[3680] in bugtraq
lquerypv fix
daemon@ATHENA.MIT.EDU (Troy Bollinger)
Mon Nov 25 12:13:25 1996
Date: Mon, 25 Nov 1996 09:51:08 -0600
Reply-To: Troy Bollinger <troy@austin.ibm.com>
From: Troy Bollinger <troy@austin.ibm.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.SUN.3.94.961124214343.6509A-100000@dfw.dfw.net> from "Aleph One" at Nov 24, 96 09:48:47 pm

Hi,

IBM is working on a permanent fix to this problem. In the meantime,
system administrators can close this security window with the e-fix
of:

    chmod -s /usr/sbin/lquerypv

This should not affect the basic behavior of
the LVM high level commands that call lquerypv.
Yes, the lquery* commands have the setuid issue
but only the "-h" option, which was placed there to
help with problem diagnostics, would constitute
a security problem.

The apars which will fix this problem are:

    4.1 - ix64203
    4.2 - ix64204

We apologize for the inconvenience and ask you
to use the e-fix method until the apars are available
for ordering.

Aleph One wrote:
>
> There may exist a vulnerability in the lquerypv command under AIX.
> I am not sure what version yet. Please try the following command:
>
> /usr/sbin/lquerypv -h /etc/security/passwd
>
> You can substitute /etc/security/passwd for any other unreadable file.
> If the program is able to dump the file (maybe in hex) you got a problem.
> Please email me what version of AIX you are running, patch level, and if
> you are vulnerable. I will summarize the results and post them to the list.
>
> Aleph One / aleph1@dfw.net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
--
+---------------- I do not speak for IBM! ------------------+
|Troy Bollinger | email: troy@austin.ibm.com|
|AIX Security Development | Sometimes the old ways are best.|
+-------- AIX security bugs: security@austin.ibm.com --------+
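
An added example, not part of the original message or of IBM's fix: a POSIX sh sketch that reports the set-id state of the lquery* commands and applies the interim fix to one file, confirming afterwards that the bits are gone. The function names are made up for this example, and `chmod ug-s` is used as the explicit form of the `chmod -s` given in the message.

```shell
#!/bin/sh
# Added example, not from the original post: report set-id bits on the
# lquery* commands and apply/verify the interim fix on one file.

# Print the set-id state of a file: missing, clean, setuid, setgid or setuid+setgid.
suid_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    state=
    if [ -u "$f" ]; then state=setuid; fi
    if [ -g "$f" ]; then state=${state:+$state+}setgid; fi
    echo "${state:-clean}"
}

# List every lquery* file in a directory (default /usr/sbin) with its state.
audit_lquery() {
    dir=${1:-/usr/sbin}
    for f in "$dir"/lquery*; do
        [ -e "$f" ] || continue          # glob matched nothing
        printf '%s %s\n' "$(suid_state "$f")" "$f"
    done
}

# Clear the set-id bits on one file and confirm the result.
# Prints "<before> -> <after>"; returns non-zero if bits remain or file is missing.
apply_efix() {
    f=$1
    before=$(suid_state "$f")
    [ "$before" != missing ] || { echo missing; return 1; }
    if [ "$before" != clean ]; then
        ls -l "$f" >&2                   # keep the old mode/owner for later restore
        chmod ug-s "$f" || return 1      # explicit form of the post's "chmod -s"
    fi
    after=$(suid_state "$f")
    echo "$before -> $after"
    [ "$after" = clean ]
}

# Report only; run apply_efix /usr/sbin/lquerypv as root to make the change.
audit_lquery "${1:-/usr/sbin}"
```

The `ls -l` line written to stderr is the record of the previous mode and owner, kept for whoever needs to restore them later.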