Quoting Joerg Schumacher (schumaat_private):
> AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
> from Gradient Technologies. Some parts of this system (NCS, server and
> client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
> created on the fly if missing. The code has the classical file open bug:
> it will happily follow any symlink.
>
> I guess IBM and Gradient had their chance to fix this bug, since I
> reported it back in December 1996 (no typo, more than a year ago).
> IIRC, HP-UX had (and may still have) this bug too.
>

Yes, we've had more than ample time to fix this and I personally thank
you for the patience you've shown. Unfortunately, it's difficult to fix
the bugs when you don't own the source code (I guess bugtraq readers
already know that ;-). For those keeping score this is PMR 1540x,025,724.

A simple workaround for this is to remove and recreate /tmp/last_uuid in
/sbin/rc.boot. This will limit the attack to filling the /tmp partition.

> Some complaints:
>
> to IBM: I guess it's time to review the APAR process wrt security.
>         Having a security related bug hanging around for more than a
>         year at low priority is definitely a bad thing.
>

Hopefully, this case will be an exception. I'd like to think that the
process has improved significantly (e.g. the recent routed bug posted to
bugtraq had a pretty fast followup).

> to IBM-ERS: I've submitted a Cc of my original bug report to
>             ers-techat_private but I never got any feedback.
>             Granted, you don't want us to send any reports via
>             email, but this "small planet" isn't small enough to let me
>             call you via phone for free.
>
> to DFN-CERT: Where have you been? No tracking seen despite my Cc.
>

IIRC, IBM-ERS and DFN-CERT harassed me about this several times... ;-)

> Thanks to Troy Bollinger (troyat_private) for pointing out some
> other insecurely created temporary files.

I also pointed out how to fix them, didn't I? :-) I'll update the list I
sent you and post it here. Most of the world-writable files (with the
exception of /tmp/last_uuid) have been fixed. I'd appreciate hearing
about any I missed.

>
> Regards,
> Joerg

Thanks.

--
Troy Bollinger                  troyat_private
AIX Security Development        security-alertat_private
PGP keyid: 1024/0xB7783129      Troy's opinions are not IBM policy
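
Added example, not part of the original message and not IBM's or Gradient's code: the create-if-missing open that follows a symlink, as the report describes it, next to a hardened open that refuses a pre-planted link. It assumes a POSIX.1-2008 system (O_NOFOLLOW) and a cache file private to the calling user; the function names and the scratch directory are constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern described in the report: create if missing, following any symlink. */
int open_cache_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened: create exclusively, or reopen only a regular, singly linked file we own
 * (assumption: the cache is private to the calling user). */
int open_cache_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0) return fd;                    /* we created it ourselves */
    if (errno != EEXIST) return -1;
    fd = open(path, O_RDWR | O_NOFOLLOW);      /* fails with ELOOP on a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void) {
    char dir[] = "/tmp/uuid-demo-XXXXXX";      /* constructed scratch directory */
    char cache[128], target[128];
    if (!mkdtemp(dir)) return 1;
    snprintf(cache, sizeof cache, "%s/last_uuid", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, cache) != 0) return 1; /* pre-planted link, target absent */
    int safe = open_cache_safe(cache);
    printf("safe open: %d, target exists: %s\n", safe, access(target, F_OK) == 0 ? "yes" : "no");
    int unsafe = open_cache_unsafe(cache);
    printf("unsafe open: %d, target exists: %s\n", unsafe, access(target, F_OK) == 0 ? "yes" : "no");
    if (unsafe >= 0) close(unsafe);
    unlink(cache); unlink(target); rmdir(dir);
    return 0;
}
```

The fstat() runs on the descriptor that was just opened, so the checks apply to the file actually in use and not to whatever the path names a moment later.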