SUMMARY: Large Security hole in Solaris 2.5 and 2.5.1. Where is the patch???

From: Randall S. Winchester (rsw@Glue.umd.edu)
Date: Thu Jan 29 1998 - 11:02:08 CST


I have received the following information from Sun regarding this issue.
First, Solaris 2.6 is fine in this regard.

Bug ID: 4053228
Patch      OS     Arch
105051-01  2.5.1  i386
105052-01  2.5.0  sparc
105053-01  2.5.0  intel
102711-02  2.4.0  sparc
102712-02  2.4.0  intel

Bug ID: 1262666
Patch      OS     Arch
103187-33  2.5    sparc
103188-33  2.5    intel
103612-38  2.5.1  sparc
103613-37  2.5.1  intel
There is no patch for 2.4 as it is related to "nscd".

Actually it is the "nscd client side" that has the problem, so you must make
sure you replace the "/usr/lib/libnsl*" files in the appropriate patch.

Randall

On Tue, 27 Jan 1998, Randall S. Winchester wrote:

:
: A root exploit for ping was published on the net 3 weeks ago (That is 21
: days). It is trivial for anyone with gcc to compile, execute, and exploit
: the published buffer overflow problem.
:
: You can get a root shell any time, every time, and instantly!
:
: Does Sun not track these well known sites that publish these exploits?
: The fix is trivial, you just need to limit the length of the "hostname"
: field to MAXHOSTNAMELEN. (If you have source....)
:
: The possibility for a problem probably exists in Solaris 2.6 as well however
: the exploit needs to be modified for the different libraries.
:
: So WHERE IS THE PATCH?
:
: Until then you should *all* "chmod u-s /usr/sbin/ping", as root of course.
:
: Randall

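The bound the quoted message describes, limiting the hostname argument to MAXHOSTNAMELEN before it is copied into a fixed-size buffer, as an added C example; this is not Sun's ping source or the contents of any patch listed above, and the function names are made up for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXHOSTNAMELEN on BSD-derived systems; fallback below */

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256   /* assumed value where the header does not define it */
#endif

/* Copy a user-supplied host argument into a buffer of MAXHOSTNAMELEN bytes,
 * refusing anything that would not fit together with its terminating NUL.
 * Returns 0 on success, -1 if the argument is too long. The scan for the
 * NUL is itself bounded, so an unterminated argument is never read past
 * MAXHOSTNAMELEN bytes either. (Hypothetical function name.) */
int set_target_hostname(const char *arg, char out[MAXHOSTNAMELEN])
{
    const char *nul = memchr(arg, '\0', MAXHOSTNAMELEN);
    if (nul == NULL) {          /* no NUL within the bound: would overflow */
        out[0] = '\0';
        return -1;              /* reject rather than truncate silently */
    }
    memcpy(out, arg, (size_t)(nul - arg) + 1);   /* length + NUL, known to fit */
    return 0;
}

/* Constructed inputs for demonstration (not real hosts or captured data). */
int demo_short(void)
{
    char buf[MAXHOSTNAMELEN];
    return set_target_hostname("host.example.com", buf);
}

/* Boundary case: MAXHOSTNAMELEN - 1 characters is the longest that fits. */
int demo_max_fit(void)
{
    char name[MAXHOSTNAMELEN];
    char buf[MAXHOSTNAMELEN];
    memset(name, 'A', MAXHOSTNAMELEN - 1);
    name[MAXHOSTNAMELEN - 1] = '\0';
    return set_target_hostname(name, buf);
}

/* Oversized argument: the kind of input the quoted message says ping copied unchecked. */
int demo_oversized(void)
{
    char big[MAXHOSTNAMELEN + 64];
    char buf[MAXHOSTNAMELEN];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_target_hostname(big, buf);
}

int main(void)
{
    printf("short=%d max_fit=%d oversized=%d\n", demo_short(), demo_max_fit(), demo_oversized());
    return 0;
}
```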


This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:30 CDT