[582] in Best-of-Security

BoS: AIX/Gradient iFOR/LS bug: follows symlinks

daemon@ATHENA.MIT.EDU (Joerg Schumacher)
Fri Mar 6 22:30:41 1998

X-Delivering-To: best-of-security-mtg@menelaus.mit.edu
XDelivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: 	Mon, 9 Feb 1998 23:32:45 +0100
Reply-To: Joerg Schumacher <schuma@GAERTNER.DE>
From: Joerg Schumacher <schuma@GAERTNER.DE>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG
Old-X-Originated-From: From: Joerg Schumacher <schuma@GAERTNER.DE>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


AIX 4.1 includes the iFOR/LS (formerly known as NetLS) license server
from Gradient Technologies.  Some parts of this system (NCS, server and
client libs) use a cache file (/tmp/last_uuid, mode 0666), which will be
created on the fly if missing.  The code has the classical file open bug:
it will happily follow any symlink.

I guess IBM and Gradient had their chance to fix this bug, since I
reported it back in December 1996 (no typo, more than a year ago).
IIRC, HP-UX had (and may still have) this bug too.

Some complaints:

   to IBM: I guess it's time to review the APAR process wrt security.
           Having a security related bug hanging around for more than a
           year at low priority is definitely a bad thing.

   to IBM-ERS: I've submitted a Cc of my original bug report to
               ers-tech@vnet.ibm.com but I never got any feedback.
               Granted, you don't want us to send any reports via
               email, but this "small planet" isn't small enough to let me
               call you via phone for free.

   to DFN-CERT: Where have you been?  No tracking seen despite my Cc.

Thanks to Troy Bollinger (troy@austin.ibm.com) for pointing out some
other insecurely created temporary files.

Regards,
Joerg
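The file-open bug described in the post, as an added C example that is not from the post or from the iFOR/LS code: the naive create-or-open pattern on a predictable world-writable path beside a hardened open that refuses to follow symlinks and verifies what it got. The directory, victim file and path names in the self-check are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable world-writable path opened with O_CREAT
 * but no O_EXCL/O_NOFOLLOW, so a planted symlink redirects the write. */
int open_cache_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: create atomically, never follow symlinks, and verify via fstat
 * that the descriptor is a plain file we own before trusting it. */
int open_cache_safe(const char *path) {
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0 && errno == EEXIST)
        fd = open(path, O_RDWR | O_NOFOLLOW); /* ELOOP if a symlink sits there */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-check (constructed scenario): plant a symlink where last_uuid is
 * expected; the naive open follows it, the hardened open fails with ELOOP and
 * still creates a fresh file elsewhere.  Returns 0 when behaviour matches. */
int run_demo(void) {
    char dir[] = "/tmp/lastuuid_demo_XXXXXX", target[80], link[80], fresh[80];
    int t = -1, bad = -1, good = -1, rc = 1;
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/last_uuid", dir);
    snprintf(fresh, sizeof fresh, "%s/last_uuid.new", dir);
    if ((t = open(target, O_WRONLY | O_CREAT, 0600)) < 0 ||
        symlink(target, link) != 0) goto out;
    if ((bad = open_cache_unsafe(link)) < 0) goto out;      /* follows link */
    if (open_cache_safe(link) != -1 || errno != ELOOP) goto out;
    if ((good = open_cache_safe(fresh)) < 0) goto out;
    rc = 0;
out:
    if (t >= 0) close(t); if (bad >= 0) close(bad); if (good >= 0) close(good);
    unlink(link); unlink(target); unlink(fresh); rmdir(dir);
    return rc;
}
```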
