lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 10 Jun 2003 12:53:19 -0700
From: SGI Security Coordinator <agent99@....com>
To: agent99@....com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
   vulnwatch@...nwatch.org
Subject: Potential Denial of Service using PIOCSWATCH ioctl on IRIX


-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                           SGI Security Advisory

Title     : Potential Denial of Service using PIOCSWATCH ioctl
Number    : 20030603-01-P
Date      : June 10, 2003

Reference : CVE CAN-2003-0175
Reference : SGI BUG 886309
Fixed in  : IRIX 6.5.21 (when available)
Fixed in  : Patches 5058, 5064, 5079, 5080, 5087, 5088, 5099-5102
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use.  SGI recommends that
this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose.  In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.
______________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

It's been reported that non-root users can call the PIOCSWATCH ioctl() in
its various invocations via a user space program and crash IRIX with a kernel
panic.  This could be used as a potential Denial of Service attack on the
system.  A local account on the system is required.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of IRIX.


- --------------
- --- Impact ---
- --------------

The PIOCSWATCH ioctl (see proc(4) man page) is a standard function available
in all IRIX systems.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.


- ----------------------------
- --- Temporary Workaround ---
- ----------------------------

There is no effective workaround available for these problems.
SGI recommends either upgrading to IRIX 6.5.21 (when available),
or installing the appropriate patch from the listing below.


- ----------------
- --- Solution ---
- ----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.21 (when available) when available,
or install the appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11       yes                       Notes 2 & 3
   IRIX 6.5.12       yes                       Notes 2 & 3
   IRIX 6.5.13       yes                       Notes 2 & 3
   IRIX 6.5.14       yes                       Notes 2 & 3
   IRIX 6.5.15       yes                       Notes 2 & 3
   IRIX 6.5.16       yes                       Notes 2 & 3
   IRIX 6.5.17m      yes          5087         Notes 2,3,4
   IRIX 6.5.17f      yes          5088         Notes 2,3,4
   IRIX 6.5.18m      yes          5097         Notes 2,3,4
   IRIX 6.5.18f      yes          5098         Notes 2,3,4
   IRIX 6.5.19m      yes      5101 or 5058     Notes 2,3,5
   IRIX 6.5.19f      yes      5102 or 5064     Notes 2,3,6
   IRIX 6.5.20m      yes      5079 or 5099     Notes 2,3,7
   IRIX 6.5.20f      yes      5080 or 5100     Notes 2,3,8
   IRIX 6.5.21        no


   NOTES

     1) This version of the IRIX operating has been retired. Upgrade to an
        actively supported IRIX operating system.  See
        http://support.sgi.com for more information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com

     3) Upgrade to IRIX 6.5.21 (when available) or install the patch.

     4) This patch is for all platforms

     5) Patch 5101 is for all platforms except IP35 systems.
        Patch 5058 is for IP35 only.

     6) Patch 5102 is for all platforms except IP35 systems.
        Patch 5064 is for IP35 only.

     7) Patch 5079 is for all platforms except IP35 systems.
        Patch 5099 is for IP 35 only.

     8) Patch 5080 is for all platforms except IP35 systems.
        Patch 5100 is for IP 35 only.

             ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:
Filename:                 README.patch.5058
Algorithm #1 (sum -r):    15071 21 README.patch.5058
Algorithm #2 (sum):       28694 21 README.patch.5058
MD5 checksum:             6DEAC2FF469764D3CE75D83C512271C1

Filename:                 patchSG0005058
Algorithm #1 (sum -r):    52445 6 patchSG0005058
Algorithm #2 (sum):       64272 6 patchSG0005058
MD5 checksum:             57E879018C715EE06659C0C56EDE6382

Filename:                 patchSG0005058.eoe_man
Algorithm #1 (sum -r):    58730 28 patchSG0005058.eoe_man
Algorithm #2 (sum):       53579 28 patchSG0005058.eoe_man
MD5 checksum:             C45CFA5847A4A277933B66E7BC75270B

Filename:                 patchSG0005058.eoe_sw
Algorithm #1 (sum -r):    43583 10958 patchSG0005058.eoe_sw
Algorithm #2 (sum):       54242 10958 patchSG0005058.eoe_sw
MD5 checksum:             F2BD54C96018B8F1A67400EE742FAE4A

Filename:                 patchSG0005058.idb
Algorithm #1 (sum -r):    41930 24 patchSG0005058.idb
Algorithm #2 (sum):       25686 24 patchSG0005058.idb
MD5 checksum:             3C37A3A83DEB2DE905476C9A47F3910B

Filename:                 README.patch.5064
Algorithm #1 (sum -r):    11746 22 README.patch.5064
Algorithm #2 (sum):       55007 22 README.patch.5064
MD5 checksum:             5E6BAF794EC173B74783B178D5F8EA7D

Filename:                 patchSG0005064
Algorithm #1 (sum -r):    03080 6 patchSG0005064
Algorithm #2 (sum):       51829 6 patchSG0005064
MD5 checksum:             F9D5DE085AEDBB8741CA440927C39DDF

Filename:                 patchSG0005064.eoe_man
Algorithm #1 (sum -r):    58730 28 patchSG0005064.eoe_man
Algorithm #2 (sum):       53579 28 patchSG0005064.eoe_man
MD5 checksum:             C45CFA5847A4A277933B66E7BC75270B

Filename:                 patchSG0005064.eoe_sw
Algorithm #1 (sum -r):    45823 11128 patchSG0005064.eoe_sw
Algorithm #2 (sum):       20226 11128 patchSG0005064.eoe_sw
MD5 checksum:             177B0E74F8F5DDE158385D2FDA8A8C76

Filename:                 patchSG0005064.idb
Algorithm #1 (sum -r):    58885 24 patchSG0005064.idb
Algorithm #2 (sum):       25588 24 patchSG0005064.idb
MD5 checksum:             8BF1C053EA2F15E06275695015800D7F

Filename:                 README.patch.5079
Algorithm #1 (sum -r):    36520 8 README.patch.5079
Algorithm #2 (sum):       40192 8 README.patch.5079
MD5 checksum:             D81033F8806007C83DEA9D5A80698587

Filename:                 patchSG0005079
Algorithm #1 (sum -r):    14932 2 patchSG0005079
Algorithm #2 (sum):       54507 2 patchSG0005079
MD5 checksum:             EB102288DECCA6BC8917606723BE0E93

Filename:                 patchSG0005079.eoe_sw
Algorithm #1 (sum -r):    43373 33054 patchSG0005079.eoe_sw
Algorithm #2 (sum):       35340 33054 patchSG0005079.eoe_sw
MD5 checksum:             8874B5C3F2FCF3D20771C9AFF0C2C882

Filename:                 patchSG0005079.idb
Algorithm #1 (sum -r):    22467 13 patchSG0005079.idb
Algorithm #2 (sum):       55062 13 patchSG0005079.idb
MD5 checksum:             298A3C2A5C0BD5A2635E20A620CF98FD

Filename:                 README.patch.5080
Algorithm #1 (sum -r):    35658 8 README.patch.5080
Algorithm #2 (sum):       40105 8 README.patch.5080
MD5 checksum:             81F5ABD77CE88BBD5DADBFA3466BD8A3

Filename:                 patchSG0005080
Algorithm #1 (sum -r):    32061 2 patchSG0005080
Algorithm #2 (sum):       55640 2 patchSG0005080
MD5 checksum:             F5AF5480DE9C7EF737DC937916324D7D

Filename:                 patchSG0005080.eoe_sw
Algorithm #1 (sum -r):    63615 33707 patchSG0005080.eoe_sw
Algorithm #2 (sum):       8967 33707 patchSG0005080.eoe_sw
MD5 checksum:             89EF7EDCFAF1D4249973730343CB949B

Filename:                 patchSG0005080.idb
Algorithm #1 (sum -r):    43997 13 patchSG0005080.idb
Algorithm #2 (sum):       55014 13 patchSG0005080.idb
MD5 checksum:             E4655AA98032E6A744E342F4144DA28D

Filename:                 README.patch.5087
Algorithm #1 (sum -r):    64157 8 README.patch.5087
Algorithm #2 (sum):       49402 8 README.patch.5087
MD5 checksum:             854E2BCF202843093740AA33C7AF70A2

Filename:                 patchSG0005087
Algorithm #1 (sum -r):    12645 2 patchSG0005087
Algorithm #2 (sum):       59890 2 patchSG0005087
MD5 checksum:             15C529A0906C448ADD63A85DA31C55FB

Filename:                 patchSG0005087.eoe_sw
Algorithm #1 (sum -r):    24505 32275 patchSG0005087.eoe_sw
Algorithm #2 (sum):       56630 32275 patchSG0005087.eoe_sw
MD5 checksum:             506C8665E1B902E942D348C5F560C546

Filename:                 patchSG0005087.idb
Algorithm #1 (sum -r):    47425 7 patchSG0005087.idb
Algorithm #2 (sum):       16222 7 patchSG0005087.idb
MD5 checksum:             618FF7431AAFA5668452701192BAB789

Filename:                 README.patch.5088
Algorithm #1 (sum -r):    36381 9 README.patch.5088
Algorithm #2 (sum):       59343 9 README.patch.5088
MD5 checksum:             34C3FF6DFD1BBD623A2295B2CAC23C49

Filename:                 patchSG0005088
Algorithm #1 (sum -r):    22060 2 patchSG0005088
Algorithm #2 (sum):       3620 2 patchSG0005088
MD5 checksum:             BB9D80855217CA34011CE6970747EAA8

Filename:                 patchSG0005088.eoe_sw
Algorithm #1 (sum -r):    25501 33563 patchSG0005088.eoe_sw
Algorithm #2 (sum):       59889 33563 patchSG0005088.eoe_sw
MD5 checksum:             FB71B84354E8F7B1D92BB0E98EDE0CA7

Filename:                 patchSG0005088.idb
Algorithm #1 (sum -r):    32773 7 patchSG0005088.idb
Algorithm #2 (sum):       16112 7 patchSG0005088.idb
MD5 checksum:             3E0D26CEA45FCEBE0500E03CD7AFB46A

Filename:                 README.patch.5097
Algorithm #1 (sum -r):    59158 9 README.patch.5097
Algorithm #2 (sum):       11494 9 README.patch.5097
MD5 checksum:             22D21F5F7E803FCDF6C53342ACB90A61

Filename:                 patchSG0005097
Algorithm #1 (sum -r):    53315 3 patchSG0005097
Algorithm #2 (sum):       12713 3 patchSG0005097
MD5 checksum:             6BFA8E9DE6C7AB732A39259E367E657B

Filename:                 patchSG0005097.eoe_sw
Algorithm #1 (sum -r):    57431 32720 patchSG0005097.eoe_sw
Algorithm #2 (sum):       45473 32720 patchSG0005097.eoe_sw
MD5 checksum:             67E1351058CA7D25227BAC8F24345AEB

Filename:                 patchSG0005097.idb
Algorithm #1 (sum -r):    14608 7 patchSG0005097.idb
Algorithm #2 (sum):       16285 7 patchSG0005097.idb
MD5 checksum:             152EC2F41F33695C4AF3D7CAFCD4351A

Filename:                 README.patch.5098
Algorithm #1 (sum -r):    15978 9 README.patch.5098
Algorithm #2 (sum):       13991 9 README.patch.5098
MD5 checksum:             349BACBB17DA911B09887BF86B0CFCAB

Filename:                 patchSG0005098
Algorithm #1 (sum -r):    08006 4 patchSG0005098
Algorithm #2 (sum):       11963 4 patchSG0005098
MD5 checksum:             FABF856D5E6410E75049E8916FC624AD

Filename:                 patchSG0005098.eoe_sw
Algorithm #1 (sum -r):    15158 34088 patchSG0005098.eoe_sw
Algorithm #2 (sum):       25637 34088 patchSG0005098.eoe_sw
MD5 checksum:             E2C53EC193CAD9ED415C7FBB6E4FA313

Filename:                 patchSG0005098.idb
Algorithm #1 (sum -r):    42688 9 patchSG0005098.idb
Algorithm #2 (sum):       9682 9 patchSG0005098.idb
MD5 checksum:             9E45608160B1A34CEE6DF769A3059E20

Filename:                 README.patch.5099
Algorithm #1 (sum -r):    20723 11 README.patch.5099
Algorithm #2 (sum):       47645 11 README.patch.5099
MD5 checksum:             4DBE557092619218809E59C5290824D6

Filename:                 patchSG0005099
Algorithm #1 (sum -r):    03805 2 patchSG0005099
Algorithm #2 (sum):       40746 2 patchSG0005099
MD5 checksum:             2D796B78C7B40868F0D88F93D23D9BFB

Filename:                 patchSG0005099.eoe_sw
Algorithm #1 (sum -r):    03886 7441 patchSG0005099.eoe_sw
Algorithm #2 (sum):       46009 7441 patchSG0005099.eoe_sw
MD5 checksum:             6261AA3734999A7D3AF8D9B3B19FCC8D

Filename:                 patchSG0005099.idb
Algorithm #1 (sum -r):    65490 7 patchSG0005099.idb
Algorithm #2 (sum):       59168 7 patchSG0005099.idb
MD5 checksum:             79F61D623D40E8B9BA9AF28D14C2DA75

Filename:                 README.patch.5100
Algorithm #1 (sum -r):    57778 11 README.patch.5100
Algorithm #2 (sum):       47318 11 README.patch.5100
MD5 checksum:             FCDFA68E29D354F96A8DD58852065AD8

Filename:                 patchSG0005100
Algorithm #1 (sum -r):    20958 2 patchSG0005100
Algorithm #2 (sum):       41324 2 patchSG0005100
MD5 checksum:             EC8E5720AE464F8FFBDA0806413F6D6F

Filename:                 patchSG0005100.eoe_sw
Algorithm #1 (sum -r):    45129 7526 patchSG0005100.eoe_sw
Algorithm #2 (sum):       56977 7526 patchSG0005100.eoe_sw
MD5 checksum:             0EFF67F92B312928995A81381AF4831C

Filename:                 patchSG0005100.idb
Algorithm #1 (sum -r):    13322 7 patchSG0005100.idb
Algorithm #2 (sum):       57684 7 patchSG0005100.idb
MD5 checksum:             6B39059BB878C33CE431231B9321AF08

Filename:                 README.patch.5101
Algorithm #1 (sum -r):    64087 8 README.patch.5101
Algorithm #2 (sum):       49332 8 README.patch.5101
MD5 checksum:             07702C6B15B7384DFF403A615F22C029

Filename:                 patchSG0005101
Algorithm #1 (sum -r):    49723 3 patchSG0005101
Algorithm #2 (sum):       7510 3 patchSG0005101
MD5 checksum:             9FCCEE5872B9505FB2A95F4197309B8F

Filename:                 patchSG0005101.eoe_sw
Algorithm #1 (sum -r):    47522 34815 patchSG0005101.eoe_sw
Algorithm #2 (sum):       32551 34815 patchSG0005101.eoe_sw
MD5 checksum:             061E93138EA6812DE807D5C639E5CD48

Filename:                 patchSG0005101.idb
Algorithm #1 (sum -r):    35104 14 patchSG0005101.idb
Algorithm #2 (sum):       11821 14 patchSG0005101.idb
MD5 checksum:             0900CE4140D1E607DE317BEC2060EE81

Filename:                 README.patch.5102
Algorithm #1 (sum -r):    62183 8 README.patch.5102
Algorithm #2 (sum):       49371 8 README.patch.5102
MD5 checksum:             F0DB91D422BF9AEC8CC716BC2D6AF4D1

Filename:                 patchSG0005102
Algorithm #1 (sum -r):    15140 3 patchSG0005102
Algorithm #2 (sum):       11203 3 patchSG0005102
MD5 checksum:             92BCD2AB4DD0CE01D893126036BC5FF6

Filename:                 patchSG0005102.eoe_sw
Algorithm #1 (sum -r):    18492 36150 patchSG0005102.eoe_sw
Algorithm #2 (sum):       12442 36150 patchSG0005102.eoe_sw
MD5 checksum:             1FF77B260F4C699647E995510AA506D4

Filename:                 patchSG0005102.idb
Algorithm #1 (sum -r):    08852 14 patchSG0005102.idb
Algorithm #2 (sum):       11757 14 patchSG0005102.idb
MD5 checksum:             7467607559296AED086D155D1FF7ED72


- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com.  Security advisories and patches are located under the URL
ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@....com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com.  Security advisories and patches are located under the URL
ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@....com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@....com
subscribe wiretap <YourEmailAddress such as zedwatch@....com >
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@....com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@....com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPuYy3bQ4cFApAP75AQHF+AQAoh1bDKK8afzzVGvbwi8mSiNsAOJ50mvX
wf2QGuBRBt5K7XRh55izxEzblOeqXzbbqbkiqKYRwiJPvgZTjGIg07Pgq/VEZ7RG
ZEKF7RpVDqsl+f5AORbnW5F4WHaYxTVpyDCDH5J7bAddWRiDLXFfpHBZDT3XX18Q
4C1IO8oE/NU=
=/sgq
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists