Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!samsung!munnari.oz.au!metro!news
From: jimr@maths.su.oz.au (Jim Richardson)
Newsgroups: comp.sys.apollo
Subject: Patch tapes; security; getpwnam; APRs
Message-ID: <1990Jun7.073655.20620@metro.ucc.su.OZ.AU>
Date: 7 Jun 90 07:36:55 GMT
References: <2803@syma.sussex.ac.uk>
Reply-To: jimr@maths.su.oz.au (Jim Richardson)
Organization: Dept of Pure Mathematics, University of Sydney
Lines: 119

In article <2803@syma.sussex.ac.uk>, andrewn@syma.sussex.ac.uk (Andrew D Nimmo) writes:
>Could someone please post a list of patches to this group --
>I am having no luck through any other channels.

I haven't seen any other responses yet, so I'll bite. Here is the list of
patches on the March 1990 SR10.2 patch tape (a small extract of a file,
copyright Hewlett-Packard Company 1990, which I reproduce here for the
purpose of fair comment :-) :

Patch Kit M68K_9003

Patch #       Description                   Blocks  Date
Patch_m0122   /sau7,8,9 domain_os             2457  9003
Patch_m0121   security patch                   118  9003
Patch_m0120   /lib/streams                     568  9003
Patch_m0119   /lib/pmlib                       389  9003
Patch_m0118   /lib/kslib                       133  9003
Patch_m0117   /lib/ftnlib                      125  9003
Patch_m0116   /lib/tfp                         131  9003
Patch_m0115   /lib/kslib               Replaced by Patch m0118 (9003)
Patch_m0114   /sau7,8,9 ring.dex               598  9002
Patch_m0113   /sau7,8,9 domain_os      Replaced by Patch m0122 (9003)
Patch_m0112   /lib/gprlib                      954  9002
Patch_m0111   /lib/rgylib                      148  9002
Patch_m0110   /lib/dseelib (9.7)              1892  9002
Patch_m0109   /lib/dseelib                    2049  9002
Patch_m0108   /etc/routed                       41  9001
Patch_m0107   /etc/ftpd and ftp                418  9001
Patch_m0106   DPCE fixes                      1385  9001
Patch_m0105   DPCC fixes                      1541  9001
Patch_m0104   /sau7/domain_os                  792  9001
Patch_m0103   SNA 3770 fixes                     5  9001
Patch_m0102   /sys/sna_3770/rje                157  9001
Patch_m0101   /sau7/ctape7b.dex                 80  9001

Has anyone got a later tape? Note that m0121 is a vital security patch
which no multi-user Apollo site should be without ...
I would have been much happier if we'd received the tape automatically
*before* we stumbled on the security hole which m0121 addresses, instead
of as an informal response to an APR. I am not going to post any details
of the hole (and I beg other people not to do so either): believe me,
it's a nasty one.

On another matter, I had some hopes that patch m0111 would fix the
extraordinary bug shown below, but it just perturbed it slightly.

% cat > pwbug.c << EOF
#include <stdio.h>
#include <pwd.h>
#include <sys/wait.h>

/*
 * Look up "root" with getpwnam(), then, if a command was given, fork and
 * execve() that command with an EMPTY environment so that the child can
 * repeat the lookup.  Usage: pwbug [command [args ...]]
 */
int
main( int argc, char **argv )
{
	register struct passwd *pw;
	extern struct passwd * getpwnam();
	int pid;
	char * NullEnv = (char *)0;	/* &NullEnv is an empty envp */
	union wait status;		/* 4.3BSD wait status */

	if ( (pw = getpwnam("root")) != (struct passwd *)0 )
		printf( "getpwnam(root) worked: root has uid %d\n", pw->pw_uid );
	else
		printf( "getpwnam(root) failed\n" );

	if( argc > 1 )
		switch( pid = fork() ) {
		case 0:
			execve( argv[1], argv+1, &NullEnv );	/* does not return */
			perror( "execve failed: " );
			_exit( 1 );
		default:
			wait( &status );	/* parent waits for the child */
		}
	return 0;
}
EOF
% cc pwbug.c -o pwbug
% pwbug pwbug			# see below
getpwnam(root) worked: root has uid 0
getpwnam(root) worked: root has uid 0
% pwbug /bin/ps u		# dies with no message ...
getpwnam(root) worked: root has uid 0
USER       PID   SZ  RSS TTY STAT TIME COMMAND
% tb -last			# ... but tb explains what happened ...
Process 6377 (parent 6376, group 6376) Time 90/06/07.17:15(AEST)
Program /bsd4.3/bin/ps
Status 03080003: heap corruption detected; block header incorrect \
	(process manager/basic heap storage manager)
In routine "pm_$proc_release" line 2105
Called from "pgm_$invoke_uid_pn" line 1160

The above is after the patch. At least it has fixed the "pwbug pwbug"
variant of the problem, which before the patch did this:

% pwbug pwbug
getpwnam(root) worked: root has uid 0
getpwnam(root) failed

The bug did not exist at 10.1. On some 10.2 nodes you didn't get failure
with one exec, but (before the patch)

% pwbug pwbug pwbug pwbug pwbug pwbug

always seemed to fail. There's nothing like a nice diagonal counter-example!
I APRed this (ID 6E3C480C) on 19 March, but have had no response. On the
whole, APR response in Australia is slow to non-existent: is this so
everywhere else too?
-- 
Jim Richardson
Department of Pure Mathematics, University of Sydney, NSW 2006, Australia
Internet: jimr@maths.su.oz.au   ACSNET: jimr@maths.su.oz   FAX: +61 2 692 4534
"When she was dark she was very very dark, but when she was light she was
lighter than air." -- J. Crowley