TITLE: (SSRT2275, SSRT2229) Potential Security Vulnerabilities

Copyright (c) Hewlett-Packard Company 2002. All rights reserved.

PRODUCT:   Tru64 UNIX [R] 5.0A
SOURCE:    Hewlett-Packard Company

ECO INFORMATION:

  ECO Name:                   T64V50AB17-C0018406-15268-ES-20020827
  ECO Kit Approximate Size:   19MB
  Kit Applies To:             Tru64 UNIX 5.0A PK3 (BL17)

ECO Kit CHECKSUMS:

  /usr/bin/sum results:     21019 19430
  /usr/bin/cksum results:   1208166860 19896320
  MD5 results:              c39e765a0f379c0a67cadcbb61375f1c
  SHA1 results:             d726cf7e75ef40240e07a206d18955dadcd4580e

ECO KIT SUMMARY:

A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 5.0A
that contains solutions for the following potential security
vulnerabilities:

1) Under certain circumstances the potential vulnerability may result in
   a denial of service. This may be in the form of local security domain
   risks. The potential security vulnerability in the ping command has
   been corrected.

   - SSRT2229   /usr/sbin/ping (Severity - Medium)

2) Under certain circumstances the potential vulnerability may allow a
   non-privileged user to gain unauthorized (root) access by exploiting
   a buffer overflow condition. This may be in the form of local and
   remote security domain risks. The potential security vulnerability
   has been corrected.

   Basic Commands and Utilities

   - SSRT2277   /usr/bin/ypmatch (Severity - Medium)
   - SSRT2261   /usr/sbin/traceroute (Severity - Medium)
   - SSRT2260   /usr/sbin/lpc (Severity - Medium)
                /usr/bin/lprm
                /usr/bin/lpq
                /usr/bin/lpr
                /usr/lbin/lpd
   - SSRT0796U  /usr/bin/binmail (Severity - Medium)
   - SSRT0794U  /usr/bin/ipcs (Severity - Medium)
   - SSRT2191   /usr/sbin/quot (Severity - Medium)
   - SSRT2189   /usr/bin/at (Severity - Medium)
   - SSRT2256   /usr/bin/ps (Severity - Medium)
   - SSRT2275   /usr/bin/uux (Severity - Medium)
                /usr/bin/uucp (Severity - Medium)
                /usr/bin/csh (Severity - Medium)
                /usr/bin/rdist (Severity - Medium)
                /usr/bin/mh/inc (Severity - Medium)
                /usr/bin/mh/msgchk (Severity - Medium)
                /usr/sbin/imapd (Severity - Medium)
                /usr/bin/deliver (Severity - Medium)
                /sbin/.upd..loader (Severity - Medium)

   CDE

   - SSRT2193   /usr/dt/bin/mailcv (Severity - Medium)
   - SSRT2280   /usr/dt/bin/dtterm (Severity - Medium)
   - SSRT2282   /usr/dt/bin/dtsession (Severity - Medium)
   - SSRT2274   /usr/dt/bin/rpc.ttdbserverd (Severity - High)
     SSRT2251

   X11

   - SSRT2279   /usr/bin/X11/dxterm (Severity - Medium)
   - SSRT2275   /usr/bin/X11/dxconsole (Severity - Medium)
                /usr/bin/X11/dxpause (Severity - Medium)
                /usr/bin/X11/dxsysinfo (Severity - Medium)

   Networking

   - SSRT2340   /usr/sbin/telnetd (Severity - High)
   - SSRT2270   BIND resolver glibc (Severity - High)
   - SSRT2309   rpc XDR_ARRAY (Severity - High)

3) Engineering has integrated the SSRT2257 early release patches into
   the SSRT2275/SSRT2229 ERP kits, because both need to update libc.
   SSRT2257 addressed the following potential security vulnerabilities:

   - SSRT2257   /usr/bin/su (Severity - High)
   - SSRT2190   /usr/bin/chsh (Severity - Medium)
   - SSRT2192   /usr/bin/passwd (Severity - Medium)
   - SSRT2259   /usr/bin/chfn (Severity - Medium)
   - SSRT2262   /usr/tcb/bin/dxchpwd (Severity - Medium)

   The SSRT2275/SSRT2229 ERP kits can be used by customers who have and
   have not installed the ERPs for SSRT2257. The patches in the
   SSRT2275/SSRT2229 ERP kits are built so they will install over the
   SSRT2257 ERPs. However, installation will be blocked if any other
   patches have been installed that affect the files delivered in the
   SSRT2257 ERPs.

   For more information regarding SSRT2257, see Security Bulletin
   SSRT2257, "HP Tru64 UNIX /usr/bin/su buffer overflow potential
   exploit".

4) Engineering has integrated the SSRT-541/SSRTM541 ERPs into the
   SSRT2275/SSRT2229 ERP kits, because both need to update libc.
   SSRT-541 addressed the following potential security vulnerabilities:

   - SSRT0752U  dtaction
   - SSRT0753U  ttsession
   - SSRT0757U  dtprintinfo
     SSRT0788U
   - SSRT0782U  dtspcd
   - SSRT0771U  Environment Variable LANG and LOCPATH
   - SSRT0781U  ypbind may core during nmap portscan
   - SSRT1-26   Potential packet flood denial of service

   The integrated ERP kits can be used by customers who have and have
   not installed the ERPs for SSRT-541/SSRTM541. The patches in the
   SSRT2275/SSRT2229 ERP kits are built so they will install over the
   SSRT-541/SSRTM541 ERPs. However, installation will be blocked if any
   other patches have been installed that affect the files delivered in
   the SSRT-541/SSRTM541 ERPs.

   For more information regarding SSRT-541/SSRTM541, see Security
   Bulletin (SSRT-541/SSRTM541), "Tru64 UNIX CDE, NFS and NIS related
   Potential Security Vulnerabilities".

The Patch Kit Installation Instructions and the Patch Summary and
Release Notes documents provide patch kit installation and removal
instructions and a summary of each patch. Please read these documents
prior to installing patches on your system.

The patches in this ERP kit will also be available in the next
mainstream patch kit, Tru64 UNIX 5.0A Patch Kit 4.

INSTALLATION NOTES:

1) Install this kit with the dupatch utility that is included in the
   patch kit. You may need to baseline your system if you have manually
   changed system files on your system. The dupatch utility provides the
   baselining capability.

2) This ERP kit will NOT install over any installed Customer-Specific
   Patches (CSPs) which have file intersections with this ERP kit.
   Contact your normal Service Provider for assistance if the
   installation of this ERP kit is blocked by any of your installed
   CSPs.

3) Some of the patches deliver updated static libraries. If you have
   applications that build against the affected static libraries, you
   should relink those applications after the ERP installation. The
   following static libraries are updated if you have the static library
   subsets installed on your system:

     /usr/ccs/lib/libc.a          OSFCMPLRS
     /usr/ccs/lib/libc_r.a        OSFCMPLRS
     /usr/ccs/lib/libtermcap.a    OSFPGMR
     /usr/ccs/lib/libtermlib.a    OSFPGMR
     /usr/lib/libICE.a            OSFXLIBA
     /usr/lib/libX11.a            OSFXLIBA
     /usr/lib/libXmu.a            OSFXLIBA
     /usr/lib/libXt.a             OSFXLIBA
     /usr/lib/libXm.a             OSFXLIBA
     /usr/ccs/lib/libfilsys.a     OSFLIBA
     /usr/ccs/lib/libcurses.a     OSFLIBA
     /usr/dt/lib/libDtSvc.a       OSFCDEDEV
     /usr/dt/lib/libtt.a          OSFCDEDEV

INSTALLATION PREREQUISITES:

You must have installed Tru64 UNIX 5.0A PK3 (BL17) prior to installing
this Early Release Patch Kit.

SUPERSEDED PATCH LIST:

This patch kit supersedes the following Tru64 UNIX patch kits:

1) (SSRT-541) Potential Security Vulnerability CDE and NIS
   T64V50AB17-C0018303-14330-ES-20020516.tar

2) (SSRT2257) Potential Security Vulnerabilities due to Buffer Overflows
   T64V50AB17-C0018404-14949-ES-20020730.tar

The patches in the SSRT2275/SSRT2229 ERP kits are built so they will
install over the patches from the superseded patch kits. However,
installation will be blocked if any other patches have been installed
that affect the files delivered in the above patch kits.

KNOWN PROBLEMS WITH THE PATCH KIT:

1) This patch kit does not automatically supersede the following Tru64
   UNIX patches:

   - Tru64 UNIX Security Vulnerability SSRT1-41U, SSRT0742U, SSRT0759U
     T64V50AB17-C0017601-12862-E-20020115.tar

   The csh in the SSRT2275 5.0A ERP kit contains the csh fixes included
   in the SSRT1-41U 5.0A ERP kit.
   The following workaround enables SSRT2275 patch 5.0A C226.01 to
   automatically supersede the SSRT1-41U patch 5.0A C176.01.

   WORKAROUND:

   As root:

   1) untar T64V50AB17-C0018406-15268-ES-20020827.tar

   2) cd patch_kit/Tru64_UNIX_V5.0A/kit/instctrl

   3) edit OSFPATC0022601505.ctrl, replacing this line:

        PATCH_SUPERSEDE="OSFPATC0022600505"

      with this line:

        PATCH_SUPERSEDE="OSFPATC0022600505 OSFPATC0017601505"

      save the edits and exit the file.

      WARNING: do not make a copy of this file or do any other file
      creation in this directory. If you want to make a copy of the
      original .ctrl file, copy it to a subdirectory in /tmp.

   4) cd ../../../

   5) install the patch kit again

RELEASE NOTES FOR T64V50AB17-C0018406-15268-ES-20020827:

1 Release Notes

This Early Release Patch Kit Distribution contains:

  - fixes that resolve the problem(s) reported in:

    o SSRT-541 SSRT0752U SSRT0753U SSRT0757U SSRT0771U SSRT0781U
      SSRT0782U SSRT0788U SSRT0794U SSRT0796U SSRT1-26 SSRT2189
      SSRT2190 SSRT2191 SSRT2192 SSRT2193 SSRT2229 SSRT2251 SSRT2256
      SSRT2257 SSRT2259 SSRT2260 SSRT2261 SSRT2262 SSRT2270 SSRT2274
      SSRT2275 SSRT2277 SSRT2279 SSRT2280 SSRT2297 SSRT2309

  * for Tru64 UNIX V5.0A T64V50AAS0003-20010523.tar (BL17)

The patches in this kit are being released early for general customer
use. Refer to the Release Notes for a summary of each patch and
installation prerequisites.

Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred.
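As an added illustration (this script is not part of the HP bulletin or of the kit), the two checks a practitioner would script around the ECO Kit CHECKSUMS above and the PATCH_SUPERSEDE workaround in KNOWN PROBLEMS: the first compares a downloaded kit against the published /usr/bin/cksum line, the second applies the .ctrl edit without creating any extra file in the instctrl directory. It assumes POSIX cksum, sed and mktemp; the function names and the staging of the edited text under /tmp are this example's own choices.

```shell
#!/bin/sh
# Added example, not HP's code: verify the ECO kit tarball and apply the
# PATCH_SUPERSEDE workaround from the KNOWN PROBLEMS section.
# Assumes POSIX cksum, sed and mktemp.
set -u

# verify_kit FILE EXPECTED_CRC EXPECTED_SIZE
# Compares the POSIX cksum CRC and byte count of FILE with the values
# published in the bulletin. Any mismatch means the kit is not the one HP
# released (corrupt download or tampering): do not feed it to dupatch.
verify_kit() {
    file=$1; want_crc=$2; want_size=$3
    set -- $(cksum "$file" 2>/dev/null)      # fields: crc size name
    [ $# -ge 2 ] || { echo "cannot checksum $file" >&2; return 1; }
    if [ "$1" = "$want_crc" ] && [ "$2" = "$want_size" ]; then
        echo "OK: $file matches cksum $want_crc $want_size"
        return 0
    fi
    echo "MISMATCH: $file has cksum $1 $2, expected $want_crc $want_size" >&2
    return 1
}

# add_supersede CTRL_FILE OLD_ID NEW_ID
# Rewrites PATCH_SUPERSEDE="OLD_ID" as PATCH_SUPERSEDE="OLD_ID NEW_ID".
# The bulletin warns against creating any file in instctrl, so the edited
# text is staged under /tmp and then written back over the original.
# Returns 1 (file untouched) if the expected line is not present, which
# also makes the function safe to re-run.
add_supersede() {
    ctrl=$1; old_id=$2; new_id=$3
    grep -q "^PATCH_SUPERSEDE=\"$old_id\"\$" "$ctrl" || {
        echo "expected PATCH_SUPERSEDE line not found in $ctrl; leaving it untouched" >&2
        return 1
    }
    tmp=$(mktemp /tmp/ctrl.XXXXXX) || return 1
    sed "s/^PATCH_SUPERSEDE=\"$old_id\"\$/PATCH_SUPERSEDE=\"$old_id $new_id\"/" \
        "$ctrl" > "$tmp" && cat "$tmp" > "$ctrl"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage with the values from this bulletin, run as root from the directory
# holding the downloaded kit (uncomment after untarring the kit):
# verify_kit T64V50AB17-C0018406-15268-ES-20020827.tar 1208166860 19896320 &&
#   add_supersede patch_kit/Tru64_UNIX_V5.0A/kit/instctrl/OSFPATC0022601505.ctrl \
#       OSFPATC0022600505 OSFPATC0017601505
```

Once both functions have returned 0, run dupatch from the unpacked kit directory as the release notes describe.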
For example, as root on the target system:

  > mkdir -p /tmp/CSPkit1
  > cd /tmp/CSPkit1
  >
  > tar -xpvf DUV40D13-C0044900-1285-20000328.tar
  > cd patch_kit
  > ./dupatch

2 Special Instructions

There are no special instructions for Tru64 UNIX V5.0A Patch C184.06
There are no special instructions for Tru64 UNIX V5.0A Patch C225.01
There are no special instructions for Tru64 UNIX V5.0A Patch C212.00
There are no special instructions for Tru64 UNIX V5.0A Patch C220.01
There are no special instructions for Tru64 UNIX V5.0A Patch C214.00
There are no special instructions for Tru64 UNIX V5.0A Patch C217.00
There are no special instructions for Tru64 UNIX V5.0A Patch C222.01
There are no special instructions for Tru64 UNIX V5.0A Patch C210.01
There are no special instructions for Tru64 UNIX V5.0A Patch C224.01
There are no special instructions for Tru64 UNIX V5.0A Patch C227.01
There are no special instructions for Tru64 UNIX V5.0A Patch C233.01
There are no special instructions for Tru64 UNIX V5.0A Patch C215.00
There are no special instructions for Tru64 UNIX V5.0A Patch C213.00
There are no special instructions for Tru64 UNIX V5.0A Patch C194.03
There are no special instructions for Tru64 UNIX V5.0A Patch C226.01
There are no special instructions for Tru64 UNIX V5.0A Patch C218.02
There are no special instructions for Tru64 UNIX V5.0A Patch C234.01
There are no special instructions for Tru64 UNIX V5.0A Patch C230.00
There are no special instructions for Tru64 UNIX V5.0A Patch C231.01
There are no special instructions for Tru64 UNIX V5.0A Patch C228.01
There are no special instructions for Tru64 UNIX V5.0A Patch C229.01
There are no special instructions for Tru64 UNIX V5.0A Patch C235.01

SPECIAL INSTRUCTIONS for Tru64 UNIX V5.0A Patch C183.06

  - The patches in this kit REQUIRE installation of:
    Tru64 UNIX 5.0A Patch Kit 3 (T64V50AAS0003-20010523.tar).

  - Select all patches in this kit for installation.

  - The patches in this kit deliver files for mandatory and optional
    install Operating System subsets. The following patches from this
    ERP kit will install on all 5.0A systems when the mandatory-install
    OS subsets are installed AND the requisite 5.0A PK3 patches are
    installed:

    ---------------------------------------------------------------------
    Patch ID     MANDATORY OS Subsets
    ---------------------------------------------------------------------
    C 183.06     OSFCDEMIN
    C 184.06     OSFBASE OSFCMPLRS OSFCLINET
    C 185.06     OSFX11

    The following patches from this ERP kit will install when the
    optionally-installed subsets AND requisite 5.0A PK3 patches are
    installed:

    ---------------------------------------------------------------------
    Patch ID     OPTIONAL OS Subsets
    ---------------------------------------------------------------------
    C 202.04     OSFCDEDEV    CDE Software Development and Programming
                              Examples (Software Development)
    C 203.04     OSFXLIBA     X Window and X/Motif Static Libraries
    C 204.03     OSFCDEDT     CDE Desktop Environment (Windowing Environment)
    C 205.03     OSFCDEMAIL   CDE Mail Interface (Mail Applications)

There are no special instructions for Tru64 UNIX V5.0A Patch C185.06
There are no special instructions for Tru64 UNIX V5.0A Patch C202.04
There are no special instructions for Tru64 UNIX V5.0A Patch C204.03
There are no special instructions for Tru64 UNIX V5.0A Patch C205.03
There are no special instructions for Tru64 UNIX V5.0A Patch C203.04

3 Summary of CSPatches contained in this kit

Tru64 UNIX V5.0A

PatchId     Summary Of Fix
----------------------------------------
C184.06     Fix for SSRT2257, 2190, 2192, 2259, 2262, M541
C225.01     Fix for SSRT2275, uux, uucp
C212.00     Fix for SSRT2193, mailcv
C220.01     Fix for SSRT2297, loader
C214.00     Fix for SSRT2191, quot
C217.00     Fix for SSRT2189, at
C222.01     Fix for SSRT2251, SSRT2274, rpc.ttdbserverd
C210.01     Fix for SSRT2256, ps
C224.01     Fix for SSRT2280, dtterm
C227.01     Fix for SSRT2275, libtermcap, libtermlib
C233.01     Fix for SSRT2279, SSRT2280, dtterm, dxterm
C215.00     Fix for SSRT2229, ping
C213.00     Fix for SSRT0796U, binmail
C194.03     Fix for SSRT0794U, ipcs
C226.01     Fix for SSRT2275, csh
C218.02     Fix for SSRT2260, lpq, lpr, lprm
C234.01     Fix for SSRT2279, dxterm
C230.00     Fix for SSRT2191, quot
C231.01     Fix for SSRT2275, telnetd
C228.01     Fix for SSRT2275, libcurses
C229.01     Fix for SSRT2275, libcurses
C235.01     Fix for SSRT2279, SSRT2280, dxterm, dtterm
C183.06     Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788
C185.06     Fixes for SSRT0752U and SSRT0753U.
C202.04     Fixes for SSRT0752, SSRT0753, SSRT0757, SSRT0782, SSRT0788
C204.03     Fixes for SSRT0752U & SSRT0753U.
C205.03     Fixes for SSRT0752U & SSRT0753U.
C203.04     Fixes for SSRT0752U and SSRT0753U.

4 Additional information from Engineering

None

5 Affected system files

This patch delivers the following files:

Tru64 UNIX V5.0A

Patch C184.06
  ./sbin/mount                                   CHECKSUM: 25142 740    SUBSET: OSFBASE505
  ./sbin/umount                                  CHECKSUM: 25847 397    SUBSET: OSFBASE505
  ./shlib/.upd..libc.so                          CHECKSUM: 16422 1851   SUBSET: OSFBASE505
  ./shlib/.upd..libc_r.so                        CHECKSUM: 16422 1851   SUBSET: OSFBASE505
  ./usr/bin/uptime                               CHECKSUM: 13691 478    SUBSET: OSFBASE505
  ./usr/bin/w                                    CHECKSUM: 13691 478    SUBSET: OSFBASE505
  ./usr/ccs/lib/libc.a                           CHECKSUM: 05438 2306   SUBSET: OSFCMPLRS505
  ./usr/ccs/lib/libc_r.a                         CHECKSUM: 05438 2306   SUBSET: OSFCMPLRS505
  ./usr/sbin/runclass                            CHECKSUM: 17910 388    SUBSET: OSFBASE505
  ./usr/sbin/ypbind                              CHECKSUM: 24930 532    SUBSET: OSFCLINET505

Patch C225.01
  ./usr/bin/uucp                                 CHECKSUM: 28682 821    SUBSET: OSFUUCP505
  ./usr/bin/uux                                  CHECKSUM: 23372 792    SUBSET: OSFUUCP505
  ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat     CHECKSUM: 58627 19     SUBSET: OSFUUCP505

Patch C212.00
  ./usr/dt/bin/mailcv                            CHECKSUM: 46504 124    SUBSET: OSFCDEMAIL505

Patch C220.01
  ./sbin/.upd..loader                            CHECKSUM: 04857 190    SUBSET: OSFBASE505

Patch C214.00
  ./shlib/libfilsys.so                           CHECKSUM: 49727 39     SUBSET: OSFBASE505

Patch C217.00
  ./usr/bin/at                                   CHECKSUM: 63251 77     SUBSET: OSFBASE505

Patch C222.01
  ./usr/dt/bin/rpc.ttdbserverd                   CHECKSUM: 36764 429    SUBSET: OSFCDEMIN505

Patch C210.01
  ./sbin/ps                                      CHECKSUM: 25503 105    SUBSET: OSFBASE505
  ./usr/bin/ps                                   CHECKSUM: 49075 86     SUBSET: OSFBASE505
  ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat       CHECKSUM: 46700 2      SUBSET: OSFBASE505

Patch C224.01
  ./usr/dt/bin/dtterm                            CHECKSUM: 63814 492    SUBSET: OSFCDEMIN505

Patch C227.01
  ./usr/ccs/lib/libtermcap.a                     CHECKSUM: 65048 12     SUBSET: OSFPGMR505
  ./usr/ccs/lib/libtermlib.a                     CHECKSUM: 65048 12     SUBSET: OSFPGMR505

Patch C233.01
  ./usr/lib/libICE.a                             CHECKSUM: 56386 132    SUBSET: OSFXLIBA505
  ./usr/lib/libX11.a                             CHECKSUM: 40078 1535   SUBSET: OSFXLIBA505
  ./usr/lib/libXmu.a                             CHECKSUM: 17940 127    SUBSET: OSFXLIBA505
  ./usr/lib/libXt.a                              CHECKSUM: 00181 627    SUBSET: OSFXLIBA505

Patch C215.00
  ./sbin/ping                                    CHECKSUM: 39107 33     SUBSET: OSFCLINET505
  ./usr/sbin/ping                                CHECKSUM: 21192 39     SUBSET: OSFCLINET505

Patch C213.00
  ./usr/bin/binmail                              CHECKSUM: 43490 49     SUBSET: OSFBASE505
  ./usr/bin/mail                                 CHECKSUM: 43490 49     SUBSET: OSFBASE505
  ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat  CHECKSUM: 00159 3      SUBSET: OSFBASE505

Patch C194.03
  ./usr/bin/ipcs                                 CHECKSUM: 58516 37     SUBSET: OSFBASE505

Patch C226.01
  ./usr/bin/csh                                  CHECKSUM: 55831 303    SUBSET: OSFBASE505

Patch C218.02
  ./usr/bin/lpq                                  CHECKSUM: 65209 80     SUBSET: OSFPRINT505
  ./usr/bin/lpr                                  CHECKSUM: 01403 88     SUBSET: OSFPRINT505
  ./usr/bin/lprm                                 CHECKSUM: 18796 79     SUBSET: OSFPRINT505
  ./usr/lbin/lpd                                 CHECKSUM: 14687 176    SUBSET: OSFPRINT505
  ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat  CHECKSUM: 52778 17     SUBSET: OSFPRINT505
  ./usr/sbin/lpc                                 CHECKSUM: 47911 106    SUBSET: OSFPRINT505

Patch C234.01
  ./usr/bin/X11/dxterm                           CHECKSUM: 18144 729    SUBSET: OSFX11505

Patch C230.00
  ./usr/ccs/lib/libfilsys.a                      CHECKSUM: 06966 25     SUBSET: OSFLIBA505

Patch C231.01
  ./usr/sbin/telnetd                             CHECKSUM: 18205 97     SUBSET: OSFCLINET505

Patch C228.01
  ./usr/ccs/lib/libcurses.a                      CHECKSUM: 15175 657    SUBSET: OSFLIBA505

Patch C229.01
  ./usr/shlib/libcurses.so                       CHECKSUM: 17995 508    SUBSET: OSFBASE505

Patch C235.01
  ./usr/shlib/libICE.so                          CHECKSUM: 45117 138    SUBSET: OSFX11505
  ./usr/shlib/libX11.so                          CHECKSUM: 30938 1356   SUBSET: OSFX11505
  ./usr/shlib/libXmu.so                          CHECKSUM: 42300 130    SUBSET: OSFX11505
  ./usr/shlib/libXt.so                           CHECKSUM: 46172 584    SUBSET: OSFX11505

Patch C183.06
  ./usr/dt/lib/libDtSvc.so                       CHECKSUM: 08340 625    SUBSET: OSFCDEMIN505
  ./usr/dt/lib/libtt.so                          CHECKSUM: 39840 1351   SUBSET: OSFCDEMIN505
  ./usr/dt/lib/nls/msg/C/dt.cat                  CHECKSUM: 49805 8      SUBSET: OSFCDEMIN505

Patch C185.06
  ./usr/shlib/libXm.so                           CHECKSUM: 58613 2187   SUBSET: OSFX11505

Patch C202.04
  ./usr/dt/lib/libDtSvc.a                        CHECKSUM: 39387 760    SUBSET: OSFCDEDEV505
  ./usr/dt/lib/libtt.a                           CHECKSUM: 01471 1476   SUBSET: OSFCDEDEV505

Patch C204.03
  ./usr/dt/bin/dtcalc                            CHECKSUM: 16106 325    SUBSET: OSFCDEDT505
  ./usr/dt/bin/dtcreate                          CHECKSUM: 53515 231    SUBSET: OSFCDEDT505
  ./usr/dt/bin/dtsession                         CHECKSUM: 08623 205    SUBSET: OSFCDEDT505

Patch C205.03
  ./usr/dt/bin/dtmail                            CHECKSUM: 08333 1411   SUBSET: OSFCDEMAIL505

Patch C203.04
  ./usr/lib/libXm.a                              CHECKSUM: 10292 2341   SUBSET: OSFXLIBA505

[R] UNIX is a registered trademark in the United States and other
countries licensed exclusively through X/Open Company Limited.

Copyright Hewlett-Packard Company 2002. All Rights reserved.

This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this software
and media is authorized only pursuant to a valid written license from
Hewlett-Packard or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Hewlett-Packard makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up of data
used in conjunction with this ECO/workaround.