George Staikos wrote:
>
> There appears to be an exploitable buffer overflow in xlock, the X based
> screensaver/locker. Xlock is installed suid root on machines with
> shadowed passwords. I have verified this on xlock versions on AIX 4.x
There's a temporary fix for the AIX v4 xlock available for anonymous ftp
from testcase.software.ibm.com:/aix/fromibm/xlock.overflow_fix.aix4.Z.
Checksums:
sum 01445 73 xlock.overflow_fix.aix4
sum -i 41749 73 xlock.overflow_fix.aix4
sum -o 14725 73 xlock.overflow_fix.aix4
MD5 (xlock.overflow_fix.aix4) = e5e679a73b5a28ef471751bfee67d00c
Official APARs are in progress and will be available shortly.
If there are any questions regarding this fix or any other AIX security
bug, please contact security-alert@austin.ibm.com. Sensitive
information can be encrypted using the AIX Security PGP key. To
retrieve this key send email with a subject of "get key" to
security-alert@austin.ibm.com.
- --
+---------------- I do not speak for IBM! ------------------+
|Troy Bollinger | email: troy@austin.ibm.com|
|AIX Security Development | Sometimes the old ways are best.|
+-------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: 2.7.1
iQCVAwUBM2NjHQsPbaL1YgqvAQGnIwP9Ep9XFmNKDMgUkzJyK8c9kHKM4J76SQkU
OPE8VvWKBGu9BezomMDd/RLf9b1lxA+lW0+vQvp+cEq8DRbGnI9V2pHiZBi6ESRG
9fwkFa07Uy5+6lDsO1HXYLwpLa8JBxqgH8wonUVFABrLBdaHXs3pxwdmHD1npBKA
P4o7hGikIzk=
=0kSc
-----END PGP SIGNATURE-----