=============================================================
IBM i Access for Windows patch for Security Bulletin CVE-2015-0114

(c) Copyright IBM Corporation 1996, 2015. All rights reserved.
=============================================================

This document is provided "as is" without warranty of any kind.
IBM disclaims all warranties, whether expressed or implied,
including without limitation, the implied warranties of fitness
for a particular purpose and merchantability with respect to the
information in this document. By furnishing this document, IBM
grants no licenses to any patents or copyrights.

=============================================================

-------------------------------------------------------------------
TABLE OF CONTENTS
-------------------------------------------------------------------

1.0 INFORMATION FOR Security Bulletin CVE-2015-0114
    1.1 Problem Description
    1.2 Problem Resolution
2.0 INSTALLATION NOTES
    2.1 Applying the patch
    2.2 Removing the patch
3.0 PERMANENT FIX DELIVERY
4.0 REPORTING PROBLEMS
5.0 ATTRIBUTION

-------------------------------------------------------------------
1.0 INFORMATION FOR Security Bulletin CVE-2015-0114
-------------------------------------------------------------------

1.1 Problem Description
-------------------------------------------------------------------

The 5250 emulator in IBM i Access for Windows is vulnerable to a
stack-based buffer overflow, caused by improper bounds checking.
A local attacker could overflow a buffer and execute arbitrary code
on the system or cause the application to crash.

-------------------------------------------------------------------
1.2 Problem Resolution
-------------------------------------------------------------------

A temporary patch has been provided for workstations that have
7.1 IBM i Access for Windows with service pack SI53809.
Apply the patch as outlined below.

-------------------------------------------------------------------
2.0 INSTALLATION NOTES
-------------------------------------------------------------------

2.1 Applying the patch
-------------------------------------------------------------------

This temporary patch is only compatible with 7.1 IBM i Access
for Windows service pack SI53809.

1) Close all open emulator sessions.
2) Locate the "Emulator" folder inside the IBM i Access install path.
   By default, this is
   "C:\Program Files (x86)\IBM\Client Access\Emulator"
3) In that directory, rename the file pcspref.dll to pcspref.dll.bak
4) Save the patch version of pcspref.dll into this directory.

2.2 Removing the patch
-------------------------------------------------------------------

1) Close all open emulator sessions.
2) Locate the "Emulator" folder inside the IBM i Access install path.
   By default, this is
   "C:\Program Files (x86)\IBM\Client Access\Emulator"
3) Rename the file pcspref.dll.bak to pcspref.dll

-------------------------------------------------------------------
3.0 PERMANENT FIX DELIVERY
-------------------------------------------------------------------

The permanent fix will be delivered in a future service pack for 7.1.
No special action (beyond installing the appropriate 7.1 updates)
will be necessary for the user to acquire the permanent fix.

-------------------------------------------------------------------
4.0 REPORTING PROBLEMS
-------------------------------------------------------------------

If you need to report a problem with the 5250 emulator any time
after you have installed this patch, please let your IBM service
representative know this patch has been applied.

-------------------------------------------------------------------
5.0 ATTRIBUTION
-------------------------------------------------------------------

Thanks to Fernando Muñoz, from NULL Group http://nullgroup.com/
for reporting this issue. It is tracked as CVE-2015-0114.

[END OF DOCUMENT]
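
Added example, not part of the IBM document and not IBM-supplied code:
a PowerShell script for the steps in section 2.1 that refuses to run
while pcspref.dll is still loaded, keeps the .bak copy, and rolls back
as in section 2.2 if the copy fails. The -PatchedDll parameter (where
the downloaded patch file was saved) is an assumption; run the script
from an elevated prompt.

```powershell
# Added example (not IBM code). -PatchedDll is an assumed download path.
param(
    [string]$EmulatorDir = 'C:\Program Files (x86)\IBM\Client Access\Emulator',
    [Parameter(Mandatory)][string]$PatchedDll
)
$ErrorActionPreference = 'Stop'
$target = Join-Path $EmulatorDir 'pcspref.dll'
$backup = "$target.bak"

if (-not (Test-Path -LiteralPath $target))     { throw "Not found: $target" }
if (-not (Test-Path -LiteralPath $PatchedDll)) { throw "Not found: $PatchedDll" }
if (Test-Path -LiteralPath $backup) {
    throw "$backup already exists; the patch may already be applied."
}

# Step 1 check. Windows generally allows a loaded DLL to be renamed, so the
# rename alone would not reveal a session that is still running the old code.
# An exclusive read/write open fails while any process has the file mapped.
try {
    $fs = [System.IO.File]::Open($target, 'Open', 'ReadWrite', 'None')
    $fs.Close()
} catch [System.IO.IOException] {
    throw 'pcspref.dll is in use. Close all emulator sessions and retry.'
}

$before = (Get-FileHash -LiteralPath $target     -Algorithm SHA256).Hash
$new    = (Get-FileHash -LiteralPath $PatchedDll -Algorithm SHA256).Hash
if ($before -eq $new) { throw 'Installed DLL already matches the patch file.' }

Rename-Item -LiteralPath $target -NewName 'pcspref.dll.bak'      # step 3
try {
    Copy-Item -LiteralPath $PatchedDll -Destination $target      # step 4
    $after = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($after -ne $new) { throw 'Copied DLL does not match the patch file.' }
} catch {
    # Roll back as in section 2.2 so the emulator is left with a working DLL.
    Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
    Rename-Item -LiteralPath $backup -NewName 'pcspref.dll'
    throw
}

# Record both hashes so later audits can tell patched workstations apart.
[pscustomobject]@{ Original = $before; Patched = $after; Backup = $backup }
```

The hashes it prints are only a local record; the document above does
not publish a reference hash for the patched pcspref.dll.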