Re: Vulnerability in dtaction on Digital Unix

From: Dave Dittrich (dittrichat_private)
Date: Wed Sep 22 1999 - 14:35:23 PDT


    On Thu, 16 Sep 1999, Eric Gatenby wrote:
    
    > I just installed this patch and noticed a major omission in the instructions
    > for the installation of the patch.
    >
    > Here are the instructions from the README:
    > # cd /usr/dt/bin
    > # cp /patches/dtaction dtaction.new
    > # chown root:system dtaction.new
    > # chmod 6555 dtaction.new
    > # ln dtaction dtaction.orig
    > # mv dtaction.new dtaction
    >
    > The major problem is that it leaves the dtaction.orig file (the one with the
    > overflow) setuid to root. Some admins will notice it, some won't...
    >
    > Solution? chmod 0100 /usr/dt/bin/dtaction.orig
    >
    > BTW, anyone know a general security address @ compaq where I can send info
    > like this? I cannot seem to find one...
    
    I'm not sure if that will help, as I was in the same position, finding
    the same problem, earlier this year, and here it is happening again.
    
    I asked the security team to change their boilerplate instructions
    (which they claimed were the source of the problem - find security bug,
    patch programs, grab boilerplate instructions, change program names,
    send to customer).   Seems they only fix the message *after* you point
    it out to them, on a patch-by-patch basis, leaving the boilerplate the
    same to repeat the problem over and over again.
    
    Here is the (elided) message I got after pointing this out to them in
    February and specifically asking that they change the BOILERPLATE
    as well:
    
    ----------------------------------------------------------------------------------
    ---------- Forwarded message ----------
    Date: Thu, 4 Feb 1999 16:08:52 -0500
    Subject: RE: Problem with SSRT0583U patch instructions
    From: XXXXXXXXXX <XXXXXXXXXXat_private>
    To: 'Dave Dittrich' <dittrichat_private>,
         Lamont Granquist <lamontgat_private>
    Cc: XXXXXXXXXXXX <XXXXXXXXXXXXat_private>
    
    The engineer has corrected this in the patch - thanks for the information.
    Here are the updated installation instructions.  They are the same for
    all versions of the operating system.  The only changes are the addition
    of the "chmod 400" commands.
    
    Installation Instructions:
    
    The following instructions assume the patched files are in directory
    /patches.
    
    Become superuser and enter the following commands:
    
    # cd /usr/bin
    
    # cp /patches/at at.new
    # chown root:bin at.new
    # chmod 4755 at.new
    # ln at at.orig
    # mv at.new at
    # chmod 400 at.orig
    
    # cd /usr/bin/mh
    
    # cp /patches/inc inc.new
    # chown root:bin inc.new
    # chmod 4755 inc.new
    # ln inc inc.orig
    # mv inc.new inc
    # chmod 400 inc.orig
    
    # cd /usr/shlib
    
    # cp /patches/libmh.so libmh.so.new
    # chown bin:bin libmh.so.new
    # chmod 444 libmh.so.new
    # ln libmh.so libmh.so.orig
    # mv libmh.so.new libmh.so
    # chmod 400 libmh.so.orig
    ----------------------------------------------------------------------------------
    
    Perhaps a little "light of day" will prompt the owner of the boilerplate
    (or the person who writes general procedures for producing patches) to
    finally learn this lesson. ;)
    
    --
    Dave Dittrich                 Client Services
    dittrichat_private   Computing & Communications
                                  University of Washington
    
    Dave Dittrich / dittrichat_private [PGP Key] <http://www.washington.edu/People/dad/>
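
A defender-side version of the README procedure, added here as an example (it is not from the original post, nor from Compaq's patch kit): it strips the setuid/setgid and execute bits from the old binary *before* the backup hard link is created, refuses to clobber a backup left by an earlier patch round, and then audits a directory for leftover setuid backups. The function names, the optional owner:group argument (root:system in the README) and the `*.orig`/`*.old`/`*.bak` patterns are my own choices.

```shell
# install_patched_setuid DIR NAME PATCHDIR MODE [OWNER]
# Replace DIR/NAME with PATCHDIR/NAME (mode MODE, e.g. 6555), keeping the old
# binary as DIR/NAME.orig with setuid/setgid/exec bits already removed.
# Hypothetical helper: same steps as the README, with the chmod reordered.
install_patched_setuid() {
    dir=$1 name=$2 patchdir=$3 mode=$4 owner=${5:-}
    # Refuse to clobber a backup left by an earlier patch round.
    [ ! -e "$dir/$name.orig" ] || { echo "$dir/$name.orig exists" >&2; return 1; }
    cp "$patchdir/$name" "$dir/$name.new" || return 1
    # chown as in the README (root:system); only done when an owner is given,
    # so the function can also be exercised unprivileged.
    if [ -n "$owner" ]; then
        chown "$owner" "$dir/$name.new" || return 1
    fi
    chmod "$mode" "$dir/$name.new" || return 1
    # The backup is a hard link to the old inode, so a chmod on the old name
    # applies to the backup too. Strip setuid/setgid/exec BEFORE linking: from
    # this point on no name refers to an executable setuid copy of the old code.
    chmod 0400 "$dir/$name" || return 1
    ln "$dir/$name" "$dir/$name.orig" || return 1
    mv "$dir/$name.new" "$dir/$name" || return 1
}

# find_setuid_backups DIR
# Print any backup files (*.orig, *.old, *.bak) under DIR that still carry
# the setuid or setgid bit; empty output means none were found.
find_setuid_backups() {
    find "$1" -type f \
        \( -name '*.orig' -o -name '*.old' -o -name '*.bak' \) \
        \( -perm -4000 -o -perm -2000 \) -print
}
```

Running `find_setuid_backups /usr/dt/bin` after applying a vendor patch is the quick check for the exact leftover the thread describes.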
    