The original question was:
"CERT Advisory CA-97.06 reports a buffer-overflow vulnerability in rlogin.
We have patches for DUNIX 3.2d/e and 4.0x but are having problems getting
a patch for 3.2c (we slowly copied a 30 MB patch kit from the US only to
find it didn't contain the patch!).
Does anyone know where I can (quickly) get a patch for 3.2c which solves
the rlogin vulnerability?"
Thanks to
Gernot Salzer <salzer_at_logic.tuwien.ac.at>
Martin Moore <martin_at_decatl.alf.dec.com>
"Matt J. L. Goebel" <goebel_at_emunix.emich.edu>
Jerry Winegarden <jbw_at_oit.duke.edu>
Mike Iglesias <iglesias_at_draco.acs.uci.edu>
for replying.
The patch was there - we had seen it, but we thought there was a more
recent one!
As Martin pointed out:
-----------
If you are talking about setld-based patch kit #001 for Digital UNIX
V3.2C, it does in fact contain the rlogin patch:
============================ << START OF PATCH >> ==============================
NEW PatchID: 275.00
PATCH ID: OSF350-275 SUBSET(s): OSFCLINET350
********************************************************************************
PROBLEM: ( QAR 48450) (Patch ID: OSF350-275)
********
A potential security vulnerability has been discovered, where under
certain circumstances, system integrity may be compromised. This may be in
the form of improper file or privilege management. Digital has corrected
this potential vulnerability.
FILE(s):
/usr/bin/rlogin subset OSFCLINET350
CHECKSUM: 16062 32 RCS: rlogin.c Revision: 4.2.23.2
-----------------------------------------------------------------
--------------------------------
We have now installed the patch.
Thanks again to all.
Alan Oborne
+==============================================================+
Alan Oborne (OBORNE_at_CARDIFF.AC.UK)
Head of Systems Support, UWC Computing Service
Cardiff University
+44 1222 874394
URL: http://alf.cf.ac.uk/People/oborne.html
+==============================================================+
Received on Fri Feb 14 1997 - 11:33:20 NZDT