CPNI - Centre for the Protection of National Infrastructure


November 2005

SCO - Lynx NNTP Buffer Overflow Vulnerability [SCOSA-2005.47]

ID: 01002
Ref: 940/05
Date: 09 November 2005:15:17:20
Version: 1

Title: SCO - Lynx NNTP Buffer Overflow Vulnerability [SCOSA-2005.47]
Abstract: Ulf Harnhammar has reported a vulnerability in Lynx, which can be exploited by malicious people to compromise a user's system.
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO


Detail
======


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.4 : Lynx NNTP Buffer Overflow Vulnerability
Advisory number: SCOSA-2005.47
Issue date: 2005 November 08
Cross reference: fz533159
CVE-2005-3120
______________________________________________________________________________


1. Problem Description

Ulf Harnhammar has reported a vulnerability in Lynx, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the
"HTrjis()" function in the handling of article headers sent from
NNTP (Network News Transfer Protocol) servers. This can be
exploited to cause a stack-based buffer overflow, for example by
tricking a user into visiting a malicious web site which
redirects to a malicious NNTP server via the "nntp:" URI
handler.

Successful exploitation allows execution of arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-3120 to this issue.


2. Vulnerable Supported Versions

System                  Binaries
----------------------------------------------------------------------
UnixWare 7.1.3          /usr/gnu/bin/lynx
UnixWare 7.1.4          /usr/gnu/bin/lynx


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47


4.2 Verification

MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download p533159.image to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/p533159.image


5. UnixWare 7.1.4

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.47


5.2 Verification

MD5 (p533159.image) = bc3fd8c36aea096b7ed75a2f27950b1e

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download p533159.image to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/p533159.image


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
http://securitytracker.com/id?1015065
http://secunia.com/advisories/17216

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incident fz533159.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgments

SCO would like to thank Ulf Harnhammar for reporting this
vulnerability.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDcPYVaqoBO7ipriERAjoRAJ0U1Ik6iVjuCU2XFRAAiJ1k157D8gCeOXw6
+lnmbCl8lvRH/GYwLg2saLE=
=g4hZ
- -----END PGP SIGNATURE-----


