TITLE: SSRT2275__SSRT2229 Potential Security Vulnerability Patches New Kit Date: 01-APR-2003 Modification Date: Not Applicable Modification Type: NEW KIT Copyright (c) Hewlett-Packard Company 2003. All rights reserved. PRODUCT: HP Tru64 UNIX [R] 5.1 SOURCE: Hewlett-Packard Company ECO INFORMATION: ECO Name: T64V51B20-C0173100-17539-ES-20030324 ECO Kit Approximate Size: 14.67MB Kit Applies To: HP Tru64 UNIX 5.1 PK6 (BL20) ECO Kit CHECKSUMS: /usr/bin/sum results: 14811 15020 T64V51B20-C0173100-17539-ES-20030324.tar /usr/bin/cksum results: 2597551721 15380480 MD5 results: f01f5c3b6bd6fbe15405a699216a530c SHA1 results: 714ed3aa20ea0324480a23a7033c2f3ca2a4b297 ECO KIT SUMMARY: A dupatch-based, Early Release Patch kit exists for HP Tru64 UNIX 5.1 that contains solutions to the following problems: 1) Under certain circumstances the potential vulnerability may result in a denial of service. This may be in the form of local security domain risks. The potential security vulnerability in the ping command has been corrected. - SSRT2229 /usr/sbin/ping (Severity - Medium) 2) Under certain circumstances the potential vulnerability may allow a non-privileged user to gain unauthorized (root) access by exploiting a buffer overflow condition. This may be in the form of local and remote security domain risks. The potential security vulnerability has been corrected. Basic Commands and Utilities - SSRT2277 /usr/bin/ypmatch (Severity - Medium) - SSRT2261 /usr/sbin/traceroute (Severity - Medium) - SSRT2260 /usr/sbin/lpc (Severity - Medium) /usr/bin/lprm /usr/bin/lpq /usr/bin/lpr /usr/lbin/lpd - SSRT0796U /usr/bin/binmail (Severity - Medium) - SSRT0794U /usr/bin/ipcs (Severity - Medium) - SSRT2191 /usr/sbin/quot (Severity - Medium) - SSRT2189 /usb/bin/at (Severity - Medium) - SSRT2256 /usr/bin/ps (Severity - Medium) - SSRT2275 /usr/bin/uux (Severity - Medium) /usr/bin/uucp (Severity - Medium) /usr/bin/csh (Severity - Medium) /usr/bin/rdist (Severity - Medium) /usr/bin/mh/inc (Severity - Medium) /usr/bin/mh/msgchk (Severity - Medium) /usr/sbin/imapd (Severity - Medium) /usr/bin/deliver (Severity - Medium) /sbin/.upd..loader (Severity - Medium) CDE - SSRT2193 /usr/dt/bin/mailcv (Severity - Medium) - SSRT2280 /usr/dt/bin/dtterm (Severity - Medium) - SSRT2282 /usr/dt/bin/dtsession (Severity - Medium) - SSRT2274 /usr/dt/bin/rpc.ttdbserverd (Severity - High) SSRT2251 X11 - SSRT2279 /usr/bin/X11/dxterm (Severity - Medium) - SSRT2275 /usr/bin/X11/dxconsole (Severity - Medium) /usr/bin/X11/dxpause (Severity - Medium) /usr/bin/X11/dxsysinfo (Severity - Medium) Networking - SSRT2340 /usr/sbin/telnetd (Severity - High) - SSRT2270 BIND resolver glibc (Severity - High) - SSRT2309 rpc XDR_ARRAY (Severity - High) 3) Engineering has integrated the SSRT2257 early release patches into the SSRT2275/SSRT2229 ERP kits, because both need to update libc. SSRT2257 addressed the following potential security vulnerabilities: - SSRT2257 /usr/bin/su (Severity - High) - SSRT2190 /usr/bin/chsh (Severity - Medium) - SSRT2192 /usr/bin/passwd (Severity - Medium) - SSRT2259 /usr/bin/chfn (Severity - Medium) - SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium) The SSRT2275/SSRT2229 ERP kits can be used by customers who have and have not installed the ERPs for SSRT2257. The patches in the SSRT2275/SSRT2229 ERP kits are built so they will install over the SSRT2257 ERPs. However, installation will be blocked if any other patches have been installed that affect the files delivered in the SSRT2257 ERPs. For more information regarding SSRT2257, see Security Bulletin, SSRT2257 HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit 4) Engineering has also integrated fixes for additional potential security vulnerabilities into the SSRT2275/SSRT2229 V5.1 BL20 kit. The fixes all update libc. The description of the additional potential vulnerabilities follows. The following potential security vulnerabilities have been identified or reported in the HP Tru64 UNIX operating system that may result in unauthorized Privileged Access or a Denial of Service (DoS). These potential vulnerabilities may be in the form of local and remote security domain risks. Severity is (HIGH) on all the potential vulnerabilities: - SSRT2322 Bind resolver exploit in ISC - SSRT2384 TCP exploit denies all RPC service - SSRT2341 calloc() potential overflow - SSRT2439 xdrmem_getbytes() potential overflow - SSRT2412 portmapper hang after port scan with C2 enabled The Patch Kit Installation Instructions and the Patch Summary and Release Notes documents provide patch kit installation and removal instructions and a summary of each patch. Please read these documents prior to installing patches on your system. INSTALLATION NOTES: 1) Install this kit with the dupatch utility that is included in the patch kit. You may need to baseline your system if you have manually changed system files on your system. The dupatch utility provides the baselining capability. 2) This ERP kit will NOT install over any installed Customer Specific Patches (CSPs) that have file intersections with this ERP kit. Contact your normal Service Provider for assistance if the installation of this ERP kit is blocked by any of your installed CSPs. 3) Some of the patches deliver updated static libraries. If you have applications that build against the affected static libraries you should relink those applications post-ERP installation. The following static libraries are updated if you have the static library subsets installed on your system: /usr/ccs/lib/libc.a OSFCMPLRS /usr/ccs/lib/libc_r.a OSFCMPLRS /usr/ccs/lib/libtermcap.a OSFPGMR /usr/ccs/lib/libtermlib.a OSFPGMR /usr/lib/libICE.a OSFXLIBA /usr/lib/libX11.a OSFXLIBA /usr/lib/libXmu.a OSFXLIBA /usr/lib/libXt.a OSFXLIBA /usr/ccs/lib/libfilsys.a OSFLIBA /usr/ccs/lib/libcurses.a OSFLIBA INSTALLATION PREREQUISITES: You must have installed HP Tru64 UNIX 5.1 PK6 (BL20) prior to installing this Early Release Patch Kit. KNOWN PROBLEMS WITH THE PATCH KIT: None. RELEASE NOTES FOR T64V51B20-C0173100-17539-ES-20030324: Release Notes This document summarizes the contents and special instructions for the Tru64 UNIX V5.1 patches contained in this kit. For information about installing or removing patches, baselining, and general patch management, see the Patch Kit Installation Instructions document. 1 Release Notes This Early Release Patch Kit Distribution contains: - fixes that resolve the problem(s) reported in: o 117-2-690 93749 93750 93939 94006 94255 94297 94442 94599 SSRT0796U SSRT2189 SSRT2190 SSRT2191 SSRT2192 SSRT2193 SSRT2229 SSRT2251 SSRT2256 SSRT2257 SSRT2259 SSRT2260 SSRT2261 SSRT2262 SSRT2270 SSRT2274 SSRT2275 SSRT2277 SSRT2279 SSRT2280 SSRT2297 SSRT2309 SSRT2322 SSRT2341 SSRT2384 SSRT2412 SSRT2439 * for Tru64 UNIX V5.1 T64V51B20AS0006-20030210.tar (BL20) The patches in this kit are being released early for general customer use. Refer to the Release Notes for a summary of each patch and installation prerequisites. Patches in this kit are installed by running dupatch from the directory in which the kit was untarred. For example, as root on the target system: > mkdir -p /tmp/CSPkit1 > cd /tmp/CSPkit1 > copy the kit to /tmp/CSPkit1 > tar -xpvf DUV40D13-C0044900-1285-20000328.tar > cd patch_kit > ./dupatch 2 Special Instructions There are no special instructions for Tru64 UNIX V5.1 Patch C1731.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1733.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1341.01 There are no special instructions for Tru64 UNIX V5.1 Patch C1743.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1744.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1745.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1746.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1388.01 There are no special instructions for Tru64 UNIX V5.1 Patch C1747.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1742.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1732.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1737.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1739.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1735.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1734.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1740.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1741.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1748.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1749.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1736.00 There are no special instructions for Tru64 UNIX V5.1 Patch C1738.00 3 Summary of CSPatches contained in this kit Tru64 UNIX V5.1 PatchId Summary Of Fix ---------------------------------------- C1731.00 Fix for SSRT2275, 2322, 2384, 2341, 2439, 2412 ... C1733.00 Fix for SSRT2275, uux, uucp C1341.01 Fix for SSRT2193, mailcv C1743.00 Fix for SSRT2297, loader C1744.00 Fix for SSRT2191, quot C1745.00 Fix for SSRT2191, quot C1746.00 Fix for SSRT2189, at C1388.01 Fix for SSRT2251, SSRT2274, rpc.ttdbserverd C1747.00 Fix for SSRT2256, ps C1742.00 Fix for SSRT2280, dtterm C1732.00 Fix for SSRT2275, csh C1737.00 Fix for SSRT2260, lpq, lpr, lprm C1739.00 Fix for SSRT2275, libcurses C1735.00 Fix for SSRT2275, libcurses C1734.00 Fix for SSRT2275, libtermcap, libtermlib C1740.00 Fix for SSRT2279, SSRT2280, dtterm, dxterm C1741.00 Fix for SSRT2279, SSRT2280 dxterm, dtterm C1748.00 Fix for SSRT2229, ping C1749.00 Fix for SSRT0796U, binmail C1736.00 Fix for SSRT2275, telnetd C1738.00 Fix for SSRT2279, dxterm 4 Additional information from Engineering None 5 Affected system files This patch delivers the following files: Tru64 UNIX V5.1 Patch C1731.00 ./sbin/mount CHECKSUM: 20814 782 SUBSET: OSFBASE510 ./sbin/umount CHECKSUM: 47374 414 SUBSET: OSFBASE510 ./shlib/.upd..libc.so CHECKSUM: 40761 1981 SUBSET: OSFBASE510 ./shlib/.upd..libc_r.so CHECKSUM: 40761 1981 SUBSET: OSFBASE510 ./usr/bin/uptime CHECKSUM: 59053 496 SUBSET: OSFBASE510 ./usr/bin/w CHECKSUM: 59053 496 SUBSET: OSFBASE510 ./usr/ccs/lib/libc.a CHECKSUM: 02797 2370 SUBSET: OSFCMPLRS510 ./usr/ccs/lib/libc_r.a CHECKSUM: 02797 2370 SUBSET: OSFCMPLRS510 ./usr/sbin/runclass CHECKSUM: 16653 408 SUBSET: OSFBASE510 ./usr/sbin/ypbind CHECKSUM: 60127 547 SUBSET: OSFCLINET510 ./usr/shlib/libsecurity.so CHECKSUM: 05397 1430 SUBSET: OSFBASE510 Patch C1733.00 ./usr/bin/uucp CHECKSUM: 31576 862 SUBSET: OSFUUCP510 ./usr/bin/uux CHECKSUM: 02097 850 SUBSET: OSFUUCP510 ./usr/lib/nls/msg/en_US.ISO8859-1/uucp.cat CHECKSUM: 58627 19 SUBSET: OSFUUCP510 Patch C1341.01 ./usr/dt/bin/mailcv CHECKSUM: 55665 125 SUBSET: OSFCDEMAIL510 Patch C1743.00 ./sbin/.upd..loader CHECKSUM: 38401 185 SUBSET: OSFBASE510 Patch C1744.00 ./shlib/libfilsys.so CHECKSUM: 23268 40 SUBSET: OSFBASE510 Patch C1745.00 ./usr/ccs/lib/libfilsys.a CHECKSUM: 10168 25 SUBSET: OSFLIBA510 Patch C1746.00 ./usr/bin/at CHECKSUM: 31067 69 SUBSET: OSFBASE510 Patch C1388.01 ./usr/dt/bin/rpc.ttdbserverd CHECKSUM: 27803 429 SUBSET: OSFCDEMIN510 Patch C1747.00 ./sbin/ps CHECKSUM: 04398 105 SUBSET: OSFBASE510 ./usr/bin/ps CHECKSUM: 02118 87 SUBSET: OSFBASE510 ./usr/lib/nls/msg/en_US.ISO8859-1/ps.cat CHECKSUM: 46700 2 SUBSET: OSFBASE510 Patch C1742.00 ./usr/dt/bin/dtterm CHECKSUM: 35197 493 SUBSET: OSFCDEMIN510 Patch C1732.00 ./usr/bin/csh CHECKSUM: 39598 304 SUBSET: OSFBASE510 Patch C1737.00 ./usr/bin/lpq CHECKSUM: 06112 81 SUBSET: OSFPRINT510 ./usr/bin/lpr CHECKSUM: 38252 90 SUBSET: OSFPRINT510 ./usr/bin/lprm CHECKSUM: 54353 80 SUBSET: OSFPRINT510 ./usr/lbin/lpd CHECKSUM: 21547 179 SUBSET: OSFPRINT510 ./usr/lib/nls/msg/en_US.ISO8859-1/printer.cat CHECKSUM: 36641 17 SUBSET: OSFPRINT510 ./usr/sbin/lpc CHECKSUM: 37605 115 SUBSET: OSFPRINT510 Patch C1739.00 ./usr/ccs/lib/libcurses.a CHECKSUM: 65251 666 SUBSET: OSFLIBA510 Patch C1735.00 ./usr/shlib/libcurses.so CHECKSUM: 46856 511 SUBSET: OSFBASE510 Patch C1734.00 ./usr/ccs/lib/libtermcap.a CHECKSUM: 33004 12 SUBSET: OSFPGMR510 ./usr/ccs/lib/libtermlib.a CHECKSUM: 33004 12 SUBSET: OSFPGMR510 Patch C1740.00 ./usr/shlib/libICE.so CHECKSUM: 21071 139 SUBSET: OSFX11510 ./usr/shlib/libX11.so CHECKSUM: 14243 1409 SUBSET: OSFX11510 ./usr/shlib/libXmu.so CHECKSUM: 53157 131 SUBSET: OSFX11510 ./usr/shlib/libXt.so CHECKSUM: 18684 585 SUBSET: OSFX11510 Patch C1741.00 ./usr/lib/libICE.a CHECKSUM: 63211 133 SUBSET: OSFXLIBA510 ./usr/lib/libX11.a CHECKSUM: 23168 1606 SUBSET: OSFXLIBA510 ./usr/lib/libXmu.a CHECKSUM: 06281 129 SUBSET: OSFXLIBA510 ./usr/lib/libXt.a CHECKSUM: 59876 639 SUBSET: OSFXLIBA510 Patch C1748.00 ./sbin/ping CHECKSUM: 40160 49 SUBSET: OSFCLINET510 ./usr/sbin/ping CHECKSUM: 60060 58 SUBSET: OSFCLINET510 Patch C1749.00 ./usr/bin/binmail CHECKSUM: 59170 50 SUBSET: OSFBASE510 ./usr/bin/mail CHECKSUM: 59170 50 SUBSET: OSFBASE510 ./usr/lib/nls/msg/en_US.ISO8859-1/binmail.cat CHECKSUM: 00159 3 SUBSET: OSFBASE510 Patch C1736.00 ./usr/sbin/telnetd CHECKSUM: 22981 98 SUBSET: OSFCLINET510 Patch C1738.00 ./usr/bin/X11/dxterm CHECKSUM: 43707 737 SUBSET: OSFX11510 [R] UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Copyright Hewlett-Packard Company 2003. All Rights reserved. This software is proprietary to and embodies the confidential technology of Hewlett-Packard Company. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Hewlett-Packard or an authorized sublicensor. This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Hewlett-Packard makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up data used in conjunction with this ECO/workaround.