Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!chinacat!uudell!mustang!jrh From: jrh@mustang.dell.com (James Howard) Newsgroups: comp.unix.sysv386 Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386 Keywords: BAD BUG Message-ID: <15185@uudell.dell.com> Date: 16 Feb 91 00:46:43 GMT References: <1991Feb15.035643.5542@jwt.UUCP> <1991Feb11.184130.11321@jwt.UUCP> <1991Feb12.052336.29639@motcad.portal.com> <15126@uudell.dell.com> Sender: news@uudell.dell.com Reply-To: jrh@mustang.dell.com (James Howard) Organization: Dell Computer Corp. Lines: 59 In article <1991Feb15.035643.5542@jwt.UUCP>, john@jwt.UUCP (John Temples) writes: > In article <15126@uudell.dell.com> jrh@mustang.dell.com (James Howard) writes: > >I have tried the program posted earlier on both Dell > >SVR3.2 (which is ISC 2.0.2 based) and Dell SVR4.0 (not in any way > >related to ISC ;-) ). It core dumps faithfully on both. > > Based on what I've read here (not just in regards to the security > hole), I'm starting to get the feeling that Dell is the only UNIX > vendor that has its act together. I think I might just buy Dell's > SVR4.0 even though upgrading my ESIX will probably be cheaper. > -- > John W. Temples -- john@jwt.UUCP (uunet!jwt!john) Let me attempt to correct an oversight in my original post. I tested the posted source on a 3.2 machine running here internally, but it was a 486 machine, not a 386. It did not display the bug, but of course, it did have the 486 internal equivalent of a 387, which might have affected the test. To be sure, I later tried it on several 386 systems without a mathco, and it still did not display the bug. I should have been more careful before posting that it did not occur, although it turned out to be true anyway. It has been posted elsewhere in this thread that AT&T 3.2.1 does not have this bug. Dell UNIX 1.1 (which is generally described as based on ISC 2.0.2 sources) was a merge of ISC, AT&T 3.2.1, and Dell 1.0 code bases. The likely explanation for why Dell does not display a bug in a UNIX release based on ISC source, is that ISC did not merge in all of the AT&T fixes for 3.2.1, pure supposition on my part however. So, now for the facts, right? The following machine configurations were tested, and did not display the bug. The test was done by compiling the source as posted here on USENET. System CPU / MathCo OS / Release ------------------------------------------------------- Dell 325 386 / NONE Dell SVR3.2 / 1.1 Dell 325 386 / 387 Dell SVR3.2 / 1.1 Dell 425E 486 / Builtin Dell SVR3.2 / 1.1 Dell 325P 386 / 387 Dell SVR4.0 / 2.0 Dell 325P 386 / NONE Dell SVR4.0 / 2.0 Dell 325 386 / NONE Dell SVR4.0 / 2.0 Dell 425TE 486 / Builtin Dell SVR4.0 / 2.0 I believe this covers the cases where it might be a problem, as well as a fairly wide range of hardware. If a Dell customer has the bug, it might be with Dell UNIX 1.0, which did not have the 3.2.1 fixes applied. Such a customer should contact Dell Technical Support or send mail to support@dell.dell.com (or support@uudell.dell.com) to inquire as to bug a fix. I did not test Dell UNIX 1.0, because I could not locate a system in house running the older version software. I would very much like to hear from anyone with Dell UNIX that is experiencing the bug described above. James Howard Dell Computer Corp. !'s:uunet!dell!mustang!jrh (512) 343-3480 9505 Arboretum Blvd @'s:jrh@mustang.dell.com Austin, TX 78759-7299