Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!pacbell.com!ucsd!nosc!crash!pnet01!jca
From: jca@pnet01.cts.com (John C. Archambeau)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Message-ID: <7667@crash.cts.com>
Date: 20 Feb 91 21:56:01 GMT
Sender: root@crash.cts.com
Organization: People-Net [pnet01], El Cajon CA
Lines: 46

martys@mchale.ism.isc.com (Marty Stewart) writes:

> This is mail to address the suggestions that INTERACTIVE either post
> the security hole fix to the net or put it on a ftp site where it can be
> picked up by users.
>
> Under the AT&T licensing agreement, INTERACTIVE cannot post AT&T
> code to a site where any user can pick it up. We are under the obligation
> to make sure only AT&T licensed users receive binaries that have portions of
> AT&T code in them. The fixes for the security hole are in os.o and as such,
> the code cannot be put in a public area. Another reason for not posting to
> the net is that the os.o is quite large and will take up unnecessary bandwidth
> at sites that do not need the INTERACTIVE fix.
>
> As an alternative to calling support, please send mail to
> martys@ism.isc.com and I will see to it that users are sent a fix as soon as
> support is given the fix. I will need an address, the version of software
> that you are running and your 2.0.2 or 2.2 serial number. INTERACTIVE
> apologizes for any inconveniences this may cause users.

Now this is getting to be a bloody sick joke. I find it a little bit
difficult to believe that there just isn't a simple binary patch for os.o,
much along the same lines as the inode patch that has been floating around
for ages. Might I remind you that SCO provides their patches and fixes to
the public via anonymous UUCP.

This is going about as well as a SCUD missile attack. Maybe we should get
Joe Isuzu to head ISC tech support. At least then we know that we're getting
the shaft and ISC is getting the gold mine. I want the patch in my hot little
hands before the customer goes out and buys ISC. Such security holes are
intolerable.

Maybe we should all send suggestions to Saturday Night Live for an 'Anal
Retentive Unix Vendor' skit?

// JCA

/*
 **--------------------------------------------------------------------------*
 ** Flames  : /dev/null                     | What to buy?
 ** ARPANET : crash!pnet01!jca@nosc.mil     | EISA or MCA?
 ** INTERNET: jca@pnet01.cts.com            | When will the bus wars end?
 ** UUCP    : {nosc ucsd hplabs!hp-sdd}!crash!pnet01!jca
 **--------------------------------------------------------------------------*
 */