April 2005
SCO - Five Security Advisories
ID: 00296
Ref: 274/2005
Date: 08 April 2005:11:14:48
Version: 1
Title: SCO - Five Security Advisories
Abstract:
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO
Title
=====
SCO - Five Security Advisories:
1. OpenServer 5.0.6 OpenServer 5.0.7 : cscope local attacker can remove arbitrary files [SCOSA-2005.11]
2. OpenServer 5.0.6 OpenServer 5.0.7 : termsh atcronsh auditsh environment buffer overflows [SCOSA-2005.15]
3. UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : CDE dtlogin unspecified double free [SCOSA-2005.18]
4. UnixWare 7.1.4 : libtiff Multiple vulnerabilities [SCOSA-2005.19]
5. UnixWare 7.1.4 : cdrecord local root exploit [SCOSA-2005.20]
Detail
======
Security Advisory summaries:
1. cscope creates temporary files with an easily predictable file name. A
local attacker could exploit this vulnerability and possibly gain elevated
privileges on the system.
2. A very long HOME environment variable will cause a buffer overflow in
auditsh, atcronsh and termsh.
3. The CDE dtlogin utility has a double-free vulnerability in the X Display
Manager Control Protocol (XDMCP).
4. Multiple vulnerabilities in the RLE (run length encoding) decoders for
libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows,
allow remote attackers to execute arbitrary code via TIFF files.
5. cdrecord in the cdrtools package before 2.01, when installed setuid root,
does not properly drop privileges before executing a program specified in the
RSH environment variable, which allows local users to gain privileges.
Security Advisory content follows:
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : cscope local attacker can remove arbitrary files
Advisory number: SCOSA-2005.11
Issue date: 2005 April 7
Cross reference: sr892180 fz530504 erg712739 CAN-2004-0996
______________________________________________________________________________
1. Problem Description
cscope is a developer's tool for browsing source code.
cscope creates temporary files with an easily predictable
file name. A local attacker could exploit this vulnerability
and possibly gain elevated privileges on the system.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0996 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /usr/ccs/bin/cscope
OpenServer 5.0.7 /usr/ccs/bin/cscope
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.6
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.11
4.2 Verification
MD5 (VOL.000.000) = 1fb21699e2a86a2aeb390a57219ff567
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory
2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.
5. OpenServer 5.0.7
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.11
5.2 Verification
MD5 (VOL.000.000) = 1fb21699e2a86a2aeb390a57219ff567
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory
2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.
6. References
Specific references for this advisory:
http://xforce.iss.net/xforce/xfdb/18125
http://www.securityfocus.com/bid/11697
http://marc.theaimsgroup.com/?l=bugtraq&m=110133485519690&w=2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0996
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr892180 fz530504
erg712739.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgments
SCO would like to thank Gangstuck / Psirac
who disclosed this vulnerability. Jeremy Bae from STG
Security Inc also disclosed this
vulnerability to the vendor.
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVY+taqoBO7ipriERAqV1AJ9efhMnTGgI0X0i+9u69ESgLpF8xgCeI8Jj
e3dYzV4evbTDaDlU3X3QJfw=
=DCWX
- -----END PGP SIGNATURE-----
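The temporary-file weakness described in SCOSA-2005.11, as an added example that is not SCO's or cscope's code: a predictable, PID-based name opened without O_EXCL, beside a mkstemp() replacement. The `tool<pid>.tmp` naming, the function names and the scratch directory are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: name derived from the PID only (hypothetical naming scheme); O_CREAT
 * without O_EXCL reuses, and O_TRUNC empties, whatever already sits there. */
int open_tmp_predictable(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/tool%ld.tmp", dir, (long)getpid());
    if (n < 0 || (size_t)n >= len) return -1;
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() chooses an unpredictable name and creates it with
 * O_CREAT|O_EXCL, so an existing file or symlink is never opened. */
int open_tmp_safe(const char *dir, char *path, size_t len)
{
    int n = snprintf(path, len, "%s/toolXXXXXX", dir);
    if (n < 0 || (size_t)n >= len) return -1;
    return mkstemp(path);
}

/* Constructed scenario: a 5-byte file already sits at the predictable name.
 * Returns its size after the opener ran (5 untouched, 0 clobbered, -1 error). */
long preexisting_size_after(int use_safe)
{
    char dir[] = "/tmp/scosa-demoXXXXXX", planted[256], tmp[256];
    struct stat st;
    long result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(planted, sizeof planted, "%s/tool%ld.tmp", dir, (long)getpid());
    int pfd = open(planted, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (pfd >= 0 && write(pfd, "data\n", 5) == 5) {
        int fd = use_safe ? open_tmp_safe(dir, tmp, sizeof tmp)
                          : open_tmp_predictable(dir, tmp, sizeof tmp);
        if (fd >= 0) {
            close(fd);
            if (stat(planted, &st) == 0) result = (long)st.st_size;
            if (use_safe) unlink(tmp);
        }
    }
    if (pfd >= 0) close(pfd);
    unlink(planted);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("predictable name: planted file now %ld bytes\n", preexisting_size_after(0));
    printf("mkstemp():        planted file now %ld bytes\n", preexisting_size_after(1));
    return 0;
}
```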
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : termsh atcronsh auditsh environment buffer overflows
Advisory number: SCOSA-2005.15
Issue date: 2005 April 7
Cross reference: sr875152 fz527464 erg712238 sr886656 fz528456 erg712472 sr886657 fz528457 erg712473 CAN-2005-0351
______________________________________________________________________________
1. Problem Description
A very long HOME environment variable will cause a buffer
overflow in auditsh, atcronsh and termsh.
OpenServer 5.0.6 requires OSS646C to be installed prior to
installation of this fix.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0351 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /usr/lib/sysadm/auditsh
/usr/lib/sysadm/termsh
/usr/lib/sysadm/atcronsh
OpenServer 5.0.7 /usr/lib/sysadm/auditsh
/usr/lib/sysadm/termsh
/usr/lib/sysadm/atcronsh
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.6
4.1 First install oss646c or later
4.2 Location of oss646c
ftp://ftp.sco.com/pub/openserver5/oss646c/
4.3 Verification of oss646c
MD5 (VOL.000.000) = f19b6c6949f615316bfb075d249989e8
MD5 (VOL.000.001) = 341ff8553aecd2c7b0c2beaf83030d0f
MD5 (VOL.000.002) = 6e46708ad8029e12280d4f9ac60ab814
MD5 (VOL.000.003) = 2868b64a6a6db742adb3b485be645d7e
MD5 (VOL.000.004) = 1696fe1db9bb063827ee5e76e58dff84
MD5 (VOL.000.005) = f39da342f8af72fcaccdf478dca04109
MD5 (VOL.000.006) = 2b31611c8af7d2e7910d6e8e3cf701a6
MD5 (VOL.000.007) = d0175c0f4e3ed29435b1eab95609f8f4
MD5 (VOL.000.008) = aa9e8a525c341fed077f981b1dacb486
MD5 (VOL.000.009) = 8e023af67b57507824406bdda322079a
MD5 (VOL.000.010) = 2b46e8adba8ae0b64109f2069da978a2
4.4 Installation of oss646c
See ftp://ftp.sco.com/pub/openserver5/oss646c/oss646c.txt
4.5 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.15
4.6 Verification
MD5 (VOL.000.000) = 3b47d83661354009a73acbd2979c4d0c
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.7 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory
2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.
5. OpenServer 5.0.7
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.15
5.2 Verification
MD5 (VOL.000.000) = 3b47d83661354009a73acbd2979c4d0c
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory
2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0351
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr875152 fz527464
erg712238 sr886656 fz528456 erg712472 sr886657 fz528457
erg712473.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgments
SCO would like to thank Joel Soderberg and Christer Oberg
of Deprotect which describes itself as "a Swedish based
security company divided into four divisions; Managed
Security Services, Security Services, Products and Development
and our Security Academy."
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVZAoaqoBO7ipriERAmnRAJ9PsrKYTpWDsGM9uk+3hFRWBtoiBgCfbd70
TP1LFtZvO16TnqYIesRLAb0=
=TGHH
- -----END PGP SIGNATURE-----
3.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : CDE dtlogin unspecified double free
Advisory number: SCOSA-2005.18
Issue date: 2005 April 7
Cross reference: sr890079 fz529303 erg712592 CAN-2004-0368 CERT VU#179804
______________________________________________________________________________
1. Problem Description
The Common Desktop Environment (CDE) dtlogin utility is
used to log into a CDE session. The CDE dtlogin utility has
a double-free vulnerability in the X Display Manager Control
Protocol (XDMCP). By sending a specially-crafted XDMCP
packet to a vulnerable system, a remote attacker could
obtain sensitive information, cause a denial of service or
execute arbitrary code on the system.
See CERT Vulnerability Note VU#179804, "Common Desktop Environment
(CDE) dtlogin improperly deallocates memory", at
http://www.kb.cert.org/vuls/id/179804.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0368 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 /usr/dt/bin/dtgreet
/usr/dt/bin/dtlogin
/usr/dt/lib/libDtLogin.so.1
UnixWare 7.1.3 /usr/dt/bin/dtgreet
/usr/dt/bin/dtlogin
/usr/dt/lib/libDtLogin.so.1
UnixWare 7.1.1 See Maintenance Pack 5 notes
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18
4.2 Verification
MD5 (erg712592.pkg.Z) = d3714b22a624db25740f5539c063d407
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712592.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712592.pkg.Z
# pkgadd -d /var/spool/pkg/erg712592.pkg
5. UnixWare 7.1.3
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.18
5.2 Verification
MD5 (erg712592.713.pkg.Z) = fc8d0c4f0ebdcf65504d1b4985c7ba52
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712592.713.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712592.713.pkg.Z
# pkgadd -d /var/spool/pkg/erg712592.713.pkg
6. UnixWare 7.1.1 uw711mp5
6.1 Location of Fixed Binaries
The fixes are available in SCO UnixWare Release 7.1.1
Maintenance Pack 5 or later. See
ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt
and
ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5_errata.txt
6.2 Verification
MD5 (uw711mp5.cpio.Z) = 50bd66b7d57b2025da9dca4010d0ab1a
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.3 Installing Fixed Binaries
See uw711mp5.txt and uw711mp5_errata.txt for install instructions.
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0368
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr890079 fz529303
erg712592.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
SCO would like to thank Dave Aitel
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVYa9aqoBO7ipriERAiKPAJ9tygBRSAMRNqWS2jRKE5PWyJF4+gCff8Em
Hvk5XLjwEg89hCPj96JJ1MM=
=dRsT
- -----END PGP SIGNATURE-----
4.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : libtiff Multiple vulnerabilities
Advisory number: SCOSA-2005.19
Issue date: 2005 April 07
Cross reference: sr892971 fz531015 erg712790 CAN-2004-0803 CAN-2004-0804 CAN-2004-0886 CAN-2004-0929 CAN-2004-1183 CAN-2004-1308
______________________________________________________________________________
1. Problem Description
Updated libtiff fixes several vulnerabilities:
Multiple vulnerabilities in the RLE (run length encoding)
decoders for libtiff 3.6.1 and earlier, related to buffer
overflows and integer overflows, allow remote attackers to
execute arbitrary code via TIFF files.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0803 to this issue.
Vulnerability in tif_dirread.c for libtiff allows remote
attackers to cause a denial of service (application crash)
via a TIFF image that causes a divide-by-zero error when
the number of row bytes is zero.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0804 to this issue.
Multiple integer overflows in libtiff 3.6.1 and earlier allow
remote attackers to cause a denial of service (crash or memory
corruption) via TIFF images that lead to incorrect malloc calls.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0886 to this issue.
Heap-based buffer overflow in the OJPEGVSetField function
in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled
with the OJPEG_SUPPORT (old JPEG support) option, allows
remote attackers to execute arbitrary code via a malformed
TIFF image.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0929 to this issue.
Integer overflow in the tiffdump utility for libtiff 3.7.1 and
earlier allows remote attackers to cause a denial of service
(application crash) and possibly execute arbitrary code via a
crafted TIFF file.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1183 to this issue.
Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c
for libtiff 3.5.7 and 3.7.0 allows remote attackers to
execute arbitrary code via a TIFF file containing a TIFF_ASCII
or TIFF_UNDEFINED directory entry with a -1 entry count,
which leads to a heap-based buffer overflow.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-1308 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 libtiff distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.19
4.2 Verification
MD5 (tiff.image) = c9f976565559059f1ae413886a43c063
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download tiff.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/tiff.image
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr892971 fz531015
erg712790.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank iDEFENSE and infamous41md[at]hotpop.com
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVZtCaqoBO7ipriERAq0NAKCJyEGo562Bx4SGIYb7DQnXycvavACfXj9H
MFkNw5rfq8K3bHt9nip2nQ0=
=cjWx
- -----END PGP SIGNATURE-----
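Three of the defect classes listed in SCOSA-2005.19 (an entry count of -1, size arithmetic that wraps before malloc, and division by a zero row size), as an added example that is not libtiff's code or its actual fix. All function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Weak pattern: 32-bit "count + 1" for an ASCII field wraps to 0 when the
 * file supplies a count of 0xFFFFFFFF (-1), so the buffer is far too small. */
uint32_t naive_ascii_size(uint32_t count) { return count + 1; }

/* Checked size = count * elem_size + extra, rejected if the 32-bit arithmetic
 * would wrap or the payload is larger than the bytes left in the file. */
int checked_entry_size(uint32_t count, uint32_t elem_size, uint32_t extra,
                       uint64_t file_remaining, uint32_t *out)
{
    if (elem_size == 0) return 0;
    if (count > (UINT32_MAX - extra) / elem_size) return 0;
    uint32_t payload = count * elem_size;
    if (payload > file_remaining) return 0;
    *out = payload + extra;
    return 1;
}

/* Rows in a strip; a zero row size is refused instead of dividing by it. */
int rows_in_strip(uint32_t strip_bytes, uint32_t row_bytes, uint32_t *rows)
{
    if (row_bytes == 0) return 0;
    *rows = strip_bytes / row_bytes;
    return 1;
}

/* Copy an ASCII field out of an in-memory file image, NUL-terminated.
 * Returns NULL for any offset/count the image cannot back. Caller frees. */
char *read_ascii_entry(const uint8_t *file, size_t file_len,
                       uint32_t offset, uint32_t count)
{
    uint32_t size;
    if (offset > file_len) return NULL;
    if (!checked_entry_size(count, 1, 1, file_len - offset, &size)) return NULL;
    char *s = malloc(size);
    if (s == NULL) return NULL;
    memcpy(s, file + offset, count);
    s[count] = '\0';
    return s;
}

int main(void)
{
    const uint8_t image[] = "II*\0....Sample Artist";   /* constructed bytes */
    char *ok = read_ascii_entry(image, sizeof image, 8, 13);
    char *bad = read_ascii_entry(image, sizeof image, 8, 0xFFFFFFFFu);
    printf("naive size for count -1: %u\n", (unsigned)naive_ascii_size(0xFFFFFFFFu));
    printf("valid: %s, count -1: %s\n", ok ? ok : "(null)", bad ? "accepted" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```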
5.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 : cdrecord local root exploit
Advisory number: SCOSA-2005.20
Issue date: 2005 April 07
Cross reference: sr891408 fz530156 erg712690 CAN-2004-0806
______________________________________________________________________________
1. Problem Description
cdrecord in the cdrtools package before 2.01, when installed
setuid root, does not properly drop privileges before
executing a program specified in the RSH environment variable,
which allows local users to gain privileges.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0806 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 cdrtools distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.20
4.2 Verification
MD5 (cdrtools.pkg) = 5921506ffd8ff63a0207d946912f2493
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download cdrtools.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/cdrtools.pkg
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr891408 fz530156
erg712690.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Max Vozeler
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVaOGaqoBO7ipriERAlb/AKCi7kbIPuwmGSuBo+zT6my1MeF/ogCfRxsN
N2Ob1RbSZzEp42Fjt7LcMuo=
=PjnM
- -----END PGP SIGNATURE-----
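The privilege handling that SCOSA-2005.20 says was missing, as an added example that is not cdrtools code: a set-user-ID program gives up its privileges permanently in the child before executing a helper named by an environment variable. The function names and the `DEMO_RSH` variable are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-user-ID/set-group-ID privileges: group first (it
 * needs the elevated uid), then user, then verify nothing elevated remains.
 * Supplementary groups of a set-uid program are already the invoking user's. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* An unprivileged caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run the helper named by an environment variable (or the fallback) in a
 * child that has dropped privileges first. Returns the child's exit status,
 * 126 if the drop failed, 127 if exec failed, -1 on fork/wait error. */
int run_env_helper(const char *envname, const char *fallback, char *const argv[])
{
    const char *prog = getenv(envname);
    if (prog == NULL || *prog == '\0') prog = fallback;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges_permanently() != 0) _exit(126);
        execvp(prog, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[] = { "sh", "-c", "id -u", NULL };   /* prints the child's uid */
    return run_env_helper("DEMO_RSH", "/bin/sh", argv) == 0 ? 0 : 1;
}
```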