Bugtraq mailing list archives

Keeping Solaris up-to-date: summary

From: jr () SCMS RGU AC UK (John RIddoch)
Date: Wed, 20 Jan 1999 10:15:24 +0000


As promised, here is a summary of comments from BUGTRAQ readers:

Robert Watson raised an issue about a potential race condition while the
script reads the file data in.  If the file is modified during the running of
the script, inconsistent data is likely to be read.  While there is no obvious
exploit to this, it is still considered a bug.  Some kind of file-locking
could be implemented to prevent this, especially since all hosts are Solaris
machines.

He also raised the issue that NFS is not cryptographically protected and is
not a particularly secure transport.

Several people asked about brining the system down to single user mode (as is
recommended, especially for kernel patches).  No, I haven't looked at that as
yet, although I may consider trying to implement it.  However, I haven't
experienced any problems with applying patches to live systems as yet.

Everett Lipman raised concern about running an NFS-mounted script, as it
becomes trivial to break root on multiple machines if the NFS server is
cracked.  The obvious fix is to install the script on each machine (say, in
/usr/sbin).

He also pointed out that the NFS-server could share the directory read-only
for added safety.  This was, in fact, what I had done (although I didn't
mention it).

Corey Lindsly also pointed out that blithely applying patches can be a Bad
Thing as patches have been known to break systems.

Finally, something which no-one actually pointed out to me was that there is
no checking of the data read in from the patch_list file; simply having a
line:
123456-12;rm -rf /
would delete the machine (the danger of using system() calls).  I plan on
implementing bounds checking this in the script.

Finally, I've put the stuff regarding this on the web at
http://www.scms.rgu.ac.uk/staff/jr/computing/unix/perl/patchupdate.shtml

This includes the issues raised above and some better instructions on how to
install and set up the script.  Any further updates will be posted there.

--
John Riddoch    Email: jr () scms rgu ac uk        Telephone: (01224)262730
Room C4, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
"Yoda of Borg are we:  Futile is resistance.  Assimilate you, we will"

Current thread:

Another web-based mail reader hole, (continued)
- - - Another web-based mail reader hole Dave Pifke (Jan 18)
    - Re: Another web-based mail reader hole Peter van Dijk (Jan 19)
  - Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Nic Bellamy (Jan 19)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race Luke Mewburn (Jan 20)
  - Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Alan Cox (Jan 23)
    - Mirc 5.5 'DCC Server' hole Spikeman (Jan 24)
    - Re: Mirc 5.5 'DCC Server' hole Sandro Jurado (Jan 26)
    - Re: NetBSD Security Advisory 1999-001: select(2)/accept(2) race Casper Dik (Jan 25)
    - Announcement: Wietse's FTP site has moved Wietse Venema (Jan 25)
- Keeping Solaris up-to-date: summary John RIddoch (Jan 20)
- FW: Personal web server - Temporary Fix Ollie Whitehouse (Jan 20)
- Nobo and Netbuster Dos Wolfgang Gassner (Jan 20)
  - Re: Nobo and Netbuster Dos Flavio Veloso (Jan 21)
- Quake 2 Server Crash Leif Sawyer (Jan 20)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race D. J. Bernstein (Jan 20)
- Sendmail 8.8.x/8.9.x bugware Gregory Neil Shapiro (Jan 20)
  - CFP: New Security Paradigms Workshop 1999 Crispin Cowan (Jan 21)
  - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - linux crashes irix6.3 Philipp Schott (Jan 22)

(Thread continues...)