December 2005

ID: 01109
Ref: 1041/2005
Date: 16 December 2005:09:09:08
Version: 1

---

Title: Five IBM Security Advisories
Abstract:

---

Title
=====

Five IBM Security Advisories:

1. A buffer overflow vulnerability in muxatmd may allow any local user to gain root privileges.

2. A local user in the system group with the RunDiagnostics role can execute arbitrary code.

3. A buffer overflow vulnerability in muxatmd may allow any local user to gain root privileges.

4. A buffer overflow vulnerability in the debug malloc tools allow a user to gain privileges.

5. A buffer overflow vulnerability in slocal may allow any local user to gain root privileges.

Detail
======

1. A buffer overflow vulnerability in muxatmd may allow any local user to gain root privileges.

2. A vulnerability was discovered in the diagela script that allows a local user that is in the system group and that has the RunDiagnostics role to execute arbitrary code. Exploits for this vulnerability may be publicly available.

3. A vulnerability in the getShell and getCommand commands may allow a local users to overwrite arbitrary files. These commands are used by WebSM.

4. A buffer overflow vulnerability was discovered in the debug malloc tools that allow a local user to gain privileges. To exploit this vulnerability an attacker must use the debug malloc tools with an executable that gains privileges. Exploits for this vulnerability may be publicly available.

5. A buffer overflow vulnerability in slocal may allow any local user to gain root privileges. The slocal command is used to perform various actions when mail is received for a user.





1.



AIX 5.3 : Security advisories (2005.12.15)

Buffer overflow vulnerability in muxatmd

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 15 09:00:44 CST 2005

==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A buffer overflow vulnerability in muxatmd may allow
any local user to gain root privileges.

PLATFORMS: AIX 5.1, 5.2 and 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: A local user may gain root privileges.

CERT VU Number: N/A
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============

A buffer overflow vulnerability in muxatmd may allow any local user to gain root privileges.

The command affected by this issue ships as part of the devices.common.IBM.atm.rte fileset. To determine if this fileset is installed, execute the following command:

# lslpp -L devices.common.IBM.atm.rte

If the fileset is installed it will be listed along with its version information, state, type and a description.


II. Impact
==========

A local user may gain root privileges.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

APAR number for AIX 5.1.0: IY78221 (available approx. 01/30/06)
APAR number for AIX 5.2.0: IY78222 (available approx. 01/30/06)
APAR number for AIX 5.3.0: IY78223 (available approx. 01/30/06)

NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can
be downloaded via ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/libisode_ifix.tar.Z

libisode_ifix.tar.Z is a compressed tarball containing this advisory,
ifix packages and cleartext PGP signatures for each ifix package.


Verify you have retrieved the fixes intact:
- - --------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the maintenance level for the particular AIX release that a fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename sum md5
========================================================================
IY78221_09.051109.epkg.Z 24042 1104 3b917ab19512e4613904a2222d0fac49
IY78222_05.051028.epkg.Z 17112 1081 dcd99ad0e710d04520a6229b55abb731
IY78222_06.051028.epkg.Z 03605 1082 e660aa65f81d9674b45c1de8f394684a
IY78222_07.051028.epkg.Z 21113 1082 8d62c78ff3918f01f2937005a8413f23
IY78223_01.051028.epkg.Z 37334 1108 f53f57ce4e33aa0fe9661af3a9ba2230
IY78223_02.051028.epkg.Z 17692 1110 861f1ed6e37590ca872da2b31b1960f0
IY78223_03.051028.epkg.Z 48165 1101 bd6f54ea569be551b9a34da445772b62


These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site
address. If those are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Installation Instructions:
- - ----------------------------------
These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# ifix package being installed.

The "X" flag will expand any filesystems if required.


C. Workaround

Remote the setuid file mode bit
- - -------------------------------
Removing the setuid root file mode bit will prevent non-root users from
exploiting the vulnerability. To remove the setuid bit, execute the
following command:

# chmod 555 /usr/sbin/muxatmd

Verify that the file mode bits have been updated:

# ls -la /usr/sbin/muxatmd
- - -r-xr-xr-x 1 root bin 62850 Apr 10 2005 /usr/sbin/muxatmd

muxatmd should be started by the root user to function normally.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Acknowledgments
==================

This vulnerability was reported by David Litchfield of NGS Software.


VI. Contact Information
========================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDnxoIxwSSvpORwfIRAv78AJ4gIywN1ltzfDaCYWIflRd2qCiZ7QCfQfkX
jJxifzzQI2iG9s2K1/0SUFo=
=6NCz
- -----END PGP SIGNATURE-----


- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
https://techsupport.services.ibm.com/server/aix.fdc

Update your Subscription Service profile
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other

countries, or both.


2.



AIX 5.3 : Security advisories (2005.12.15)

A user in the system group with RunDiagnostics role can execute arbitrray code

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 15 09:00:44 CST 2005

==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A local user in the system group with the
RunDiagnostics role can execute arbitrary code.

PLATFORMS: AIX 5.1, 5.2 and 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: A local user may execute arbitrary code.

CERT VU Number: N/A
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============

A vulnerability was discovered in the diagela script that allows a local
user that is in the system group and that has the RunDiagnostics role to
execute arbitrary code. Exploits for this vulnerability may be publicly
available.

The command affected by this issue ships as part of the bos.diag.rte
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -L bos.diag.rte

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user in the system group with the RunDiagnostics role can execute
arbitrary code.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

APAR number for AIX 5.1.0: IY78926 (available approx. 01/18/06)
APAR number for AIX 5.2.0: IY78800 (available approx. 01/30/06)
APAR number for AIX 5.3.0: IY78801 (available approx. 01/30/06)

NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can
be downloaded via ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/diagela_ifix.tar.Z

diagela_ifix.tar.Z is a compressed tarball containing this advisory,
ifix packages and cleartext PGP signatures for each ifix package.


Verify you have retrieved the fixes intact:
- - --------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the maintenance level for the particular AIX release that a fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename sum md5
========================================================================
IY78926_09.051114.epkg.Z 24109 15 5aa6f69cb12fa758b634102e5afe4f6e
IY78800_05.051111.epkg.Z 38413 16 aaa731994f6f4b09130776999132fab0
IY78800_06.051111.epkg.Z 09920 16 45e69cde7159844f03cba1765cda888e
IY78800_07.051111.epkg.Z 02376 16 1bfd12cea05f8b3ec0c2ae9a60900c78
IY78801_01.051111.epkg.Z 41809 16 223434e1859ff2c77dbe0fc38e8093dd
IY78801_02.051111.epkg.Z 40981 16 a87ce306026e96cb2c998108fa2cb5a7
IY78801_03.051111.epkg.Z 48032 16 785f52be01224e9fbe80129e628e72a1

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site
address. If those are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Installation Instructions:
- - ----------------------------------
These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# ifix package being installed.

The "X" flag will expand any filesystems if required.


C. Workaround

Changing diagela_exec file mode bits
- - ------------------------------------
Setting the file mode bits of diagela_exec to 500 will allow only the root
user to execute the diagela script to carry out diagnostics This can be
done by executing the following command as root:

# chmod 500 /usr/lpp/diagnostics/bin/diagela_exec

Verify that the file mode bits have been updated:

# cd /usr/lpp/diagnostics/bin
# ls -la diagela_exec
- - -r-x------ 1 root system 3578 Aug 28 2004 diagela_exec

The diagela script uses to the diagela_exec command. Changing the file
permissions of diagela_exec to 500 implies that only the root users will be
able to use diagela properly.

Assign the RunDiagnostics role to trusted users
- - -----------------------------------------------
A user must be in the system group and have the RunDiagnostics role to
exploit this vulnerability. This vulnerability can be mitigated by ensuring
that only trusted users have this role. This workaround will not totally
protect against this vulnerability being exploited unless all users are
removed from the RunDiagnostics role.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD4DBQFDnxssxwSSvpORwfIRAkQMAJ95cAKnEv3b7sVrutk444B5b7sMrACXaDui
XXPBG+eVJljMUcdYf7gwqA==
=Z/66
- -----END PGP SIGNATURE-----


- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
https://techsupport.services.ibm.com/server/aix.fdc

Update your Subscription Service profile
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other

countries, or both.



3.


AIX 5.3 : Security advisories (2005.12.15)

A vulnerability in getShell and getCommand allow arbitrary file overwrite.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY


First Issued: Thu Dec 15 09:00:44 CST 2005
==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A vulnerability in getShell and getCommand commands
allow any user to overwrite arbitrary files.

PLATFORMS: AIX 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: A local user may overwrite arbitrary files.

CERT VU Number: N/A
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============

A vulnerability in the getShell and getCommand commands may allow a local
users to overwrite arbitrary files. These commands are used by WebSM.

The commands affected by this issue ships as part of the sysmgt.websm.apps
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -L sysmgt.websm.apps

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user may overwrite arbitrary files.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

APAR number for AIX 5.3.0: IY79092 (available approx. 01/30/06)

NOTE: Affected customers are urged to upgrade to AIX 5.3.0 at the latest
maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.3.0. The ifixes can be downloaded via
ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/getshell_ifix.tar.Z

getshell_ifix.tar.Z is a compressed tarball containing this advisory,
ifix packages and cleartext PGP signatures for each ifix package.


Verify you have retrieved the fixes intact:
- - --------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the maintenance level for the particular AIX release that a fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename sum md5
========================================================================
IY79092_01.051213.epkg.Z 48672 7 412ab7eec9790d4a08bdef6436b1e404
IY79092_02.051213.epkg.Z 27291 7 e252888244ff0c2d9548f9c9e69f39db
IY79092_03.051213.epkg.Z 16135 7 259951daa37f142ea97bb896e6abd280


These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site
address. If those are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Installation Instructions:
- - ----------------------------------
These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# ifix package being installed.

The "X" flag will expand any filesystems if required.


C. Workaround

Remove the setuid bit
- - ---------------------
getShell and getCommand ship with the setuid bit on. Removing this bit will
prevent users from exploiting this vulnerability. However, it may prevent
WebSM from functioning normally for non-root users.

To remove the setuid root bit, execute the following commands:

# cd /usr/websm/bin/
# chmod 555 getCommand
# chmod 555 getShell

Verify that the setuid bit has been removed:

# ls -la getCommand
- - -r-xr-xr-x 1 root system 3468 Apr 09 2005 getCommand
# ls -la getShell
- - -r-xr-xr-x 1 root system 3750 Apr 09 2005 getShell


Remove WebSM
- - ------------
If WebSM is not being used on the system, uninstall it.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Acknowledgments
==================

This vulnerability was reported by David Litchfield of NGS Software.


VI. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDoJqLxwSSvpORwfIRAjVrAJ4uzuRpt+6W2S4JYdx3/nBoNzVr1wCfWUjU
gsdAeRUrUVtoSg3LWXTVJB0=
=kdEU
- -----END PGP SIGNATURE-----


- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
https://techsupport.services.ibm.com/server/aix.fdc

Update your Subscription Service profile
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other

countries, or both.



4.


AIX 5.3 : Security advisories (2005.12.15)

Buffer overflow vulnerability in the debug malloc tools

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 15 09:00:44 CST 2005

=========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A buffer overflow vulnerability in the debug malloc
tools allow a user to gain privileges.

PLATFORMS: AIX 5.3.

SOLUTION: Apply the APAR or interim fix as described below.

THREAT: A local user may gain privileges.

CERT VU Number: N/A
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============

A buffer overflow vulnerability was discovered in the debug malloc tools
that allow a local user to gain privileges. To exploit this vulnerability
an attacker must use the debug malloc tools with an executable that gains
privileges. Exploits for this vulnerability may be publicly available.


II. Impact
==========

A local user may exploit this buffer overflow vulnerability to gain
privileges.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

APAR number for AIX 5.3.0: IY78227 (available 01/30/06)

NOTE: Affected customers are urged to upgrade to 5.3.0 at the latest
maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.3.0. The ifixes can be downloaded via
ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/dbgmalloc_ifix.tar.Z

dbgmalloc_ifix.tar.Z is a compressed tarball containing this advisory,
three ifix packages cleartext PGP signatures for each ifix package.

Verify you have retrieved the fixes intact:
- - --------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the maintenance level for the particular AIX release that a fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename sum md5
=======================================================================
IY78227_01.epkg.Z 24084 3450 8be8e5b7f693aeb40685d92281f143f7
IY78227_02.epkg.Z 10592 3452 4ad769012ce48ca4c41fc2f8c56d9f63
IY78227_03.epkg.Z 34398 3518 848c8eadfab36f6c83dd4cf7f55d94f3

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com
and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Fix Installation Instructions:
- - --------------------------------------
These packages use the new Interim Fix Management Solution to install and
manage ifixes. More information can be found at:

http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# ifix package being installed.

The "X" flag will expand any filesystems if required.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Acknowledgments
==================

This vulnerability was reported by David Litchfield of NGS Software.


VI. Contact Information
========================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDnxXRxwSSvpORwfIRAlRmAJ0XoKQnetUOUHmMlw5KOnA25x2WPQCfTWVI
VMq6coZM62aTqILcbLGrckk=
=Uxh2
- -----END PGP SIGNATURE-----


- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
https://techsupport.services.ibm.com/server/aix.fdc

Update your Subscription Service profile
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other

countries, or both.


5.

AIX 5.3 : Security advisories (2005.12.15)

Buffer overflow vulnerability in slocal

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 15 09:00:44 CST 2005

==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A buffer overflow vulnerability in slocal may allow
any local user to gain root privileges.

PLATFORMS: AIX 5.1, 5.2 and 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: A local user may gain root privileges.

CERT VU Number: N/A
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============

A buffer overflow vulnerability in slocal may allow any local user to gain
root privileges. The slocal command is used to perform various actions when
mail is received for a user.

The command affected by this issue ships as part of the bos.mh fileset. To
determine if this fileset is installed, execute the following command:

# lslpp -L bos.mh

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user may gain root privileges.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

APAR number for AIX 5.1.0: IY78224 (available approx. 01/30/06)
APAR number for AIX 5.2.0: IY78225 (available approx. 01/30/06)
APAR number for AIX 5.3.0: IY78226 (available approx. 01/30/06)

NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can
be downloaded via ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/slocal_ifix.tar.Z

slocal_ifix.tar.Z is a compressed tarball containing this advisory,
ifix packages and cleartext PGP signatures for each ifix package.


Verify you have retrieved the fixes intact:
- - --------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the maintenance level for the particular AIX release that a fix applies to.

The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename sum md5
========================================================================
IY78224_09.051030.epkg.Z 40220 42 c87ca388a41a6c6b5463ceaac0281477
IY78225_05.051030.epkg.Z 03039 40 36e272bed902efc571c6081fb2181100
IY78225_06.051030.epkg.Z 33105 40 20085be1b87209c4d8aa947b26ea508e
IY78225_07.051030.epkg.Z 27898 40 f435b1d6289ff3149baab5e871b9a21b
IY78226_01.051030.epkg.Z 23364 40 32cc3c485e9cff7c2174155885a84cae
IY78226_02.051030.epkg.Z 52233 40 b0fe8a00a26e8a2738bb50676861a6de
IY78226_03.051030.epkg.Z 20347 40 27dca198577a8eaf242649738ef2c896

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site
address. If those are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Installation Instructions:
- - ----------------------------------
These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# ifix package being installed.

The "X" flag will expand any filesystems if required.


C. Workaround

Remote the setuid file mode bit
- - -------------------------------
Removing the setuid root file mode bit will prevent non-root users from
exploiting the vulnerability. To remove the setuid bit, execute the
following command:

# chmod 555 /usr/lib/mh/slocal

Verify that the file mode bits have been updated:

# ls -la /usr/lib/mh/slocal
- - -r-xr-xr-x 1 root bin 85304 Apr 10 2005 /usr/lib/mh/slocal

sendmail starts slocal if a user's .forward file contains
"/usr/lib/mh/slocal". If slocal is not used, the suidroot bit can be safely
removed.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Acknowledgments
==================

This vulnerability was reported by David Litchfield of NGS Software.


VI. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDnxihxwSSvpORwfIRArVAAJ903xGHHbkN4iesynhyfOsvTjj6uQCfZlMw
NWG779qteOd9KQ3jdMhUFns=
=f87m
- -----END PGP SIGNATURE-----


- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
https://techsupport.services.ibm.com/server/aix.fdc

Update your Subscription Service profile
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=2

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other

countries, or both.



- ----------------------------------------------------------------------------------