[Full-Disclosure] Potential Denial of Service using PIOCSWATCH ioctl on IRIX

From: SGI Security Coordinator (agent99at_private)
Date: Tue Jun 10 2003 - 12:53:19 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    
    ______________________________________________________________________________
                               SGI Security Advisory
    
    Title     : Potential Denial of Service using PIOCSWATCH ioctl
    Number    : 20030603-01-P
    Date      : June 10, 2003
    
    Reference : CVE CAN-2003-0175
    Reference : SGI BUG 886309
    Fixed in  : IRIX 6.5.21 (when available)
    Fixed in  : Patches 5058, 5064, 5079, 5080, 5087, 5088, 5099-5102
    ______________________________________________________________________________
    
    SGI provides this information freely to the SGI user community for its
    consideration, interpretation, implementation and use.  SGI recommends that
    this information be acted upon as soon as possible.
    
    SGI provides the information in this Security Advisory on an "AS-IS" basis
    only, and disclaims all warranties with respect thereto, express, implied
    or otherwise, including, without limitation, any warranty of merchantability
    or fitness for a particular purpose.  In no event shall SGI be liable for
    any loss of profits, loss of business, loss of data or for any indirect,
    special, exemplary, incidental or consequential damages of any kind arising
    from your use of, failure to use or improper use of any of the instructions
    or information in this Security Advisory.
    ______________________________________________________________________________
    
    - -----------------------
    - --- Issue Specifics ---
    - -----------------------
    
    It's been reported that non-root users can call the PIOCSWATCH ioctl() in
    its various invocations via a user space program and crash IRIX with a kernel
    panic.  This could be used as a potential Denial of Service attack on the
    system.  A local account on the system is required.
    
    SGI has investigated the issue and recommends the following steps for
    neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
    implemented on ALL vulnerable SGI systems.
    
    These issues have been corrected with patches and in future releases of IRIX.
    
    
    - --------------
    - --- Impact ---
    - --------------
    
    The PIOCSWATCH ioctl (see proc(4) man page) is a standard function available
    in all IRIX systems.
    
    To determine the version of IRIX you are running, execute the following
    command:
    
      # /bin/uname -R
    
    That will return a result similar to the following:
    
      # 6.5 6.5.19f
    
    The first number ("6.5") is the release name, the second ("6.5.19f" in this
    case) is the extended release name.  The extended release name is the
    "version" we refer to throughout this document.
    
    
    - ----------------------------
    - --- Temporary Workaround ---
    - ----------------------------
    
    There is no effective workaround available for these problems.
    SGI recommends either upgrading to IRIX 6.5.21 (when available),
    or installing the appropriate patch from the listing below.
    
    
    - ----------------
    - --- Solution ---
    - ----------------
    
    SGI has provided a series of patches for these vulnerabilities. Our
    recommendation is to upgrade to IRIX 6.5.21 (when available),
    or install the appropriate patch.
    
       OS Version     Vulnerable?     Patch #      Other Actions
       ----------     -----------     -------      -------------
       IRIX 3.x        unknown                     Note 1
       IRIX 4.x        unknown                     Note 1
       IRIX 5.x        unknown                     Note 1
       IRIX 6.0.x      unknown                     Note 1
       IRIX 6.1        unknown                     Note 1
       IRIX 6.2        unknown                     Note 1
       IRIX 6.3        unknown                     Note 1
       IRIX 6.4        unknown                     Note 1
       IRIX 6.5          yes                       Notes 2 & 3
       IRIX 6.5.1        yes                       Notes 2 & 3
       IRIX 6.5.2        yes                       Notes 2 & 3
       IRIX 6.5.3        yes                       Notes 2 & 3
       IRIX 6.5.4        yes                       Notes 2 & 3
       IRIX 6.5.5        yes                       Notes 2 & 3
       IRIX 6.5.6        yes                       Notes 2 & 3
       IRIX 6.5.7        yes                       Notes 2 & 3
       IRIX 6.5.8        yes                       Notes 2 & 3
       IRIX 6.5.9        yes                       Notes 2 & 3
       IRIX 6.5.10       yes                       Notes 2 & 3
       IRIX 6.5.11       yes                       Notes 2 & 3
       IRIX 6.5.12       yes                       Notes 2 & 3
       IRIX 6.5.13       yes                       Notes 2 & 3
       IRIX 6.5.14       yes                       Notes 2 & 3
       IRIX 6.5.15       yes                       Notes 2 & 3
       IRIX 6.5.16       yes                       Notes 2 & 3
       IRIX 6.5.17m      yes          5087         Notes 2,3,4
       IRIX 6.5.17f      yes          5088         Notes 2,3,4
       IRIX 6.5.18m      yes          5097         Notes 2,3,4
       IRIX 6.5.18f      yes          5098         Notes 2,3,4
       IRIX 6.5.19m      yes      5101 or 5058     Notes 2,3,5
       IRIX 6.5.19f      yes      5102 or 5064     Notes 2,3,6
       IRIX 6.5.20m      yes      5079 or 5099     Notes 2,3,7
       IRIX 6.5.20f      yes      5080 or 5100     Notes 2,3,8
       IRIX 6.5.21        no
    
    
       NOTES
    
         1) This version of the IRIX operating system has been retired. Upgrade to an
            actively supported IRIX operating system.  See
            http://support.sgi.com for more information.
    
         2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
            SGI Support Provider or URL: http://support.sgi.com
    
         3) Upgrade to IRIX 6.5.21 (when available) or install the patch.
    
         4) This patch is for all platforms
    
         5) Patch 5101 is for all platforms except IP35 systems.
            Patch 5058 is for IP35 only.
    
         6) Patch 5102 is for all platforms except IP35 systems.
            Patch 5064 is for IP35 only.
    
         7) Patch 5079 is for all platforms except IP35 systems.
            Patch 5099 is for IP35 only.
    
         8) Patch 5080 is for all platforms except IP35 systems.
            Patch 5100 is for IP35 only.
    
                 ##### Patch File Checksums ####
    
    The actual patch will be a tar file containing the following files:
    
    
    - -------------
    - --- Links ---
    - -------------
    
    SGI Security Advisories can be found at:
    http://www.sgi.com/support/security/ and
    ftp://patches.sgi.com/support/free/security/advisories/
    
    SGI Security Patches can be found at:
    http://www.sgi.com/support/security/ and
    ftp://patches.sgi.com/support/free/security/patches/
    
    SGI patches for IRIX can be found at the following patch servers:
    http://support.sgi.com/ and ftp://patches.sgi.com/
    
    SGI freeware updates for IRIX can be found at:
    http://freeware.sgi.com/
    
    SGI fixes for SGI open sourced code can be found on:
    http://oss.sgi.com/projects/
    
    SGI patches and RPMs for Linux can be found at:
    http://support.sgi.com/
    
    SGI patches for Windows NT or 2000 can be found at:
    http://support.sgi.com/
    
    IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
    http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/
    
    IRIX 6.5 Maintenance Release Streams can be found at:
    http://support.sgi.com/
    
    IRIX 6.5 Software Update CDs can be obtained from:
    http://support.sgi.com/
    
    The primary SGI anonymous FTP site for security advisories and patches is
    patches.sgi.com.  Security advisories and patches are located under the URL
    ftp://patches.sgi.com/support/free/security/
    
    For security and patch management reasons, ftp.sgi.com (mirrors
    patches.sgi.com security FTP repository) lags behind and does not do a
    real-time update.
    
    
    - -----------------------------------------
    - --- SGI Security Information/Contacts ---
    - -----------------------------------------
    
    If there are questions about this document, email can be sent to
    security-infoat_private
    
                          ------oOo------
    
    SGI provides security information and patches for use by the entire SGI
    community.  This information is freely available to any person needing the
    information and is available via anonymous FTP and the Web.
    
    The SGI Security Headquarters Web page is accessible at the URL:
    http://www.sgi.com/support/security/
    
    For issues with the patches on the FTP sites, email can be sent to
    security-infoat_private
    
    For assistance obtaining or working with security patches, please
    contact your SGI support provider.
    
                          ------oOo------
    
    SGI provides a free security mailing list service called wiretap and
    encourages interested parties to self-subscribe to receive (via email) all
    SGI Security Advisories when they are released. Subscribing to the mailing
    list can be done via the Web
    (http://www.sgi.com/support/security/wiretap.html) or by sending email to
    SGI as outlined below.
    
    % mail wiretap-requestat_private
    subscribe wiretap <YourEmailAddress such as zedwatchat_private >
    end
    ^d
    
    In the example above, <YourEmailAddress> is the email address that you wish
    the mailing list information sent to.  The word end must be on a separate
    line to indicate the end of the body of the message. The control-d (^d) is
    used to indicate to the mail program that you are finished composing the
    mail message.
    
    
                          ------oOo------
    
    SGI provides a comprehensive customer World Wide Web site. This site is
    located at http://www.sgi.com/support/security/ .
    
                          ------oOo------
    
    If there are general security questions on SGI systems, email can be sent to
    security-infoat_private
    
    For reporting *NEW* SGI security issues, email can be sent to
    security-alertat_private or contact your SGI support provider.  A support
    contract is not required for submitting a security report.
    
    ______________________________________________________________________________
          This information is provided freely to all interested parties
          and may be redistributed provided that it is not altered in any
          way, SGI is appropriately credited and the document retains and
          includes its valid PGP signature.
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    
    iQCVAwUBPuYy3bQ4cFApAP75AQHF+AQAoh1bDKK8afzzVGvbwi8mSiNsAOJ50mvX
    wf2QGuBRBt5K7XRh55izxEzblOeqXzbbqbkiqKYRwiJPvgZTjGIg07Pgq/VEZ7RG
    ZEKF7RpVDqsl+f5AORbnW5F4WHaYxTVpyDCDH5J7bAddWRiDLXFfpHBZDT3XX18Q
    4C1IO8oE/NU=
    =/sgq
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
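
As an added example (not part of the SGI advisory), the POSIX shell function below encodes the advisory's version/patch table and Notes 4-8, so that `uname -R` output collected from a set of hosts can be mapped to the required action. The function name is hypothetical, and the board-type argument (for example IP35) is assumed to come from `uname -m`.

```shell
#!/bin/sh
# Added example: triage helper built from the advisory's OS version / patch table.
# irix_piocswatch_action RELEASE [BOARD]   (hypothetical helper name)
#   RELEASE: output of `/bin/uname -R`, e.g. "6.5 6.5.19f"
#   BOARD:   CPU board type such as IP35 (assumption: taken from `uname -m`)
# Prints one line describing the action; returns 2 if RELEASE cannot be parsed.
irix_piocswatch_action() {
    pw_release=$1
    pw_board=${2:-}
    pw_patch=
    pw_ip35=
    pw_stream=
    # The extended release name is the last whitespace-separated field.
    pw_ext=${pw_release##* }
    case $pw_ext in
        6.5|6.5.*) ;;
        3.*|4.*|5.*|6.0*|6.1*|6.2*|6.3*|6.4*)
            echo "unknown: retired release, upgrade to a supported IRIX (Note 1)"
            return 0 ;;
        *)  echo "unrecognized release: $pw_ext"
            return 2 ;;
    esac
    # Split "6.5.19f" into maintenance number (19) and stream (m or f).
    pw_rest=${pw_ext#6.5}
    pw_rest=${pw_rest#.}
    case $pw_rest in
        *m) pw_stream=m; pw_rest=${pw_rest%m} ;;
        *f) pw_stream=f; pw_rest=${pw_rest%f} ;;
    esac
    [ -n "$pw_rest" ] || pw_rest=0          # plain "6.5" is the base release
    case $pw_rest in
        *[!0-9]*) echo "unrecognized release: $pw_ext"; return 2 ;;
    esac
    if [ "$pw_rest" -ge 21 ]; then
        echo "not vulnerable: fixed in IRIX 6.5.21"
        return 0
    fi
    if [ "$pw_rest" -le 16 ]; then
        echo "vulnerable: no patch listed for this release, upgrade to IRIX 6.5.21 (Notes 2 & 3)"
        return 0
    fi
    # 6.5.17 to 6.5.20: the patch depends on the stream and, from 6.5.19 on,
    # on whether the system is an IP35 (Notes 5-8).
    case $pw_rest$pw_stream in
        17m) pw_patch=5087 ;;
        17f) pw_patch=5088 ;;
        18m) pw_patch=5097 ;;
        18f) pw_patch=5098 ;;
        19m) pw_patch=5101; pw_ip35=5058 ;;
        19f) pw_patch=5102; pw_ip35=5064 ;;
        20m) pw_patch=5079; pw_ip35=5099 ;;
        20f) pw_patch=5080; pw_ip35=5100 ;;
        *)  echo "vulnerable: stream (m or f) missing for 6.5.$pw_rest, cannot select a patch"
            return 0 ;;
    esac
    if [ "$pw_board" = IP35 ] && [ -n "$pw_ip35" ]; then
        pw_patch=$pw_ip35
    fi
    echo "vulnerable: install patch $pw_patch or upgrade to IRIX 6.5.21"
}

# Stand-alone use: ./script "6.5 6.5.19f" IP35
if [ "$#" -ge 1 ]; then
    irix_piocswatch_action "$1" "${2:-}"
fi
```

The result is derived from the release string only; a host that already has the listed patch installed reports the same `uname -R` output and still needs its installed patch set checked separately.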
    


