-----BEGIN PGP SIGNED MESSAGE-----

- -----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate: MIICozCCAgwCAREwDQYJKoZIhvcNAQECBQAwgYYxC
 zAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c3Rlb
 XMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczAeFw05MzEyMDkxO
 DU5MTZaFw05NTEyMDkxODU5MTZaMIGxMQswCQYDVQQGEwJVUzErMCkGA1UEChMiR
 GVmZW5zZSBJbmZvcm1hdGlvbiBTeXN0ZW1zIEFnZW5jeTEwMC4GA1UECxMnQ2Vud
 GVyIGZvciBJbmZvcm1hdGlvbiBTeXN0ZW1zIFNlY3VyaXR5MRgwFgYDVQQLEw9Db
 3VudGVybWVhc3VyZXMxEzARBgNVBAsTCk9wZXJhdGlvbnMxFDASBgNVBAMTC1Bld
 GUgSGFtbWVzMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDFFJkcaDOuS+6Ai2vmT
 bwY6JRbhdzPsl6X60hnXruOw2WvrAhc8BTFB+id75m3M55i+Th6MxWH20QHyQq5u
 yVghOu/s37OxIrj7irNPjtUdPv8b2m4hNGEW53QH6GmXkxLmgLzOhookpoYPC+uw
 2MzibDnleVI50d2m//XsWs7hwIBAzANBgkqhkiG9w0BAQIFAAOBgQDHH6CmBoyWU
 zPlqVnEWYKIBsifqdTJzkKfnoST7NDRIakUP49FP86Cyy1+2AKpUCWaxjq+wGHCH
 RCNFCCrOwdC9z8XwJal/c69ml6eLRhOoX77ANndpU9E5+eHxP+6Ute6lc63K7+Lz
 5xOULjmgaMmKDkTXveVcQO6R2CTY37vcA==
Issuer-Certificate: MIICNTCCAZ4CASIwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTk0MDIyNTE0NDkxMloXDTk0MDMwNzE0NDkxMlowg
 YYxCzAJBgNVBAYTAlVTMSswKQYDVQQKEyJEZWZlbnNlIEluZm9ybWF0aW9uIFN5c
 3RlbXMgQWdlbmN5MTAwLgYDVQQLEydDZW50ZXIgZm9yIEluZm9ybWF0aW9uIFN5c
 3RlbXMgU2VjdXJpdHkxGDAWBgNVBAsTD0NvdW50ZXJtZWFzdXJlczCBmjAKBgRVC
 AEBAgIEAAOBiwAwgYcCgYEA19l6BN7iTGYEU61qJETIjBh3iAeHzoL8sZ5KwFRZD
 S/a1KnYlD1zJHR/KeQCOBWW2HzX43TFLCNGU7UD9i6m8AymLe5IJf/bGh0Rne7Jd
 Q1GAOLw7/J4hE57IMbGETZpzeU1D9IYxiERRNio/oa422lUlS9JZHLA5jaPNcUrX
 P8CAQMwDQYJKoZIhvcNAQECBQADgYEApkliqAdudoOxvOFmQkOZbSgtlpn61VcNC
 R7azDNJa2ulevaebptwSTs2OvMeuR/J0Ez4TC7XrJXLVjI5huRAqc+EWGRpZYRMa
 CARZyE7gGYjUqS7DIQazfskeWiB8zheyW5tCVn+jnB09AZXtgbM6qRjyqrmSdCpg
 CtfgazIKqI=
Issuer-Certificate: MIIB8jCCAVsCAQEwDQYJKoZIhvcNAQECBQAwRDELMAkGA
 1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZm9ybWF0a
 W9uIFN5c3RlbXMgUENBMB4XDTkzMDUyODE3MTEyN1oXDTk1MDUyODE3MTEyN1owR
 DELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMSgwJgYDVQQKEx9UcnVzdGVkIEluZ
 m9ybWF0aW9uIFN5c3RlbXMgUENBMIGaMAoGBFUIAQECAgQAA4GLADCBhwKBgQDbL
 xaRlS3u54yyRgVDI5dcE9nlasL8fJqOGlyo7xH2FZnr3kUfsFj7OGiYsr6UbvqwK
 nyfMIRUrXDUa64leGmft3SK27psDUHOynRSCc40d/HrDf810U5tnTamBKUIMqivK
 4GoL0tMRA1eX6hALAvLLgK1HbnwZAo6GqQGW8CIJQIBAzANBgkqhkiG9w0BAQIFA
 AOBgQDBp5aC6oV6IuFi8JCctq57bew604HHNllgjjp7zdXafq6jctRg2g91k/yFW
 h19bJC/tNrb0WVwuZOs5L/FToPMNIIHzaW/YSROBmyhTDYaKHZGj0P1+iNjMbHt9
 dm1QEHGIfKgBwFidItnOa74DfkXdijlPRnr/+E2Ib6PM+hEfQ==
MIC-Info: RSA-MD5,RSA,mxs4wXfM82AeASKqmzJZhR3kt+y8ujMvxP0/JYWEIGK
 Dvi0eeNKWg2hz5AvehqTVjvA1wqHnF7JVnJKnD2x9GMmXkJb2tQQ6APZFsXF7cBw
 7+Eg92B90VMGu5T5kietNTHzZo+zwU0an1uJMeuRQzTJRwLHimIq53lTKBXOGLx0
 =


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
          Automated Systems Security Incident Support Team
                                                _____
             ___   ___  _____   ___  _____     |     /
      /\    /   \ /   \   |    /   \   |       |    / Integritas
     /  \   \___  \___    |    \___    |       |   <      et
    /____\      \     \   |        \   |       |    \ Celeritas
   /      \ \___/ \___/ __|__  \___/   |       |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  
    
                       Bulletin  95-10
 
       Release date: 8 March, 1995, 6:30 PM EST (GMT -5)
 
SUBJECT: Vulnerability in Silicon Graphics (SGI) IRIX 5.2, 6.0, 6.0.1 
Desktop Permissions Tool.

SUMMARY: A vulnerability exists within the Desktop Permissions Tool
of SGI IRIX 5.2, 6.0, and 6.0.1 operating systems.  This problem has 
been corrected in IRIX 5.3 and future releases.

BACKGROUND: The Desktop Permissions Tool should only allow users to 
modify the permissions on files they own or have privileges to modify.  
By exploiting a vulnerability in Desktop Permissions Tool, users  
can modify the permissions for any file. 

IMPACT: Users can gain unauthorized and/or privileged access to
system resources. 
 
RECOMMENDED SOLUTION: The following fixes have been provided by SGI
Engineering.   

A. Immediate Solution. 

Either remove the setuid/setgid bits on /usr/lib/permissions, or
entirely remove the Desktop Permissions Tool.  Removing the 
setuid/setgid bits will limit the tool to only function on files 
owned by the user using the tool.

        1) Become the root user on the system.

                % /bin/su -
                Password:
                #

        2) Change the unix permissions level on the desktop
        permissions program.

                # chmod u-s /usr/lib/desktop/permissions
                # chmod g-s /usr/lib/desktop/permissions

        3) Return to previous user.

                # exit
                %

B.  Long Term Solution.

IRIX 5.0.x, 5.1.x 
- - -----------------
The versions 5.0.x and 5.1.x of IRIX were limited hardware specific
releases and have since been made obsolete by later versions of IRIX
and are not subject to this vulnerability.  For supportability reasons, 
SGI recommends upgrading to at least IRIX 5.2 as a first step for all 
problem resolution in these versions. 

IRIX 5.2, 6.0, 6.0.1 (IRIX 5.3 IS NOT SUBJECT TO THIS VULNERABILITY)
- - --------------------------------------------------------------------
For the IRIX operating system versions 5.2, 6.0 and 6.0.1, an inst-able 
patch has been generated and can be obtained via anonymous ftp and/or 
from your service/support provider.  The patch is number 373 and will 
install on IRIX 5.2, 6.0 and 6.0.1.  NOTE: Inst-able patches require a 
patch-aware inst program.  The stock 5.2 inst program with the base 
install is not patch-aware.  The 6.0 and 6.0.1 inst programs are.  A 
patch-aware inst program for IRIX 5.2 is available as patch number 0, 34, 
or 84.  Any one of these may be used, but SGI recommends using 84 (the 
latest) which is available from your service provider or the usual SGI 
anonymous ftp sites.

The primary SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).  
Additionally, the alternative SGI anonymous ftp site, sgigate.sgi.com
(204.94.209.1) can be accessed for the same files.  On each of these 
servers, patch 373 can be found in the following directories:

        ~ftp/Security

                or

        ~ftp/Patches/5.2
        ~ftp/Patches/6.0
        ~ftp/Patches/6.0.1

Checksums
- - ---------
The actual patch will be a tar file containing the following files:

Filename:                 patchSG0000373
Algorithm #1 (sum -r):    51249 1 patchSG0000373
Algorithm #2 (sum):       21641 1 patchSG0000373
MD5 checksum:             40A604013A05C2521152ED4B51C5D9A5

Filename:                 patchSG0000373.desktop_eoe_sw
Algorithm #1 (sum -r):    09134 88 patchSG0000373.desktop_eoe_sw
Algorithm #2 (sum):       63013 88 patchSG0000373.desktop_eoe_sw
MD5 checksum:             D74F9BDED3D51E9D28666CADF1B31945

Filename:                 patchSG0000373.idb
Algorithm #1 (sum -r):    50435 1 patchSG0000373.idb
Algorithm #2 (sum):       41363 1 patchSG0000373.idb
MD5 checksum:             790E9A47909BC32D8E9FCE14EA4077D8

For additional information about SGI security, patches or assistance, 
please contact your SGI support provider.  Questions can be sent via 
e-mail to cse-security-alert@csd.sgi.com.  To report new SGI security 
vulnerability information, send e-mail to security-alert@sgi.com.

ASSIST would like to thank Silicon Graphics Customer Services
Engineering for information contained in this bulletin.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency 
(DISA), Center for Information Systems Security (CISS), that 
provides service to the entire DoD community. Constituents 
of the DoD with questions about ASSIST or computer security 
security issues, can contact ASSIST using one of the methods
listed below.  Non-DoD organizations/institutions, contact
the Forum of Incident Response and Security Teams (FIRST)
(FIRST) representative.  To obtain a list of FIRST member
organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil.  Back issues of ASSIST 
bulletins, and other security related information, are available
from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154,
and through anonymous FTP from assist.mil (IP address
199.211.123.11).  Note: assist.mil will only accept anonymous FTP
connections from Milnet addresses that are registered with the
NIC or DNS.
 
ASSIST Contact Information: 
PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00
to 22:30 EDT (GMT -4) Monday through Friday.  During off duty hours, 
weekends and holidays, ASSIST can be reached via pager at 800-791-
4857.  The page will be answered within 30 minutes, however if a 
quicker response is required, prefix the phone number with "999".
ELECTRONIC MAIL: Send to assist@assist.mil. 
ASSIST BBS: Leave a message for the "sysop". 

As of 1 April 1995, ASSIST will cease using Privacy Enhanced Mail
(PEM) as the primary digital signature mechanism for ASSIST
bulletins and begin using Pretty Good Privacy (PGP) 2.6.2.  In the
interim from now until 1 April 1995, ASSIST will use both PEM and 
PGP to sign e-mail bulletins.  PGP 2.6.2 incorporates the 
RSAREF(tm) Cryptographic Toolkit under license from RSA Data 
Security, Inc.  A copy of that license is available via anonymous 
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file 
/pub/PGP/rsalicen.txt.  In accordance with the terms of that 
license,  PGP 2.6.2 may be used for non-commercial purposes only.  
Instructions for downloading the PGP 2.6.2 software can also be 
obtained from net-dist.mit.edu in the pub/PGP/README file.  PGP 
2.6.2 and RSAREF may be subject to the export control laws of the 
United States of America as implemented by the United States 
Department of State Office of Defense Trade Controls.  The PGP 
signature information will be attached to the end of ASSIST 
bulletins.
  
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST.  The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes. 

- -----END PRIVACY-ENHANCED MESSAGE-----


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6

mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW
3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q
ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A
a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT
VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9
0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9
O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr
uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg==
=d5rP
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBL15IM9H6sbnW3Io9AQHRkwQApxnaAhymyXjpN2V6WApok5yZmDU9UvST
hnlIp3ITnduri4rJQQObKezwvv0B+U/X18/Qxyx4dO4rKLSMYmSY95TEbH1o7n3r
EhUcPompLvAJeGZSympctvMVuLOzKgBKPzvhYlVTouz5bh+Q9w9kPePWE6d/EK4+
PuE/orwDwOY=
=mY5q
-----END PGP SIGNATURE-----