Bugtraq mailing list archives

Re: Question on Solaris LC_MESSAGES libc exploit


From: darren.moffat () UK SUN COM (Darren J Moffat - Sun Enterprise Services UK)
Date: Tue, 17 Aug 1999 09:43:29 +0100


> A previous message stated that the LC_MESSAGES bug in Solaris has
> been fixed in 7. However, I am still able to gain root with the below code
> on Sparc Solaris 7 5/99 Release boxes with MU2 and 7_Recommended patch set
> installed (offset 7152 gets root for me). Has there been a patch released
> for Solaris 7 that addresses this? Thanks for any help.

The fix for this will be included in the following 3 patches:

106541-06       Solaris 7 Kernel Update
106793-03       ufsdump and ufsrestore patch
107972-01       /usr/sbin/static/rcp patch

These patches have not yet been released officially.  If you have
a service contract then you can get a pre-release version from Sun Enterprise
Services.

We expect the patches will be released officially very soon.

Why was there such a long delay?

The fix for LC_MESSAGES requires changes to the static and dynamic
versions of libc.  In Solaris 7 libc is part of the kernel update due
to intimate changes that affected both the kernel and libc in an early
release of the kernel update patch.   Sun does a lot of regression
testing and other QA cycles on the kernel update patches before they are
released.  Unfortunately the 5/99 release and the corresponding kernel
update patch were too far along the line to include the LC_MESSAGES fix
in that release.

We are currently investigating if there are ways we can improve the
release time for security fixes when we have complex patch dependencies
and QA release cycles.


--
Darren J Moffat


