Secunia

IBM has issued updates for Informix. These fix multiple vulnerabilities allowing malicious users to escalate their privileges.

1) Multiple executable files with setuid attributes contain boundary errors in the handling of the "GL_PATH" environment variable. This can be exploited by malicious local users to cause a buffer overflow and execute arbitrary code with escalated privileges.

2) Certain executable files open and parse files when executed. The parsing of certain files is flawed and contain a format string vulnerability which can be exploited by editing these files. Normally these files aren't accessible, however, users can change the "INFORMIXDIR" environment variable so the files are read from a different location.

3) The program "onshowaudit" try to read files from "/tmp" with root privileges. This can be exploited by malicious local users to see the content of arbitrary files by linking from the files in "/tmp" to files with sensitive data, such as "/etc/shadow".

4) The "ontape" binary contains a boundary error which allows malicious local users to cause a buffer overflow by setting a long "ONCONFIG" environment variable. This can be exploited to gain root privileges.

5) The "onedcu" executable doesn't drop privileges before writing to the log file "\001". This can be exploited to overwrite arbitrary files by creating links.

According to vendor this affects:
IBM Informix Dynamic Server (IDS) 9.40.xC1
IBM Informix Extended Parallel Server (XPS) version 8.40.UCx

Solution
Contact Customer Services for an upgrade to IBM Informix Dynamic Server 9.40.UC3 or IBM Informix Extended Parallel Server 8.40.UD1.
Further details available in Customer Area

Provided and/or discovered by
Issue 1 and 2 was reported by KF
Issue 3, 4 and 5 was reported by Juan Manuel Pascual Escriba

Original Advisory
http://www-1.ibm.com/support/docview.wss?uid=swg21153336

Deep Links
Links available in Customer Area