COMMAND
gmemusage
SYSTEMS AFFECTED
IRIX 5.3, 6.1, 6.2, 6.4
PROBLEM
A security vulnerability has been found with the gmemusage program
distributed in the Developer Toolbox versions 6.0 (based on IRIX
5.3) and 6.1 (based on IRIX 6.2), and as part of the eoe.sw.perf
subsystem for IRIX 6.1 through 6.4.
Silicon Graphics Inc. has investigated the issue and recommends
the following steps for neutralizing the exposure. It is HIGHLY
RECOMMENDED that these measures be implemented on ALL vulnerable
SGI systems running IRIX versions 5.x and 6.x. This issue has
been corrected in more recent releases of IRIX and will be
corrected in future releases of IRIX.
The gmemusage program is used to graphically display a system's
memory usage. Developer Toolbox versions 6.0 (based on IRIX 5.3)
and 6.1 (based on IRIX 6.2) contain the gmemusage program and
source code. With the Developer Toolbox, the gmemusage program
can be installed wherever desired and on any IRIX version 5.x
through 6.4.
With the release of IRIX 6.1, the gmemusage program is part of the
eoe.sw.perf subsystem and can be installed on IRIX 6.1, 6.2,
6.3 and 6.4. The eoe.sw.perf subsystem is not installed by default.
SOLUTION
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately
may not be possible.
The steps below can be used to limit the vulnerability by removing
the setuid permission. Once this is done, only root will be able
to run this program.
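An added example, not SGI's own procedure: a POSIX shell function that clears the setuid bit on the files it is given and verifies the result. The install path of gmemusage is not given on this page, so it is passed as an argument; the script name strip_setuid.sh is hypothetical.

```shell
#!/bin/sh
# Added example: audit candidate gmemusage binaries and clear the setuid bit.
# The install path is NOT given in the advisory; pass it as an argument.

# Print the state of each path and clear setuid where it is set.
# Returns 0 only if every path is a regular file that ends up without setuid.
strip_setuid() {
    rc=0
    for f in "$@"; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            # chmod follows symlinks; refuse rather than modify an unexpected target.
            echo "SKIP     $f (missing, or not a regular file)"
            rc=1
        elif [ -u "$f" ]; then
            echo "BEFORE   $(ls -ld "$f")"   # record the original mode and owner
            if chmod u-s "$f" && [ ! -u "$f" ]; then
                echo "CLEARED  $(ls -ld "$f")"
            else
                echo "FAILED   $f (setuid bit still set)"
                rc=1
            fi
        else
            echo "OK       $f (setuid bit not set)"
        fi
    done
    return $rc
}

# Usage (hypothetical script name): sh strip_setuid.sh /path/to/gmemusage [more paths...]
if [ "$#" -gt 0 ]; then
    strip_setuid "$@"
fi
```

Keep the BEFORE line in the change record so the original mode can be compared after a patch is installed.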
Unfortunately, there are no patches for IRIX 5.x, 6.0, 6.0.1 and
6.1. To remove this vulnerability you should upgrade to a newer
operating system version.
Patches are:
System      Patch
-----------------------
IRIX 6.2    1973
IRIX 6.3    1974
IRIX 6.4    1975
The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or
its mirror, ftp.sgi.com. Patches can be found in the following
directories on the FTP server:
~ftp/Security
or
~ftp/Patches/6.2
/6.3
/6.4