-----BEGIN PGP SIGNED MESSAGE----- CA-90:08 CERT Advisory October 31, 1990 IRIX 3.3 & 3.31 /usr/sbin/Mail - --------------------------------------------------------------------------- The CERT/CC has received the following report of a vulnerability in /usr/sbin/Mail, present only in IRIX 3.3 and 3.3.1. This information was provided to the CERT/CC by Robert Stephens, of Silicon Graphics Inc. - ---------------------------------------------------------------------------- DESCRIPTION: /usr/sbin/Mail can fail to reset its group id to the group id of the caller. IMPACT: Can allow any user logged onto the system to read any other user's (including root's) mail. SOLUTION: A fixed /usr/sbin/Mail binary has been made available for anonymous ftp from SGI.COM ([192.48.153.1]). The correct binary can be found at: sgi/Mail/Mail under the ftp directory. Note that this binary must be installed with the same group (mail) and permissions (2755) as your existing 3.3 or 3.3.1 /usr/sbin/Mail. - -------------------------------------------------------------------------- CONTACT INFORMATION For further questions, please contact your Silicon Graphics support center (Geometry Partners HOTLINE number: (800) 345-0222) - -------------------------------------------------------------------------- Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.org Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours. Past advisories and other information are available for anonymous ftp from cert.org (192.88.209.5). -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaMwi3VP+x0t4w7BAQFjMgQAiXFV+Dh5WiTIxFsE2uh0Ek9Ec164MCEa HBB8bSXEy+cSP877mVu4w/1o1eQkNBBw1Wi8ExmNDb5FJgZt/d/vqhjtAf59SOwV Is6/a+6GyfJFK2LySwlJ/zxajZBGzPov0P1Pd9WsyDg4yUW6rVZFKjb2IkWraUL4 P7jw2Hf2iuQ= =vulZ -----END PGP SIGNATURE-----