December 2005

ID: 01114
Ref: 1046/2005
Date: 20 December 2005:09:12:54
Version: 1

---

Title: Four SCO Security Advisories
Abstract:
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO

---

Title
=====

Four SCO Security Advisories:

1. SCOSA-2005.58 - UnixWare 7.1.4 : Gzip Multiple Vulnerabilities

2. SCOSA-2005.59 - OpenServer 5.0.7 OpenServer 6.0.0 : Gzip Multiple
Vulnerabilities

3. SCOSA-2005.60 - UnixWare 7.1.3 UnixWare 7.1.4 : Tcpdump Denial of Service

4. SCOSA-2005.61 - OpenServer 6.0.0 : Tcpdump Denial of Service

Detail
======

1. zgrep in gzip does not properly sanitize arguments, which allows
local users to execute arbitrary commands via filenames that are
injected into a sed script.

2. zgrep in gzip does not properly sanitize arguments, which allows
local users to execute arbitrary commands via filenames that are
injected into a sed script.

3. Various flaws in tcpdump can allow remote attackers to cause
denial of service.

4. Various flaws in tcpdump can allow remote attackers to cause
denial of service.



1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.4 : Gzip Multiple Vulnerabilities
Advisory number: SCOSA-2005.58
Issue date: 2005 December 16
Cross reference: sr894862 erg712915 fz532919
CVE-2005-0758 CVE-2005-0988 CVE-2005-1228
______________________________________________________________________________


1. Problem Description

zgrep in gzip does not properly sanitize arguments, which allows
local users to execute arbitrary commands via filenames that are
injected into a sed script.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-0758 to this issue.

Race condition in gzip, when decompressing a gzipped file,
allows local users to modify permissions of arbitrary files via
a hard link attack on a file while it is being decompressed,
whose permissions are changed by gzip after the decompression is
complete.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-0988 to this issue.

Directory traversal vulnerability in gunzip -N allows remote
attackers to write to arbitrary directories via a .. (dot dot)
in the original filename within a compressed file.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1228 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 gzip distribution


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.4

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.58


4.2 Verification

MD5 (gzip.image) = 82e72a751b0cfee5e7e51680052d2651

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download gzip.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/gzip.image


5. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228
http://secunia.com/advisories/15047
http://www.securityfocus.com/bid/12996
http://xforce.iss.net/xforce/xfdb/20199

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr894862 erg712915
fz532919.


6. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDoz+WaqoBO7ipriERAnT1AJ9Oo0xrb4AXRUHL5nbA51jJuzxiIQCgmTHI
G/Y6bv22+MAt3Okm+FhJo7U=
=pF7S
- -----END PGP SIGNATURE-----


2.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: OpenServer 5.0.7 OpenServer 6.0.0 : Gzip Multiple Vulnerabilities
Advisory number: SCOSA-2005.59
Issue date: 2005 December 16
Cross reference: sr864726 erg712907 fz532854 sr864725 erg712906 fz532855
CVE-2005-0758 CVE-2005-0988 CVE-2005-1228
______________________________________________________________________________


1. Problem Description

zgrep in gzip does not properly sanitize arguments, which allows
local users to execute arbitrary commands via filenames that are
injected into a sed script.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-0758 to this issue.

Race condition in gzip, when decompressing a gzipped file,
allows local users to modify permissions of arbitrary files via
a hard link attack on a file while it is being decompressed,
whose permissions are changed by gzip after the decompression is
complete.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-0988 to this issue.

Directory traversal vulnerability in gunzip -N allows remote
attackers to write to arbitrary directories via a .. (dot dot)
in the original filename within a compressed file.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1228 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 gzip distribution
OpenServer 6.0.0 gzip distribution


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.7

4.1 Location of Fixed Binaries

The fixes are only available in SCO OpenServer Release 5.0.7
Maintenance Pack 4 or later.

ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar


4.2 Verification

MD5 (osr507mp4_vol.tar) = 4c87d840ff5b43221258547d19030228

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

See the SCO OpenServer Release 5.0.7 Maintenance Pack 4 Release
and Installation Notes:

ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm


5. OpenServer 6.0.0

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.59


5.2 Verification

MD5 (VOL.000.000) = 2f882aed13d5d0386880fad4f0ee8860

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory.

2) Run the custom command, specify an install
from media images, and specify the directory as
the location of the images.


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1228
http://secunia.com/advisories/15047
http://www.securityfocus.com/bid/12996
http://xforce.iss.net/xforce/xfdb/20199

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr864726 erg712907
fz532854 sr864725 erg712906 fz532855.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDo0QsaqoBO7ipriERAiD7AJ9uMkNTFe+HMx1knQGlNXAbxT+wagCfUtMO
lkaSesgOnhrzol2tEWkeBDM=
=uGJ7
- -----END PGP SIGNATURE-----


3.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.4 : Tcpdump Denial of Service
Advisory number: SCOSA-2005.60
Issue date: 2005 December 16
Cross reference: sr893915 erg712849 fz532314
CVE-2005-1278 CVE-2005-1279 CVE-2005-1280
______________________________________________________________________________


1. Problem Description

Various flaws in tcpdump can allow remote attackers to cause
denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to these issue: CVE-2005-1278,
CVE-2005-1279, CVE-2005-1280.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 /usr/sbin/tcpdump
UnixWare 7.1.4 /usr/sbin/tcpdump


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.60


4.2 Verification

MD5 (p532314.image) = 065c23a3c5f662f5bbf9a1f34a6fbeba

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

The following package should be installed on your
system before you install this fix:

UnixWare 7.1.3 Maintenance Pack 5

Upgrade the affected binaries with the following sequence:

Download p532314.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/p532314.image


5. UnixWare 7.1.4

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.60


5.2 Verification

MD5 (p532314.image) = 065c23a3c5f662f5bbf9a1f34a6fbeba

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

The following package should be installed on your
system before you install this fix:

UnixWare 7.1.4 Maintenance Pack 2

Upgrade the affected binaries with the following sequence:

Download p532314.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/p532314.image


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1280

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr893915 erg712849
fz532314.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDo1jMaqoBO7ipriERApNVAJ43066O/0OGdxsSHxzd6aba+2jZFQCgnKOT
jNeLmBn/yj5Hua+4eVnG4gU=
=hsOH
- -----END PGP SIGNATURE-----


4.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: OpenServer 6.0.0 : Tcpdump Denial of Service
Advisory number: SCOSA-2005.61
Issue date: 2005 December 16
Cross reference: sr895065 erg712955 fz533034
CVE-2005-1278 CVE-2005-1279 CVE-2005-1280

______________________________________________________________________________


1. Problem Description

Various flaws in tcpdump can allow remote attackers to cause
denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to these issue: CVE-2005-1278,
CVE-2005-1279, CVE-2005-1280.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 6.0.0 /usr/sbin/tcpdump


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 6.0.0

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.61


4.2 Verification

MD5 (VOL.000.000) = ad7a7a888c20039f715dc46badb524ba

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory.

2) Run the custom command, specify an install
from media images, and specify the directory as
the location of the images.


5. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1280

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr895065 erg712955
fz533034.


6. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDo1qWaqoBO7ipriERAjpxAJ4h+QAqIYlzRLtUlHgRgqTUpZgDjQCgop0Q
x63DO04vg1jW/7LXsDa0R84=
=XZWr
- -----END PGP SIGNATURE-----