cert-advisory-request@CERT.SEI.CMU.EDU (CERT Advisory) (11/01/90)
CA-90:08 CERT Advisory
October 31, 1990
IRIX 3.3 & 3.31 /usr/sbin/Mail
---------------------------------------------------------------------------
The CERT/CC has received the following report of a vulnerability in
/usr/sbin/Mail, present only in IRIX 3.3 and 3.3.1. This information was
provided to the CERT/CC by Robert Stephens, of Silicon Graphics Inc.
----------------------------------------------------------------------------
DESCRIPTION:
/usr/sbin/Mail can fail to reset its group id to the group id of the caller.
IMPACT:
Can allow any user logged onto the system to read any other user's
(including root's) mail.
SOLUTION:
A fixed /usr/sbin/Mail binary has been made available for anonymous ftp
from SGI.COM ([192.48.153.1]). The correct binary can be found at:
sgi/Mail/Mail
under the ftp directory.
Note that this binary must be installed with the same group (mail) and
permissions (2755) as your existing 3.3 or 3.3.1 /usr/sbin/Mail.
--------------------------------------------------------------------------
CONTACT INFORMATION
For further questions, please contact your Silicon Graphics support center
(Geometry Partners HOTLINE number: (800) 345-0222)
--------------------------------------------------------------------------
Dan Farmer
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
7:30a.m.-6:00p.m. EST, on call for
emergencies other hours.
Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).