-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Tue May 19 10:27:38 CDT 2009 | Updated: Wed May 20 19:41:25 CDT 2009 | Added aparref information to fixes The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc or ftp://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc VULNERABILITY SUMMARY VULNERABILITY: AIX libc MALLOCDEBUG file overwrite vulnerability PLATFORMS: AIX 5.3, 6.1 SOLUTION: Apply the fix as described below. THREAT: A local user may execute arbitrary code as root. DETAILED INFORMATION I. DESCRIPTION There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable: /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L bos.rte.libc bos.adt.prof The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level ------------------------------------------------ bos.rte.libc 5.3.0.0 5.3.0.71 bos.rte.libc 5.3.7.0 5.3.7.8 bos.rte.libc 5.3.8.0 5.3.8.5 bos.rte.libc 5.3.9.0 5.3.9.2 bos.rte.libc 6.1.0.0 6.1.0.9 bos.rte.libc 6.1.1.0 6.1.0.4 bos.rte.libc 6.1.2.0 6.1.0.3 bos.adt.prof 5.3.0.0 5.3.0.71 bos.adt.prof 5.3.7.0 5.3.7.8 bos.adt.prof 5.3.8.0 5.3.8.5 bos.adt.prof 5.3.9.0 5.3.9.2 bos.adt.prof 6.1.0.0 6.1.0.9 bos.adt.prof 6.1.1.0 6.1.0.4 bos.adt.prof 6.1.2.0 6.1.0.3 III. SOLUTIONS A. APARS IBM has assigned the following APARs to this problem: AIX Level APAR number Availability --------------------------------------------------- 5.3.0 IZ50500 07/01/09 5.3.7 IZ50517 07/01/09 5.3.8 IZ50447 07/01/09 5.3.9 IZ50445 07/01/09 6.1.0 IZ50139 06/03/09 6.1.1 IZ50129 06/03/09 6.1.2 IZ50121 06/03/09 Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ50500 http://www.ibm.com/support/docview.wss?uid=isg1IZ50517 http://www.ibm.com/support/docview.wss?uid=isg1IZ50447 http://www.ibm.com/support/docview.wss?uid=isg1IZ50445 http://www.ibm.com/support/docview.wss?uid=isg1IZ50139 http://www.ibm.com/support/docview.wss?uid=isg1IZ50129 http://www.ibm.com/support/docview.wss?uid=isg1IZ50121 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are now available. The fixes can be downloaded from: ftp://aix.software.ibm.com/aix/efixes/security/libc_fix.tar http://aix.software.ibm.com/aix/efixes/security/libc_fix.tar The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. AIX Level Interim Fix (*.Z) ------------------------------------------------------------------- | 5.3.0 TL6 IZ50500_06.090520.epkg.Z | IZ50500_6p.090520.epkg.Z | 5.3.7 IZ50517_07.090520.epkg.Z | IZ50517_7p.090520.epkg.Z | 5.3.8 IZ50447_08.090520.epkg.Z | IZ50447_8p.090520.epkg.Z | 5.3.9 IZ50445_09.090520.epkg.Z | IZ50445_9p.090520.epkg.Z | 6.1.0 IZ50139_00.090520.epkg.Z | IZ50139_0p.090520.epkg.Z | 6.1.1 IZ50129_01.090520.epkg.Z | IZ50129_1p.090520.epkg.Z | 6.1.2 IZ50121_02.090520.epkg.Z | IZ50121_2p.090520.epkg.Z To extract the fixes from the tar file: tar xvf libc_fix.tar cd libc_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "csum -h SHA1" (sha1sum) commands and are as follows: csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------ | cc9b263e02cfc057ad26b7173bd76fc93925ee39 IZ50121_02.090520.epkg.Z | 7e5c037462a5c5f732f0f0055defe63ea2df5129 IZ50121_2p.090520.epkg.Z | 63872432e0d77e3d0e87ab3e6e588a3e76427e30 IZ50129_01.090520.epkg.Z | ec3747bfe08ff0d7e57a62eeeadb62a20d2d7469 IZ50129_1p.090520.epkg.Z | e565ff946039d368243fa5254dabf3e161c86838 IZ50139_00.090520.epkg.Z | 5b62e8eba636254609382814aca5ac858d9d4e40 IZ50139_0p.090520.epkg.Z | 1b9ab4e58dfa6ab8c8b74ab2e3d491154dad0dbe IZ50445_09.090520.epkg.Z | 7b50e1ad2346fec2a07e1f5fcf178319cad16922 IZ50445_9p.090520.epkg.Z | b720dcd30a580b5e56941360f985f16bdf0602c8 IZ50447_08.090520.epkg.Z | cc25022b4630e4adc8e21bef7c5b969f52959d1b IZ50447_8p.090520.epkg.Z | 58e4b30487d5020c66cd05890264d5a6967a7d38 IZ50500_06.090520.epkg.Z | ce5403e857c0a530d9cffeb689aa13d92e570b26 IZ50500_6p.090520.epkg.Z | a098e8205caf07686bfb3159700ab4457819dfea IZ50517_07.090520.epkg.Z | 877668076c2713268d531dc7c3f761e820a1e1b8 IZ50517_7p.090520.epkg.Z To verify the sums, use the text of this advisory as input to csum or sha1sum. For example: csum -h SHA1 -i Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security and describe the discrepancy at the following address: security-alert@austin.ibm.com C. INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; thus, IBM does not warrant the fully correct functionality of an interim fix. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. IV. WORKAROUNDS There are no workarounds. V. OBTAINING FIXES AIX security fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security or ftp://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www.ibm.com/systems/support and click on the "My notifications" link. To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0xADA6EB4D Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS This vulnerability was reported by iDefense Labs. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFKFKdtP9Qud62m600RAnLMAKDIquDIcLZh3WGoetrkzxgt2maU6gCg3gZy mBVAUue/qFWfZhe7LVIKL7E= =vvVi -----END PGP SIGNATURE-----