June 19 1997
I. Description
A buffer overflow vulnerability exists in the AIX libDtSvc.a library
that can allow local users to become root. There has been an exploit
posted to the Bugtraq mailing list.
UPDATE (June 19) -- The libDtSvc.a provided in the last patch
contained a bug that prevented users from logging in via the CDE
desktop. A new efix is available that fixes this problem in addition
to several other buffer overflows.
II. Fixes
IBM is currently working on the following APARs but they are not
available yet.
Abstract 4.1 APAR 4.2 APAR
====================================================================
SECURITY: buffer overflow in dtaction IX69179 IX69180
SECURITY: buffer overflow in writesrv IX69168 IX69169
SECURITY: buffer overflow in /bin/rcp IX69170 IX69171
There is a temporary fix available via anonymous ftp:
ftp://testcase.software.ibm.com/aix/fromibm/dtaction.security.tar.Z
To install these fixes see the appropriate release below:
AIX 4.1
=======
Prerequisites:
Use "lslpp -l <fileset>" to make sure that the version of
filesets listed below is at the given level or greater.
If not, install the appropriate APAR.
Fileset Level APAR
===============================================
bos.rte.libc 4.1.5.0 IX61019
X11.Dt.lib 4.1.5.2 IX62230
X11.base.lib 4.1.5.3 IX66868
X11.motif.lib 4.1.5.2 IX67462
X11.Dt.rte 4.1.5.8 IX68647
bos.net.tcp.client 4.1.5.8 IX67591
bos.rte.misc_cmds 4.1.5.2 IX67329
Installation:
Make a backup copy of the old files. Copy the new files over the
old ones and ensure that the permissions match the original
permissions. (Don't leave the old files with the setuid/setgid
bits set.)
Checksums:
File sum md5
======================================================================
41_fixes/dtmail 39063 1053 d39790e7dccdb1081c1945d5230cb279
41_fixes/dtsession 34203 136 81a6d69633c9648f920320e13e52b210
41_fixes/libDtHelp.a 56845 951 b819b80ccae96a8a9cb790b3dd4a60af
41_fixes/libDtSvc.a 59576 769 452f1a72a0885fa920a5777076ac9fdb
41_fixes/libX11.a 55619 990 a71a6bf132b0093ed755b6a7179ad732
41_fixes/libXm.a 61363 2600 f3065303e024680c76ad96c726c7d466
41_fixes/rcp 29998 22 6a56d07fad2b06288e75fe5cd82420ef
41_fixes/sbcs.im 50193 9 2a7f62852e50f3aae75fe7b6ee59e278
41_fixes/writesrv 14480 16 2bb146b59912ba5845bb4c559a50e29a
AIX 4.2
=======
Prerequisites:
Use "lslpp -l <fileset>" to make sure that the version of
filesets listed below is at the given level or greater.
If not, install the appropriate APAR.
Fileset Level APAR
===============================================
bos.rte.libc 4.2.1.0 IX60895
X11.Dt.lib 4.2.1.0 IX62473
X11.base.lib 4.2.1.1 IX68707
X11.motif.lib 4.2.1.0 IX65066
X11.Dt.rte 4.2.1.1 IX68676
bos.net.tcp.client 4.2.1.3 IX67137
bos.rte.misc_cmds 4.2.1.0 IX65960
X11.vsm.rte 4.2.1.2 IX68563
Installation:
Make a backup copy of the old files. Copy the new files over the
old ones and ensure that the permissions match the original
permissions. (Don't leave the old files with the setuid/setgid
bits set.)
Checksums:
File sum md5
======================================================================
42_fixes/dtmail 35354 1056 75e23f276e0a07c2502b43acf5fb6f8c
42_fixes/dtsession 52100 141 344ca9904249a33f8e93585858fc5234
42_fixes/libDtHelp.a 10373 961 16ee8695f780071329b506b66b9b9e61
42_fixes/libDtSvc.a 29662 822 c695cf9be044bb7a4efaed32dee2b157
42_fixes/libX11.a 09839 991 0759e863f24afe4b3fced582232686f8
42_fixes/libXm.a 18494 2613 5d20a65dc15fdd0c5b9e91adef4cc260
42_fixes/rcp 61895 22 a55d08f4511c466fbd9e76f356e8a501
42_fixes/sbcs.im 56511 10 0e1cb7e3f82b7bd5cb4b71796db3d42e
42_fixes/writesrv 27208 16 514c7419d297a096847776e1ee2d0604
42_fixes/xpasswd 38549 10 9cbe3664de73b58f12286fbd11a2b3ad
III. Contact Information
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
IBM and AIX are registered trademarks of International Business
Machines Corporation.
- --
+-------------- I do not speak for IBM! -----------------+
|Troy Bollinger | 92CBR600F2|
|AIX Security Development | troy@austin.ibm.com|
+----------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: 2.7.1
iQCVAwUBM6rsLQsPbaL1YgqvAQEXZwQAhMayJGulee2S+9GVXS5kdc9M1/ghJCYn
EcHYdGmdK4Sy10H2WFtZ0JMUeTJobYmLOwltLTkTLUsbMnX7ih8pylywywDEo2HU
TtSlJ+PxiEsDpOx1hmYi2E6Nj3wfqyB8tlsBUuWvpwdca6FgmLj2ul/nShTXRaCD
fKgqGsn7SQM=
=Bhlb
-----END PGP SIGNATURE-----