Patches are binary code modifications that affect the way Sun-supplied software operates. Sun releases them either because previously identified bugs have been fixed, or because a security exploit has been discovered in a piece of software and a simple workaround is inadequate to prevent intrusion or disruption of normal system activity. For example, until recently many of the older Solaris daemons suffered from buffer overflow vulnerabilities, in which a rogue client deliberately writes past the fixed boundaries of an array to crash the system. Many system daemons, such as web servers, may be crashed in this way because memory outside the declared size of an array is overwritten with arbitrary values. Without appropriate bounds checking, passing a 1025-byte GET request to a web server when the array size is 1024 would clearly result in unpredictable behavior, as the C language does not prevent a program from doing this. Since Solaris daemons are typically written in C, a number have been fixed in recent years to prevent this problem from occurring (but you may be surprised at just how often new weaknesses are exposed). Sendmail, IMAP, and POP daemons for Solaris have all experienced buffer overflow vulnerabilities in the past that required urgent installation of security patches.
For early Solaris 9 installations out-of-the-box, two critical problems were typically identified, both associated with gaining root access via buffer overflow:
The CDE-based Calendar Manager service may be vulnerable to a buffer overflow attack, as identified in CVE 1999-0320 and 1999-0696. The Calendar Manager is used to manage appointments and other date/time based functions.
The remote administration daemon (sadmind) may be vulnerable to a buffer overflow attack, as described in CVE 1999-0977. The remote administration daemon is used to manage system administration activities across a number of different hosts.
The CVE number matches descriptions of each security issue from the Common Vulnerabilities and Exposures database (http://cve.mitre.org/). Each identified vulnerability will contain a hyperlink back to the CVE database, so that information displayed about every issue is updated directly from the source. New patches and bug fixes are also listed.
To find out information about current patches, sysadmins are directed to the http://www.sunsolve.com/ site. Here, details about current patches for each operating system release can be found. There are two basic types of patches available from SunSolve: single patches and jumbo patches. Single patches have a single patch number associated with them; are generally aimed at resolving a single outstanding issue; and usually insert, delete, or update data in a small number of files. Single patches are also targeted at resolving specific security issues. Each patch is associated with an internal bug number from Sun’s bug database. For example, patch number 108435-01 aims to fix BugId 4318566, involving a shared library issue with the 64-bit C++ compiler.
In contrast, a jumbo patch consists of many single patches that have been bundled together, on the basis of operating system release levels, to ensure that the most common issues for a particular platform are resolved by the installation of the jumbo patch. It's standard practice to install the current jumbo patch for Solaris 9 once the operating system has been installed from scratch, or if the system has been upgraded from Solaris 7.
Some of the latest patches released for Solaris 9 include the following:
110322-01: Patch for /usr/lib/netsvc/yp/ypbind
110853-01: Patch for Sun-Fire-880
110856-01: Patch for /etc/inet/services
110888-01: Patch for figgs
110894-01: Patch for country name
110927-01: Patch for SUNW_PKGLIST
111078-01: Patch Solaris Resource Manager
111295-01: Patch for /usr/bin/sparcv7/pstack and /usr/bin/sparcv9/pstack
111297-01: Patch for /usr/lib/libsendfile.so.1
111337-01: Patch for /usr/sbin/ocfserv
111400-01: Patch for KCMS configure tool
111402-01: Patch for crontab
111431-01: Patch for /usr/lib/libldap.so.4
111439-01: Patch for /kernel/fs/tmpfs
111473-01: Patch for PCI Host Adapter
111562-01: Patch for /usr/lib/librt.so.1
111564-01: Patch for SunPCi 2.2.1
111570-01: Patch for uucp
111588-01: Patch for /kernel/drv/wc
111606-01: Patch for /usr/sbin/in.ftpd
111624-01: Patch for /usr/sbin/inetd
111648-01: Patch for env3test, cpupmtest, ifbtest, and rsctest
111656-01: Patch for socal and sf drivers
111762-01: Patch for Expert3D and SunVTS
One of the most useful guides to the currently available patches for Solaris 9 is the SunSolve Patch Report (ftp://sunsolve.sun.com/pub/patches/Solaris8.PatchReport). This report provides a quick reference to all newly released patches for the platform, as well as updates on previous patches that have now been modified. A list of suggested patches for the platform is also contained in the Report, while recommended security patches are listed separately. Finally, a list of obsolete patches is provided. Some of the currently listed security patches available include the following:
108528-09: Patch for kernel update
108869-06: Patch for snmpdx/mibiisa/libssasnmp/snmplib
108875-09: Patch for c2audit
108968-05: Patch for vol/vold/rmmount
108975-04: Patch for /usr/bin/rmformat and /usr/sbin/format
108985-03: Patch for /usr/sbin/in.rshd
108991-13: Patch for /usr/lib/libc.so.1
109091-04: Patch for /usr/lib/fs/ufs/ufsrestore
109134-19: Patch for WBEM
109234-04: Patch for Apache and NCA
109279-13: Patch for /kernel/drv/ip
109320-03: Patch for LP
109322-07: Patch for libnsl
109326-05: Patch for libresolv.so.2 and in.named
109354-09: Patch for dtsession
109783-01: Patch for /usr/lib/nfs/nfsd
109805-03: Patch for pam_krb5.so.1
109887-08: Patch for smartcard
109888-05: Patch for platform drivers
109892-03: Patch for /kernel/drv/ecpp driver
109894-01: Patch for /kernel/drv/sparcv9/bpp driver
109896-04: Patch for USB driver
109951-01: Patch for jserver buffer overflow
Figure 15-1 shows the main screen on SunSolve that lists all of the available jumbo patches and recommended clusters for Solaris 9.
To determine which patches are currently installed on your system, you need to use the showrev command as follows:
# showrev -p
Patch: 107430-01 Obsoletes: Requires: Incompatibles: Packages: SUNWwsr
Patch: 108029-01 Obsoletes: Requires: Incompatibles: Packages: SUNWwsr
Patch: 107437-03 Obsoletes: Requires: Incompatibles: Packages: SUNWtiu8
Patch: 107316-01 Obsoletes: Requires: Incompatibles: Packages: SUNWploc
Patch: 107453-01 Obsoletes: Requires: Incompatibles: Packages: SUNWkvm, SUNWcar
Patch: 106541-06 Obsoletes: 106976-01, 107029-01, 107030-01, 107334-01 Requires: Incompatibles: Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWcpr, SUNWdpl, SUNWhea, SUNWtoo, SUNWpcmci, SUNWtnfc, SUNWvolr
Patch: 106541-10 Obsoletes: 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01 Requires: 107544-02 Incompatibles: Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolr
Patch: 106541-15 Obsoletes: 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01, 108752-01, 107147-08, 109104-04 Requires: 107544-02 Incompatibles: Packages: SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWnisu, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolu, SUNWvolr
From the example shown here, we can see that showrev reports several different properties of each patch installed:
The patch number.
Whether the patch obsoletes a previously released patch (or patches) and which version numbers.
Whether there are any prerequisite patches (and their version numbers) on which the current patch depends.
Whether the patch is incompatible with any other patches.
What standard Solaris packages are affected by installation of the patch.
From one of these examples (106541-15), we can see that it obsoletes a large number of other patches, including 106832-03, 106976-01, 107029-01, 107030-01, 107334-01, 107031-01, 107117-05, 107899-01, 108752-01, 107147-08, and 109104-04. In addition, it depends on patch 107544-02, and is compatible with all other known patches. Finally, it affects a large number of different packages, including SUNWkvm, SUNWcsu, SUNWcsr, SUNWcsl, SUNWcar, SUNWesu, SUNWarc, SUNWatfsr, SUNWscpu, SUNWcpr, SUNWdpl, SUNWhea, SUNWipc, SUNWtoo, SUNWnisu, SUNWpcmci, SUNWpcmcu, SUNWtnfc, SUNWvolu, and SUNWvolr.
To install single patches, you simply need to use the patchadd command
# patchadd /patches/106541-15
where /patches is the directory to which your patches are downloaded, and 106541-15 is the name of the patch file (it should be the same as the patch number).
To add a large number of patches from the same directory, pass the directory to the -M option and list the patch IDs after it:
# patchadd -M /patches 106541-15 106541-10 107453-01
where 106541-15, 106541-10, and 107453-01 are the patches to be installed. Once the patches have been successfully installed, they can be verified by using the showrev command. For example, to check that patch 106541-15 has been successfully installed, the following command could be used:
# showrev -p | grep 106541-15
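A stricter form of the verification step above, as an added example that is not part of the original text: grep matches a patch ID anywhere on a line, including the Obsoletes: and Requires: fields of other patches, so this script matches the Patch: field only and also lists unmet Requires: entries. The function names and the sample records are constructed for illustration, and treating an equal or higher installed revision as satisfying a requirement is an assumption.

```shell
#!/bin/sh
# Constructed sample in the one-record-per-line form printed by `showrev -p`
# (records based on the listing above, with shortened field lists).
sample_showrev() {
cat <<'EOF'
Patch: 107430-01 Obsoletes: Requires: Incompatibles: Packages: SUNWwsr
Patch: 107453-01 Obsoletes: Requires: Incompatibles: Packages: SUNWkvm, SUNWcar
Patch: 106541-10 Obsoletes: 106832-03, 106976-01 Requires: 107544-02 Incompatibles: Packages: SUNWkvm, SUNWcsu
Patch: 106541-15 Obsoletes: 106832-03, 109104-04 Requires: 107544-02 Incompatibles: Packages: SUNWkvm, SUNWcsu
EOF
}

# patch_installed ID: reads showrev -p output on stdin and succeeds only if ID
# is the Patch: field of a record (hypothetical helper, not a Solaris command).
# On a live system: showrev -p | patch_installed 106541-15
patch_installed() {
    awk -v id="$1" '$1 == "Patch:" && $2 == id { found = 1 } END { exit !found }'
}

# missing_requires: prints "PATCH needs REQ" for every Requires: entry that no
# installed patch satisfies. Assumption: the same base number at an equal or
# higher revision counts as satisfying the requirement.
missing_requires() {
    awk '
    $1 == "Patch:" {
        split($2, p, "-")
        # Remember the highest installed revision for each base number.
        if (!(p[1] in rev) || p[2] + 0 > rev[p[1]] + 0) rev[p[1]] = p[2]
        n++; id[n] = $2; line[n] = $0
    }
    END {
        for (i = 1; i <= n; i++) {
            s = line[i]
            # Keep only the text between "Requires:" and "Incompatibles:".
            sub(/.*Requires:/, "", s); sub(/Incompatibles:.*/, "", s)
            m = split(s, r, /[ ,]+/)
            for (j = 1; j <= m; j++) {
                if (r[j] == "") continue
                split(r[j], q, "-")
                if (!(q[1] in rev) || rev[q[1]] + 0 < q[2] + 0)
                    print id[i] " needs " r[j]
            }
        }
    }'
}
```

In the constructed sample, 109104-04 appears only in an Obsoletes: field, so grep finds it while patch_installed correctly reports it as not installed.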
Patches can be easily removed by using the patchrm command. For example, to remove the patch 106541-15, the following command would be used:
# patchrm 106541-15
If the patch was previously installed, it would now be removed. However, if the patch was not previously installed, the following error message would be displayed:
Checking installed packages and patches...
Patch 106541-15 has not been applied to this system.
patchrm is terminating.