11th Apr 2003 [SBWID-6138]
COMMAND
xfsdump insecure file creation
SYSTEMS AFFECTED
IRIX versions prior to 6.5.20 (6.5.20 is immune)
PROBLEM
In SGI Security Advisory 20030404-01-P:
It's been reported that xfsdump creates quota information files
insecurely, possibly leading to a root exploit by a local user.
See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0173
SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures
be implemented on ALL vulnerable SGI systems.
These issues have been corrected with patches and in future releases of
IRIX.
SOLUTION
There is no effective workaround available for these problems if you
need to use xfsdump on xfs filesystems with quotas. SGI recommends
either upgrading to IRIX 6.5.20 (when available), or installing the
appropriate patch available from the vendor.