SEARCH CONTACT US SUPPORT SERVICES PRODUCTS STORE
United States    
COMPAQ STORE | PRODUCTS | SERVICES | SUPPORT | CONTACT US | SEARCH
gears
compaq support options
support home
software & drivers
ask Compaq
reference library
support forum
frequently asked questions
support tools
warranty information
service centers
contact support
product resources
parts for your system
give us feedback
associated links
.
} what's new
.
} contract access
.
} browse patch tree
.
} search patches
.
} join mailing list
.
} feedback
.
patches by topic
.
} DOS
.
} OpenVMS
.
} Security
.
} Tru64 Unix
.
} Ultrix 32
.
} Windows
.
} Windows NT
.
connection tools
.
} nameserver lookup
.
} traceroute
.
} ping
SSRT0583Q_40D_BL11 Compaq Computer Corporation Advisory

TITLE: SSRT0583Q_40D_BL11 Compaq Computer Corporation Advisory Copyright (c) Compaq Computer Corporation 1999. All rights reserved. UPDATE: APR 22, 1999 TITLE: Tru64 UNIX V4.0 through V4.0e - Potential Security Vulnerability - ref#: SSRT0583Q "Executable stacks allow suid applications to exploit security hole" SOURCE: Compaq Computer Corporation Software Security Response Team "Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." ---------------------------------------------------------------------- IMPACT: A potential vulnerability caused by suid application stacks being executable could allow non-authorized users to exploit a buffer- overrun flaw in applications such as "at" and "inc". ---------------------------------------------------------------------- RESOLUTION: This potential security problem has been resolved and a patch for this problem has been made available for V4.0 through V4.0E. *This solution will be included in the next distributed release of Compaq's DIGITAL UNIX. Also, the patch will be in the next base level (BL12) of the setld patch kits. This patch may be obtained from the World Wide Web at the following address: http://www.support.compaq.com/patches Use the browse access option, select DIGITAL_UNIX directory then choose the appropriate version directory and download the patch accordingly. NOTE: V4.0 and V4.0A are only available by contacting your normal Compaq Services support channel. PATCH ID: Compaq Digital UNIX V4.0B ssrt0583q_v40b_BL11.tar.Z Compaq Digital UNIX V4.0C ssrt0583q_v40c_BL11.tar.Z Compaq Digital UNIX V4.0D ssrt0583q_v40d_BL11.tar.Z Compaq Tru64 / UNIX V4.0E ssrt0583q_v40e_BL1.tar.Z NOTE: Prior to installing this patch you must have the following patches installed on your system: DIGITAL UNIX V4.0 -- Patch Kit 6 (BL9) DIGITAL UNIX V4.0A -- Patch Kit 7 (BL10) DIGITAL UNIX V4.0B -- Patch Kit 9 (BL11) DIGITAL UNIX V4.0C -- Patch Kit 6 (BL11) DIGITAL UNIX V4.0D -- Patch Kit 3 (BL11) DIGITAL UNIX V4.0E -- Patch Kit 1 (BL1) INSTALLATION INSTRUCTIONS: cp /sys/BINARY/std_kern.mod /sys/BINARY/std_kern.mod_orig cp ./std_kern.mod /sys/BINARY/std_kern.mod chmod 0644 /sys/BINARY/std_kern.mod chown bin:bin /sys/BINARY/std_kern.mod cp /sys/BINARY/proc.mod /sys/BINARY/proc.mod_orig cp ./proc.mod /sys/BINARY/proc.mod chmod 0644 /sys/BINARY/proc.mod chown bin:bin /sys/BINARY/proc.mod Rebuild the kernel. ADDITIONAL COMMENTS: This solution will default to making the stack of all suid programs to be not executable, hence closing the security hole. However, please be aware that any user applications which rely on the stack being executable will fail. For situations where the machines are being used behind firewalls and are not in fear of security violations, you may explicitly turn this option off. Meaning you may allow the stack of suid programs to be executable. Changing from default (not executable) to executable: 1. add the following two lines to /etc/sysconfigtab: proc: executable_stack = 1 OR 2. changing the executable_stack parameter from the command line as follows: # sysconfig -r proc executable_stack=1 To reiterate, if you don't change the executable_stack parameter explicitly (as shown by the two examples above) then the stack for all suid programs will be, not executable. Additional Considerations: If you believe you have, or aren't sure if you have, previously installed a patch to any of these modules you should contact your normal Compaq Service channel. Also, if you need further information, please contact your normal Compaq Services support channel. Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ____________________________________________________________ Copyright (c) Compaq Computer Corporation, 1999 All Rights Reserved. Unpublished Rights Reserved Under The Copyright Laws Of The United States. ____________________________________________________________



This patch can be found at any of these sites:

Colorado Site
Georgia Site



Files on this server are as follows:

ssrt0583q_40d_bl11.README
ssrt0583q_40d_bl11.CHKSUM
ssrt0583q_40d_bl11.tar.Z

privacy and legal statement