HP/Works


HP Security Warning for CDE

Document ID: HPSBUX9710-072
Date: 29/10/97
Title: Security Vulnerability in CDE on HP-UX 10.0[1,2,3]

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard will not be liable for any consequences to any customer resulting from the customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

PROBLEM: Buffer overflows in CDE.
PLATFORM: HP9000 series 700/800, HP-UX releases 10.10, 10.20, and 10.30
DAMAGE: suid/sgid CDE programs can be exploited to increase privileges.
SOLUTION: Install the patches listed below and relink any programs linked with archived CDE libraries.
AVAILABILITY: All patches are available now.

A. Background - Several buffer overflow conditions have been identified in the Common Desktop Environment (CDE).

B. Fixing the problem - Install the applicable patches:


PHSS_12137     10.10 CDE Runtime
PHSS_12138     10.20 CDE Runtime
PHSS_12139     10.20 CDE Developer's Kit
PHSS_12151     10.30 CDE Runtime
PHSS_12152     10.30 CDE Developer's Kit

NOTE: CDE was not offered on 10.0 and 10.01 releases of HP-UX.

C. Recommended solution - Install the applicable patches and relink archived suid/sgid programs.

D. Impact of the patch - The patch corrects buffer overflow conditions.

E. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following:

F. To report new security vulnerabilities, send email to: security-alert@hp.com

Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a subject (not body) of 'get key' (no quotes) to security-alert@hp.com.
