Title: IRIX 5.3, 6.1, 6.2 Desktop Permissions Panel
Released by: SGI
Date: 21st May 1996
_____________________________________________________________________________

                Silicon Graphics Inc. Security Advisory

        Title:   IRIX 5.3, 6.1, 6.2 Desktop Permissions Panel
        Number:  19960501-01-PX
        Date:    May 21, 1996

_____________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.  Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.

_____________________________________________________________________________





--------------
--- Impact ---
--------------

A vulnerability has been discovered in the IRIX 5.3, 6.1, and 6.2
operating systems regarding the permissions tool under the IRIX
desktop environment.

Normally, this tool is used by users to modify the permissions on their
files and files they are privileged for.  Under certain conditions, a user
may be able to modify the permissions for restricted files.  This is SGI
Bug #375613.

In order to exploit this vulnerability, it is necessary to have access
to a local account that can start the graphical permissions tool.
Refer to SGI Security Advisory 19951002 and/or system documentation
regarding password issues.

SGI Engineering has investigated this issue and recommends the following
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these
measures be done on ALL SGI systems running IRIX 5.3, 6.1, and 6.2.
This issue will be corrected in future releases of IRIX.







----------------
--- Solution ---
----------------

**** IRIX 5.2, 6.0, 6.0.1 ****

IRIX operating system versions 5.2, 6.0, and 6.0.1 are not vulnerable.
No further action is required.





**** IRIX 5.3 ****

For the IRIX operating system version 5.3, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1324 and will only install on IRIX 5.3.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.  Patch 1324 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/5.3

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1324
Algorithm #1 (sum -r):    36453 8 README.patch.1324
Algorithm #2 (sum):       40114 8 README.patch.1324
MD5 checksum:             028F5506433A1B9F770F1809D741EF98

Filename:                 patchSG0001324
Algorithm #1 (sum -r):    10430 1 patchSG0001324
Algorithm #2 (sum):       35624 1 patchSG0001324
MD5 checksum:             F7C85F5A0870BA4C08DD62F181C81F2E

Filename:                 patchSG0001324.desktop_eoe_sw
Algorithm #1 (sum -r):    40704 106 patchSG0001324.desktop_eoe_sw
Algorithm #2 (sum):       32497 106 patchSG0001324.desktop_eoe_sw
MD5 checksum:             EAF31E523E150A29FCF487B1C2802F50

Filename:                 patchSG0001324.idb
Algorithm #1 (sum -r):    62749 2 patchSG0001324.idb
Algorithm #2 (sum):       58166 2 patchSG0001324.idb
MD5 checksum:             96E559406CA6ABD75ACAA879776D028E







**** IRIX 6.1 ****

For the IRIX operating system version 6.1, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1325 and will only install on IRIX 6.1.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.  Patch 1325 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.1

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1325
Algorithm #1 (sum -r):    64561 8 README.patch.1325
Algorithm #2 (sum):       40513 8 README.patch.1325
MD5 checksum:             846AECCEA5658BAFC843999968EC1F19

Filename:                 patchSG0001325
Algorithm #1 (sum -r):    49679 1 patchSG0001325
Algorithm #2 (sum):       31737 1 patchSG0001325
MD5 checksum:             277DC0914388DB42CAF4F67166B6AD84

Filename:                 patchSG0001325.desktop_eoe_sw
Algorithm #1 (sum -r):    23688 106 patchSG0001325.desktop_eoe_sw
Algorithm #2 (sum):       16622 106 patchSG0001325.desktop_eoe_sw
MD5 checksum:             F9C6CBB8085916980F6FB0E750ED2739

Filename:                 patchSG0001325.idb
Algorithm #1 (sum -r):    44246 2 patchSG0001325.idb
Algorithm #2 (sum):       58029 2 patchSG0001325.idb
MD5 checksum:             7B5A50A754D4F2BCF43B2FB36402D2B9







**** IRIX 6.2 ****

For the IRIX operating system version 6.2, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1326 and will only install on IRIX 6.2.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.  Patch 1326 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.2

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1326
Algorithm #1 (sum -r):    26556 8 README.patch.1326
Algorithm #2 (sum):       40503 8 README.patch.1326
MD5 checksum:             100284465A0FC83BCDA9F51276628C2F

Filename:                 patchSG0001326
Algorithm #1 (sum -r):    09453 1 patchSG0001326
Algorithm #2 (sum):       33991 1 patchSG0001326
MD5 checksum:             F22B45302095D815129FCDB52204F947

Filename:                 patchSG0001326.desktop_eoe_sw
Algorithm #1 (sum -r):    33276 105 patchSG0001326.desktop_eoe_sw
Algorithm #2 (sum):       65086 105 patchSG0001326.desktop_eoe_sw
MD5 checksum:             10798EFCDAB679BC26DE18A007666599

Filename:                 patchSG0001326.idb
Algorithm #1 (sum -r):    34209 2 patchSG0001326.idb
Algorithm #2 (sum):       57308 2 patchSG0001326.idb
MD5 checksum:             3F7CA27CB954C83ACA7E711B1F29139F
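
Added example (not part of the SGI advisory): Python code that parses checksum records in the layout used above and checks a file's bytes against all three values. It assumes `sum -r` is the 16-bit rotating (BSD) checksum and plain `sum` the System V byte sum; the function names and the embedded record, built for the payload b"abc", are constructed for illustration and are not SGI patch values.

```python
import hashlib

# Constructed record in the advisory's layout. The values are for the
# 3-byte payload b"abc", not for any SGI patch file.
SAMPLE_ADVISORY = """\
Filename:                 sample.bin
Algorithm #1 (sum -r):    16556 1 sample.bin
Algorithm #2 (sum):       00294 1 sample.bin
MD5 checksum:             900150983CD24FB0D6963F7D28E17F72
"""

def bsd_sum(data):
    # Assumption: `sum -r` is the rotate-right-then-add 16-bit checksum.
    c = 0
    for b in data:
        c = (((c >> 1) | ((c & 1) << 15)) + b) & 0xFFFF
    return c

def sysv_sum(data):
    # Assumption: plain `sum` adds all bytes and folds the total to 16 bits.
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)

def parse_records(text):
    """Map each Filename to its expected bsd/sysv/md5 values."""
    records, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Filename":
            cur = records.setdefault(value, {})
        elif cur is None or not value:
            continue
        elif "(sum -r)" in key:
            cur["bsd"] = int(value.split()[0])
        elif "(sum)" in key:
            cur["sysv"] = int(value.split()[0])
        elif key == "MD5 checksum":
            cur["md5"] = value.lower()
    return records

def verify(name, data, records):
    """Return the names of failing checks; an empty list means all match."""
    want = records.get(name)
    if want is None:
        return ["unlisted"]  # fail closed on files the advisory does not name
    got = {"md5": hashlib.md5(data).hexdigest(),
           "bsd": bsd_sum(data), "sysv": sysv_sum(data)}
    return [k for k in got if want.get(k) != got[k]]
```

Each failing check is reported separately because the System V sum ignores byte order: b"bac" passes it while failing the other two.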







------------------------
--- Acknowledgments ---
------------------------

Silicon Graphics wishes to thank Aaron Mantel of NASA for his
assistance in this matter.





-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

Past SGI Advisories and security patches can be obtained via
anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com.
These security patches and advisories are provided freely to
all interested parties.  For issues with the patches on the
FTP sites, email can be sent to cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

Silicon Graphics provides a free security mailing list service. The
wiretap service allows interested parties to self-subscribe to receive
(via email) all SGI Security Advisories when released.

     mail external-majordomo@postofc.corp.sgi.com

     [BODY of "subscribe wiretap YourEmailAddress"]

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

For those customers with WWW capability, the Silicon Graphics Security
Headquarters webpages serve as a focal point for security related
information for the Silicon Graphics environment.  The URL is:

     http://www.sgi.com/Support/Secur/security.html









