic X Environment (Windowing Environment) C 139.01 OSFCDEDEV CDE Software Development and Programming Examples(Software Development) C 140.01 OSFX11A X Window and X/Motif Static Libraries C 144.01 OSFCDEDT CDE Desktop Environment (Windowing Environment) C 145.01 OSFCDEMAIL CDE Mail Interface (Mail Applications) There are no special instructions for Tru64 UNIX V4.0G Patch C144.05 There are no special instructions for Tru64 UNIX V4.0G Patch C145.05 There are no special instructions for Tru64 UNIX V4.0G Patch C139.04 There are no special instructions for Tru64 UNIX V4.0G Patch C105.06 There are no special instructions for Tru64 UNIX V4.0G Patch C140.04 3 Summary of CSPatches contained in this kit Tru64 UNIX V4.0G PatchId Summary Of Fix ---------------------------------------- C104.10 Fix for SSRT2257, 2190, 2192, 2259, 2262, M541, 2275, 2270 C189.02 Fix for SSRT2275, uux, uucp C173.00 Fix for SSRT2193, mailcv C183.01 Fix for SSRT2297, loader C178.00 Fix for SSRT2189, at C187.01 Fix for SSRT2251, SSRT2274, rpc.ttdbserverd C172.01 Fix for SSRT2256, ps C188.03 Fix for SSRT2280, dtterm C191.05 Fix for SSRT2275, libtermcap, libtermlib C200.03 Fix for SSRT2279, SSRT2280, dtterm, dxterm C177.00 Fix for SSRT2229, ping C175.00 Fix for SSRT0796U, binmail C117.03 Fix for SSRT0794U, ipcs C190.06 Fix for SSRT2275, csh C180.05 Fix for SSRT2260, lpq, lpr, lprm C201.05 Fix for SSRT2279, dxterm C194.05 Fix for SSRT2275, telnetd C192.03 Fix for SSRT2275, libcurses C193.05 Fix for SSRT2275, libcurses C198.05 Fix for SSRT2279 and SSRT2280, dtterm, dxterm C103.07 Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788 C144.05 Fixes for SSRT0752U & SSRT0753U. C145.05 Fixes for SSRT0752U & SSRT0753U. C139.04 Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788 C105.06 Fixes for SSRT0752U and SSRT0753U. C140.04 Fixes for SSRT0752U and SSRT0753U. 4 Additional information from Engineering None 5 Affected system files This patch delivers the following files: Tru64 UNIX V4.0G Patch C104.10 ./sbin/mount CHECKSUM: 55140 576 SUBSET: OSFBASE445 ./sbin/umount CHECKSUM: 57961 368 SUBSET: OSFBASE445 ./shlib/.upd..libc.so CHECKSUM: 29917 1634 SUBSET: OSFBASE445 ./shlib/.upd..libc_r.so CHECKSUM: 29917 1634 SUBSET: OSFBASE445 ./usr/bin/uptime CHECKSUM: 13844 376 SUBSET: OSFBASE445 ./usr/bin/w CHECKSUM: 13844 376 SUBSET: OSFBASE445 ./usr/ccs/lib/libc.a CHECKSUM: 37392 2021 SUBSET: OSFCMPLRS445 ./usr/ccs/lib/libc_r.a CHECKSUM: 37392 2021 SUBSET: OSFCMPLRS445 ./usr/sbin/runclass CHECKSUM: 52170 272 SUBSET: OSFBASE445 ./usr/sbin/ypbind CHECKSUM: 55484 504 SUBSET: OSFCLINET445 Patch C189.02 ./usr/bin/uucp CHECKSUM: 10889 656 SUBSET: OSFUUCP445 ./usr/bin/uux CHECKSUM: 06688 656 SUBSET: OSFUUCP445 ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat CHECKSUM: 58627 19 SUBSET: OSFUUCP445 Patch C173.00 ./usr/dt/bin/mailcv CHECKSUM: 18316 56 SUBSET: OSFCDEMAIL445 Patch C183.01 ./sbin/.upd..loader CHECKSUM: 63876 184 SUBSET: OSFBASE445 Patch C178.00 ./usr/bin/at CHECKSUM: 44001 72 SUBSET: OSFBASE445 Patch C187.01 ./usr/dt/bin/rpc.ttdbserverd CHECKSUM: 24388 424 SUBSET: OSFCDEMIN445 Patch C172.01 ./sbin/ps CHECKSUM: 05287 104 SUBSET: OSFBASE445 ./usr/bin/ps CHECKSUM: 12291 88 SUBSET: OSFBASE445 ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat CHECKSUM: 46700 2 SUBSET: OSFBASE445 Patch C188.03 ./usr/dt/bin/dtterm CHECKSUM: 43440 496 SUBSET: OSFCDEDT445 Patch C191.05 ./usr/ccs/lib/libtermcap.a CHECKSUM: 02447 12 SUBSET: OSFPGMR445 ./usr/ccs/lib/libtermlib.a CHECKSUM: 02447 12 SUBSET: OSFPGMR445 Patch C200.03 ./usr/lib/libX11.a CHECKSUM: 12049 1507 SUBSET: OSFXLIBA445 Patch C177.00 ./sbin/ping CHECKSUM: 13250 32 SUBSET: OSFCLINET445 ./usr/sbin/ping CHECKSUM: 34515 40 SUBSET: OSFCLINET445 Patch C175.00 ./usr/bin/binmail CHECKSUM: 58291 56 SUBSET: OSFBASE445 ./usr/bin/mail CHECKSUM: 58291 56 SUBSET: OSFBASE445 ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat CHECKSUM: 09023 3 SUBSET: OSFBASE445 Patch C117.03 ./usr/bin/ipcs CHECKSUM: 21481 40 SUBSET: OSFBASE445 Patch C190.06 ./usr/bin/csh CHECKSUM: 32388 304 SUBSET: OSFBASE445 Patch C180.05 ./usr/bin/lpq CHECKSUM: 64341 80 SUBSET: OSFPRINT445 ./usr/bin/lpr CHECKSUM: 17922 88 SUBSET: OSFPRINT445 ./usr/bin/lprm CHECKSUM: 23815 72 SUBSET: OSFPRINT445 ./usr/lbin/lpd CHECKSUM: 48095 160 SUBSET: OSFPRINT445 ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat CHECKSUM: 00169 15 SUBSET: OSFPRINT445 ./usr/sbin/lpc CHECKSUM: 06903 96 SUBSET: OSFPRINT445 Patch C201.05 ./usr/bin/X11/dxterm CHECKSUM: 43911 736 SUBSET: OSFX11445 Patch C194.05 ./usr/sbin/telnetd CHECKSUM: 19738 104 SUBSET: OSFCLINET445 Patch C192.03 ./usr/ccs/lib/libcurses.a CHECKSUM: 30616 656 SUBSET: OSFLIBA445 Patch C193.05 ./usr/shlib/libcurses.so CHECKSUM: 61925 512 SUBSET: OSFBASE445 Patch C198.05 ./usr/shlib/libVX11.so CHECKSUM: 50828 1384 SUBSET: OSFX11445 ./usr/shlib/libX11.so CHECKSUM: 64379 1352 SUBSET: OSFX11445 ./usr/shlib/libX11.so.pre.O3D CHECKSUM: 64379 1352 SUBSET: OSFX11445 Patch C103.07 ./usr/dt/lib/libDtSvc.so CHECKSUM: 54331 624 SUBSET: OSFCDEMIN445 ./usr/dt/lib/libtt.so CHECKSUM: 61453 1336 SUBSET: OSFCDEMIN445 ./usr/dt/lib/nls/msg/C/dt.cat CHECKSUM: 47757 8 SUBSET: OSFCDEMIN445 Patch C144.05 ./usr/dt/bin/dtcalc CHECKSUM: 07931 328 SUBSET: OSFCDEDT445 ./usr/dt/bin/dtcreate CHECKSUM: 01046 232 SUBSET: OSFCDEDT445 ./usr/dt/bin/dtsession CHECKSUM: 01075 216 SUBSET: OSFCDEDT445 Patch C145.05 ./usr/dt/bin/dtmail CHECKSUM: 32387 1368 SUBSET: OSFCDEMAIL445 Patch C139.04 ./usr/dt/lib/libDtSvc.a CHECKSUM: 57151 748 SUBSET: OSFCDEDEV445 ./usr/dt/lib/libtt.a CHECKSUM: 01104 1457 SUBSET: OSFCDEDEV445 Patch C105.06 ./usr/shlib/libXm.so CHECKSUM: 43133 2184 SUBSET: OSFX11445 Patch C140.04 ./usr/lib/libXm.a CHECKSUM: 05373 2334 SUBSET: OSFXLIBA445 [R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Copyright Hewlett-Packard Company 2002. All Rights reserved. This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor. This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.