Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciach51a.txt

Vulnerability In Libxt




-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                             Vulnerability in libXt

November 20, 1997 23:00 GMT                                      Number H-51a
______________________________________________________________________________
PROBLEM:       A vulnernability exist for a buffer overflow condition in the
               Xt library and the file xc/lib/Xt/Error.c.
PLATFORM:      See "Appendix A - Vendor Information" below for platforms
               effected.
DAMAGE:        Allows unauthorized file access possibly gaining root
               privilege.
SOLUTION:      Apply the patches and workarounds listed
______________________________________________________________________________
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Appended to H-51 on November 20,1997 with additional patch information from
Silicon Graphics Inc. ]

[  Start CERT Advisory  ]

=============================================================================
CERT* Advisory CA-97.11
Original issue date: May 1, 1997
Last revised: --

Topic: Vulnerability in libXt
- ------------------------------------------------------------------------------

There have been discussions on public mailing lists about buffer overflows in
the Xt library of the X Windowing System made freely available by The Open
Group (and previously by the now-defunct X Consortium). The specific problem
outlined in those discussions was a buffer overflow condition in the Xt
library, and the file xc/lib/Xt/Error.c. Exploitation scripts were made
available.

Since then (the latter half of 1996), The Open Group has extensively reviewed
the source code for the entire distribution to address the potential for
further buffer overflow conditions. These conditions can make it possible for
a local user to execute arbitrary instructions as a privileged user without
authorization.

The programs that pose a potential threat to sites are those programs that
have been built from source code prior to X11 Release 6.3 and have setuid or
setgid bits set. Some third-party vendors distribute derivatives of the X
Window System, and if you use a distribution that includes X tools that have
setuid or setgid bits set, you may be vulnerable as well.

The CERT/CC team recommends upgrading to X11 Release 6.3 or installing a
patch from your vendor. If you cannot do one of these, then as a last resort
we recommend that you remove the setuid or setgid bits from any executable
files contained in your distribution of X; this may have an adverse effect on
some system operations.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- ------------------------------------------------------------------------------

I.   Description

     There have been discussions on public mailing lists about buffer
     overflows in the Xt library of the X Windowing System made freely
     available by The Open Group (and previously by the now-defunct X
     Consortium). During these discussions, exploitation scripts were made
     available for some platforms.**

     The specific problem outlined in those discussions was a buffer overflow
     condition in the Xt library and the file xc/lib/Xt/Error.c. It was
     possible for a user to execute arbitrary instructions as a privileged
     user using a program built by this distribution with setuid or setgid
     bits set.

     Note that in this case a root compromise was only possible when
     programs built from this distribution (e.g., xterm) were setuid
     root.

     Since then The Open Group has extensively reviewed the source code for
     the entire distribution to address the potential for further buffer
     overflow condition.

     If you use a distribution of the X Windowing System earlier than
     X11 Release 6.3 that you downloaded and compiled yourself, we
     encourage you to take the steps outlined in either Section IV A or C.

     If you use third-party vendor-supplied distributions of the X
     Windowing System containing setuid root programs, we encourage
     you to take the steps outlined in Sections IV B or C.

     ** Note: Discussions of this specific instance of the vulnerability
        appeared on mailing lists during the second half of 1996. Exploitation
        scripts were made public at that time.

II.  Impact

     Platforms that have X applications built with the setuid or setgid bits
     set may be vulnerable to buffer overflow conditions. These conditions can
     make it possible for a local user to execute arbitrary instructions as a
     privileged user without authorization. Access to an account on the system
     is necessary for exploitation.


III. Finding Potentially Vulnerable Distributions

     A.  For Sites That Download and Build Their Own Distributions

     As discussed earlier, the programs that pose a potential threat to sites
     are those programs that have been built from source code, prior to X11
     Release 6.3 and have setuid or setgid bits set.

     Sites that have downloaded the X source code from the X Consortium
     should be able to identify such programs by looking in the directory
     hierarchy defined by the "ProjectRoot" constant described in the
     xc/config/cf/site.def file in the source code distribution. The
     default is /usr/X11R6.3. The X11R6.3 Installation Guide states:

        "ProjectRoot
              The destination where X will be installed.  This variable
              needs to be set before you build, as some programs that read
              files at run-time have the installation directory compiled
              in to them.  Assuming you have set the variable to some value
              /path, files will be installed into /path/bin,
              /path/include/X11, /path/lib, and /path/man."


     B.  For Vendor-Supplied Distributions

     Some third-party vendors distribute derivatives of the X Window
     System. If you use a distribution that includes X tools that have
     setuid or setgid bits set, then you may need to apply Solution B or C
     in Section IV.

     If you use a distribution that does not have setuid or setgid bits
     enabled on any X tools, then you do not need to take any of the steps
     listed below.

     Below is a list of vendors who have provided information about this
     problem. If your vendor's name is not on this list and you need
     clarification, you should check directly with your vendor.


IV.  Solution

     If any X tools that you are using are potentially vulnerable (see Section
     III), we encourage you to take one of the following steps. If the setuid
     or setgid bits are not enabled on any of the tools in your distribution,
     you do not need to take any of the steps listed below.

     For distributions that were built directly from the source code
     supplied by The Open Group (and previously by the X Consortium), we
     encourage you to apply either Solutions A or C. For vendor-supplied
     distributions, we encourage you to apply either Solutions B or C.


     A.  Upgrade to X11 Release 6.3

         If you download and build your own distributions directly from the
         source code, we encourage you to install the latest version, X11
         Release 6.3. The source code can be obtained from

                ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz
                ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz
                ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz

         Note that these distributions are very large. The compressed
         files consume about 40M of disk space. The uncompressed tar files
         consume about 150M of disk space.


     B.  Install a patch from your vendor

         Below is a list of vendors who have provided information about
         this problem. Details are in Appendix A of this advisory; we will
         update the appendix as we receive more information. If your
         vendor's name is not on this list, the CERT/CC did not hear from
         that vendor. Please contact your vendor directly.

            Berkeley Software Design, Inc. (BSDI)
            Digital Equipment Corporation (DEC)
            FreeBSD, Inc.
            Hewlett-Packard Company
            IBM Corporation
            NEC Corporation
            NeXT Software, Inc.
            The Open Group (formerly OSF/X Consortium)
            The Santa Cruz Operation, Inc. (SCO)
            Sun Microsystems, Inc.


     C.  Remove the setuid bit from affected programs

         If you are unable to apply Solutions A or B, then as a last resort
         we recommend removing the setuid or setgid bits from the
         executable files in your distribution of X.

         Note that this may have an adverse effect on some system
         operations.  For instance, on some systems the xlock program needs
         to have the setuid bit enabled so that the shadow password file
         can be read to unlock the screen. By removing the setuid bit from
         this program, you remove the ability of the xlock program to read
         the shadow password file. This means that particular version of
         the xlock program should not be used at all, or it should be
         killed from another terminal when necessary.


_____________________________________________________________________

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Berkeley Software Design, Inc. (BSDI)
=====================================
  We released a patch for this for the 2.1 BSD/OS release,
  and it's already fixed in our current release.


Digital Equipment Corporation (DEC)
===================================
At the time of writing this document, patches(binary kits) are in progress and
final testing is expected to begin soon.  Digital will provide notice of the
completion/availability of the patches through AES services (DIA, DSNlink
FLASH) and be available from your normal Digital Support channel.


FreeBSD, Inc.
=============
We're aware of the problem and are trying to correct it with a new release of
the Xt library.


Hewlett-Packard Company
=======================
         For HP-UX, Install the applicable patches:

       PHSS_10167       9.X   X11R5/Motif1.2  Runtime
       PHSS_10168       9.X   X11R5/Motif1.2  Development

       PHSS_9809        10.0X/10.10  X11R5/Motif1.2  Runtime
       PHSS_9810        10.0X/10.10  X11R5/Motif1.2  Development

       PHSS_10688       10.20 X11R5/Motif1.2  Runtime
       PHSS_9813        10.20 X11R5/Motif1.2  Development

       PHSS_10789       10.20 X11R6/Motif1.2  Runtime
       PHSS_9815        10.20 X11R6/Motif1.2  Development


        Apply the library patches and relink any suid/sgid programs
        that are linked with the archived version of libXt.


IBM Corporation
===============
  See the appropriate release below to determine your action.


  AIX 3.2
  -------
    Apply the following fix to your system:

       APAR - IX61784,IX67047,IX66713 (PTF - U445908,U447740)

    To determine if you have this PTF on your system, run the following
    command:

       lslpp -lB U445908 U447740


  AIX 4.1
  -------
    Apply the following fix to your system:

        APAR - IX61031 IX66736 IX66449

    To determine if you have this APAR on your system, run the following
    command:


       instfix -ik IX61031 IX66736 IX66449

    Or run the following command:

       lslpp -h X11.base.lib

    Your version of X11.base.lib should be 4.1.5.2 or later.


  AIX 4.2
  -------
    Apply the following fix to your system:

        APAR - IX66824 IX66352

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX66824 IX66352

    Or run the following command:

       lslpp -h X11.base.lib

    Your version of X11.base.lib should be 4.2.1.0 or later.


  To Order
  --------
    APARs may be ordered using Electronic Fix Distribution (via FixDist)
    or from the IBM Support Center.  For more information on FixDist,
    reference URL:

       http://service.software.ibm.com/aixsupport/


    or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


  IBM and AIX are registered trademarks of International Business Machines
  Corporation.


NEC Corporation
===============
   EWS-UX/V(Rel4.2) R7.x - R10.x   vulnerable
   EWS-UX/V(Rel4.2MP) R10.x        vulnerable
   UP-UX/V(Rel4.2MP) R5.x - R7.x   vulnerable
   UX/4800 R11.x - current         vulnerable

   Patches for this vulnerability are in progress.
   For further information, please contact by e-mail:
      UX48-security-support@nec.co.jp


NeXT Software, Inc.
===================
X-Windows is not part of any NextStep or OpenStep release.  We are not
vulnerable to this problem.


The Open Group (formerly OSF/X Consortium)
================================
Not vulnerable.


The Santa Cruz Operation, Inc. (SCO)
====================================
We are investigating this problem and will provide updated
information for this advisory when it becomes available.


Sun Microsystems, Inc.
======================
We are investigating.

[  End CERT Advisory  ]

[ Appended Silicon Graphics Advisory ]

- -----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   libXt Security Issues
        Title:   CERT CA-97.11
        Number:  19971101-01-PX
        Date:    November 18, 1997
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose.  In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- ------------------------
- ---- Issue Specifics ---
- ------------------------


In disussions on public newsgroups and mailing lists, buffer overruns
in the Xt library of the X Windowing System and X application programs
have been discussed.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems.  This issue will
be corrected in future releases of IRIX.


- ---------------
- ---- Impact ---
- ---------------

All Silicon Graphics computer systems running IRIX 4.x, IRIX 5.x
and IRIX 6.x utilize the X Windowing system and have X applications
by default.

A local account is required in order to exploit these vulnerabilities
both locally and remotely.

This issue has been publically disclosed and discussed in several
public forums newsgroups and mailing lists in addition to
security advisories CERT CA-97.11.




- ---------------------------
- ---- Temporary Solution ---
- ---------------------------

Unfortunately, there are no immediate or temporary workarounds for
this issue.  The issue can only be addressed with a patch.



- -----------------
- ---- Solution ---
- -----------------




   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------

   IRIX 3.x          no
   IRIX 4.x          yes          not avail    Note 1
   IRIX 5.0.x        yes          not avail    Note 1
   IRIX 5.1.x        yes          not avail    Note 1
   IRIX 5.2          yes          not avail    Note 1
   IRIX 5.3          yes          2155
   IRIX 6.0.x        yes          not avail    Note 1
   IRIX 6.1          yes          not avail    Note 1
   IRIX 6.2          yes          2154
   IRIX 6.3          yes          2153
   IRIX 6.4          yes          2396


   NOTES

     1) upgrade to supported operating system version



Patches are available via anonymous FTP and your service/support provider.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Security information and patches can be found
in the ~ftp/security and ~ftp/patches directories, respectfully.



                 ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:


Filename:                 README.patch.2153
Algorithm #1 (sum -r):    25316 10 README.patch.2153
Algorithm #2 (sum):       65501 10 README.patch.2153
MD5 checksum:             61E23CC48D1295A14FF1BD14F1AE63E9

Filename:                 patchSG0002153
Algorithm #1 (sum -r):    63016 6 patchSG0002153
Algorithm #2 (sum):       54172 6 patchSG0002153
MD5 checksum:             283699BC58ABFF6F7C8BA3713D0AEEC4

Filename:                 patchSG0002153.idb
Algorithm #1 (sum -r):    28889 8 patchSG0002153.idb
Algorithm #2 (sum):       46999 8 patchSG0002153.idb
MD5 checksum:             B556DB55B2B5CF749C54E1AB5A4864A0

Filename:                 patchSG0002153.x_dev_sw
Algorithm #1 (sum -r):    03700 1039 patchSG0002153.x_dev_sw
Algorithm #2 (sum):       2287 1039 patchSG0002153.x_dev_sw
MD5 checksum:             2D95358E6433CDBE96D52F62D08A4CD3

Filename:                 patchSG0002153.x_dev_sw32
Algorithm #1 (sum -r):    64841 1251 patchSG0002153.x_dev_sw32
Algorithm #2 (sum):       38376 1251 patchSG0002153.x_dev_sw32
MD5 checksum:             EE7BE878CB7486BBA689DE31C49F2C2D

Filename:                 patchSG0002153.x_dev_sw64
Algorithm #1 (sum -r):    43845 1344 patchSG0002153.x_dev_sw64
Algorithm #2 (sum):       31671 1344 patchSG0002153.x_dev_sw64
MD5 checksum:             02803C4F21D9440D6B365B5E051260C6

Filename:                 patchSG0002153.x_eoe_sw
Algorithm #1 (sum -r):    43004 3102 patchSG0002153.x_eoe_sw
Algorithm #2 (sum):       56526 3102 patchSG0002153.x_eoe_sw
MD5 checksum:             4E50E4D94BFEA5652D20CE08BD120D0D

Filename:                 patchSG0002153.x_eoe_sw32
Algorithm #1 (sum -r):    38854 3358 patchSG0002153.x_eoe_sw32
Algorithm #2 (sum):       910 3358 patchSG0002153.x_eoe_sw32
MD5 checksum:             B5701DA482684D031D40249D6096971B

Filename:                 patchSG0002153.x_eoe_sw64
Algorithm #1 (sum -r):    24290 3562 patchSG0002153.x_eoe_sw64
Algorithm #2 (sum):       43506 3562 patchSG0002153.x_eoe_sw64
MD5 checksum:             73709C1BAF1B6A08DB6966DEB435B668



Filename:                 README.patch.2154
Algorithm #1 (sum -r):    02162 15 README.patch.2154
Algorithm #2 (sum):       39280 15 README.patch.2154
MD5 checksum:             5EEF5483CBDC8D804A29A0473230D277

Filename:                 patchSG0002154
Algorithm #1 (sum -r):    40324 14 patchSG0002154
Algorithm #2 (sum):       59115 14 patchSG0002154
MD5 checksum:             273ABFD8DAFDFC05BAA4727A39FB93D7

Filename:                 patchSG0002154.idb
Algorithm #1 (sum -r):    64074 7 patchSG0002154.idb
Algorithm #2 (sum):       61404 7 patchSG0002154.idb
MD5 checksum:             AF140498F7B12405046D2647E3DAFD73

Filename:                 patchSG0002154.x_dev_sw
Algorithm #1 (sum -r):    64669 1038 patchSG0002154.x_dev_sw
Algorithm #2 (sum):       43733 1038 patchSG0002154.x_dev_sw
MD5 checksum:             59113DE469DDD394ED11B9EC9E0BAD3A

Filename:                 patchSG0002154.x_dev_sw32
Algorithm #1 (sum -r):    09060 1252 patchSG0002154.x_dev_sw32
Algorithm #2 (sum):       50637 1252 patchSG0002154.x_dev_sw32
MD5 checksum:             801FBBD3B849DCCCCE32581006248194

Filename:                 patchSG0002154.x_dev_sw64
Algorithm #1 (sum -r):    45827 1344 patchSG0002154.x_dev_sw64
Algorithm #2 (sum):       7788 1344 patchSG0002154.x_dev_sw64
MD5 checksum:             4CE9812E5FBEAAA3BEE07EA1C8430C5A

Filename:                 patchSG0002154.x_eoe_sw
Algorithm #1 (sum -r):    14887 3034 patchSG0002154.x_eoe_sw
Algorithm #2 (sum):       11241 3034 patchSG0002154.x_eoe_sw
MD5 checksum:             BC5AA5A65C7560CD4734A68E73F3F853

Filename:                 patchSG0002154.x_eoe_sw32
Algorithm #1 (sum -r):    57921 2726 patchSG0002154.x_eoe_sw32
Algorithm #2 (sum):       41588 2726 patchSG0002154.x_eoe_sw32
MD5 checksum:             54C206869F69397875FD93216D991930

Filename:                 patchSG0002154.x_eoe_sw64
Algorithm #1 (sum -r):    53814 2868 patchSG0002154.x_eoe_sw64
Algorithm #2 (sum):       839 2868 patchSG0002154.x_eoe_sw64
MD5 checksum:             DB3862DE7C2E986E13E3E14C5E161E5E



Filename:                 README.patch.2155
Algorithm #1 (sum -r):    21907 13 README.patch.2155
Algorithm #2 (sum):       27373 13 README.patch.2155
MD5 checksum:             E6DABFBEE2945099D42F6063A11B6A7E

Filename:                 patchSG0002155
Algorithm #1 (sum -r):    02117 3 patchSG0002155
Algorithm #2 (sum):       5954 3 patchSG0002155
MD5 checksum:             35A01C9F197B55E05846A49F86001F33

Filename:                 patchSG0002155.idb
Algorithm #1 (sum -r):    36349 2 patchSG0002155.idb
Algorithm #2 (sum):       1931 2 patchSG0002155.idb
MD5 checksum:             7CE668036AABD4B63E65AF2E18A85079

Filename:                 patchSG0002155.x_dev_sw
Algorithm #1 (sum -r):    40176 1005 patchSG0002155.x_dev_sw
Algorithm #2 (sum):       14410 1005 patchSG0002155.x_dev_sw
MD5 checksum:             FB9E15AB9A24418A771D1A4239AACA9D

Filename:                 patchSG0002155.x_eoe_sw
Algorithm #1 (sum -r):    42558 2534 patchSG0002155.x_eoe_sw
Algorithm #2 (sum):       60261 2534 patchSG0002155.x_eoe_sw
MD5 checksum:             249A8BA0FD006A6543ED58548A961086



Filename:                 README.patch.2396
Algorithm #1 (sum -r):    21490 10 README.patch.2396
Algorithm #2 (sum):       59973 10 README.patch.2396
MD5 checksum:             51FBF3D675E4E43F2DF105FD60173D7E

Filename:                 patchSG0002396
Algorithm #1 (sum -r):    31021 6 patchSG0002396
Algorithm #2 (sum):       59122 6 patchSG0002396
MD5 checksum:             1CB84057C049D0AEEF1769147484D51D

Filename:                 patchSG0002396.eoe_sw
Algorithm #1 (sum -r):    44998 7 patchSG0002396.eoe_sw
Algorithm #2 (sum):       42468 7 patchSG0002396.eoe_sw
MD5 checksum:             948C51F29D9B18C71211551F2A9E2786

Filename:                 patchSG0002396.idb
Algorithm #1 (sum -r):    44652 6 patchSG0002396.idb
Algorithm #2 (sum):       50192 6 patchSG0002396.idb
MD5 checksum:             88153D362FE99D3C38B148649926B5E9

Filename:                 patchSG0002396.x_dev_sw
Algorithm #1 (sum -r):    21683 2337 patchSG0002396.x_dev_sw
Algorithm #2 (sum):       1525 2337 patchSG0002396.x_dev_sw
MD5 checksum:             D7A1332304D0053EE790F64C0C0D6B27

Filename:                 patchSG0002396.x_dev_sw64
Algorithm #1 (sum -r):    49044 1361 patchSG0002396.x_dev_sw64
Algorithm #2 (sum):       14474 1361 patchSG0002396.x_dev_sw64
MD5 checksum:             38F89FD774611E2D8DC65358C3CF809F

Filename:                 patchSG0002396.x_eoe_sw
Algorithm #1 (sum -r):    26996 5177 patchSG0002396.x_eoe_sw
Algorithm #2 (sum):       42378 5177 patchSG0002396.x_eoe_sw
MD5 checksum:             909745597814CC56DD5466CA4BEC3411

Filename:                 patchSG0002396.x_eoe_sw64
Algorithm #1 (sum -r):    25487 2832 patchSG0002396.x_eoe_sw64
Algorithm #2 (sum):       20908 2832 patchSG0002396.x_eoe_sw64
MD5 checksum:             E683B61D66B99B1A055AB8ACFFE28C32





- -------------------------
- ---- Acknowledgments ---
- -------------------------

Silicon Graphics wishes to thank the CERT Coordination Center
for their assistance in this matter.




- ------------------------------------------------------------
- ---- Silicon Graphics Inc. Security Information/Contacts ---
- ------------------------------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/security/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/security/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

______________________________________________________________________________
  This information is provided freely to all interested parties and may
  be redistributed provided that it is not altered in any way, Silicon
  Graphics is appropriately credited and the document retains and
  includes its valid PGP signature.


- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNHIbU7Q4cFApAP75AQHsmwP/a1yXEj4nbsISnuabnIOdPHtsZY+EZd3U
m6HArcRazNJdn+EOncr7y6oygCce6ASpOzd//uJ+Mn0C660x3X76PpEHn7w7Exxy
4nHR2Lepor1Qck/uTJNoLwO/6BMd+jLowZtyrIkgnVXQ7z2f/Yz6CwlKa0U0s0rz
AyT9O4fFFgo=
=QaJc
- -----END PGP SIGNATURE-----


[  End Silicon Graphics Inc. Advisory  ]


______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT, Kaleb Keithly of The
Open Group and Silicon Graphics Inc. for the information contained in this
bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
H-45: Windows NT SAM  permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability
H-50: HP-UX SYN Flood and libXt patches


-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNHS88bnzJzdsy3QZAQF1gQP/Vfj2DMP8ej3feM1S9Sry6xdZwuRGqqR4
rCdGcgHEbhHmtvGgAywNb8Pz7nmn/pjEjiP5Uqdz0tbHHuYpW+JNBfvPoB+T1v/J
w1GSNyOdVtN5SGsYHumag/I5yevH+Xq/amTFim460kymlixdUM5nD4XhMLW9z8zm
jP5lLDYqoNs=
=Ctw4
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH