Alerts
ID: A5
Published: 20 July 2005
Updated: 24 April 2008
Operating System(s)
- HPUX
- Unix
Product(s)
- PVCS Version Manager
Description
HP has recently released two patches that, when applied, will prevent Version Manager from running in setuid mode.
What follows is a copy of an official warning that went out from HP on patch PHSS_30970, which is a patch for HP-UX 11.11 (a.k.a. 11i). The equivalent patch for HP-UX 11.00 is PHSS_30969, and it has the same problems.
Subject: HP-UX PATCH NOTIFY: Patch PHSS_30970 Has Warnings
Hewlett-Packard
****************************
HP IT RESOURCE CENTER
****************************
Patch PHSS_30970 has a new warning
Dear Customer,
Hewlett-Packard has issued a new warning for the following patch:
PHSS_30970 : s700_800 11.11 ld(1) and linker tools cumulative patch
Please read the "Warning Description" below to determine whether it is necessary for you to take any actions.
Warning Description:
Warning: 05/07/05 - This Critical Warning has been issued by HP.
- PHSS_30968 introduced behavior that may cause dynamically
loaded 32-bit setuid applications to fail because the
SHLIB_PATH and LD_LIBRARY_PATH environment variables are
ignored for setuid programs. The applications may fail to
start due to missing libraries or may abort at startup due to
libraries being loaded in a different order than intended.
- The same behavior is observed with superseding patch
PHSS_30970.
- The previous patch, PHSS_30966, does not exhibit this same
behavior.
- To avoid this behavior, HP recommends removing PHSS_30968
and PHSS_30970 from systems on which 32-bit setuid
applications are failing as described above. If you choose
to remove these patches, HP recommends installing PHSS_30966
after they are removed. If PHSS_30966 was installed prior to
PHSS_30968 and PHSS_30970, it will automatically be restored
when they are removed and it will not need to be
re-installed.
- Please note that PHSS_32226 is dependent upon PHSS_30970.
If PHSS_30970 is removed, PHSS_32226 must also be removed.
- This behavior will be addressed in PHSS_32864, which is
expected to be released by the end of August 2005.
If you have any questions, please contact the HP Response Center.
Thank you -
HP Patch team
When either patch is applied and a user tries to run the Version Manager GUI (pvcsvmux) or PCLI as a "non-pvcs user", they will see error messages similar to:
/usr/lib/dld.sl: Can't open shared library: /CLO/Components/JAVA_12/Src/build/HP_UX/lib/PA_RISC2.0/server/libjvm.sl
/usr/lib/dld.sl: No such file or directory
/usr/pvcs/vm/hpux/bin/pvcsvmdmn[389]: 1640 Abort=
or
/usr/pvcs/vm/hpux/bin/pvcsvmdmn[438]: 5710 Memory fault
Attempts to use CLI commands will result in:
/usr/lib/dld.sl: Can't find path for shared library: libpvcsvm.sl
/usr/lib/dld.sl: No such file or directory
ABORT instruction
even though the SHLIB_PATH environment variable is set up correctly (i.e. the vmprofile / vmcshrc file was sourced). When in doubt, simply execute the command "pcli". If that command gives you the "libjvm.sl" error shown in the first example, then you are most likely affected by the bad patch, and you should check the list of installed patches (using "swlist" or "swlist -l patch"). If the "pcli" command did not return an error, you probably just don't have your environment set up correctly to run CLI commands. To correct that problem, execute:
. VM_Install_Dir/vm/OS/bin/vmprofile
when using sh, ksh and bash, or
source VM_Install_Dir/vm/OS/bin/vmcshrc
when using csh or tcsh.
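The check described above, as an added shell example (not part of the original alert or of HP's notice): it classifies captured "pcli" output and a "swlist -l patch" listing using the patch IDs named on this page. The function names, verdict strings and sample listing are constructed, and it assumes that a bad patch listed without PHSS_32863 or PHSS_32864 means the fix is not yet in place.

```shell
#!/bin/sh
# Added example: function names and verdict strings are hypothetical.
# Patch IDs are the ones named in this alert.
BAD_PATCHES="PHSS_30968 PHSS_30969 PHSS_30970"  # setuid programs ignore SHLIB_PATH
FIX_PATCHES="PHSS_32863 PHSS_32864"             # replacement patches announced by HP

# has_patch LISTING ID: succeeds if ID occurs as a whole token in LISTING.
has_patch() {
    printf '%s\n' "$1" | grep -Eq "(^|[^A-Za-z0-9_])$2([^A-Za-z0-9_]|\$)"
}

# installed_from LISTING ID...: prints the given IDs that occur in LISTING.
installed_from() {
    listing=$1; shift
    found=""
    for id in "$@"; do
        if has_patch "$listing" "$id"; then found="$found $id"; fi
    done
    printf '%s' "${found# }"
}

# triage PCLI_OUTPUT SWLIST_OUTPUT: prints one verdict line.
triage() {
    bad=$(installed_from "$2" $BAD_PATCHES)
    fix=$(installed_from "$2" $FIX_PATCHES)
    case $1 in
        *"Can't open shared library"*libjvm.sl*)
            # Assumption: bad patch listed and no fix patch listed => roll back.
            if [ -n "$bad" ] && [ -z "$fix" ]; then
                echo "AFFECTED: $bad"
            else
                echo "LIBJVM_ERROR_OTHER_CAUSE"
            fi ;;
        # No libjvm.sl error: per the alert, the environment was probably
        # not sourced (vmprofile / vmcshrc).
        *) echo "NO_LIBJVM_ERROR" ;;
    esac
}

# Constructed sample inputs (the pcli text is the error quoted in this alert).
SAMPLE_PCLI="/usr/lib/dld.sl: Can't open shared library: /CLO/Components/JAVA_12/Src/build/HP_UX/lib/PA_RISC2.0/server/libjvm.sl"
SAMPLE_SWLIST='# PHSS_30966  1.0  (constructed entry)
# PHSS_30970  1.0  s700_800 11.11 ld(1) and linker tools cumulative patch'

# On a real system: triage "$(pcli 2>&1)" "$(swlist -l patch)"
triage "$SAMPLE_PCLI" "$SAMPLE_SWLIST"
```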
The short term workaround is to roll back the offending patches (also see HP's e-mail). The long term solution is to install one of two new patches from HP, once they become generally available:
For HP-UX 11.00: PHSS_32863
For HP-UX 11.11: PHSS_32864
Both patches are expected to be available at the end of August 2005.
If you cannot roll back the offending patch, for example because roll-back capabilities were explicitly turned off to save disk space, you should contact HP to get pre-release access to either patch (before HP's QA department has completed their tests).