TITLE: (SSRT2275, SSRT2229) Potential Security Vulnerabilities

New Kit Date:      11-SEP-2002
Modification Date: Not Applicable
Modification Type: New Kit

Copyright (c) Hewlett-Packard Company 2002. All rights reserved.

PRODUCT: Tru64 UNIX [R] 5.1

SOURCE: Hewlett-Packard Company

ECO INFORMATION:

     ECO Name:                 T64V51B19-C0136901-15143-ES-20020817
     ECO Kit Approximate Size: 13MB
     Kit Applies To:           Tru64 UNIX 5.1 PK5 (BL19)

ECO Kit CHECKSUMS:

     /usr/bin/sum results:   35317 13080
     /usr/bin/cksum results: 3507241763 13393920
     MD5 results:            8531a8cd69457e60297086731dea6af3
     SHA1 results:           9af089932f294105777266f48fd6e55bb24b484b

ECO KIT SUMMARY:

A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 5.1
that contains solutions for the following potential security
vulnerabilities:

1) Under certain circumstances the potential vulnerability may result
   in a denial of service. This may be in the form of local security
   domain risks. The potential security vulnerability in the ping
   command has been corrected.

   - SSRT2229   /usr/sbin/ping           (Severity - Medium)

2) Under certain circumstances the potential vulnerability may allow a
   non-privileged user to gain unauthorized (root) access by exploiting
   a buffer overflow condition. This may be in the form of local and
   remote security domain risks. The potential security vulnerabilities
   in the following components have been corrected:
   Basic Commands and Utilities

   - SSRT2277   /usr/bin/ypmatch         (Severity - Medium)
   - SSRT2261   /usr/sbin/traceroute     (Severity - Medium)
   - SSRT2260   /usr/sbin/lpc            (Severity - Medium)
                /usr/bin/lprm
                /usr/bin/lpq
                /usr/bin/lpr
                /usr/lbin/lpd
   - SSRT0796U  /usr/bin/binmail         (Severity - Medium)
   - SSRT0794U  /usr/bin/ipcs            (Severity - Medium)
   - SSRT2191   /usr/sbin/quot           (Severity - Medium)
   - SSRT2189   /usr/bin/at              (Severity - Medium)
   - SSRT2256   /usr/bin/ps              (Severity - Medium)
   - SSRT2275   /usr/bin/uux             (Severity - Medium)
                /usr/bin/uucp            (Severity - Medium)
                /usr/bin/csh             (Severity - Medium)
                /usr/bin/rdist           (Severity - Medium)
                /usr/bin/mh/inc          (Severity - Medium)
                /usr/bin/mh/msgchk       (Severity - Medium)
                /usr/sbin/imapd          (Severity - Medium)
                /usr/bin/deliver         (Severity - Medium)
                /sbin/.upd..loader       (Severity - Medium)

   CDE

   - SSRT2193   /usr/dt/bin/mailcv             (Severity - Medium)
   - SSRT2280   /usr/dt/bin/dtterm             (Severity - Medium)
   - SSRT2282   /usr/dt/bin/dtsession          (Severity - Medium)
   - SSRT2274,  /usr/dt/bin/rpc.ttdbserverd    (Severity - High)
     SSRT2251

   X11

   - SSRT2279   /usr/bin/X11/dxterm      (Severity - Medium)
   - SSRT2275   /usr/bin/X11/dxconsole   (Severity - Medium)
                /usr/bin/X11/dxpause     (Severity - Medium)
                /usr/bin/X11/dxsysinfo   (Severity - Medium)

   Networking

   - SSRT2340   /usr/sbin/telnetd        (Severity - High)
   - SSRT2270   BIND resolver glibc      (Severity - High)
   - SSRT2309   rpc XDR_ARRAY            (Severity - High)

3) Engineering has integrated the SSRT2257 early release patches into
   the SSRT2275/SSRT2229 ERP kits, because both need to update libc.
   SSRT2257 addressed the following potential security vulnerabilities:

   - SSRT2257   /usr/bin/su              (Severity - High)
   - SSRT2190   /usr/bin/chsh            (Severity - Medium)
   - SSRT2192   /usr/bin/passwd          (Severity - Medium)
   - SSRT2259   /usr/bin/chfn            (Severity - Medium)
   - SSRT2262   /usr/tcb/bin/dxchpwd     (Severity - Medium)

   The SSRT2275/SSRT2229 ERP kits can be used by customers who have and
   have not installed the ERPs for SSRT2257.
   The patches in the SSRT2275/SSRT2229 ERP kits are built so they will
   install over the SSRT2257 ERPs. However, installation will be blocked
   if any other patches have been installed that affect the files
   delivered in the SSRT2257 ERPs. For more information regarding
   SSRT2257, see Security Bulletin SSRT2257, "HP Tru64 UNIX /usr/bin/su
   buffer overflow potential exploit".

The Patch Kit Installation Instructions and the Patch Summary and Release
Notes documents provide patch kit installation and removal instructions
and a summary of each patch. Please read these documents prior to
installing patches on your system.

The patches in this ERP kit will also be available in the next mainstream
patch kit - Tru64 UNIX 5.1 Patch Kit 7.

INSTALLATION NOTES:

1) Install this kit with the dupatch utility that is included in the
   patch kit. You may need to baseline your system if you have manually
   changed system files on your system. The dupatch utility provides the
   baselining capability.

2) This ERP kit will NOT install over any installed Customer-Specific
   Patches (CSPs) which have file intersections with this ERP kit.
   Contact your normal Service Provider for assistance if the
   installation of this ERP kit is blocked by any of your installed CSPs.

3) Some of the patches deliver updated static libraries. If you have
   applications that build against the affected static libraries, you
   should relink those applications after installing the ERP. The
   following static libraries are updated if you have the static library
   subsets installed on your system:

     /usr/ccs/lib/libc.a          OSFCMPLRS
     /usr/ccs/lib/libc_r.a        OSFCMPLRS
     /usr/ccs/lib/libtermcap.a    OSFPGMR
     /usr/ccs/lib/libtermlib.a    OSFPGMR
     /usr/lib/libICE.a            OSFXLIBA
     /usr/lib/libX11.a            OSFXLIBA
     /usr/lib/libXmu.a            OSFXLIBA
     /usr/lib/libXt.a             OSFXLIBA
     /usr/ccs/lib/libfilsys.a     OSFLIBA
     /usr/ccs/lib/libcurses.a     OSFLIBA

INSTALLATION PREREQUISITES:

You must have installed Tru64 UNIX 5.1 PK5 (BL19) prior to installing
this Early Release Patch Kit.
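Before the kit is untarred and dupatch is run, the four values in the ECO Kit CHECKSUMS section can be checked independently of the Tru64 tools. The following is an added example (not HP code and not part of the kit): it reimplements the legacy BSD /usr/bin/sum and POSIX cksum algorithms alongside MD5 and SHA1, carries the expected values from the kit header, and assumes the downloaded kit tarball is passed as its only argument.

```python
# Added example (not HP code): verify a Tru64 ECO kit tarball against the
# checksums in its header, from any host with Python.
import hashlib
import sys

# Expected values copied from the ECO Kit CHECKSUMS section of this kit.
KIT_EXPECTED = {"sum": "35317 13080", "cksum": "3507241763 13393920",
                "md5": "8531a8cd69457e60297086731dea6af3",
                "sha1": "9af089932f294105777266f48fd6e55bb24b484b"}

def bsd_sum(data: bytes) -> tuple:
    """BSD sum: 16-bit rotate-right-then-add accumulator, 1024-byte block count."""
    s = 0
    for b in data:
        s = ((s >> 1) + ((s & 1) << 15) + b) & 0xFFFF
    return s, (len(data) + 1023) // 1024

def posix_cksum(data: bytes) -> tuple:
    """POSIX cksum: CRC-32 (poly 0x04C11DB7, MSB first, init 0) over the data
    plus its length as little-endian bytes (no trailing zeros), then complemented."""
    n, tail = len(data), bytearray()
    while n:                      # append length bytes, least significant first
        tail.append(n & 0xFF)
        n >>= 8
    crc = 0
    for byte in data + bytes(tail):
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF, len(data)

def checksums(data: bytes) -> dict:
    """All four values formatted as the release notes print them (sum zero-padded to 5)."""
    s, blocks = bsd_sum(data)
    crc, length = posix_cksum(data)
    return {"sum": f"{s:05d} {blocks}", "cksum": f"{crc} {length}",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def verify_kit(data: bytes, expected: dict) -> dict:
    """Map each expected checksum name to True/False; install only if all are True."""
    actual = checksums(data)
    return {name: actual[name] == value for name, value in expected.items()}

if __name__ == "__main__":  # usage: python3 verify_kit.py <kit>.tar
    with open(sys.argv[1], "rb") as fh:
        results = verify_kit(fh.read(), KIT_EXPECTED)
    print("\n".join(f"{k:6s}{'OK' if v else 'MISMATCH'}" for k, v in results.items()))
    sys.exit(0 if all(results.values()) else 1)
```

The same `bsd_sum` output format matches the per-file CHECKSUM lines in section 5 of the release notes, so it can also confirm that installed files are the patched ones.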
SUPERSEDED PATCH LIST:

This patch kit supersedes the following Tru64 UNIX patch kits:

1) (SSRT2257) Potential Security Vulnerabilities due to Buffer Overflows
   T64V51B19-C0136900-14951-ES-20020730.tar

The patches in the SSRT2275/SSRT2229 ERP kits are built so they will
install over the patches from the superseded patch kits. However,
installation will be blocked if any other patches have been installed
that affect the files delivered in the above patch kits.

KNOWN PROBLEMS WITH THE PATCH KIT:

None

RELEASE NOTES FOR T64V51B19-C0136901-15143-ES-20020817:

1 Release Notes

This Early Release Patch Kit Distribution contains:

- fixes that resolve the problem(s) reported in:

  o SSRT0794U SSRT0796U SSRT2189 SSRT2190 SSRT2191 SSRT2192 SSRT2193
    SSRT2229 SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261
    SSRT2262 SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280
    SSRT2297 SSRT2309

  * for Tru64 UNIX V5.1 T64V51B19AS0005-20020411.tar (BL19)

The patches in this kit are being released early for general customer
use. Refer to the Release Notes for a summary of each patch and
installation prerequisites.

Patches in this kit are installed by running dupatch from the directory
in which the kit was untarred.
For example, as root on the target system:

   > mkdir -p /tmp/CSPkit1
   > cd /tmp/CSPkit1
   >
   > tar -xpvf DUV40D13-C0044900-1285-20000328.tar
   > cd patch_kit
   > ./dupatch

2 Special Instructions

There are no special instructions for the following Tru64 UNIX V5.1
patches: C1369.01, C1395.00, C1341.00, C1378.01, C1345.00, C1360.01,
C1388.00, C1333.03, C1394.00, C1400.00, C1409.00, C1358.00, C1344.00,
C1097.07, C1399.00, C1370.01, C1410.00, C1403.00, C1404.00, C1402.00,
C1401.00, C1411.00.

3 Summary of CSPatches contained in this kit

Tru64 UNIX V5.1

PatchId    Summary Of Fix
----------------------------------------
C1369.01   Fix for SSRT2257, 2190, 2192, 2259, 2262, 2275, 2270, 2277
C1395.00   Fix for SSRT2275, uux, uucp
C1341.00   Fix for SSRT2193, mailcv
C1378.01   Fix for SSRT2297, loader
C1345.00   Fix for SSRT2191, quot
C1360.01   Fix for SSRT2189, at
C1388.00   Fix for SSRT2251, SSRT2274, rpc.ttdbserverd
C1333.03   Fix for SSRT2256, ps
C1394.00   Fix for SSRT2280, dtterm
C1400.00   Fix for SSRT2275, libtermcap, libtermlib
C1409.00   Fix for SSRT2279, SSRT2280, dxterm, dtterm
C1358.00   Fix for SSRT2229, ping
C1344.00   Fix for SSRT0796U, binmail
C1097.07   Fix for SSRT0794U, ipcs
C1399.00   Fix for SSRT2275, csh
C1370.01   Fix for SSRT2260, lpq, lpr, lprm
C1410.00   Fix for SSRT2279, dxterm
C1403.00   Fix for SSRT2191, quot
C1404.00   Fix for SSRT2275, telnetd
C1402.00   Fix for SSRT2275, libcurses
C1401.00   Fix for SSRT2275, libcurses
C1411.00   Fix for SSRT2279, SSRT2280, dtterm, dxterm

4 Additional information from Engineering

None

5 Affected system files

This patch delivers the following files:

Tru64 UNIX V5.1

Patch C1369.01
   ./sbin/mount                                  CHECKSUM: 41407 773    SUBSET: OSFBASE510
   ./sbin/umount                                 CHECKSUM: 27878 405    SUBSET: OSFBASE510
   ./shlib/.upd..libc.so                         CHECKSUM: 11040 1953   SUBSET: OSFBASE510
   ./shlib/.upd..libc_r.so                       CHECKSUM: 11040 1953   SUBSET: OSFBASE510
   ./usr/bin/uptime                              CHECKSUM: 15840 486    SUBSET: OSFBASE510
   ./usr/bin/w                                   CHECKSUM: 15840 486    SUBSET: OSFBASE510
   ./usr/ccs/lib/libc.a                          CHECKSUM: 26791 2341   SUBSET: OSFCMPLRS510
   ./usr/ccs/lib/libc_r.a                        CHECKSUM: 26791 2341   SUBSET: OSFCMPLRS510
   ./usr/sbin/runclass                           CHECKSUM: 52799 397    SUBSET: OSFBASE510
   ./usr/sbin/ypbind                             CHECKSUM: 09533 536    SUBSET: OSFCLINET510

Patch C1395.00
   ./usr/bin/uucp                                CHECKSUM: 24574 859    SUBSET: OSFUUCP510
   ./usr/bin/uux                                 CHECKSUM: 46839 831    SUBSET: OSFUUCP510
   ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat    CHECKSUM: 58627 19     SUBSET: OSFUUCP510

Patch C1341.00
   ./usr/dt/bin/mailcv                           CHECKSUM: 15466 125    SUBSET: OSFCDEMAIL510

Patch C1378.01
   ./sbin/.upd..loader                           CHECKSUM: 23415 184    SUBSET: OSFBASE510

Patch C1345.00
   ./shlib/libfilsys.so                          CHECKSUM: 06183 40     SUBSET: OSFBASE510

Patch C1360.01
   ./usr/bin/at                                  CHECKSUM: 21522 69     SUBSET: OSFBASE510

Patch C1388.00
   ./usr/dt/bin/rpc.ttdbserverd                  CHECKSUM: 17701 429    SUBSET: OSFCDEMIN510

Patch C1333.03
   ./sbin/ps                                     CHECKSUM: 39027 105    SUBSET: OSFBASE510
   ./usr/bin/ps                                  CHECKSUM: 14705 87     SUBSET: OSFBASE510
   ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat      CHECKSUM: 46700 2      SUBSET: OSFBASE510

Patch C1394.00
   ./usr/dt/bin/dtterm                           CHECKSUM: 20945 493    SUBSET: OSFCDEMIN510

Patch C1400.00
   ./usr/ccs/lib/libtermcap.a                    CHECKSUM: 03513 12     SUBSET: OSFPGMR510
   ./usr/ccs/lib/libtermlib.a                    CHECKSUM: 03513 12     SUBSET: OSFPGMR510

Patch C1409.00
   ./usr/lib/libICE.a                            CHECKSUM: 46944 133    SUBSET: OSFXLIBA510
   ./usr/lib/libX11.a                            CHECKSUM: 48257 1606   SUBSET: OSFXLIBA510
   ./usr/lib/libXmu.a                            CHECKSUM: 19281 129    SUBSET: OSFXLIBA510
   ./usr/lib/libXt.a                             CHECKSUM: 59965 639    SUBSET: OSFXLIBA510

Patch C1358.00
   ./sbin/ping                                   CHECKSUM: 31688 49     SUBSET: OSFCLINET510
   ./usr/sbin/ping                               CHECKSUM: 24183 58     SUBSET: OSFCLINET510

Patch C1344.00
   ./usr/bin/binmail                             CHECKSUM: 49678 50     SUBSET: OSFBASE510
   ./usr/bin/mail                                CHECKSUM: 49678 50     SUBSET: OSFBASE510
   ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat CHECKSUM: 00159 3      SUBSET: OSFBASE510

Patch C1097.07
   ./usr/bin/ipcs                                CHECKSUM: 40682 38     SUBSET: OSFBASE510

Patch C1399.00
   ./usr/bin/csh                                 CHECKSUM: 34243 304    SUBSET: OSFBASE510

Patch C1370.01
   ./usr/bin/lpq                                 CHECKSUM: 18967 81     SUBSET: OSFPRINT510
   ./usr/bin/lpr                                 CHECKSUM: 39165 90     SUBSET: OSFPRINT510
   ./usr/bin/lprm                                CHECKSUM: 11223 80     SUBSET: OSFPRINT510
   ./usr/lbin/lpd                                CHECKSUM: 13886 179    SUBSET: OSFPRINT510
   ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat CHECKSUM: 36641 17     SUBSET: OSFPRINT510
   ./usr/sbin/lpc                                CHECKSUM: 42653 107    SUBSET: OSFPRINT510

Patch C1410.00
   ./usr/bin/X11/dxterm                          CHECKSUM: 52584 737    SUBSET: OSFX11510

Patch C1403.00
   ./usr/ccs/lib/libfilsys.a                     CHECKSUM: 13363 25     SUBSET: OSFLIBA510

Patch C1404.00
   ./usr/sbin/telnetd                            CHECKSUM: 57319 98     SUBSET: OSFCLINET510

Patch C1402.00
   ./usr/ccs/lib/libcurses.a                     CHECKSUM: 42419 666    SUBSET: OSFLIBA510

Patch C1401.00
   ./usr/shlib/libcurses.so                      CHECKSUM: 50356 511    SUBSET: OSFBASE510

Patch C1411.00
   ./usr/shlib/libICE.so                         CHECKSUM: 34156 139    SUBSET: OSFX11510
   ./usr/shlib/libX11.so                         CHECKSUM: 28875 1409   SUBSET: OSFX11510
   ./usr/shlib/libXmu.so                         CHECKSUM: 46923 131    SUBSET: OSFX11510
   ./usr/shlib/libXt.so                          CHECKSUM: 11551 585    SUBSET: OSFX11510

[R] UNIX is a registered trademark in the United States and other
countries licensed exclusively through X/Open Company Limited.

Copyright Hewlett-Packard Company 2002. All Rights reserved.

This software is proprietary to and embodies the confidential technology
of Hewlett-Packard Company. Possession, use, or copying of this software
and media is authorized only pursuant to a valid written license from
Hewlett-Packard or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Hewlett-Packard makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up of data
used in conjunction with this ECO/workaround.