Note: This is an archival copy of Security Sun Alert 201035 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000771.1.
Article ID : 1000771.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-07-13
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Fix for Security Vulnerability in dtsession(1X) May Be Lost



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System

Bug Id
4788212

Date of Resolved Release
18-JUL-2003

Impact

When patch 114497-01 (SPARC) or patch 114498-01 (x86) is installed, and then patch 113240-03 (SPARC) or earlier or patch 113241-03 (x86) or earlier is installed afterwards, the fix for dtsession(1X) security BugID 4788212 is lost.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 9 without patch 113240-05

x86 Platform

  • Solaris 9 without patch 113241-05

The dtsession(1X) security BugID 4788212 is addressed when patch 114497-01 (SPARC) or patch 114498-01 (x86) is installed. These changes are lost when patch 113240-03 (SPARC) or earlier or patch 113241-03 (x86) or earlier is installed afterwards. This issue may also arise when installing Solaris 9 Maintenance Update 3 (MU3), as this installs patch 114497-01 (SPARC) or patch 114498-01 (x86) followed by patch 113240-03 (SPARC) or patch 113241-03 (x86).

Note: Please see Sun Alert 52388 for more information on the security issue for BugID 4788212.

Note: This issue only occurs when patch 113240-03 (SPARC) or earlier or patch 113241-03 (x86) or earlier is installed in addition to patch 114497-01 (SPARC) or patch 114498-01 (x86). This may occur if Solaris 9 MU3 is installed on a system which does not already have patch 113240-03 (SPARC) or patch 113241-03 (x86) installed.

Note: Patch 113240-05 (SPARC) and patch 113241-05 (x86) include all the dtsession(1X) fixes. Patch 114497-01 (SPARC) and patch 114498-01 (x86) are obsoleted.

Note: Installations of Solaris 9 Update 4/03 are unaffected by this issue. No other Solaris releases are affected.


Symptoms

Use the following command to determine if BugID 4788212 is present:

    # /usr/ccs/bin/mcs -p /usr/dt/bin/dtsession
    "@(#)CDEVersion1.5.3":sparc:26Nov02-12:13:22

The above output indicates that the bug fix has been lost.

If the output instead is:

    "@(#)CDEVersion1.5.3_06":sparc:10Jan03-21:35:07

or has a date later than 10Jan03, then the system is not affected.
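
The check above can be scripted for use across many hosts. The following is an added example, not part of the original Sun Alert: the function names and the status words (fix-lost, not-affected, unknown) are assumptions, and it accepts any architecture field in the string rather than only "sparc".

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify `mcs -p` output for dtsession.

# Turn a DDMonYY build date (e.g. 10Jan03) into a sortable YYYYMMDD number.
# Assumption: years 70-99 mean 19YY, everything else means 20YY.
build_date_key() {
    d=${1%?????}; y=${1#?????}; m=${1#??}; m=${m%??}
    case $m in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    case $y in [7-9]?) c=19 ;; *) c=20 ;; esac
    printf '%s%s%s%s\n' "$c" "$y" "$m" "$d"
}

# Classify one output line: prints fix-lost, not-affected or unknown.
dtsession_fix_status() {
    case $1 in
        *'@(#)CDEVersion'*'":'*:*-*) ;;   # "<version>":<arch>:<DDMonYY>-<time>
        *) echo unknown; return 0 ;;
    esac
    stamp=${1##*\":}       # -> sparc:26Nov02-12:13:22
    stamp=${stamp#*:}      # -> 26Nov02-12:13:22
    bdate=${stamp%%-*}     # -> 26Nov02
    case $bdate in
        [0-3][0-9][A-Z][a-z][a-z][0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    key=$(build_date_key "$bdate") || { echo unknown; return 0; }
    # The advisory's threshold: a date of 10Jan03 or later carries the fix.
    if [ "$key" -ge 20030110 ]; then echo not-affected; else echo fix-lost; fi
}

# Read full `mcs -p` output on stdin; report the first CDEVersion line found.
dtsession_check() {
    while IFS= read -r l; do
        s=$(dtsession_fix_status "$l")
        [ "$s" = unknown ] || { echo "$s"; return 0; }
    done
    echo unknown
}

# Runs only where the Solaris tool exists; otherwise the file just defines functions.
if [ -x /usr/ccs/bin/mcs ]; then
    /usr/ccs/bin/mcs -p /usr/dt/bin/dtsession | dtsession_check
fi
```

A result of "unknown" means no parsable CDEVersion string was found and the binary should be inspected by hand.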


Workaround

Do not install patch 113240-03 (SPARC) or earlier or patch 113241-03 (x86) or earlier in addition to patch 114497-01 (SPARC) or patch 114498-01 (x86).


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 9 with patch 113240-05 or later

x86 Platform

  • Solaris 9 with patch 113241-05 or later


References

113240-05
113241-05
