Note: This is an archival copy of Security Sun Alert 200519 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000396.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Local unprivileged users may be able to gain unauthorized root access due to a security vulnerability in the Solaris runtime linker (ld.so.1(1)).
This issue can occur in the following releases:
Note: Solaris 7 is not affected by this issue.
There are no reliable symptoms that would indicate the described issue has been exploited to gain elevated privileges.
To work around the described issue, sites running Solaris 8 or Solaris 9 can back out the relevant linker patch to a revision which is not affected using the patchrm(1M) command. If the patch cannot be backed out, the ld.so.1(1M) file from an earlier patch can be replaced on the system using the following steps as the root user:
1. Copy the ld.so.1 file from the patch onto the system as shown in the following example:
# cp ./SUNWcsu/reloc/usr/lib/ld.so.1 /usr/lib/ld.so.1-patch
2. Create a directory entry (link) for the existing runtime linker to a new file using ln(1):
# cd /usr/lib ; ln ld.so.1 ld.so.1.original
3. Create a directory entry (link) for the patched runtime linker copied earlier to the current runtime linker, again using ln(1):
# cd /usr/lib ; ln ld.so.1-patch ld.so.1
4. For SPARC systems running in 64-bit mode, the runtime linker located in the patch at:
will need to be copied to "/usr/lib/sparcv9". The above steps can then be repeated using the "/usr/lib/sparcv9" path instead of "/usr/lib".
This issue is addressed in the following releases:
This solution has no attachment