SUN MICROSYSTEMS SECURITY BULLETIN: #00121, 29 June 93

==============================================================================

ABOUT THIS BULLETIN

This information is only to be used for the purpose of alerting
customers to problems.  Any other use or re-broadcast of this 
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun Microsystems expressly disclaims all liability for any misuse of
this information by any third party.
==============================================================================

BULLETIN TOPICS

I.   New Patches
      A. 101119-01 - SunOS 5.0 (Solaris 2.0): expreserve can be used to
         overwite any file
      B. 101089-01 - SunOS 5.1 (Solaris 2.1): expreserve can be used to
         overwite any file
      C. 101090-01 - SunOS 5.2 (Solaris 2.2): expreserve can be used to
         overwite any file

II.   Related Patches
      A. 101080-01 - SunOS 4.1, 4.1.1, 4.1.2, 4.1.3: expreserve can be used to
         overwite any file {Sun Security Bulletin #120, 10 June 1993)

III.  Obtaining Patches

IV.   Acknowledgments
 

SPECIAL NOTES: 

1. The expreserve vulnerability is known to Sun to exist on SunOS 4.1,
   4.1.1, 4.1.2, 4.1.3, 5.0/Solaris 2.0, 5.1/Solaris 2.1, and
   5.2/Solaris 2.2.

2. Sun recommends that the expreserve utility be disabled immediately,
   and that official Sun patches be installed to correct the problem.
   To prevent use of the expreserve utility, execute the following
   command as root:

	/usr/bin/chmod a-x /usr/lib/expreserve

   The expreserve command normally is used to recover vi editor files
   when vi terminates unexpectedly. Disabling expreserve will disable
   this recovery feature. Users of vi should be advised of this temporary
   change and encouraged to save their work frequently.

3. Patch 101080-01, described in the Sun Security Bulletin #120 issued
   10 June 1993, fixed the problem for SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3,
   and is still available from the sources described below. The README
   file does not refer to SunOS 4.1 because the patch was released before
   applicability of the patch to 4.1 was confirmed. 

4. Patches 101119-01, 101089-01, and 101090-01 fix the problem for
   5.0/Solaris 2.0, 5.1/Solaris 2.1, and 5.2/Solaris 2.2, and are now
   available from the sources described below.

5. Due to the extraordinary recent publicity surrounding this
   vulnerability, Sun decided NOT to delay the release of the first (4.x)
   patch until the other (Solaris) patches were ready. Sun especially
   regrets any inconvenience resulting from the split release.
==============================================================================

I. NEW PATCHES

A. Sun Patch ID:  101119-01, security problem with expreserve.
   Sun Bug IDs: 1044909, 1083183
   SunOS release: SunOS 5.0/Solaris 2.0
   Synopsis:    This patch fixes a problem in the expreserve program
        which allows it to be used to overwrite any file. This
        vulnerability can be used to obtain root access to the system. 
   Problem Description: 
      Bug 1044909 - race condition when file is created owned by root.
      Bug 1083183 - expreserve can be used to overwite any file.

Checksum of compressed tarfile 101119-01.tar.Z on ftp.uu.net
	BSD  (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum):  33222 27
	SysV (on Solaris, /usr/bin/sum):                     1839 54

B. Sun Patch ID:  101089-01, security problem with expreserve.
   Sun Bug IDs: 1044909, 1083183
   SunOS release: SunOS 5.1/Solaris 2.1
   Synopsis:    This patch fixes a problem in the expreserve program
        which allows it to be used to overwrite any file. This
        vulnerability can be used to obtain root access to the system. 
   Problem Description: 
      Bug 1044909 - race condition when file is created owned by root.
      Bug 1083183 - expreserve can be used to overwite any file.

Checksum of compressed tarfile 101089-01.tar.Z on ftp.uu.net:
	BSD  (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum):  23443 27
	SysV (on Solaris, /usr/bin/sum):                    36631 54

C. Sun Patch ID:  101090-01, security problem with expreserve.
   Sun Bug IDs: 1044909, 1083183
   SunOS release: SunOS 5.2/Solaris 2.2
   Synopsis:    This patch fixes a problem in the expreserve program
        which allows it to be used to overwrite any file. This
        vulnerability can be used to obtain root access to the system. 
   Problem Description: 
      Bug 1044909 - race condition when file is created owned by root.
      Bug 1083183 - expreserve can be used to overwite any file.

Checksum of compressed tarfile 101090-01.tar.Z on ftp.uu.net:
	BSD  (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum):  53431 27
	SysV (on Solaris, /usr/bin/sum):                    53432 54
==============================================================================

II. RELATED PATCHES

A. Sun Patch ID:  101080-01, security problem with expreserve.
   Sun Bug IDs: 1044909, 1083183
   SunOS release: SunOS 4.1, 4.1.1, 4.1.2, 4.1.3
   Synopsis:    This patch fixes a problem in the expreserve program
        which allows it to be used to overwrite any file. This
        vulnerability can be used to obtain root access to the system. 
   Problem Description: 
      Bug 1044909 - race condition when file is created owned by root.
      Bug 1083183 - expreserve can be used to overwite any file.

Checksum of compressed tarfile 101080-01.tar.Z on ftp.uu.net:
	BSD  (on Solaris, /usr/ucb/sum; on 4.x, /bin/sum):  45221 13
	SysV (on Solaris, /usr/bin/sum):                     1998 25

NOTE: This patch obsoletes patch 100251-01.
==============================================================================

III. OBTAINING PATCHES

Sun Microsystems recommends that all customers concerned with the security
of their SunOS system(s) obtain and install the patches that are applicable
to their computing environment.

All patches listed are available through your local Sun answer centers
worldwide. Please refer to the Bugid and Patchid when requesting patches
from Sun answer centers.

Sun also makes security patches available through anonymous FTP. In the US,
FTP to ftp.uu.net and obtain the patch from the /systems/sun/sun-dist
directory. In Europe, FTP to mcsun.eu.net and obtain the patch from the
~ftp/sun/fixes directory. (Note that Sun does not have direct access to
mcsun.eu.net and must request that patches be copied from ftp.uu.net to
mcsun.eu.net.  Therefore, there may be a time lag before patches appear
on mcsun.eu.net.)
===========================================================================

IV. ACKNOWLEDGMENTS

Sun Microsystems acknowledges the CERT Coordination Center, the CIAC
Computer Security Technology Center, and Lawrence Livermore Laboratories
for their assistance in the resolution of the expreserve problem.
===========================================================================

Mark G. Graff
Software Security Coordinator
Sun Microsystems, Inc.

(Please address e-mail replies or inquiries to: "security-alert@Sun.COM".)