Original issue date: October 31, 1990<BR> 
Last revised: September 17, 1997<BR>
		Attached Copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT/CC has received the following report of a vulnerability in
/usr/sbin/Mail, present only in IRIX 3.3 and 3.3.1.  This information was
provided to the CERT/CC by Robert Stephens, of Silicon Graphics Inc.

<P><HR>
<H2>I. Description</H2>

/usr/sbin/Mail, which is installed set-group-id to group mail, can fail to
reset its group id to the group id of the caller.
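<P>The following C code is an added example, not SGI's fix and not code from
this advisory: it shows a set-group-id program resetting all of its group ids
to the caller's, verifying the result, and only then opening a file. The
function names are hypothetical, and it assumes a system that provides
setresgid() and getresgid() (for example Linux and the BSDs).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-group-id privilege.
 * Returns 0 when the real, effective and saved gid all equal the
 * caller's real gid, and -1 otherwise. */
int drop_setgid_privilege(void)
{
    gid_t caller = getgid();      /* gid of the user who ran the program */
    gid_t r, e, s;

    /* setresgid sets all three ids at once, so no saved copy of the
     * privileged gid is left behind to switch back to. */
    if (setresgid(caller, caller, caller) != 0)
        return -1;

    /* Never assume the call worked: read the ids back and compare. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    if (r != caller || e != caller || s != caller)
        return -1;
    return 0;
}

/* Hypothetical helper: open a user-named file only after the drop, so the
 * kernel checks access with the caller's group, not the privileged one. */
FILE *open_as_caller(const char *path)
{
    if (drop_setgid_privilege() != 0) {
        errno = EPERM;
        return NULL;              /* fail closed: no drop, no open */
    }
    return fopen(path, "r");
}

int main(int argc, char **argv)
{
    /* /dev/null is a constructed default input for a stand-alone run. */
    FILE *f = open_as_caller(argc > 1 ? argv[1] : "/dev/null");
    if (f == NULL) {
        perror("open_as_caller");
        return 1;
    }
    printf("egid=%ld rgid=%ld\n", (long)getegid(), (long)getgid());
    fclose(f);
    return 0;
}
```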
<H2>II. Impact</H2>

This can allow any user logged onto the system to read any other user's
(including root's) mail.
<H2>III. Solution</H2>

A fixed /usr/sbin/Mail binary has been made available for anonymous ftp
from SGI.COM ([192.48.153.1]).  The correct binary can be found at:

<P>sgi/Mail/Mail

<P>under the ftp directory.

<P>Note that this binary must be installed with the same group (mail) and
permissions (2755) as your existing 3.3 or 3.3.1 /usr/sbin/Mail.

<P>For further questions, please contact your Silicon Graphics support center
(Geometry Partners HOTLINE number: (800) 345-0222).



<P><HR>

<P>Copyright 1990 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
September 17, 1997  Attached Copyright Statement
</PRE>