Re: AIX/Gradient iFOR/LS bug: follows symlinks

Troy A. Bollinger (troy@AUSTIN.IBM.COM)
Mon, 09 Feb 1998 17:39:51 -0600

Quoting Joerg Schumacher (schuma@gaertner.de):
> AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
> from Gradient Technologies. Some parts of this system (NCS, server and
> client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
> created on the fly if missing. The code has the classical file open bug:
> it will happily follow any symlink.
>
> I guess IBM and Gradient had their chance to fix this bug, since I
> reported it back in December 1996 (no typo, more than a year ago).
> IIRC, HP-UX had (and may still have) this bug too.
>

Yes, we've had more than ample time to fix this and I personally thank
you for the patience you've shown. Unfortunately, it's difficult to
fix the bugs when you don't own the source code (I guess bugtraq
readers already know that ;-). For those keeping score this is PMR
1540x,025,724.

A simple workaround for this is to remove and recreate /tmp/last_uuid
in /sbin/rc.boot. This will limit the attack to filling the /tmp
partition.

> Some complaints:
>
> to IBM: I guess it's time to review the APAR process wrt security.
> Having a security related bug hanging around for more than a
> year at low priority is definitely a bad thing.
>

Hopefully, this case will be an exception. I'd like to think that the
process has improved significantly (e.g. the recent routed bug posted
to bugtraq had a pretty fast followup).

> to IBM-ERS: I've submitted a Cc of my original bug report to
> ers-tech@vnet.ibm.com but I never got any feedback.
> Granted, you don't want us to send any reports via
> email, but this "small planet" isn't small enough to let me
> call you via phone for free.
>
> to DFN-CERT: Where have you been? No tracking seen despite my Cc.
>

IIRC, IBM-ERS and DFN-CERT harassed me about this several times... ;-)

> Thanks to Troy Bollinger (troy@austin.ibm.com) for pointing out some
> other insecurely created temporary files.

I also pointed out how to fix them, didn't I? :-)

I'll update the list I sent you and post it here. Most of the
world-writable files (with the exception of /tmp/last_uuid) have been
fixed. I'd appreciate hearing about any I missed.

>
> Regards,
> Joerg

Thanks.
-- 
Troy Bollinger troy@austin.ibm.com
AIX Security Development security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
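The "classical file open bug" the report describes, shown next to a hardened create-or-open routine, as an added example that is not code from the original post, from IBM or from Gradient. It assumes a private mode (0600) is acceptable for the fixed cache file, uses O_EXCL on the create path (which never follows a symlink, even on systems without O_NOFOLLOW) and cross-checks lstat() against fstat() on the open path; the scratch directory, the `last_uuid` and `victim` file names and the `run_demo()` driver are constructed for the demonstration.

```c
/* Added example: insecure vs. hardened creation of a cache file like
 * /tmp/last_uuid. Not the iFOR/LS code; names below are constructed.
 * Build: cc -Wall -o cache_open cache_open.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* older platforms: O_EXCL and the fstat check still apply */
#endif

/* The bug pattern from the report: create-if-missing, world-writable mode,
 * and open() follows whatever the path resolves to, including a symlink
 * planted by another user of the shared directory. */
int open_cache_file_insecurely(const char *path)
{
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened version: refuse anything at the path that is not a regular
 * file, create with O_EXCL (never follows a symlink) and a private mode,
 * and confirm after opening that the descriptor is the object lstat()
 * saw, is a single-link regular file, and belongs to us. */
int open_cache_file_safely(const char *path)
{
    struct stat before, after;
    int fd, flags = O_RDWR | O_CREAT | O_NOFOLLOW;
    int have_before = (lstat(path, &before) == 0);

    if (have_before && !S_ISREG(before.st_mode)) {
        errno = ELOOP;          /* symlink, FIFO, device, ...: do not use it */
        return -1;
    }
    if (!have_before)
        flags |= O_EXCL;        /* path appeared meanwhile -> EEXIST, caller may retry */
    fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) < 0 || !S_ISREG(after.st_mode) ||
        after.st_nlink != 1 || after.st_uid != geteuid() ||
        (have_before && (after.st_dev != before.st_dev ||
                         after.st_ino != before.st_ino))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration in a scratch directory: a symlink named last_uuid points
 * at a separate file; the insecure open goes through it, the hardened open
 * refuses; after removing and recreating the path (the rc.boot workaround
 * from the thread) the hardened open succeeds. Returns the number of
 * failed checks, 0 when everything behaves as expected. */
int run_demo(void)
{
    char dir[] = "/tmp/lastuuid_demo_XXXXXX";     /* constructed scratch dir */
    char cache[128], victim[128];
    struct stat sv, sf;
    int fd, failures = 0;

    if (mkdtemp(dir) == NULL)
        return 99;
    snprintf(cache, sizeof cache, "%s/last_uuid", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0600);   /* constructed target file */
    if (fd < 0) return 99;
    close(fd);
    if (symlink(victim, cache) != 0) return 99;

    /* 1. insecure open follows the link: fd refers to the victim's inode */
    fd = open_cache_file_insecurely(cache);
    if (fd < 0 || fstat(fd, &sf) != 0 || stat(victim, &sv) != 0 ||
        sf.st_ino != sv.st_ino)
        failures++;
    if (fd >= 0) close(fd);

    /* 2. hardened open refuses the symlink */
    fd = open_cache_file_safely(cache);
    if (fd >= 0) { failures++; close(fd); }

    /* 3. remove whatever sat at the path; a fresh create now succeeds */
    unlink(cache);
    fd = open_cache_file_safely(cache);
    if (fd < 0 || fstat(fd, &sf) != 0 || !S_ISREG(sf.st_mode))
        failures++;
    if (fd >= 0) close(fd);

    /* 4. reopening the existing regular file also succeeds */
    fd = open_cache_file_safely(cache);
    if (fd < 0) failures++; else close(fd);

    unlink(cache); unlink(victim); rmdir(dir);
    return failures;
}

int main(void)
{
    int failures = run_demo();
    printf("%d check(s) failed\n", failures);
    return failures != 0;
}
```

The lstat()/fstat() pair is what made such fixes portable in 1998: O_EXCL covers the create case on every POSIX system, and comparing device and inode numbers before and after the open closes the remaining window on the reopen case when O_NOFOLLOW is unavailable.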
