From BITFTP1@pucc.PRINCETON.EDU Thu Dec 20 22:02:50 1990
Received: from pucc.Princeton.EDU by po.CWRU.Edu with SMTP (5.61+ida+/CWRU-1.7.1)
        id AA01566; Thu, 20 Dec 90 22:02:50 -0500
        (from BITFTP1@pucc.PRINCETON.EDU for /usr/local/bin/m2mbox /u/38/al636/mbox)
Message-Id: <9012210302.AA01566@po.CWRU.Edu>
Received: from PUCC.PRINCETON.EDU by pucc.PRINCETON.EDU (IBM VM SMTP R1.2.2MX)
        with BSMTP id 2767; Thu, 20 Dec 90 21:32:55 EST
Received: by PUCC (Mailer R2.08B) id 9159; Thu, 20 Dec 90 21:32:53 EST
Date: 20 Dec 1990 21:32:54
From: BITFTP1@pucc.PRINCETON.EDU
To: al636@cleveland.Freenet.Edu
Subject: BITFTP output, CA-90:08.irix.mail, Part 1 of 1 (uuencoded)

CA-90:08                        CERT Advisory
                              October 31, 1990
                      IRIX 3.3 & 3.31 /usr/sbin/Mail

---------------------------------------------------------------------------

The CERT/CC has received the following report of a vulnerability in
/usr/sbin/Mail, present only in IRIX 3.3 and 3.3.1. This information
was provided to the CERT/CC by Robert Stephens, of Silicon Graphics Inc.

----------------------------------------------------------------------------

DESCRIPTION:

/usr/sbin/Mail can fail to reset its group id to the group id of the
caller.

IMPACT:

Can allow any user logged onto the system to read any other user's
(including root's) mail.

SOLUTION:

A fixed /usr/sbin/Mail binary has been made available for anonymous
ftp from SGI.COM ([192.48.153.1]). The correct binary can be found at:

        sgi/Mail/Mail

under the ftp directory.

Note that this binary must be installed with the same group (mail) and
permissions (2755) as your existing 3.3 or 3.3.1 /usr/sbin/Mail.

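The failure named under DESCRIPTION is a set-group-ID program that keeps its privileged group instead of returning to the caller's. The following C is an added example, not code from the advisory or from SGI's Mail source; drop_group_privilege() is a hypothetical helper that performs a permanent, verified group drop on a POSIX system.

```c
/* Added example (not from the advisory): permanent, verified group drop
 * for a set-group-ID program. drop_group_privilege() is a hypothetical
 * helper name. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when the real, effective and saved group IDs all equal the
 * caller's group; -1 if the privileged group is still held or can be
 * regained. On -1 the program must exit rather than act for the user. */
int drop_group_privilege(void)
{
    gid_t caller = getgid();      /* group of the invoking user */
    gid_t privileged = getegid(); /* group granted by the setgid bit */

    /* setgid(caller) from a non-root process changes only the effective
     * GID and leaves the saved set-group-ID at the privileged value.
     * Setting the real GID through setregid() makes POSIX reset the
     * saved set-group-ID to the new effective GID as well. */
    if (setregid(caller, caller) != 0)
        return -1;
    if (getgid() != caller || getegid() != caller)
        return -1;

    /* Verify the drop is permanent: switching back must now fail.
     * Skipped for root, which may always change its group IDs. */
    if (privileged != caller && geteuid() != 0 && setegid(privileged) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* A setgid program does the work that needs the privileged group
     * first, then drops before acting on the caller's behalf. */
    if (drop_group_privilege() != 0) {
        fprintf(stderr, "group privilege drop failed, aborting\n");
        return EXIT_FAILURE;
    }
    printf("running with gid=%ld egid=%ld\n",
           (long)getgid(), (long)getegid());
    return EXIT_SUCCESS;
}
```
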
--------------------------------------------------------------------------
CONTACT INFORMATION

For further questions, please contact your Silicon Graphics support
center (Geometry Partners HOTLINE number: (800) 345-0222)
--------------------------------------------------------------------------

Dan Farmer
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
           7:30a.m.-6:00p.m. EST, on call for emergencies
           other hours.

Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).