Note: This is an archival copy of Security Sun Alert 200999 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000752.1.
Article ID : 1000752.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities Involving the utempter(8) Utility



Category
Security

Release Phase
Resolved

Bug Id
6179483

Date of Resolved Release
26-OCT-2004

Impact

Unprivileged local users may be able to overwrite arbitrary files on a system due to a security vulnerability in the utempter(8) utility.

Note: utempter(8) is a privileged helper program that writes utmp/wtmp entries for unprivileged programs.

This issue is described in the following documents:


Contributing Factors

This issue can occur in the following releases:

Linux

  • Sun Java Desktop System (JDS) 2003 without the updated RPMs (patch-8934)
  • Sun Java Desktop System (JDS) Release 2 without the updated RPMs (patch-8934)

Note: JDS for Solaris is not impacted by this issue.

This issue only occurs with utempter versions utempter-0.5.2-342 or earlier.

To determine the release of JDS for Linux installed on a system, the following command can be run:

    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of utempter, the following command can be run:

    % rpm -qf /usr/sbin/utempter
    utempter-0.5.2-342
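
The version check above can be scripted for use across several hosts. The following is an added example, not part of the original Sun Alert. The function names `cmp_dotted` and `classify_utempter` are hypothetical, and the comparison assumes purely numeric dotted fields rather than implementing the full RPM version algorithm.

```shell
#!/bin/sh
# Added example: classify a utempter package string against the advisory's
# threshold ("utempter-0.5.2-342 or earlier" is affected).
LAST_AFFECTED_VER="0.5.2"
LAST_AFFECTED_REL="342"

# cmp_dotted A B: print lt, eq or gt after comparing dot-separated numeric
# fields left to right. Returns 2 on a non-numeric field. Assumption: this is
# a simplified comparison, not the full RPM version algorithm.
cmp_dotted() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0} fb=${fb:-0}
        case "$fa$fb" in *[!0-9]*) return 2 ;; esac
        if [ "$fa" -lt "$fb" ]; then echo lt; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return 0; fi
    done
    echo eq
}

# classify_utempter PKG: PKG is the output of `rpm -qf /usr/sbin/utempter`.
# Prints affected, not-affected (later than the last affected package),
# or unknown (input that cannot be parsed as utempter-VERSION-RELEASE).
classify_utempter() {
    case $1 in utempter-*-*) ;; *) echo unknown; return 0 ;; esac
    vr=${1#utempter-}
    ver=${vr%-*} rel=${vr##*-}
    case $ver in [0-9]*) ;; *) echo unknown; return 0 ;; esac
    c=$(cmp_dotted "$ver" "$LAST_AFFECTED_VER") || { echo unknown; return 0; }
    if [ "$c" = eq ]; then
        c=$(cmp_dotted "$rel" "$LAST_AFFECTED_REL") || { echo unknown; return 0; }
    fi
    if [ "$c" = gt ]; then echo not-affected; else echo affected; fi
}

# Constructed sample inputs (the first is the string shown in the advisory).
for p in utempter-0.5.2-342 utempter-0.5.2-343 "not owned by any package"; do
    printf '%s: %s\n' "$p" "$(classify_utempter "$p")"
done

# On a JDS for Linux host, classify the installed package.
if command -v rpm >/dev/null 2>&1 && [ -e /usr/sbin/utempter ]; then
    classify_utempter "$(rpm -qf /usr/sbin/utempter)"
fi
```

A result of `unknown` means the package string should be inspected by hand, for example when the release field carries a non-numeric suffix.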

Symptoms

There are no predictable symptoms that would show the described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

Linux

  • Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-8934)
  • Sun Java Desktop System (JDS) Release 2 with the updated RPMs (patch-8934)

To download and install the updated RPMs from the update servers select the following from the launch bar:

    Launch >> Applications >> System Tools >> Online Update

For additional information on obtaining updates see:



Modification History

Product
Sun Java Desktop System Release 2
Sun Java Desktop System 2003