TITLE: (SSRT2257, SSRT2275, SSRT2229) Potential Security Vulnerabilities

Copyright (c) Hewlett-Packard Company 2002. All rights reserved.

New Kit: September 4, 2002
Modification Date: N/A
Modification Type: New Kit

PRODUCT: Tru64 UNIX [R] 5.1A

SOURCE: Hewlett-Packard Company

ECO INFORMATION:

ECO Name: T64V51AB3-C0043701-15279-ES-20020828
ECO Kit Approximate Size: 14MB
Kit Applies To: Tru64 UNIX 5.1A PK3 (BL3)

ECO Kit CHECKSUMS:

/usr/bin/sum results:   57846 13710
/usr/bin/cksum results: 606485521 14039040
MD5 results:            ac7e73ad759fce8887e899235716c1b9
SHA1 results:           bd788796152f34a865739b581f1915dcd7a67b6c

ECO KIT SUMMARY:

A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 5.1A that contains solutions for the following potential security vulnerabilities:

1) Under certain circumstances the potential vulnerability may result in a denial of service. This may be in the form of local security domain risks. The potential security vulnerability in the ping command has been corrected.

   - SSRT2229  /usr/sbin/ping (Severity - Medium)

2) Under certain circumstances the potential vulnerability may allow a non-privileged user to gain unauthorized (root) access by exploiting a buffer overflow condition. This may be in the form of local and remote security domain risks. The potential security vulnerability has been corrected.
   Basic Commands and Utilities

   - SSRT2277  /usr/bin/ypmatch (Severity - Medium)
   - SSRT2261  /usr/sbin/traceroute (Severity - Medium)
   - SSRT2260  /usr/sbin/lpc (Severity - Medium)
               /usr/bin/lprm
               /usr/bin/lpq
               /usr/bin/lpr
               /usr/lbin/lpd
   - SSRT0796U /usr/bin/binmail (Severity - Medium)
   - SSRT0794U /usr/bin/ipcs (Severity - Medium)
   - SSRT2191  /usr/sbin/quot (Severity - Medium)
   - SSRT2189  /usr/bin/at (Severity - Medium)
   - SSRT2256  /usr/bin/ps (Severity - Medium)
   - SSRT2275  /usr/bin/uux (Severity - Medium)
               /usr/bin/uucp (Severity - Medium)
               /usr/bin/csh (Severity - Medium)
               /usr/bin/rdist (Severity - Medium)
               /usr/bin/mh/inc (Severity - Medium)
               /usr/bin/mh/msgchk (Severity - Medium)
               /usr/sbin/imapd (Severity - Medium)
               /usr/bin/deliver (Severity - Medium)
               /sbin/.upd..loader (Severity - Medium)

   CDE

   - SSRT2193  /usr/dt/bin/mailcv (Severity - Medium)
   - SSRT2280  /usr/dt/bin/dtterm (Severity - Medium)
   - SSRT2282  /usr/dt/bin/dtsession (Severity - Medium)
   - SSRT2274, SSRT2251  /usr/dt/bin/rpc.ttdbserverd (Severity - High)

   X11

   - SSRT2279  /usr/bin/X11/dxterm (Severity - Medium)
   - SSRT2275  /usr/bin/X11/dxconsole (Severity - Medium)
               /usr/bin/X11/dxpause (Severity - Medium)
               /usr/bin/X11/dxsysinfo (Severity - Medium)

   Networking

   - SSRT2340  /usr/sbin/telnetd (Severity - High)
   - SSRT2270  BIND resolver glibc (Severity - High)
   - SSRT2309  rpc XDR_ARRAY (Severity - High)

3) Engineering has integrated the SSRT2257 fixes into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT2257 addressed the following potential security vulnerabilities:

   - SSRT2257  /usr/bin/su (Severity - High)
   - SSRT2190  /usr/bin/chsh (Severity - Medium)
   - SSRT2192  /usr/bin/passwd (Severity - Medium)
   - SSRT2259  /usr/bin/chfn (Severity - Medium)
   - SSRT2262  /usr/tcb/bin/dxchpwd (Severity - Medium)

   For more information regarding SSRT2257, see Security Bulletin SSRT2257, "HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit".
The Patch Kit Installation Instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches on your system.

The patches in this ERP kit will also be available in the next mainstream patch kit - Tru64 UNIX 5.1A Patch Kit 4.

INSTALLATION NOTES:

1) Install this kit with the dupatch utility that is included in the patch kit. You may need to baseline your system if you have manually changed system files on your system. The dupatch utility provides the baselining capability.

2) This ERP kit will NOT install over any installed Customer-Specific Patches (CSPs) that have file intersections with this ERP kit. Contact your normal Service Provider for assistance if the installation of this ERP kit is blocked by any of your installed CSPs.

3) Some of the patches deliver updated static libraries. If you have applications that build against the affected static libraries, you should relink those applications after installing the ERP kit. The following static libraries are updated if you have the static library subsets installed on your system:

   /usr/ccs/lib/libc.a         OSFCMPLRS
   /usr/ccs/lib/libc_r.a       OSFCMPLRS
   /usr/ccs/lib/libtermcap.a   OSFPGMR
   /usr/ccs/lib/libtermlib.a   OSFPGMR
   /usr/ccs/lib/libfilsys.a    OSFLIBA
   /usr/ccs/lib/libcurses.a    OSFLIBA
   /usr/lib/libX11.a           OSFXLIBA
   /usr/lib/libXt.a            OSFXLIBA

INSTALLATION PREREQUISITES:

You must have installed Tru64 UNIX 5.1A PK3 (BL3) prior to installing this Early Release Patch Kit.
KNOWN PROBLEMS WITH THE PATCH KIT:

None

RELEASE NOTES FOR T64V51AB3-C0043701-15279-ES-20020828:

1 Release Notes

This Early Release Patch Kit Distribution contains:

- fixes that resolve the problem(s) reported in:

  o SSRT0796U SSRT2189 SSRT2190 SSRT2191 SSRT2192 SSRT2193 SSRT2229
    SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261 SSRT2262
    SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280 SSRT2297
    SSRT2309

  * for Tru64 UNIX V5.1A T64V51AB03AS0003-20020725.tar (BL3)
  * for Tru64 UNIX V5.1A T64V51AB03AS0003-20020827.tar (BL3)

The patches in this kit are being released early for general customer use. Refer to the Release Notes for a summary of each patch and installation prerequisites.

Patches in this kit are installed by running dupatch from the directory in which the kit was untarred. For example, as root on the target system:

  > mkdir -p /tmp/CSPkit1
  > cd /tmp/CSPkit1
  >
  > tar -xpvf DUV40D13-C0044900-1285-20000328.tar
  > cd patch_kit
  > ./dupatch

2 Special Instructions

There are no special instructions for Tru64 UNIX V5.1A Patch C437.01
There are no special instructions for Tru64 UNIX V5.1A Patch C547.00
There are no special instructions for Tru64 UNIX V5.1A Patch C482.00
There are no special instructions for Tru64 UNIX V5.1A Patch C495.00
There are no special instructions for Tru64 UNIX V5.1A Patch C536.00
There are no special instructions for Tru64 UNIX V5.1A Patch C493.00
There are no special instructions for Tru64 UNIX V5.1A Patch C483.00
There are no special instructions for Tru64 UNIX V5.1A Patch C494.00
There are no special instructions for Tru64 UNIX V5.1A Patch C499.00
There are no special instructions for Tru64 UNIX V5.1A Patch C542.00
There are no special instructions for Tru64 UNIX V5.1A Patch C496.00
There are no special instructions for Tru64 UNIX V5.1A Patch C538.00
There are no special instructions for Tru64 UNIX V5.1A Patch C446.00
There are no special instructions for Tru64 UNIX V5.1A Patch C541.00
There are no special instructions for Tru64 UNIX V5.1A Patch C484.00
There are no special instructions for Tru64 UNIX V5.1A Patch C527.00
There are no special instructions for Tru64 UNIX V5.1A Patch C537.00
There are no special instructions for Tru64 UNIX V5.1A Patch C549.00
There are no special instructions for Tru64 UNIX V5.1A Patch C543.00
There are no special instructions for Tru64 UNIX V5.1A Patch C544.00
There are no special instructions for Tru64 UNIX V5.1A Patch C497.00

3 Summary of CSPatches contained in this kit

Tru64 UNIX V5.1A

PatchId   Summary Of Fix
----------------------------------------
C437.01   Fix for SSRT2257, 2190, 2192, 2259, 2262, 2275, 2270, 2277
C547.00   Fix for SSRT2275, uux, uucp
C482.00   Fix for SSRT2193, mailcv
C495.00   Fix for SSRT2297, loader
C536.00   Fix for SSRT2191, quot
C493.00   Fix for SSRT2189, at
C483.00   Fix for SSRT2251, SSRT2274, rpc.ttdbserverd
C494.00   Fix for SSRT2256, ps
C499.00   Fix for SSRT2280, dtterm
C542.00   Fix for SSRT2275, libtermcap, libtermlib
C496.00   Fix for SSRT2279, SSRT2280, dtterm, dxterm
C538.00   Fix for SSRT2229, ping
C446.00   Fix for SSRT0796U, binmail
C541.00   Fix for SSRT2275, csh
C484.00   Fix for SSRT2260, lpq, lpr, lprm
C527.00   Fix for SSRT2279, dxterm
C537.00   Fix for SSRT2191, quot
C549.00   Fix for SSRT2275, telnetd
C543.00   Fix for SSRT2275, libcurses
C544.00   Fix for SSRT2275, libcurses
C497.00   Fix for SSRT2279, SSRT2280, dtterm, dxterm

4 Additional information from Engineering

None

5 Affected system files

This patch delivers the following files:

Tru64 UNIX V5.1A

Patch C437.01
./sbin/mount                                   CHECKSUM: 34943 993    SUBSET: OSFBASE520
./sbin/umount                                  CHECKSUM: 33339 486    SUBSET: OSFBASE520
./shlib/.upd..libc.so                          CHECKSUM: 30148 2232   SUBSET: OSFBASE520
./shlib/.upd..libc_r.so                        CHECKSUM: 30148 2232   SUBSET: OSFBASE520
./usr/bin/uptime                               CHECKSUM: 36897 611    SUBSET: OSFBASE520
./usr/bin/w                                    CHECKSUM: 36897 611    SUBSET: OSFBASE520
./usr/ccs/lib/libc.a                           CHECKSUM: 62390 2619   SUBSET: OSFCMPLRS520
./usr/ccs/lib/libc_r.a                         CHECKSUM: 62390 2619   SUBSET: OSFCMPLRS520
./usr/sbin/runclass                            CHECKSUM: 39141 491    SUBSET: OSFBASE520
./usr/sbin/ypbind                              CHECKSUM: 27412 621    SUBSET: OSFCLINET520

Patch C547.00
./usr/bin/uucp                                 CHECKSUM: 14312 1137   SUBSET: OSFUUCP520
./usr/bin/uux                                  CHECKSUM: 51531 1109   SUBSET: OSFUUCP520
./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat     CHECKSUM: 58627 19     SUBSET: OSFUUCP520

Patch C482.00
./usr/dt/bin/mailcv                            CHECKSUM: 08025 125    SUBSET: OSFCDEMAIL520

Patch C495.00
./sbin/.upd..loader                            CHECKSUM: 13812 202    SUBSET: OSFBASE520

Patch C536.00
./shlib/libfilsys.so                           CHECKSUM: 35453 40     SUBSET: OSFBASE520

Patch C493.00
./usr/bin/at                                   CHECKSUM: 02171 69     SUBSET: OSFBASE520

Patch C483.00
./usr/dt/bin/rpc.ttdbserverd                   CHECKSUM: 31467 421    SUBSET: OSFCDEMIN520

Patch C494.00
./sbin/ps                                      CHECKSUM: 01928 121    SUBSET: OSFBASE520
./usr/bin/ps                                   CHECKSUM: 18334 95     SUBSET: OSFBASE520
./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat       CHECKSUM: 42057 2      SUBSET: OSFBASE520

Patch C499.00
./usr/dt/bin/dtterm                            CHECKSUM: 16334 517    SUBSET: OSFCDEMIN520

Patch C542.00
./usr/ccs/lib/libtermcap.a                     CHECKSUM: 07335 13     SUBSET: OSFPGMR520
./usr/ccs/lib/libtermlib.a                     CHECKSUM: 07335 13     SUBSET: OSFPGMR520

Patch C496.00
./usr/lib/libX11.a                             CHECKSUM: 63679 1708   SUBSET: OSFXLIBA520
./usr/lib/libXt.a                              CHECKSUM: 10468 686    SUBSET: OSFXLIBA520

Patch C538.00
./sbin/ping                                    CHECKSUM: 31386 49     SUBSET: OSFCLINET520
./usr/sbin/ping                                CHECKSUM: 23604 58     SUBSET: OSFCLINET520

Patch C446.00
./usr/bin/binmail                              CHECKSUM: 62827 58     SUBSET: OSFBASE520
./usr/bin/mail                                 CHECKSUM: 62827 58     SUBSET: OSFBASE520
./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat  CHECKSUM: 00159 3      SUBSET: OSFBASE520

Patch C541.00
./usr/bin/csh                                  CHECKSUM: 10847 328    SUBSET: OSFBASE520

Patch C484.00
./usr/bin/lpq                                  CHECKSUM: 58886 89     SUBSET: OSFPRINT520
./usr/bin/lpr                                  CHECKSUM: 25441 98     SUBSET: OSFPRINT520
./usr/bin/lprm                                 CHECKSUM: 40573 80     SUBSET: OSFPRINT520
./usr/lbin/lpd                                 CHECKSUM: 42298 187    SUBSET: OSFPRINT520
./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat  CHECKSUM: 36641 17     SUBSET: OSFPRINT520
./usr/sbin/lpc                                 CHECKSUM: 63511 115    SUBSET: OSFPRINT520

Patch C527.00
./usr/bin/X11/dxterm                           CHECKSUM: 09224 793    SUBSET: OSFX11520

Patch C537.00
./usr/ccs/lib/libfilsys.a                      CHECKSUM: 19321 26     SUBSET: OSFLIBA520

Patch C549.00
./usr/sbin/telnetd                             CHECKSUM: 09958 106    SUBSET: OSFCLINET520

Patch C543.00
./usr/ccs/lib/libcurses.a                      CHECKSUM: 31022 696    SUBSET: OSFLIBA520

Patch C544.00
./usr/shlib/libcurses.so                       CHECKSUM: 17198 536    SUBSET: OSFBASE520

Patch C497.00
./usr/shlib/libX11.so                          CHECKSUM: 33493 1530   SUBSET: OSFX11520
./usr/shlib/libXt.so                           CHECKSUM: 00735 637    SUBSET: OSFX11520

[R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited.

Copyright Hewlett-Packard Company 2002. All Rights reserved.

This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.
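The kit checksums published under ECO INFORMATION and the per-file CHECKSUM entries under "Affected system files" are the two points at which an administrator can check that nothing was corrupted or substituted: the kit before running dupatch, and the delivered binaries afterwards. The script below is an added example and is not part of HP's announcement or of the dupatch kit. It assumes that the CHECKSUM values are /usr/bin/sum output (BSD checksum followed by the 1K block count, which is consistent with the kit's own figures: 13710 blocks of 1024 bytes equals the 14039040 bytes that cksum reports), that the kit is saved under the ECO name with a .tar suffix, that the "Affected system files" list has been copied into a manifest file with one "./path CHECKSUM: sum blocks SUBSET: name" entry per line as laid out above, and that the MD5 and SHA1 checks use the GNU tool names md5sum and sha1sum (they are reported as skipped on a host without them). The sample values used in the test run are constructed and are not real kit contents.

```shell
#!/bin/sh
# Added example (not HP's code): verify an ECO kit tarball against the checksums
# published in the announcement, and verify delivered files against the
# "Affected system files" CHECKSUM entries. Assumes CHECKSUM values are
# /usr/bin/sum output (BSD checksum, 1K block count).

# Published kit checksums, copied from the ECO announcement.
EXPECTED_SUM="57846 13710"
EXPECTED_CKSUM="606485521 14039040"
EXPECTED_MD5="ac7e73ad759fce8887e899235716c1b9"
EXPECTED_SHA1="bd788796152f34a865739b581f1915dcd7a67b6c"

# checksum_fields TOOL FILE N: run TOOL on FILE and print the first N fields of
# its output (sum/cksum print "value size", md5sum/sha1sum print "hash name").
checksum_fields() {
    "$1" "$2" 2>/dev/null | awk -v n="$3" '{ s = $1; for (i = 2; i <= n; i++) s = s " " $i; print s; exit }'
}

# verify_file FILE TOOL EXPECTED: returns 0 when TOOL's output for FILE starts
# with EXPECTED, 1 on a mismatch or unreadable file (reported on stderr), and
# 2 when TOOL is not installed on this host (assumed tool names, see lead-in).
verify_file() {
    vf_file=$1; vf_tool=$2; vf_expected=$3
    if ! command -v "$vf_tool" >/dev/null 2>&1; then
        echo "SKIP $vf_tool not available, cannot check $vf_file" >&2
        return 2
    fi
    vf_n=$(printf '%s\n' "$vf_expected" | awk '{ print NF }')
    vf_actual=$(checksum_fields "$vf_tool" "$vf_file" "$vf_n")
    if [ "$vf_actual" = "$vf_expected" ]; then
        echo "OK   $vf_tool $vf_file"
        return 0
    fi
    echo "FAIL $vf_tool $vf_file: expected '$vf_expected', got '$vf_actual'" >&2
    return 1
}

# verify_manifest ROOT MANIFEST: MANIFEST holds the "Affected system files"
# entries, one per line ("./path CHECKSUM: sum blocks SUBSET: name"); other
# lines ("Patch C538.00", blank lines) are skipped. Each listed file is checked
# under ROOT (use / for the installed system) with sum. Returns 0 only if every
# entry matches.
verify_manifest() {
    vm_root=$1; vm_failures=0
    while read -r vm_path vm_key vm_sum vm_blocks vm_rest; do
        [ "$vm_key" = "CHECKSUM:" ] || continue
        verify_file "$vm_root/${vm_path#./}" sum "$vm_sum $vm_blocks" || vm_failures=$((vm_failures + 1))
    done < "$2"
    [ "$vm_failures" -eq 0 ]
}

# main KIT.tar [MANIFEST [ROOT]]: check the kit with all four published
# checksums (a missing tool is a warning, a mismatch is a failure), then, if a
# manifest is given, check the delivered files under ROOT (default /).
main() {
    m_status=0
    for m_pair in "sum|$EXPECTED_SUM" "cksum|$EXPECTED_CKSUM" "md5sum|$EXPECTED_MD5" "sha1sum|$EXPECTED_SHA1"; do
        verify_file "$1" "${m_pair%%|*}" "${m_pair#*|}"; m_rc=$?
        if [ "$m_rc" -eq 1 ]; then m_status=1; fi
    done
    if [ -n "$2" ]; then
        verify_manifest "${3:-/}" "$2" || m_status=1
    fi
    return "$m_status"
}

# Runs only when a kit path is given, e.g.
#   sh verify_eco.sh T64V51AB3-C0043701-15279-ES-20020828.tar manifest.txt /
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Run the kit check before `./dupatch` and the manifest check after it; a non-zero exit from either means at least one value did not match and the output names the file and tool concerned. Pointing ROOT at a staged tree lets the same manifest be checked on a copy of the files rather than on the live system.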