[ SOURCE: http://www.secureroot.com/security/advisories/9640248454.html ]

CA-90:08
Last Revised: September 17, 1997
              Attached Copyright statement

CERT Advisory
October 31, 1990
IRIX 3.3 & 3.3.1 /usr/sbin/Mail

---------------------------------------------------------------------------

The CERT/CC has received the following report of a vulnerability in
/usr/sbin/Mail, present only in IRIX 3.3 and 3.3.1. This information was
provided to the CERT/CC by Robert Stephens, of Silicon Graphics Inc.

---------------------------------------------------------------------------

DESCRIPTION:

/usr/sbin/Mail can fail to reset its group id to the group id of the
caller.

IMPACT:

Can allow any user logged onto the system to read any other user's
(including root's) mail.

SOLUTION:

A fixed /usr/sbin/Mail binary has been made available for anonymous ftp
from SGI.COM ([192.48.153.1]). The correct binary can be found at:

    sgi/Mail/Mail

under the ftp directory. Note that this binary must be installed with the
same group (mail) and permissions (2755) as your existing 3.3 or 3.3.1
/usr/sbin/Mail.

---------------------------------------------------------------------------

CONTACT INFORMATION

For further questions, please contact your Silicon Graphics support center
(Geometry Partners HOTLINE number: (800) 345-0222)

---------------------------------------------------------------------------

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
           CERT personnel answer 7:30a.m.-6:00p.m. EST,
           on call for emergencies other hours.

Past advisories and other information are available for anonymous ftp
from cert.org (192.88.209.5).

---------------------------------------------------------------------------

Copyright 1990 Carnegie Mellon University.

Conditions for use, disclaimers, and sponsorship information can be found
in http://www.cert.org/legal_stuff.html and
ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access,
send mail to cert@cert.org with "copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision History

September 17, 1997  Attached Copyright Statement
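
The DESCRIPTION above concerns a set-group-ID program that does not reset its group id to the caller's. The following is an added example, not code from the advisory or from SGI: a generic sketch of how such a program can drop the group for good and confirm that the drop held. The function name drop_group_privilege is hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently reset the group ID to the caller's.
 * Returns 0 on success, -1 if the reset failed or did not hold. */
int drop_group_privilege(void)
{
    gid_t caller = getgid();       /* real gid: the invoking user's group   */
    gid_t privileged = getegid();  /* effective gid: e.g. "mail" if setgid  */

    /* Setting the real gid through setregid() also replaces the saved
     * set-group-ID, so the privileged group cannot be switched back in. */
    if (setregid(caller, caller) != 0)
        return -1;

    /* Never assume the call worked: re-read both IDs. */
    if (getgid() != caller || getegid() != caller)
        return -1;

    /* If the program really was running with another group, regaining it
     * must now fail. Skipped for root, which may set any gid. */
    if (privileged != caller && geteuid() != 0 && setegid(privileged) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* A setgid program would do its privileged work (for example opening
     * the spool file) before this point, then drop the group before it
     * acts on anything the user supplies. */
    if (drop_group_privilege() != 0) {
        fprintf(stderr, "could not drop group privilege, exiting\n");
        return 1;
    }
    printf("running with gid %ld, egid %ld\n",
           (long)getgid(), (long)getegid());
    return 0;
}
```

Run without set-group-ID permissions the function succeeds as a no-op; installed with mode 2755 and a privileged group, it leaves the process with only the caller's group.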