IRIX contains a flaw that may allow a malicious local user to manipulate arbitrary files on the system. The issue is due to the LicenseManager creating files insecurely. It is possible for a user to set an environment variable and use a symlink style attack, resulting in a loss of integrity.

Upgrade to version 6.4 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: prevent the execution of admintool.

#chmod 400 /usr/bin/admintool

Also, Silicon Graphics, Inc. has released patches that address this vulnerability.

• CVE ID: 1999-0051 (see also: NVD)
• Bugtraq ID: 73
• ISS X-Force ID: 893
• CERT: CA-1997-01
• Vendor Specific Solution URL: ftp://ftp.sgi.com/support/Patches/
• Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/19980406-01-PX
• Vendor URL: http://www.sgi.com
• CIAC Advisory: i-045

• Yuri Volobuev - volobuevt1.chem.umn.edu -