b-14.ciac-sunos-mail
Posted Sep 23, 1999

systems | solaris
MD5 | 292733d9c37389931b3cb0f9dc21e763

_____________________________________________________
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________
Information Bulletin

February 22, 1991, 1300 PST Number B-14

Additional Information about UNIX Security Problem with /bin/mail in SunOS

Sun Microsystems has released additional information about the security
problem with /bin/mail described in CIAC Bulletin B-13. There are
significant changes to the patch installation procedure. The new patch
installation procedure is:
________________________________________________________________________

Patch ID: 100224-01
BugIDs fixed by this patch: 1045636 and 1047340
Availability: Anonymous FTP from ftp.uu.net:/sun-dist/100224-01.tar.Z
Checksum of the compressed tarfile
100224-01.tar.Z = 64102 109
Patches Obsoleted: 100161-01
Obsoleted by: SysV Release 4

Patch installation instructions are as follows:

(Login as root - you must have root access to apply this patch!)
(Create a temporary directory and "cd" to it)
(Use anonymous FTP to obtain the file sun-dist/100224-01.tar.Z
from ftp.uu.net)
# uncompress 100224-01.tar
# tar xvf 100224-01.tar
# mv /bin/mail /bin/mail.old
NEW --> # chmod 400 /bin/mail.old
# cp $arch/$os/mail /bin/mail
(where $arch is either sun3 sun4 sun4c or sun3x)
(and where $os is either 4.0.3 4.1 or 4.1.1)
(change the permissions for the newly installed mail binary)
UPDATED --> # chmod 4711 /bin/mail
(Sun actually recommends setting the permissions to 4111,
but CIAC considers 4711 a wiser choice.)
NEW --> # ls -l /bin/mail
(Verify that /bin/mail is owned by "root" and the file
permissions are correct.)
(You will probably wish to delete the 100224-01.tar file and
the files created by "de-tar-ing" 100224-01.tar at this time!)
________________________________________________________________________


CIAC recommends that you delete /bin/mail.old altogether after
verifying that the new version of /bin/mail just installed is
functioning correctly. If you take this course of action, you should
first make a backup copy of /bin/mail.old and store it off-line.
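The "ls -l /bin/mail" verification step above, and the check that the retired copy is no longer accessible to other users, can be scripted. This is an added example, not part of the CIAC bulletin or Sun's patch; it parses "ls -ld" instead of stat(1) so the same code runs on SunOS-era and current systems, and takes owner and mode as parameters so it can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example (not from the bulletin): verify owner/mode of the new
# /bin/mail and confirm /bin/mail.old has no group/other permission bits.

# Value of one rwx triplet, e.g. "rws" -> 7 (s/t imply execute, S/T do not).
triplet_val() {
    v=0
    case $1 in r??) v=$((v+4));; esac
    case $1 in ?w?) v=$((v+2));; esac
    case $1 in ??x|??s|??t) v=$((v+1));; esac
    echo "$v"
}

# Symbolic mode string from ls (e.g. -rws--x--x) -> octal mode (e.g. 4711).
# A trailing "." or "+" (ACL/SELinux marker) in the ls field is ignored.
mode_to_octal() {
    sp=0
    case $1 in ???[sS]*) sp=$((sp+4));; esac        # setuid
    case $1 in ??????[sS]*) sp=$((sp+2));; esac     # setgid
    case $1 in ?????????[tT]*) sp=$((sp+1));; esac  # sticky
    o=$(triplet_val "$(printf '%s' "$1" | cut -c2-4)")
    g=$(triplet_val "$(printf '%s' "$1" | cut -c5-7)")
    w=$(triplet_val "$(printf '%s' "$1" | cut -c8-10)")
    m="$sp$o$g$w"
    printf '%s\n' "${m#0}"      # drop a leading zero: 0755 -> 755
}

# "owner mode" for a path, e.g. "root 4711".
file_owner_mode() {
    set -- $(ls -ld "$1")       # fields: mode links owner group ...
    printf '%s %s\n' "$3" "$(mode_to_octal "$1")"
}

# Succeeds only if PATH is owned by OWNER with exactly mode MODE
# (the bulletin wants root and 4711 for the new /bin/mail).
check_setuid_binary() {
    [ "$(file_owner_mode "$1")" = "$2 $3" ]
}

# Succeeds if the retired copy is absent or has no group/other bits,
# i.e. a mode such as 100 (Sun) or 400 (CIAC) as recommended above.
check_retired_copy() {
    [ -e "$1" ] || return 0
    m=$(file_owner_mode "$1"); m=${m#* }
    case $m in *00) return 0;; esac
    return 1
}
```

Run as root after the patch: `check_setuid_binary /bin/mail root 4711 && check_retired_copy /bin/mail.old` exits 0 only when both conditions hold.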

For your information, we have included the Sun addendum below:
________________________________________________________________________

This is an addendum to the Security bulletin (#00105) that went out
recently. Two points were brought to Sun's attention by the security
community.

First point: It is not advisable to leave the old version of /bin/mail
around as this version can be exploited. After first verifying that the
new version was not mangled in the transfer, either remove the old
version (/bin/mail.old) or change the permissions to 100. Example:
chmod 100 /bin/mail.old

Second point: The permissions on the new version of /bin/mail do not
have to be set to 4755 as they come on the installation tape. Setting
the mode to 4111 allows /bin/mail to work, but keeps people from
reading the binary (with strings).

Special Thanks to Gordon O'Connor and Hal Brand for pointing out these
flaws in the posting.

Brad Powell
Sun Microsystems
________________________________________________________________________

For additional information or assistance contact:

Hal R. Brand
(415) 422-6312 or (FTS) 532-6312

During working hours, call CIAC at (415) 422-8193 or (FTS)
532-8193. For non-working hour emergencies, call (415)
422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new
emergency number).

Send e-mail to ciac@cheetah.llnl.gov (this is a new Internet
address).

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Joe Ilacqua and Sun Microsystems provided information contained in this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
