CA-95:09.README
Issue date: August 29, 1995
Date of last revision: September 20, 1995

This file is a supplement to CERT advisory CA-95:09, "Solaris ps
Vulnerability," distributed on August 29, 1995.  We update this file
as additional information becomes available.
									
Note: After we publish checksums in advisories and READMEs, files are
sometimes updated at individual locations because of system upgrades or
patch installation. For current MD5 checksum values, we recommend that
you check with your vendor.

As of September 20, 1995, information about Sun Microsystems, Inc., has
been added to the original text.  Also included below are several
changes and new information for the advisory and its appendix (excerpts
from the AUSCERT checklist).
 
//////////////////
Added September 20, 1995

* If you have trouble retrieving the file CA-95:09.Solaris.ps.vul,
  please use the file name CA-95:09.Solaris-ps.vul.

1.  In Section III.A.1, the advisory states:

         To verify if your configuration is currently vulnerable, the
	 following command may be used:

	      % /usr/bin/ls -ld /tmp
	      drwxrwxrwt   2 sys      sys        61 Aug 15 12:12 /tmp

        If the sticky bit (t) is not set (it will be an x), then the system 
	is vulnerable.

The directory owner and group shown were incorrect and should be "root".
Additional information should also be included, so the text should read
as follows:

         To verify if your configuration is currently vulnerable, the
	 following command may be used:

	      % /usr/bin/ls -ld /tmp
	      drwxrwxrwt   2 root     root       61 Aug 15 12:12 /tmp

         If the sticky bit (t) is not set (it will be an x), then the
	 system is vulnerable.  In addition, we recommend that the owner
	 and group for /tmp be changed to root and root, respectively.


2. In Section III.B.1, the advisory states:

         In addition, the ownership and group membership of the /tmp
         directory should be verified using /usr/bin/ls -ld /tmp, and if
         incorrect may be reset by: 

           # /usr/bin/chown sys /tmp
           # /usr/bin/chgrp sys /tmp

It should read:

         In addition, the ownership and group membership of the /tmp
         directory should be verified using /usr/bin/ls -ld /tmp, and if
         incorrect may be reset by: 

           # /usr/bin/chown root /tmp
           # /usr/bin/chgrp root /tmp



3. Section III.B.2 of the advisory is incorrect and should be replaced
   with the following text:

     2. Permanent - make the above change to /tmp permissions permanent

		The change noted in item B.1 above will be lost upon
		reboot. To make the changes permanent, create the
		following script as /etc/init.d/tmpfsfix: 

     -----------------------------cut here--8<----------------------------
     #!/bin/sh

     if [ -d /tmp ]
     then
	/usr/bin/chmod 1777 /tmp
	/usr/bin/chgrp root /tmp
	/usr/bin/chown root /tmp
     fi
     ------------------------------cut here---8<--------------------------

     After creating this file, the following commands should be issued
     as root to make the file executable, set appropriate owner and group,
     and create the necessary symbolic link to ensure that it is executed
     upon reboot appropriately:

  	     # /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc2.d/S06tmpfix
             # /usr/bin/chmod 744  /etc/init.d/tmpfsfix
             # /usr/bin/chown root /etc/init.d/tmpfsfix
             # /usr/bin/chgrp sys /etc/init.d/tmpfsfix
             # /bin/rm -f /etc/rc3.d/S79tmpfix

     If you have done item B.1 above, you can reboot at your leisure.
     Otherwise, reboot your system now. In either case, verify the 
     permissions of /tmp immediately after your next system reboot.


4.  The text for Section III.B.3 of the advisory should read:

       We recommend that you also check and correct the /var/tmp
       directory.  Note that this directory is not usually mounted as
       tmpfs, so it normally would not be subject to automatic resetting
       of its permission bits on reboot.

         % /usr/bin/ls -ld /var/tmp
         drwxrwxrwt   2 root     root      512 Aug 15 11:35 /var/tmp
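
The checks described in items 1 and 4 above can be scripted. The following
is an added example, not part of the original advisory; the function names
are hypothetical, and it assumes root is uid 0 and group root is gid 0.

```shell
#!/bin/sh
# Added example (not from the advisory): automate the "ls -ld" checks
# for /tmp and /var/tmp.
# Assumption: root is uid 0 and group root is gid 0, as on Solaris 2.x.

# Print "sticky", "no-sticky" or "missing" for directory $1.
sticky_state() {
    [ -d "$1" ] || { echo missing; return 0; }
    # Character 10 of the mode string is t/T when the sticky bit is set,
    # x or - when it is not (drwxrwxrwt vs. drwxrwxrwx).
    case $(ls -ld "$1" | cut -c10) in
        t|T) echo sticky ;;
        *)   echo no-sticky ;;
    esac
}

# Print the numeric owner and group of directory $1 as "uid:gid".
owner_ids() {
    ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# Return 0 if $1 matches the advisory text, 1 if the sticky bit is not
# set (vulnerable), 2 if only owner/group differ, 3 if $1 is missing.
audit_tmp_dir() {
    case $(sticky_state "$1") in
        missing)
            echo "$1: not a directory"
            return 3 ;;
        no-sticky)
            echo "$1: sticky bit not set, vulnerable (chmod 1777 $1)"
            return 1 ;;
    esac
    ids=$(owner_ids "$1")
    if [ "$ids" != "0:0" ]; then
        echo "$1: sticky bit set, but uid:gid is $ids (expected 0:0)"
        return 2
    fi
    echo "$1: sticky bit set, owner and group are root"
    return 0
}

# Audit the two directories named in the advisory.
for dir in /tmp /var/tmp; do
    audit_tmp_dir "$dir" || true
done
```

Run it again immediately after the next reboot, since /tmp mounted as tmpfs
has its permission bits reset at boot.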


5. In the AUSCERT excerpt in the appendix, the tenth item should read:


       *    ENSURE that there are no unexpected world writable files or
            directories on your system.  The following commands find world
            writable files and directories.

                # /bin/find / -type f -perm -2 -exec ls -l {} \;
                # /bin/find / -type d -perm -2 -exec ls -ld {} \;

End of advisory changes 
/////////////////

/////////////////
Added September 20, 1995

Sun Microsystems, Inc. has provided the following information
in their advisory.

---------------------------------------------------------------------------
			Begin Text provided by vendor

II. Announcement of patches for Solaris 2.x "ps_data" vulnerability

    A. Patch list

    We have produced patches for the versions of SunOS shown below.

         OS version      Patch ID    Patch File Name
         ----------      ---------   --------------- 
         5.3             101545-02   101545-02.tar.Z
         5.4             102711-01   102711-01.tar.Z
         5.4_x86         102712-01   102712-01.tar.Z

    B. Patch notes
 
    1. SunOS 4.1.x systems are not affected by this bug.

    2. The fix has been applied to the upcoming version of Solaris.


III. Checksum Table

    In the checksum table we show the BSD and SVR4 checksums and MD5
    digital signatures for the compressed tar archives.

   File            BSD          SVR4        MD5
   Name            Checksum     Checksum    Digital Signature
   --------------- -----------  ----------  --------------------------------
   101545-02.tar.Z 41218    77  47754  153  A8FB866780E7207D26CF16210BCFDC83
   102711-01.tar.Z 17256    69  20376  138  98A449372C5ABBDB7C37B08BFE0E6ED7
   102712-01.tar.Z 29867    68  56717  136  E324004BB8C09990B2790CB5D29D3AF5

   The checksums shown above are from the BSD-based checksum
   (on 4.1.x, /bin/sum;  on Solaris 2.x, /usr/ucb/sum) and from
   the SVR4 version on Solaris 2.x (/usr/bin/sum).

			End Text provided by vendor
---------------------------------------------------------------------------
/////////////////
