Multiple Vendor CDE dtaction Userflag Buffer Overflow Vulnerability

Updated SGI advisory (20021102-02-P) and patch details available.

This solution information has been quoted from CERT Advisory CA-99-11: Four Vulnerabilities in the Common Desktop Environment. This advisory is referenced in the 'Credit' section of this vulnerability entry. Please note that some of these fixes are temporary, this information is not considered to be complete given that some vendors are still investigating this problem as of the posting of this entry and some of the provided information is incomplete.

Compaq's Tru64/DIGITAL UNIX

This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.

This patch can be installed on:

V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1

*This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX.

This patch may be obtained from the World Wide Web at the following FTP address:

IBM Corporation

All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and #4. AIX is not vulnerable to #2. The following APARs will be available soon:

AIX 4.1.x: IY03125 IY03847
AIX 4.2.x: IY03105 IY03848
AIX 4.3.x: IY02944 IY03849

Customers that do not require the CDE desktop functionality can disable CDE by restricting access to the CDE daemons and removing the dt entry from /etc/inittab. Run the following commands as root to disable CDE:

# /usr/dt/bin/dtconfig -d
# chsubserver -d -v dtspc
# chsubserver -d -v ttdbserver
# chsubserver -d -v cmsd
# chown root.system /usr/dt/bin/*
# chmod 0 /usr/dt/bin/*

For customers that require the CDE desktop functionality, a temporary fix is available via anonymous ftp from:

Filename sum md5
dtaction_4.1 32885 18 82af470bbbd334b240e874ff6745d8ca
dtaction_4.2 52162 18 b10f21abf55afc461882183fbd30e602
dtaction_4.3 56550 19 6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1 29234 2132 f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2 21934 2132 73f32a73873caff06057db17552b8560
libtt.a_4.3 12154 2118 b0d14b9fe4a483333d64d7fd695f084d
ttauth 56348 31 495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1 19528 337 bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2 46431 338 05949a483c4e390403055ff6961b0816
ttsession_4.3 54031 339 e1338b3167c7edf899a33520a3adb060

NOTE - This temporary fix has not been fully regression tested. Use the following steps (as root) to install the temporary fix.

1. Uncompress and extract the fix.

# uncompress < cdecert.tar.Z | tar xf -
# cd cdecert

2. Replace the vulnerable executables with the temporary fix for
your version of AIX.

# (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
# (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
# (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
# chown root.system /usr/dt/lib/libtt.a.before_security_fix
# chown root.system /usr/dt/bin/ttsession.before_security_fix
# chown root.system /usr/dt/bin/dtaction.before_security_fix
# chmod 0 /usr/dt/lib/libtt.a.before_security_fix
# chmod 0 /usr/dt/bin/ttsession.before_security_fix
# chmod 0 /usr/dt/bin/dtaction.before_security_fix
# cp ./libtt.a_ /usr/dt/lib/libtt.a
# cp ./ttsession_ /usr/dt/bin/ttsession
# cp ./dtaction_ /usr/dt/bin/dtaction
# cp ./ttauth /usr/dt/bin/ttauth
# chmod 555 /usr/dt/lib/libtt.a
# chmod 555 /usr/dt/bin/ttsession
# chmod 555 /usr/dt/bin/dtaction
# chmod 555 /usr/dt/bin/ttauth

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference

or send electronic mail to "" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send electronic mail to "" with the word "subscribe Security_APARs" in the "Subject:" line.

Sun Microsystems

The following patches are available:

CDE version Patch ID
___________ _________
1.3 sparc 108219-01
1.3 x86 108220-01
1.2 x86 108201-01
1.2 x86 108202-01

SunOS version Patch ID
---------------- ---------------
SunOS 5.7 sparc 108219-01
SunOS 5.7 x86 108220-01
SunOS 5.6 sparc 108201-01
SunOS 5.6 x86 108202-01

Patches are available to all Sun customers at

Sun Solaris 7.0
  • Sun 108219-01

Sun Solaris 7.0_x86
  • Sun 108220-01

Sun Solaris 2.6
  • Sun 108201-01

  • IBM IY02944

IBM AIX 4.3.1
  • IBM IY02944

IBM AIX 4.3.2
  • IBM IY02944


SGI IRIX 6.5.1

SGI IRIX 6.5.10

SGI IRIX 6.5.10 f

SGI IRIX 6.5.10 m

SGI IRIX 6.5.11

SGI IRIX 6.5.11 m

SGI IRIX 6.5.11 f

SGI IRIX 6.5.12 f

SGI IRIX 6.5.12 m

SGI IRIX 6.5.12

SGI IRIX 6.5.13 f

SGI IRIX 6.5.13 m

SGI IRIX 6.5.13

SGI IRIX 6.5.14

SGI IRIX 6.5.2

SGI IRIX 6.5.2 m

SGI IRIX 6.5.2 f

SGI IRIX 6.5.3

SGI IRIX 6.5.3 m

SGI IRIX 6.5.3 f

SGI IRIX 6.5.4 m

SGI IRIX 6.5.4

SGI IRIX 6.5.4 f

SGI IRIX 6.5.5

SGI IRIX 6.5.5 m

SGI IRIX 6.5.5 f

SGI IRIX 6.5.6 m

SGI IRIX 6.5.6 f

SGI IRIX 6.5.6

SGI IRIX 6.5.7 m

SGI IRIX 6.5.7

SGI IRIX 6.5.7 f

SGI IRIX 6.5.8 m

SGI IRIX 6.5.8

SGI IRIX 6.5.8 f

SGI IRIX 6.5.9 f

SGI IRIX 6.5.9 m

SGI IRIX 6.5.9


Privacy Statement
Copyright 2010, SecurityFocus