Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit

[casper () HOLLAND SUN COM (Casper Dik)]

> Sat Feb 22 15:25:48 EET 1997 Romania
>
> Another hole in Solaris
>
> I have found a security hole in sdtcm_convert on Solaris 2.5.1.
> sdtcm_convert - calendar data conversion utility - allows any user to
> change the owner for any file (or directory) from the system or gain root
> access. The exploit is very simple. Change the permision mode of your calendar
> file (callog.YOU) from /var/spool/calendar directory (usual r--rw----) and run
> sdtcm_convert. sdtcm_convert 'll observe the change and 'll want  to
> correct it (it 'll ask you first). You have only to delete the callog file
> and make a symbolic link to a target file and your calendar file and said to
> sdtcm_convert 'y' (yes). sdtcm_convert 'll make you the owner of target
> file ...
> A simple way to correct this is to get out suid_exec bit from
> sdtcm_convert


Is this the bug fixed in the Sun patches:

103670-02: CDE 1.0.2: sdtcm_convert has a security vulnerability
103671-02: CDE 1.0.1: sdtcm_convert has a security vulnerability
103717-02: CDE 1.0.2: sdtcm_convert has a security vulnerability (x86 version)
103718-02: CDE 1.0.1: sdtcm_convert has a security vulnerability (x86 version)


or is it a new one?

Casper