IBM Support

IT05707: TSM UNIX AND LINUX CLIENT LOCAL ESCALATION OF PRIVILEGE VULNERABILITY DUE TO STACK-BASED BUFFER OVERFLOW

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Local escalation of privilege security vulnerability in TSM UNIX
    and Linux clients due to stack-based buffer overflow.
    CVSS score: 7.2
    

Local fix

  • Change the permissions on dsmtca so that only trusted users are
    permitted to execute it.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Tivoli Storage Manager Client 5.4 through 6.3 users running  *
    * on Unix or Linux system                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * See ERROR DESCRIPTION                                        *
    * For additional details, refer to the                         *
    * security bulletin published here:                            *
    * http://www.ibm.com/support/docview.wss?uid=swg21695878       *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply fixing level when available. This problem is currently *
    * projected to be fixed in Tivoli Storage Manager Client in    *
    * levels 5.4.4, 5.5.5, 6.1.6, 6.2.6, and 6.3.2.3. Note that    *
    * this is subject to change at the discretion of IBM.          *
    ****************************************************************
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    ***********
    

Problem conclusion

  • Validation of the command line argument lengths was added to
    prevent the buffer overflow.
    

Temporary fix

  • A fix for this problem is currently targeted for Tivoli Storage
    Manager Client interim fix package 5.4.3.7, 5.5.4.4, 6.1.5.7,
    6.2.5.4, and 6.3.2.3.  Until the interim fix is actually
    available, this information is subject to change at the
    discretion of IBM.
    

Comments

APAR Information

  • APAR number

    IT05707

  • Reported component name

    TSM CLIENT

  • Reported component ID

    5698ISMCL

  • Reported release

    63L

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2014-11-25

  • Closed date

    2016-08-26

  • Last modified date

    2016-08-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TSM CLIENT

  • Fixed component ID

    5698ISMCL

Applicable component levels

  • R54L PSY

       UP

  • R55L PSY

       UP

  • R61L PSY

       UP

  • R62L PSY

       UP

  • R63L PSY

       UP



Document information

More support for: Tivoli Storage Manager

Software version: 63L

Reference #: IT05707

Modified date: 26 August 2016