---------- X-Sun-Data-Type: text X-Sun-Data-Description: text X-Sun-Data-Name: text X-Sun-Charset: us-ascii X-Sun-Content-Lines: 87 Scott Chasin said, > Mark Graff relayed to me... Yup. I also thought I sent a note out to this list, on August 14th. I'll attach that message. Our general policy is not to announce a problem until we have a fix. Since Scott disclosed the hole here I responded (or tried to respond) with the information that we knew about the problem and were testing fixes. Sorry if it didn't get out for some reason! On this bug the update is that I expect to release the patches and a corresponding bulletin next week, perhaps as early as Wednesday. BTW we have been working on a patch (for all affected platforms) since July. (We got a second report on August 1, but it turns out the fix was already in the works.) The traffic on this list, including Scott's disclosure and followup exploitation script, has had no effect on our schedule. We were already in the final stages of testing when he acted. So far as the "sticky bit" workaround goes, it looks good to me so far. By the time I issue the bulletin I will be sure one way or the other. Over the last couple of days, in parallel with the testing effort, I have been looking into the conditions under which the bit is not set by the startup scripts. (Don't send me all the traffic on this list about that--I've been following it here too). -mg- p.s. Followup inquiries or other questions should generally be sent to security-alert@sun.com, not to me directly. That addressed is covered when I'm out of the office. /\ \\ \ Mark G. Graff \ \\ / Sun Security Coordinator / \/ / / MS MPK3 / / \//\ 2550 Garcia Avenue \//\ / / Mountain View, CA 94043-1100 / / /\ / Phone: 415-688-9151 / \\ \ Email: mark.graff@Sun.COM \ \\ security-alert@sun.com \/ From owner-bugtraq@CRIMELAB.COM Fri Aug 18 09:15:55 1995 Approved-By: Scott Chasin <chasin@CRIMELAB.COM> Date: Fri, 18 Aug 1995 10:03:33 MDT Subject: Re: BUGTRAQ ALERT: Solaris 2.x vulnerability X-To: bugtraq@crimelab.com To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM> [casper@HOLLAND.SUN.COM wrote]: > > Just to add my two cents to the discussion: > > - this is a known problem > So why wasn't it more publically announced. Sun could easily have issued a > new binary very publically and without saying what they had fixed. > Mark Graff relayed to me that Sun has known about this for about 2 weeks or so. [casper@HOLLAND.SUN.COM wrote]: > > - it is fixed in 2.5 (by using fchown, not chown, both versions of ps) Apparently this is *NOT* fixed in the 2.5 release. At least not the copy I have. And I believe someone else has contested to this fact as well. > So why didnt you tell people instead of negligently leaving them exposed This is the old full-disclosure debate. I don't think we should be getting into this here. > Otherwise known as the majority of people who are less technically clued up. > Vendors need to improve their methods. > > Alan --Scott chasin@crimelab.com ---------- X-Sun-Data-Type: sun-deskset-message X-Sun-Data-Name: sun-deskset-message X-Sun-Encoding-Info: uuencode X-Sun-Content-Lines: 44 begin 600 sun-deskset-message M1G)O;2!G<F%F9B!-;VX@075G(#$T(#$X.C(Y.C T(#$Y.34*5&\Z($)51U12 M05% 0U))345,04(N0T]-"E-U8FIE8W0Z(%)E.B!3;VQA<FES(#(N>"!V=6YE M<F%B:6QI='D*6"U3=6XM0VAA<G-E=#H@55,M05-#24D*0V]N=&5N="U,96YG M=&@Z(#$V,S4*6"U,:6YE<SH@-3 *4W1A='5S.B!23PH*4W5N(&ES(&%W87)E M(&]F('1H92!P<F]B;&5M+B!792!A<F4@<W1I;&P@979A;'5A=&EN9R!B=70@ M22!D;R!E>'!E8W0*=7,@=&\@<')O9'5C92!A('!A=&-H+B!)(&1O;B=T(&AA M=F4@86X@97-T:6UA=&4@>65T(&]N('=H96X@;VYE('=I;&P*8F4@879A:6QA M8FQE+B!)(&AA=F4@<V%I9"!P<F5V:6]U<VQY(&EN('1H:7,@<W!A8V4@=&AA M="!T=V\@=V5E:W,*:7,@;F]R;6%L;'D@=&AE(&UI;FEM=6T@=&EM92!N965D M960N"@I4:&4@<W5G9V5S=&5D('=O<FMA<F]U;F0@;&]O:W,@9V]O9"!T;R!M M92X*"E=H96X@22!H879E(&$@<&%T8V@@22!W:6QL(&ES<W5E(&$@4W5N(%-E M8W5R:71Y($)U;&QE=&EN(&%N9"!P;W-T"G1H870@:&5R92X*"BUM9RT*"B @ M(" @("]<(" @(" @(" @"B @(" @7%P@7" @(" @(" @36%R:R!'+B!'<F%F M9@H@(" @7"!<7" O(" @(" @(%-U;B!396-U<FET>2!#;V]R9&EN871O<@H@ M(" O(%PO("\@+R @(" @($U3($U02S,*(" O("\@("!<+R]<(" @(" R-34P M($=A<F-I82!!=F5N=64*("!<+R]<(" @+R O(" @("!-;W5N=&%I;B!6:65W M+"!#02 Y-# T,RTQ,3 P"B @("\@+R O7" O(" @(" @4&AO;F4Z(#0Q-2TV M.#@M.3$U,0H@(" @+R!<7"!<(" @(" @($5M86EL.B!M87)K+F=R869F0%-U M;BY#3TT*(" @("!<(%Q<(" @(" @(" )<V5C=7)I='DM86QE<G1 <W5N+F-O M;0H@(" @("!<+PH*($9R;VT@;W=N97(M8G5G=')A<4!#4DE-14Q!0BY#3TT@ M($UO;B!!=6<@,30@,3,Z,# Z-# @,3DY-0H@07!P<F]V960M0GDZ("!38V]T M="!#:&%S:6X@/&-H87-I;D!#4DE-14Q!0BY#3TT^"B!$871E.B @(" @(" @ M($UO;BP@,30@075G(#$Y.34@,3(Z,SDZ,3$@3414"B!3=6)J96-T.B @(" @ M(%-O;&%R:7,@,BYX('9U;F5R86)I;&ET>0H@6"U4;SH@(" @(" @("!B=6=T M<F%Q0&-R:6UE;&%B+F-O;0H@5&\Z($UU;'1I<&QE(')E8VEP:65N=',@;V8@ M;&ES="!"54=44D%1(#Q"54=44D%10$-224U%3$%"+D-/33X*( H@02!M86IO M<B!H;VQD(&AA<R!B965N(&9O=6YD(&]N(%-O;&%R:7,@,BYX('=H:6-H('=I M;&P@86QL;W<*(&%N>6]N92!W:71H(&$@=7-E<B!A8V-O=6YT('1O(&=A:6X@ M<F]O="!A8V-E<W,N"B *($D@=VEL;"!B92!S96YD:6YG('1H92!E>'!L;VET M(&-O9&4@=&\@>6]U(&EN(&$@9F5W(&AO=7)S(&9R;VT@;F]W+@H@"B!4:&4@ M8G5G(&5X<&QO:71S(&$@8V]M;6]N('9U;F5R86)I;&ET>2!T:&%T(&-A;B!B M92!F:7AE9"!W:71H"B!A;B!E87-Y('=O<FMA<F]U;F0Z(&-H;6]D("MT("]T M;7 *( H@37D@<W5G9V5S=&EO;B!T;R!Y;W4@:7,@=&AA="!Y;W4@8VAE8VL@ M86QL(&UA8VAI;F5S(')U;FYI;F<@4V]L87)I<R R+G@*('1O('-E92!I9B!T M:&4@+W1M<"!D:7)E8W1O<GD@:&%S('1H92!S=&EC:WD@8FET('-E="X*( H@ M1T]/1#H@(&1R=WAR=WAR=W0@(" S(')O;W0@(" @(')O;W0@(" @(" @(" X M-S<@075G(#$T(#$R.C0S("]T;7 *($5624PZ("!D<G=X<G=X<G=X(" @,R!R M;V]T(" @("!R;V]T(" @(" @(" @.#<W($%U9R Q-" Q,CHT,R O=&UP"B * M( H@268@>6]U(&AA=F4@86YY('%U97-T:6]N<R!A="!A;&PL('!L96%S92!% M;6%I;"!M92X*( H@4V-O='0@0VAA<VEN"B!C:&%S:6Y 8W)I;65L86(N8V]M $"B *"B!M end