Possible security vulnerabilities with Informix Dynamic Server, CSDK, and I-Connect product installers

Technote (troubleshooting)


Problem (Abstract)

Two possible security vulnerabilities have been identified with the installation scripts for IBM® Informix® Dynamic Server (IDS), IBM® Informix® Client Software Development Kit (CSDK), and IBM® Informix® Connect.

Symptom

The two possible vulnerabilities are:

  • The default permissions of the installation scripts could allow an unprivileged user to insert code which could compromise security during installation.
  • The installation process creates temporary files in the /tmp directory. It is possible for a user with access to /tmp to link to these files and thereby compromise security.

The APARs reported for these defects are:

| Product installer | Install script | APAR ID |
|---|---|---|
| IBM® Informix® Dynamic Server | installserver | |
| IBM® Informix® Dynamic Server (Bundle) | ids_install | |
| IBM® Informix® CSDK | installclientsdk | |
| IBM® Informix® Connect | installconn | |

Environment

The following products and operating systems are affected:

| Product Name | Product Version(s) | Hardware Vendor | Operating System |
|---|---|---|---|
| IBM® Informix® Dynamic Server | 10.00 | All | Unix, Linux |
| IBM® Informix® Client SDK | 2.90 | All | Unix, Linux |
| IBM® Informix® Connect | 2.90 | All | Unix, Linux |

Resolving the problem

These defects are planned to be addressed in:


| Product | Platform | Version |
|---|---|---|
| IBM® Informix® Dynamic Server | Solaris Opteron, Linux zSeries | 10.00.xC5R1 |
| IBM® Informix® Dynamic Server | All others | 10.00.xC6 |
| IBM® Informix® CSDK | All | 2.90.xC4R1 |
| IBM® Informix® Connect | All | 2.90.xC4R1 |


When these versions are released, contact your local technical support office for an upgrade to the version where the problem is addressed.

You can obtain current information about reported Informix APARs from any of the Informix Product Support Centers. To access one of the Informix Product Support Centers, visit the Informix Product Family Support page.

Important: To access APAR information, you must sign in using an IBM Registration ID. Your free ID is your single point of access to IBM web applications that use IBM Registration. If you are not currently registered, you can register now.

If you are interested in learning more about Authorized Program Analysis Reports, review the Technote: Informix APAR Information.


HOW TO AVOID THIS PROBLEM
  • Change the permissions of the install script for your product to 755.
  • Use the -log option when performing your product installation to redirect the temporary files created to a secure directory.
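
The two workarounds above as a pre-install shell check. This is an added example, not IBM code: the function names, the `ifx_install.$$` directory name and the default base directory are assumptions. The argument form of the installer's -log option is not given on this page, so the block stops at creating a private directory to point it at.

```sh
#!/bin/sh
# Added example (not IBM code): apply both workarounds before running an installer.

# True if group or others hold a write bit on the file.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Workaround 1: set the install script to 755 and confirm the result.
# Symlinks are refused so chmod cannot be redirected to another file.
harden_script() {
    script=$1
    if [ -L "$script" ] || [ ! -f "$script" ]; then
        echo "refusing: $script is not a regular file" >&2
        return 2
    fi
    chmod 755 "$script" || return 1
    if is_loosely_writable "$script"; then
        return 1
    fi
    return 0
}

# Workaround 2: create a directory only the installing user can enter, to be
# passed to the installer's -log option. mkdir fails if the path already
# exists (file, directory or symlink), so a pre-planted link is never followed.
# Directory name and default base are assumptions of this example.
make_private_logdir() {
    base=${1:-$HOME}
    dir="$base/ifx_install.$$"
    mkdir -m 700 "$dir" || return 1
    echo "$dir"
}

# Typical use (installserver is one of the scripts named in the advisory):
#   harden_script ./installserver && logdir=$(make_private_logdir) && echo "$logdir"
```

Keep the base directory outside /tmp, for example the installing user's home directory, so that other local users cannot create entries next to the log directory.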

Cross Reference information
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Information Management | Informix Servers | | AIX, HP-UX, IRIX, Linux, Solaris | 10.0 | Workgroup, Enterprise, Express |
| Information Management | Informix Tools | Informix Client Software Development Kit (CSDK) | AIX, HP-UX, IRIX, Linux, Solaris | 2.9 | |
| Information Management | Informix Tools | Informix Connect | AIX, HP-UX, IRIX, Linux, Solaris | 2.9 | |


Document information

More support for: Informix Servers
Software version: 10.0
Operating system(s): AIX, HP-UX, IRIX, Linux, Solaris
Software edition: Enterprise, Express, Workgroup
Reference #: 1247438
Modified date: 2006-10-30
