AUSCERT External Security Bulletin Redistribution

                 ESB-97.045 -- SUN Security Bulletin #00138
                              18 April 1997

Last Revised:	2 May 1997
		Removed incorrect pointer to AL-96.04

		A complete revision history is at the end of this file.


Sun Microsystems has released the following security bulletin giving patch
information which addresses vulnerabilities in the volume management
library, libvolmgt.so.1. These vulnerabilities may allow root access to
unauthorized users if exploited.

This bulletin addresses the vulnerabilities previously described in the
AUSCERT Advisories:

    AA-97.11 - fdformat Buffer Overflow Vulnerability
    AA-97.10 - eject Buffer Overrun Vulnerability

AUSCERT advises that all sites apply the appropriate patches described in
this bulletin as soon as possible.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for Sun Microsystems is included in the Security
Bulletin below.  If you have any questions or need further information,
please contact them directly.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------



In this bulletin Sun announces the release of security-related patches
for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). These patches
relate to vulnerabilities in the volume management library, libvolmgt.so.1,
which can result in root access if exploited. The programs eject and fdformat
dynamically link the libvolmgt.so.1 library.

Sun estimates that patches for Solaris 2.3 (SunOS 5.3) and Solaris 2.4
(SunOS 5.4) for the same vulnerabilities will be available within 1 week of
the date of this bulletin.

Sun strongly recommends that you install these patches immediately on
every affected system. Exploitation scripts for eject and fdformat were made
public last month.

I.   Who is Affected, and What to Do

II.  Understanding the Vulnerabilities

III. List of Patches

IV.  Checksum Table


A.   How to obtain Sun security patches

B.   How to report or inquire about Sun security problems

C.   How to obtain Sun security bulletins or short status updates

Sun acknowledges with thanks the CERT Coordination Center (Carnegie
Mellon University) and AUSCERT for their assistance in the preparation of
this bulletin.

Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/".

Keywords:	eject, fdformat, volume management
Patchlist: 	104776-01, 104777-01
		103024-02, 103044-02
		101907-14, 101908-14, 101331-07

Permission is granted for the redistribution of this Bulletin, so long
as the Bulletin is not edited and is attributed to Sun Microsystems.
Portions may also be excerpted for re-use in other security advisories
so long as proper attribution is included.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.


I.   Who is Affected, and What to Do
     SunOS versions 5.3, 5.4, 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86 are vulnerable.
     SunOS versions 4.1.3_U1 and 4.1.4 are not vulnerable.

     Install the patches listed in III. for SunOS versions 5.5, 5.5_x86, 5.5.1,
     and 5.5.1_x86.
     Sun estimates that patches for SunOS 5.4, SunOS 5.4_x86, and 5.3 will be
     released within 1 week from the date of this bulletin. In the meantime,
     Sun recommends, as a workaround, that setuid permission be removed from
     the eject and fdformat programs by using commands such as the following:
		chmod 555 /usr/bin/eject
		chmod 555 /usr/bin/fdformat
     The same vulnerabilities have been fixed in the upcoming release of
     Solaris 2.6.

II.  Understanding the Vulnerabilities

     A. eject Buffer Overflow Vulnerability

Removable media devices that do not have an eject button or removable media
devices that are managed by Volume Management use the eject program. Due to
insufficient bounds checking on arguments in the volume management library,
libvolmgt.so.1, it is possible to overwrite the internal stack space of the
eject program. If exploited, this vulnerability can be used to gain root
access on attacked systems.

     B. fdformat Buffer Overflow Vulnerability

The fdformat program formats diskettes and PCMCIA memory cards. The program
also uses the same volume management library, libvolmgt.so.1, and is exposed
to the same vulnerability as the eject program.

III. List of Patches

The vulnerabilities relating to eject and fdformat in the volume management
library are fixed by the following patches:

	OS version		Patch ID
	----------		--------
	SunOS 5.5.1		104776-01
	SunOS 5.5.1_x86		104777-01
     	SunOS 5.5		103024-02
	SunOS 5.5_x86		103044-02
	SunOS 5.4		101907-14	(to be released in 1 week)
	SunOS 5.4_x86		101908-14	(to be released in 1 week)
	SunOS 5.3		101331-07	(to be released in 1 week)

IV.  Checksum Table

In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.

File              BSD          SVR4            MD5
Name              Checksum     Checksum        Digital Signature
- ---------------   ---------    ---------       --------------------------------

104776-01.tar.Z   01572 121    22359 241       21E84190D22646A7A7C330D2C88AF1A9
104777-01.tar.Z   16759 122    5357 243        7D1E7640C98E308CB829B3C0754291CC
103024-02.tar.Z   04867 121    18968 241       F9451B9BE28389EC4A5B7B79E8B04B44
103044-02.tar.Z   26729 121    63537 241       D3FB1C1AD4CF72422F6002E56D357988

The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).


A.   How to obtain Sun security patches

    1. If you have a support contract

    Customers with Sun support contracts can obtain any patches listed
    in this bulletin (and any other patches--and a list of patches) from:

       - SunSolve Online
       - Local Sun answer centers, worldwide
       - SunSITEs worldwide

    The patches are available via World Wide Web at http://sunsolve.sun.com.

    You should also contact your answer center if you have a support
    contract and:

       - You need assistance in installing a patch
       - You need additional patches
       - You want an existing patch ported to another platform
       - You believe you have encountered a bug in a Sun patch
       - You want to know if a patch exists, or when one will be ready

    2. If you do not have a support contract

    Customers without support contracts may now obtain security patches,
    "recommended" patches, and patch lists via SunSolve Online.

    Sun does not furnish patches to any external distribution sites
    other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
    sites are no longer supported.

    3. About the checksums

    So that you can quickly verify the integrity of the patch files
    themselves, we supply in each bulletin checksums for the tar archives.

    Occasionally, you may find that the listed checksums do not match
    the patches on the SunSolve or SunSite database. This does not
    necessarily mean that the patch has been tampered with. More likely,
    a non-substantive change (such as a revision to the README file)
    has altered the checksum of the tar file. The SunSolve patch database
    is refreshed nightly, and will sometimes contain versions of a patch
    newer than the one on which the checksums were based.

    In the future we may provide checksum information for the
    individual components of a patch as well as the compressed archive
    file. This would allow customers to determine, if need be, which
    file(s) have been changed since we issued the bulletin containing
    the checksums.

    In the meantime, if you would like assistance in verifying the
    integrity of a patch file please contact this office or your local
    answer center.

B.   How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the

   - Your local Sun answer centers
   - Your representative computer security response team, such as CERT
   - This office. Address postal mail to:

         Sun Security Coordinator
         MS MPK17-103
         2550 Garcia Avenue
	 Mountain View, CA 94043-1100
         Email: security-alert@sun.com

We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.

C.   How to obtain Sun security bulletins or short status updates

    1. Subscription information

    Sun Security Bulletins are available free of charge as part of
    our Customer Warning System. It is not necessary to have a Sun
    support contract in order to receive them.

    To receive information or to subscribe or unsubscribe from our
    mailing list, send mail to security-alert@sun.com with a subject
    line containing one of the following commands.

        Subject         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        a Security Coordinator for a response.

        REPORT [topic]  The mail containing the text is treated as a
                        security bug report and forwarded to a Security
                        Coordinator for handling. Please note that this
                        channel of communications does not supersede
                        the use of Sun Solution Centers for this
                        purpose.  Note also that we do not recommend
                        that detailed problem descriptions be sent in
                        plain text.

        SEND topic      Summary of the status of selected topic. (To
                        retrieve a Sun Security Bulletin, supply the
                        number of the bulletin, as in "SEND #103".)

        SUBSCRIBE       Sender is added to the CWS (Customer
                        Warning System) list.  The subscribe feature
                        requires that the sender include on the subject
                        line the word "cws" and the reply email
                        address.  So the subject line might look like
                        the following:

                                SUBSCRIBE cws your-email-address

        UNSUBSCRIBE     Sender is removed from the CWS list.

    Should your email not fit into one of the above subjects, a help
    message will be returned to you.

    Due to the volume of subscription requests we receive, we cannot
    guarantee to acknowledge requests. Please contact this office if
    you wish to verify that your subscription request was received, or
    if you would like your bulletin delivered via postal mail or fax.

    2. Obtaining old bulletins

    Sun Security Bulletins are available via the security-alert alias
    and on SunSolve. Please try these sources first before contacting
    this office for old bulletins.


- --------------------------END INCLUDED TEXT--------------------

Revision History

2 May 1997      Removed reference to AL-96.04 as the patches given in
		the Sun bulletin do not address the problems for all
		operating systems.  See AL-96.04 for correct patches.


Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key