COMMAND

    fmt(1) (/usr/sbin/fmt)

SYSTEMS AFFECTED

    IRIX versions prior to 4.0 (this includes all 3.2 and 3.3.*
    versions).  This problem has been fixed in version 4.0.

PROBLEM

    A vulnerability exists such that IRIX pre-4.0 (e.g., 3.3.3)
    systems with the basic system software ("eoe1.sw.unix") installed
    can allow unauthorized read access to users' mail messages, by
    exploiting a configuration error in a standard system utility.
    Due to the ease of exploiting this vulnerability and the
    simplicity of the corrective action, the CERT/CC urges all sites
    to install the patch given below.

SOLUTION

    As "root", execute the following commands:

    chmod 755 /usr/sbin/fmt
    chown root.sys /usr/sbin/fmt

    If system software should ever be reloaded from a 3.2 or 3.3.*
    installation tape or from a backup tape created before the patch
    was applied, repeat the above procedure immediately after the
    software has been reloaded, before enabling logins by normal
    users.
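
    To confirm the corrected state after running the commands above, or
    after a reload from tape, a check such as the following can be used.
    It is an added example, not part of the original advisory; the
    function name check_fmt_perms and its optional arguments are
    assumptions, and it expects "ls -ld" to list both owner and group.

```shell
#!/bin/sh
# Added example: verify that a file is in the state the advisory's
# chmod/chown commands produce. Function name and defaults are assumptions.
#
# Usage: check_fmt_perms [path] [owner] [group]
#   0 = mode 755 with the expected owner and group
#   1 = mode or ownership differs
#   2 = path is missing or not a regular file
check_fmt_perms() {
    file=${1:-/usr/sbin/fmt}
    want_owner=${2:-root}
    want_group=${3:-sys}
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file is not a regular file" >&2
        return 2
    fi

    # Long listing fields: mode, link count, owner, group, ...
    set -- $(ls -ld "$file")
    # Keep the ten mode characters; some systems append an ACL/label mark.
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    group=$4

    # Mode 755 is exactly rwxr-xr-x: no set-uid, set-gid or sticky bit,
    # and no write access for group or other.
    if [ "$mode" != "-rwxr-xr-x" ]; then
        echo "BAD MODE: $file is $mode, expected -rwxr-xr-x (755)" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "BAD OWNER: $file is $owner.$group, expected $want_owner.$want_group" >&2
        rc=1
    fi
    return $rc
}
```

    Called with no arguments it checks /usr/sbin/fmt against root.sys; a
    non-zero exit status means the SOLUTION commands need to be reapplied.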