This is a discussion on SECURITY VULNERABILITIES IN IDS within the Informix forums, part of the Database Server Software category.
1. http://www-1.ibm.com/support/docview...=utf-8&lang=en

mentions an issue with ISM that allows gaining "administrator privileges" on the machine.

Fixed in 10.00.xC8W1 due beginning of March.

"Unix machines are not known to be affected unless the library provided by the operating system vendor containing the XDR functions is itself vulnerable."

Which functions? What vulnerability? What is the library for Solaris 8, Redhat 3/4?

Are IDS 7/9 affected?

2. http://labs.idefense.com/intelligenc...lay.php?id=650

mentions "Local exploitation of a file creation vulnerability in IBM Corp.'s Informix Dynamic Server allows attackers to elevate privileges to root. When the SQLIDEBUG environment variable is set, several set-uid binaries will log debugging information to the specified file."

Following the fix list for 10.00.xC8 at http://www-1.ibm.com/support/docview...id=swg27011556 leads to two publicly accessible APARs for security issues fixed in xC8:

IC54309 SECURITY: SQLIDEBUG FILE CREATION VULNERABILITY
IC54307 SECURITY: SERVER ONEDCU FILE CREATION VULNERABILITY

Nothing says if IDS 7/9 are affected, are they affected?
david@smooth1.co.uk wrote:
> 1. http://www-1.ibm.com/support/docview...=utf-8&lang=en
>
> mentions an issue with ISM that allows gaining "administrator
> privileges" on the machine.
>
> Fixed in 10.00.xC8W1 due beginning of March.
>
> "Unix machines are not known to be affected unless the library
> provided by the operating system vendor containing the XDR functions
> is itself vulnerable." Which functions? What vulnerability? What is
> the library for Solaris 8, Redhat 3/4?

xdr_* functions -- like it says.

On Solaris (8, 9, 10), the library is libnsl.so

For Redhat, it might be librpc; it might be something else altogether. You can poke around for a library containing functions that start 'xdr_' and that's most probably the one. You could use 'ldd' on the ISM executables to get candidate names, too.

The relevant o/s bugs were fixed a number of years ago. XDR is a good search term in places like http://cve.mitre.org/.

> Are IDS 7/9 affected?

Yes, but neither 7.31 nor 9.40 gets regular fix packs any more, so you'll have to request a patch port. Note that ISM is in fact a separately versioned component of IDS. Also, you're not going to get a re-release of ISM unless you are on Windows - there's no need.

> 2. http://labs.idefense.com/intelligenc...lay.php?id=650
>
> mentions
> "Local exploitation of a file creation vulnerability in IBM Corp.'s
> Informix Dynamic Server allows attackers to elevate privileges to
> root.
>
> When the SQLIDEBUG environment variable is set, several set-uid
> binaries will log debugging information to the specified file. "
>
> Following the fix list for 10.00.xC8 at http://www-1.ibm.com/support/docview...id=swg27011556
> leads to two publicly accessible APARs for security issues fixed in
> xC8:
>
> IC54309 SECURITY: SQLIDEBUG FILE CREATION VULNERABILITY
> IC54307 SECURITY: SERVER ONEDCU FILE CREATION VULNERABILITY
>
> Nothing says if IDS 7/9 are affected, are they affected?

As noted above, neither IDS 7.31 nor 9.40 gets regular fix packs any more. The code changes were checked into 9.40 and dragged forward. Back-porting the SQLIDEBUG fix to IDS 7.31 would be hard because the fix included a major overhaul of the SQLIDEBUG code; the ONEDCU fix is pretty straight-forward to back-port. (Unless you actively use ON-Perf, a better workaround for the ONEDCU problem is to remove or disable onperf, onedcu and onedpu.)

--
Jonathan Leffler                   #include <disclaimer.h>
Email: jleffler@earthlink.net, jleffler@us.ibm.com
Guardian of DBD::Informix v2007.0914 -- http://dbi.perl.org/

publictimestamp.org/ptb/PTB-2550 sha256 2008-02-18 06:00:06
584876CDEE4ED8A07EEA0CB5B761FFE73729DA383218C7E1DA 3B2BB4D8A7F97B
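A defender-side check for the two things Jonathan's reply points at (the set-uid ON-Perf tools and the SQLIDEBUG environment variable), plus his 'ldd' suggestion for locating the XDR library, written as an added example that is not code from the thread or from IBM. It assumes a POSIX shell, an installation root passed as the first argument with the binaries under its bin/ directory, and the tool names onperf, onedcu and onedpu from the post.

```shell
#!/bin/sh
# Constructed audit helper for an IDS installation (not IBM's or the poster's code).
# Usage: . ./ids_audit.sh; list_setuid_tools "$INFORMIXDIR"; disable_onperf_setuid "$INFORMIXDIR"

# Tools the post suggests removing or disabling when ON-Perf is not in use.
ONPERF_TOOLS="onperf onedcu onedpu"

# Print "<path> onperf|other" for every set-uid file under <installdir>/bin.
list_setuid_tools() {
    dir="$1/bin"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -u "$f" ] || continue   # -u: set-user-ID bit is set
        name=$(basename "$f")
        tag=other
        for t in $ONPERF_TOOLS; do
            [ "$name" = "$t" ] && tag=onperf
        done
        printf '%s %s\n' "$f" "$tag"
    done
}

# Workaround from the post: clear the set-uid bit on the ON-Perf tools.
# Prints the number of files changed.
disable_onperf_setuid() {
    n=0
    for t in $ONPERF_TOOLS; do
        f="$1/bin/$t"
        [ -f "$f" ] && [ -u "$f" ] || continue
        chmod u-s "$f" && n=$((n + 1))
    done
    echo "$n"
}

# SQLIDEBUG makes set-uid binaries write a debug file at the given path;
# returns 0 when it is set in the current environment, 1 when it is not.
sqlidebug_is_set() {
    [ -n "${SQLIDEBUG:-}" ]
}

# Shared libraries linked into <binary> that define xdr_* symbols: the
# candidates the ldd suggestion turns up. Needs ldd and GNU nm.
find_xdr_libs() {
    command -v ldd >/dev/null && command -v nm >/dev/null || return 1
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while read -r lib; do
        nm -D --defined-only "$lib" 2>/dev/null | grep -q ' xdr_' && echo "$lib"
    done
}
```

Run list_setuid_tools first and keep its output as the before state; rerun it after disable_onperf_setuid so the change is recorded.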
On 18 Feb, 07:49, Jonathan Leffler <jleff...@earthlink.net> wrote:
> da...@smooth1.co.uk wrote:
> > 1.
> > http://www-1.ibm.com/support/docview...=SSGU8G&contex....
> >
> > mentions an issue with ISM that allows gaining "administrator
> > privileges" on the machine.
> >
> > Fixed in 10.00.xC8W1 due beginning of March.
> >
> > "Unix machines are not known to be affected unless the library
> > provided by the operating system vendor containing the XDR functions
> > is itself vulnerable." Which functions? What vulnerability? What is
> > the library for Solaris 8, Redhat 3/4?
>
> xdr_* functions -- like it says.
>
> On Solaris (8, 9, 10), the library is libnsl.so
>
> For Redhat, it might be librpc; it might be something else altogether.
> You can poke around for a library containing functions that start 'xdr_'
> and that's most probably the one. You could use 'ldd' on the ISM
> executables to get candidate names, too.
>
> The relevant o/s bugs were fixed a number of years ago. XDR is a good
> search term in places like http://cve.mitre.org/.
>
> > Are IDS 7/9 affected?
>
> Yes, but neither 7.31 nor 9.40 gets regular fix packs any more, so
> you'll have to request a patch port. Note that ISM is in fact a
> separately versioned component of IDS. Also, you're not going to get a
> re-release of ISM unless you are on Windows - there's no need.
>
> > 2. http://labs.idefense.com/intelligenc...lay.php?id=650
> >
> > mentions
> > "Local exploitation of a file creation vulnerability in IBM Corp.'s
> > Informix Dynamic Server allows attackers to elevate privileges to
> > root.
> >
> > When the SQLIDEBUG environment variable is set, several set-uid
> > binaries will log debugging information to the specified file. "
> >
> > Following the fix list for 10.00.xC8 at http://www-1.ibm.com/support/docview.wss?uid=swg27011556
> > leads to two publicly accessible APARs for security issues fixed in
> > xC8:
> >
> > IC54309 SECURITY: SQLIDEBUG FILE CREATION VULNERABILITY
> > IC54307 SECURITY: SERVER ONEDCU FILE CREATION VULNERABILITY
> >
> > Nothing says if IDS 7/9 are affected, are they affected?
>
> As noted above, neither IDS 7.31 nor 9.40 gets regular fix packs any
> more. The code changes were checked into 9.40 and dragged forward.
> Back-porting the SQLIDEBUG fix to IDS 7.31 would be hard because the fix
> included a major overhaul of the SQLIDEBUG code; the ONEDCU fix is
> pretty straight-forward to back-port. (Unless you actively use ON-Perf,
> a better workaround for the ONEDCU problem is to remove or disable
> onperf, onedcu and onedpu.)
>
> --
> Jonathan Leffler                   #include <disclaimer.h>
> Email: jleff...@earthlink.net, jleff...@us.ibm.com
> Guardian of DBD::Informix v2007.0914 -- http://dbi.perl.org/
>
> publictimestamp.org/ptb/PTB-2550 sha256 2008-02-18 06:00:06
> 584876CDEE4ED8A07EEA0CB5B761FFE73729DA383218C7E1DA 3B2BB4D8A7F97B

OK can we get this info put into the IBM webpages for these issues?

Shouldn't IBM be providing just these fixes for IDS 7/9 in a full release (at least for platforms like Solaris/Linux) rather than expecting every customer who wants to stay on 7/9 to request a separate patch port?
On Feb 19, 2:17 pm, "david@smooth1.co.uk" wrote:
> On 18 Feb, 07:49, Jonathan Leffler wrote:
>>[...snip...]
>
> OK can we get this info put into the IBM webpages for these issues?
>
> Shouldn't IBM be providing just these fixes for IDS 7/9 in a full
> release (at least for platforms like Solaris/Linux)
> rather than expecting every customer who wants to stay on 7/9 to
> request a separate patch port?

If you provide me with a working email address, I will discuss matters with you offline.

-=JL=-