Note: This is an archival copy of Security Sun Alert 201608 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001207.1.
Article ID : 1001207.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-08-15
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Buffer Overflow in the CDE Mailer dtmail(1X)



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
5038601

Date of Resolved Release
23-AUG-2004

Impact

Unprivileged local users may be able to gain unauthorized "Group ID" (gid) mail privileges due to a buffer overflow in the CDE Mailer (dtmail(1X)). This would give users with access to a mail server the ability to read, modify, and delete the e-mail of other users in "/var/mail".

Sun acknowledges, with thanks, iDEFENSE for contacting us regarding this issue.

For additional information regarding this issue, please see: http://www.idefense.com/application/poi/display?type=vulnerabilities


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • CDE 1.4 for Solaris 8 without patch 109613-07
  • CDE 1.5 for Solaris 9 without patch 112810-06

x86 Platform

  • CDE 1.4 for Solaris 8 without patch 109614-07
  • CDE 1.5 for Solaris 9 without patch 113870-05

Note: Solaris 7 is not affected by this issue.


Symptoms

There are no symptoms that would indicate the described issue has been exploited to gain unauthorized "gid" mail access to a host.


Workaround

To work around the described issue, remove the "set-group-ID" bit from dtmail(1X) by doing the following:

    # chmod 0555 /usr/dt/bin/dtmail

Note: Removing the "set-group-ID" bit from dtmail(1X) may make it impossible to read NFS-mounted mailboxes.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • CDE 1.4 for Solaris 8 with patch 109613-07 or later
  • CDE 1.5 for Solaris 9 with patch 112810-06 or later

x86 Platform

  • CDE 1.4 for Solaris 8 with patch 109614-07 or later
  • CDE 1.5 for Solaris 9 with patch 113870-05 or later
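
A host can be checked against the patch levels and the workaround described above. The script below is an added example, not part of the original Sun Alert; it assumes the usual `showrev -p` line format (`Patch: <id>-<rev> ...`) and a POSIX shell and awk, and its sample input is constructed.

```shell
#!/bin/sh
# Added example (not Sun's code). Needs a POSIX sh and awk; on Solaris 8/9
# that is an assumption: /usr/xpg4/bin/sh and nawk or /usr/xpg4/bin/awk.
# Fixed patch levels are the four IDs listed in this advisory.
FIXED_PATCHES="109613-07 112810-06 109614-07 113870-05"

# Constructed sample of `showrev -p` output (placeholder IDs and package).
SAMPLE='Patch: 109613-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# patch_status: reads `showrev -p` output on stdin and prints "patched" if an
# advisory patch is installed at the fixed revision or later, else "unpatched".
# It does not follow Obsoletes: lines of later, superseding patches.
patch_status() {
    awk -v want="$FIXED_PATCHES" '
        BEGIN { n = split(want, w, " ")
                for (i = 1; i <= n; i++) { split(w[i], p, "-"); min[p[1]] = p[2] + 0 } }
        $1 == "Patch:" { split($2, q, "-")
                if ((q[1] in min) && q[2] + 0 >= min[q[1]]) ok = 1 }
        END { print (ok ? "patched" : "unpatched") }'
}

# setgid_status FILE: prints "setgid", "clear", or "missing".
setgid_status() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -g "$1" ]; then echo setgid
    else echo clear
    fi
}

# assess FILE: host is exposed only if unpatched AND dtmail is still setgid.
assess() {
    p=$(patch_status)
    g=$(setgid_status "$1")
    if [ "$p" = patched ] || [ "$g" != setgid ]; then echo "OK ($p, $g)"
    else echo "EXPOSED ($p, $g)"
    fi
}

if command -v showrev >/dev/null 2>&1; then
    showrev -p | assess /usr/dt/bin/dtmail
else
    # No showrev here: evaluate the constructed sample instead.
    printf '%s\n' "$SAMPLE" | patch_status    # prints "unpatched"
fi
```
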


References

109613-07
112810-06
109614-07
113870-05



