TITLE: SSRT2275__SSRT2229 Potential Security Vulnerabilities

Copyright (c) Hewlett-Packard Company 2002. All rights reserved.

PRODUCT: Tru64 UNIX [R] 5.1A

SOURCE: Hewlett-Packard Company

ECO INFORMATION:

    ECO Name:                   T64V51AB2-C0041402-15271-ES-20020827
    ECO Kit Approximate Size:   14MB
    Kit Applies To:             Tru64 UNIX 5.1A PK2 (BL2)

ECO Kit CHECKSUMS:

    /usr/bin/sum results:    26606 13640
    /usr/bin/cksum results:  1596349806 13967360
    MD5 results:             e7f20b173b1d92d52a8f153aa6d4de72
    SHA1 results:            fd114bc14f4f4306ad7211d90db3e025243c01d0

ECO KIT SUMMARY:

A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 5.1A
that contains solutions for the following potential security
vulnerabilities:

1) Under certain circumstances the potential vulnerability may result
   in a denial of service. This may be in the form of local security
   domain risks. The potential security vulnerability in the ping
   command has been corrected.

   - SSRT2229   /usr/sbin/ping                   (Severity - Medium)

2) Under certain circumstances the potential vulnerability may allow a
   non-privileged user to gain unauthorized (root) access by exploiting
   a buffer overflow condition. This may be in the form of local and
   remote security domain risks. The potential security vulnerability
   has been corrected.

   Basic Commands and Utilities

   - SSRT2277   /usr/bin/ypmatch                 (Severity - Medium)
   - SSRT2261   /usr/sbin/traceroute             (Severity - Medium)
   - SSRT2260   /usr/sbin/lpc                    (Severity - Medium)
                /usr/bin/lprm
                /usr/bin/lpq
                /usr/bin/lpr
                /usr/lbin/lpd
   - SSRT0796U  /usr/bin/binmail                 (Severity - Medium)
   - SSRT0794U  /usr/bin/ipcs                    (Severity - Medium)
   - SSRT2191   /usr/sbin/quot                   (Severity - Medium)
   - SSRT2189   /usr/bin/at                      (Severity - Medium)
   - SSRT2256   /usr/bin/ps                      (Severity - Medium)
   - SSRT2275   /usr/bin/uux                     (Severity - Medium)
                /usr/bin/uucp                    (Severity - Medium)
                /usr/bin/csh                     (Severity - Medium)
                /usr/bin/rdist                   (Severity - Medium)
                /usr/bin/mh/inc                  (Severity - Medium)
                /usr/bin/mh/msgchk               (Severity - Medium)
                /usr/sbin/imapd                  (Severity - Medium)
                /usr/bin/deliver                 (Severity - Medium)
                /sbin/.upd..loader               (Severity - Medium)

   CDE

   - SSRT2193   /usr/dt/bin/mailcv               (Severity - Medium)
   - SSRT2280   /usr/dt/bin/dtterm               (Severity - Medium)
   - SSRT2282   /usr/dt/bin/dtsession            (Severity - Medium)
   - SSRT2274   /usr/dt/bin/rpc.ttdbserverd      (Severity - High)
     SSRT2251

   X11

   - SSRT2279   /usr/bin/X11/dxterm              (Severity - Medium)
   - SSRT2275   /usr/bin/X11/dxconsole           (Severity - Medium)
                /usr/bin/X11/dxpause             (Severity - Medium)
                /usr/bin/X11/dxsysinfo           (Severity - Medium)

   Networking

   - SSRT2340   /usr/sbin/telnetd                (Severity - High)
   - SSRT2270   BIND resolver glibc              (Severity - High)
   - SSRT2309   rpc XDR_ARRAY                    (Severity - High)

3) Engineering has integrated the SSRT2257 early release patches into
   the SSRT2275/SSRT2229 ERP kits, because both need to update libc.
   SSRT2257 addressed the following potential security vulnerabilities:

   - SSRT2257   /usr/bin/su                      (Severity - High)
   - SSRT2190   /usr/bin/chsh                    (Severity - Medium)
   - SSRT2192   /usr/bin/passwd                  (Severity - Medium)
   - SSRT2259   /usr/bin/chfn                    (Severity - Medium)
   - SSRT2262   /usr/tcb/bin/dxchpwd             (Severity - Medium)

   The SSRT2275/SSRT2229 ERP kits can be used by customers who have and
   have not installed the ERPs for SSRT2257.
The patches in the SSRT2275/SSRT2229 ERP kits are built so they will
install over the SSRT2257 ERPs. However, installation will be blocked
if any other patches have been installed that affect the files
delivered in the SSRT2257 ERPs.

For more information regarding SSRT2257, see Security Bulletin
SSRT2257, HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit.

The Patch Kit Installation Instructions and the Patch Summary and
Release Notes documents provide patch kit installation and removal
instructions and a summary of each patch. Please read these documents
prior to installing patches on your system.

The patches in this ERP kit will also be available in the next
mainstream patch kit - Tru64 UNIX 5.1A Patch Kit 4.

INSTALLATION NOTES:

1) Install this kit with the dupatch utility that is included in the
   patch kit. You may need to baseline your system if you have manually
   changed system files on your system. The dupatch utility provides
   the baselining capability.

2) This ERP kit will NOT install over any installed
   Customer-Specific-Patches (CSPs) which have file intersections with
   this ERP kit. Contact your normal Service Provider for assistance if
   the installation of this ERP kit is blocked by any of your installed
   CSPs.

3) Some of the patches deliver updated static libraries. If you have
   applications that build against the affected static libraries you
   should relink those applications post-ERP installation. The
   following static libraries are updated if you have the static
   library subsets installed on your system:

       /usr/ccs/lib/libc.a          OSFCMPLRS
       /usr/ccs/lib/libc_r.a        OSFCMPLRS
       /usr/ccs/lib/libtermcap.a    OSFPGMR
       /usr/ccs/lib/libtermlib.a    OSFPGMR
       /usr/ccs/lib/libfilsys.a     OSFLIBA
       /usr/ccs/lib/libcurses.a     OSFLIBA
       /usr/lib/libX11.a            OSFXLIBA
       /usr/lib/libXt.a             OSFXLIBA

INSTALLATION PREREQUISITES:

You must have installed Tru64 UNIX 5.1A PK2 (BL2) prior to installing
this Early Release Patch Kit.
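Before handing the kit to dupatch (installation note 1), the downloaded
archive should be checked against the values in the ECO Kit CHECKSUMS
section so that a truncated or corrupted download is caught before it
touches libc and setuid binaries. The script below is an added example,
not part of the HP bulletin or of the kit itself. It assumes GNU
coreutils style tools (cksum, md5sum, sha1sum) on the host where the kit
was downloaded, and it assumes the kit is saved under the ECO name with
a .tar suffix (the bulletin gives the name without one). The
/usr/bin/sum value is deliberately not checked, because sum's block
size and algorithm vary between implementations; cksum (CRC plus byte
count), MD5 and SHA1 together are sufficient to detect corruption.

```shell
#!/bin/sh
# Added example (not from the HP bulletin): verify a downloaded ECO kit
# against the checksums published in the ECO Kit CHECKSUMS section
# before running dupatch.

# Expected values for T64V51AB2-C0041402-15271-ES-20020827, copied from
# the bulletin.  The kit filename with a .tar suffix is an assumption.
KIT_FILE="T64V51AB2-C0041402-15271-ES-20020827.tar"
KIT_CKSUM="1596349806 13967360"
KIT_MD5="e7f20b173b1d92d52a8f153aa6d4de72"
KIT_SHA1="fd114bc14f4f4306ad7211d90db3e025243c01d0"

# verify_digests FILE EXPECTED_CKSUM EXPECTED_MD5 EXPECTED_SHA1
#   Computes cksum (CRC and byte count), MD5 and SHA1 of FILE and compares
#   each with the expected value.  Returns 0 only when all three match,
#   1 on any mismatch, 2 if the file is unreadable.  Every mismatch is
#   reported on stderr, so a truncated download (byte count differs) is
#   distinguishable from a corrupted one (byte count matches, digests do
#   not).
verify_digests() {
    f=$1 exp_cksum=$2 exp_md5=$3 exp_sha1=$4
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    got_cksum=$(cksum "$f" | awk '{print $1, $2}')
    got_md5=$(md5sum "$f" | awk '{print $1}')
    got_sha1=$(sha1sum "$f" | awk '{print $1}')

    rc=0
    [ "$got_cksum" = "$exp_cksum" ] ||
        { echo "cksum mismatch: got '$got_cksum', expected '$exp_cksum'" >&2; rc=1; }
    [ "$got_md5" = "$exp_md5" ] ||
        { echo "MD5 mismatch: got $got_md5, expected $exp_md5" >&2; rc=1; }
    [ "$got_sha1" = "$exp_sha1" ] ||
        { echo "SHA1 mismatch: got $got_sha1, expected $exp_sha1" >&2; rc=1; }
    return $rc
}

# verify_kit [FILE]: check the SSRT2275/SSRT2229 kit (default: KIT_FILE).
verify_kit() {
    verify_digests "${1:-$KIT_FILE}" "$KIT_CKSUM" "$KIT_MD5" "$KIT_SHA1"
}

# When run as a script: verify the kit named on the command line and
# exit non-zero on any mismatch so a wrapper script will not untar it.
if [ $# -gt 0 ]; then
    if verify_kit "$1"; then
        echo "$1: all checksums match; proceed to untar and run dupatch"
    else
        echo "$1: checksum verification FAILED; do not install" >&2
        exit 1
    fi
fi
```

Usage on the download host: `sh verify_kit.sh T64V51AB2-C0041402-15271-ES-20020827.tar`
(the script filename is arbitrary). The expected values are copied from
the bulletin into the script, so the check detects a damaged or
substituted kit file, not a tampered bulletin; take the expected values
from a copy of the bulletin obtained through HP's own distribution
channel rather than from the same download location as the kit.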
SUPERSEDED PATCH LIST:

This patch kit supersedes the following Tru64 UNIX patch kits:

1) (SSRT2257) Potential Security Vulnerabilities due to Buffer Overflows
   T64V51AB2-C0041400-14950-ES-20020730.tar

The patches in the SSRT2275/SSRT2229 ERP kits are built so they will
install over the patches from the superseded patch kits. However,
installation will be blocked if any other patches have been installed
that affect the files delivered in the above patch kits.

KNOWN PROBLEMS WITH THE PATCH KIT:

None

RELEASE NOTES FOR T64V51AB2-C0041402-15271-ES-20020827:

1  Release Notes

This Early Release Patch Kit Distribution contains:

- fixes that resolve the problem(s) reported in:

  o SSRT0794U SSRT0796U SSRT2189 SSRT2190 SSRT2191 SSRT2192 SSRT2193
    SSRT2229 SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261
    SSRT2262 SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280
    SSRT2297 SSRT2309

  * for Tru64 UNIX V5.1A T64V51AB02AS0002-20020513.tar (BL2)

The patches in this kit are being released early for general customer
use. Refer to the Release Notes for a summary of each patch and
installation prerequisites.

Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred.
For example, as root on the target system:

    > mkdir -p /tmp/CSPkit1
    > cd /tmp/CSPkit1
    > tar -xpvf DUV40D13-C0044900-1285-20000328.tar
    > cd patch_kit
    > ./dupatch

2  Special Instructions

There are no special instructions for any of the following Tru64 UNIX
V5.1A patches:

    C414.02  C440.01  C386.00  C445.01  C389.00  C453.00  C407.00
    C415.02  C380.03  C432.00  C425.01  C403.00  C388.00  C158.08
    C448.01  C449.01  C450.01  C454.01  C462.01  C438.01  C461.01
    C463.01

3  Summary of CSPatches contained in this kit

Tru64 UNIX V5.1A

PatchId    Summary Of Fix
----------------------------------------
C414.02    Fix for SSRT2257, 2190, 2192, 2259, 2262, 2275, 2270, 2277
C440.01    Fix for SSRT2275, uux, uucp
C386.00    Fix for SSRT2193, mailcv
C445.01    Fix for SSRT2275, csh
C389.00    Fix for SSRT2191
C453.00    Fix for SSRT2191
C407.00    Fix for SSRT2189, at
C415.02    Fix for SSRT2260, lpq, lpr, lprm
C380.03    Fix for SSRT2256, ps
C432.00    Fix for SSRT2251, SSRT2274, rpc.ttdbserverd
C425.01    Fix for SSRT2297, loader
C403.00    Fix for SSRT2229, ping
C388.00    Fix for SSRT0796U, binmail
C158.08    Fix for SSRT0794U, ipcs
C448.01    Fix for SSRT2275
C449.01    Fix for SSRT2275, libcurses
C450.01    Fix for SSRT2275, libcurses
C454.01    Fix for SSRT2275, telnetd
C462.01    Fix for SSRT2279, dxterm
C438.01    Fix for SSRT2280, dtterm
C461.01    Fix for SSRT2279, SSRT2280
C463.01    Fix for SSRT2279 and SSRT2280

4  Additional information from Engineering

None

5  Affected system files

This patch delivers the following files:

Tru64 UNIX V5.1A

Patch C414.02
    ./sbin/mount
        CHECKSUM: 09976   985    SUBSET: OSFBASE520
    ./sbin/umount
        CHECKSUM: 22944   478    SUBSET: OSFBASE520
    ./shlib/.upd..libc.so
        CHECKSUM: 02196  2212    SUBSET: OSFBASE520
    ./shlib/.upd..libc_r.so
        CHECKSUM: 02196  2212    SUBSET: OSFBASE520
    ./usr/bin/uptime
        CHECKSUM: 15992   600    SUBSET: OSFBASE520
    ./usr/bin/w
        CHECKSUM: 15992   600    SUBSET: OSFBASE520
    ./usr/ccs/lib/libc.a
        CHECKSUM: 19078  2589    SUBSET: OSFCMPLRS520
    ./usr/ccs/lib/libc_r.a
        CHECKSUM: 19078  2589    SUBSET: OSFCMPLRS520
    ./usr/sbin/runclass
        CHECKSUM: 15789   480    SUBSET: OSFBASE520
    ./usr/sbin/ypbind
        CHECKSUM: 52462   610    SUBSET: OSFCLINET520

Patch C440.01
    ./usr/bin/uucp
        CHECKSUM: 33236  1127    SUBSET: OSFUUCP520
    ./usr/bin/uux
        CHECKSUM: 39719  1099    SUBSET: OSFUUCP520
    ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat
        CHECKSUM: 58627    19    SUBSET: OSFUUCP520

Patch C386.00
    ./usr/dt/bin/mailcv
        CHECKSUM: 24471   125    SUBSET: OSFCDEMAIL520

Patch C445.01
    ./usr/bin/csh
        CHECKSUM: 21532   328    SUBSET: OSFBASE520

Patch C389.00
    ./shlib/libfilsys.so
        CHECKSUM: 32186    40    SUBSET: OSFBASE520

Patch C453.00
    ./usr/ccs/lib/libfilsys.a
        CHECKSUM: 15229    26    SUBSET: OSFLIBA520

Patch C407.00
    ./usr/bin/at
        CHECKSUM: 42245    69    SUBSET: OSFBASE520

Patch C415.02
    ./usr/bin/lpq
        CHECKSUM: 64669    89    SUBSET: OSFPRINT520
    ./usr/bin/lpr
        CHECKSUM: 50665    98    SUBSET: OSFPRINT520
    ./usr/bin/lprm
        CHECKSUM: 31048    80    SUBSET: OSFPRINT520
    ./usr/lbin/lpd
        CHECKSUM: 00471   187    SUBSET: OSFPRINT520
    ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat
        CHECKSUM: 36641    17    SUBSET: OSFPRINT520
    ./usr/sbin/lpc
        CHECKSUM: 33726   115    SUBSET: OSFPRINT520

Patch C380.03
    ./sbin/ps
        CHECKSUM: 23188   121    SUBSET: OSFBASE520
    ./usr/bin/ps
        CHECKSUM: 08892    95    SUBSET: OSFBASE520
    ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat
        CHECKSUM: 42057     2    SUBSET: OSFBASE520

Patch C432.00
    ./usr/dt/bin/rpc.ttdbserverd
        CHECKSUM: 02439   421    SUBSET: OSFCDEMIN520

Patch C425.01
    ./sbin/.upd..loader
        CHECKSUM: 64973   201    SUBSET: OSFBASE520

Patch C403.00
    ./sbin/ping
        CHECKSUM: 52652    49    SUBSET: OSFCLINET520
    ./usr/sbin/ping
        CHECKSUM: 47306    58    SUBSET: OSFCLINET520

Patch C388.00
    ./usr/bin/binmail
        CHECKSUM: 14823    58    SUBSET: OSFBASE520
    ./usr/bin/mail
        CHECKSUM: 14823    58    SUBSET: OSFBASE520
    ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat
        CHECKSUM: 00159     3    SUBSET: OSFBASE520

Patch C158.08
    ./usr/bin/ipcs
        CHECKSUM: 10991    38    SUBSET: OSFBASE520

Patch C448.01
    ./usr/ccs/lib/libtermcap.a
        CHECKSUM: 36447    13    SUBSET: OSFPGMR520
    ./usr/ccs/lib/libtermlib.a
        CHECKSUM: 36447    13    SUBSET: OSFPGMR520

Patch C449.01
    ./usr/ccs/lib/libcurses.a
        CHECKSUM: 23903   696    SUBSET: OSFLIBA520

Patch C450.01
    ./usr/shlib/libcurses.so
        CHECKSUM: 12810   536    SUBSET: OSFBASE520

Patch C454.01
    ./usr/sbin/telnetd
        CHECKSUM: 38071   106    SUBSET: OSFCLINET520

Patch C462.01
    ./usr/bin/X11/dxterm
        CHECKSUM: 43340   793    SUBSET: OSFX11520

Patch C438.01
    ./usr/dt/bin/dtterm
        CHECKSUM: 36304   517    SUBSET: OSFCDEMIN520

Patch C461.01
    ./usr/lib/libX11.a
        CHECKSUM: 17163  1707    SUBSET: OSFXLIBA520
    ./usr/lib/libXt.a
        CHECKSUM: 10526   685    SUBSET: OSFXLIBA520

Patch C463.01
    ./usr/shlib/libX11.so
        CHECKSUM: 22291  1530    SUBSET: OSFX11520
    ./usr/shlib/libXt.so
        CHECKSUM: 07848   637    SUBSET: OSFX11520

[R] UNIX is a registered trademark in the United States and other
countries licensed exclusively through X/Open Company Limited.

Copyright Hewlett-Packard Company 2002. All Rights reserved.
This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this software
and media is authorized only pursuant to a valid written license from
Hewlett-Packard or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Hewlett-Packard makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up data
used in conjunction with this ECO/workaround.