SUMMARY: Is ECO SSRT0359_OSF1032C (syslog) bad?

From: Richard L Jackson Jr <rjackson_at_portal.gmu.edu>
Date: Wed, 6 Dec 1995 08:03:39 -0500 (EST)

Hello,

SUMMARY:
Two other sites report experiencing problems after installing the syslog
security patch. It is possible that we screwed up the installation.
But I am not able to determine what I did wrong. Due to the sendmail
core dumps, I had several sendmails run amok after restoring the original libc
files. You may notice lone /var/spool/mqueue/df* and pairs of
/var/spool/mqueue/df* and tf* left as gifts from the core dumping sendmail.
It took me 4-5 hours to clean up /var/spool/mqueue on all three systems this
weekend after backing out the security patch.

Since I did not receive a flood of responses to my question this weekend, it
appears that not everyone is affected and the patch is doing more good than
harm for those folks.

However, keep an eye on core files in /var/spool/mqueue and use dbx to
determine if it was caused by a segvi in malloc(). If so, then think about
backing out the patch and start cleaning up your /var/spool/mqueue directory.
Healthy queue email has a df (msg body) and qf (msg header and status) pair.
tf files are simply temp copies of qf files and should have a short life.

I have appended the two reports below...

ps. I have a call open to DEC to address this issue.

-- 
Regards,
Richard Jackson                                George Mason University
Computer Systems Senior Engineer               UCIS / ISO
                                               Computer Systems Engineering

QUESTION:

I installed ECO Kit SSRT0359_OSF1032C for the syslog problem reported
by CERT CA-95:13 on the following;

    2100 5/250 running Digital UNIX 3.2c
    2100 5/275 running Digital UNIX 3.2c
    1000 4/200 running Digital UNIX 3.2a

I noticed when booting both 2100's I received the following
error messages;

    Preserving editors files
    sh: 432 Memory fault -core dumped
    ...
    Successful SIA initiation

I noticed 2 memory fault errors on one 2100 and about 6 on the other.  I
did not watch the 1000.  I noticed on all three machines that sendmail
continuously core dumped in /var/spool/mqueue and at times caused the
sendmail queue to grow.

I then moved the old /usr/shlib/libc.so back into place on all three systems
and restarted sendmail.  The sendmail problems went away.  Anyone else
experience this problem?

ps. The three systems send and receive around 180,000 email a day.
ps. I use DEC's standard sendmail.

REPORTS:

-------------------------------------------------------------------
System Administrator <sysadmin_at_homer.bus.miami.edu>:

I know what you're talking about. My experience, though, was slightly
different... after installing the two libraries and rebooting I noticed
that anyone logged in from LAT service, logs out, the utmp is not
updated and finger info shows them logged in anyways. That seriously
screws up chat, messages, mail, etc, since the tty that utmp reports does
not exist. After replacing the libraries back to the original ones,
everything went back to normal. We are running 1000/233 with DU 3.2c

I guess DEC's patch wasn't that good after all...

=-----------------------+--------------------------------------=
 Igor Natanzon,         |  Office Phone : 284-1771
 System Administrator   |  E-Mail: sysadmin_at_homer.bus.miami.edu
=-----------------------+--------------------------------------=
-------------------------------------------------------------------
Bjorn.S.Nilsson_at_nbi.dk:

I copied the 36 MB SSRT0359_OSF1032C.tar file and installed the two
new libc files on one of our 3.2C systems last weekend. Since then
sendmail has dumped core several times. I.e., after I have sent a mail
with dxmail there is a core file in /var/spool/mqueue from a failing
malloc in sendmail (at least this is what dbx claims). I have not
had any coredumps when I used mailx or mail. When I reinstalled the
original libraries sendmail stopped dumping core.

Are there others who have seen and can confirm this behaviour?

SSRT0359_OSF1032C is the patch that fixes a potential security problem
in syslog.

Bjorn

===================================================================
Bjorn S. Nilsson          Email:             Bjorn.S.Nilsson_at_nbi.dk
Niels Bohr Institute                or just  nilsson_at_nbi.dk
Blegdamsvej 17
DK-2100 Copenhagen        Phone:             +45 35 32 52 83
Denmark                   Fax:               +45 31 42 10 16
-------------------------------------------------------------------
Received on Wed Dec 06 1995 - 14:32:50 NZDT
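
Added example, not part of the original message and not DEC's tooling: a shell function that groups the files in a sendmail queue directory by queue ID and labels each entry according to the summary above (a df and qf pair is healthy; a lone df, or a df and tf without a qf, is a leftover; core files are listed too). It assumes the naming shown in the message, a two-letter prefix (df, qf, tf) followed by the queue ID; the function name `classify_mqueue` and the status labels are made up for this example.

```shell
#!/bin/sh
# classify_mqueue DIR
# Print one "STATUS ID" line per queue ID found in DIR, then one
# "core NAME" line per core file. Read-only: nothing is deleted.
classify_mqueue() {
    dir=$1
    # Collect every queue ID that appears on a df, qf or tf file.
    for f in "$dir"/df* "$dir"/qf* "$dir"/tf*; do
        if [ -e "$f" ]; then
            base=${f##*/}          # strip the directory
            echo "${base#??}"      # strip the two-letter type prefix
        fi
    done | sort -u | while read -r id; do
        have=""
        if [ -e "$dir/df$id" ]; then have="${have}d"; fi
        if [ -e "$dir/qf$id" ]; then have="${have}q"; fi
        if [ -e "$dir/tf$id" ]; then have="${have}t"; fi
        case $have in
            dq)  status=healthy ;;          # body + header/status pair
            dqt) status=healthy-with-tf ;;  # pair plus a temp copy of qf
            d)   status=lone-df ;;          # body with no header file
            dt)  status=df-tf-no-qf ;;      # temp header never became qf
            *)   status=other ;;            # qf or tf without a body
        esac
        echo "$status $id"
    done
    # Core files left in the queue directory by a crashing sendmail.
    for c in "$dir"/core*; do
        if [ -e "$c" ]; then echo "core ${c##*/}"; fi
    done
    return 0
}

# Stand-alone use: sh script.sh /var/spool/mqueue
if [ $# -gt 0 ]; then
    classify_mqueue "$1"
fi
```

Entries that sendmail is still writing can show up as `lone-df` or `df-tf-no-qf` for a moment, so take the listing with sendmail stopped or re-check anything it flags before cleaning up.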
