January 2006

ID: 00034
Ref: 33/2006
Date: 11 January 2006:15:08:08
Version: 1

---

Title: Two SCO Security Advisories: 1. SCOSA-2006.6 - OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Zlib Multiple Vulnerabilities 2. SCOSA-2006.7 - OpenServer 5.0.7 OpenServer 6.0.0 : Lynx Multiple Vulnerabilities
Abstract:
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO

---

Title
=====

Two SCO Security Advisories:

1. SCOSA-2006.6 - OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Zlib
Multiple Vulnerabilities

2. SCOSA-2006.7 - OpenServer 5.0.7 OpenServer 6.0.0 : Lynx Multiple
Vulnerabilities


Detail
======

1. The error handling in the (1) inflate and (2) inflateBack
functions in ZLib compression library 1.2.x allows local users
to cause a denial of service (application crash).

2. Ulf Harnhammar has reported a vulnerability in Lynx, which can
be exploited by malicious people to compromise a user's system.



1.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Zlib
Multiple Vulnerabilities
Advisory number: SCOSA-2006.6
Issue date: 2006 January 10
Cross reference: sr894696 fz532828 erg712900 sr894695 fz532829 erg712899
CVE-2004-0797 CVE-2005-1849 CVE-2005-2096
______________________________________________________________________________


1. Problem Description

The error handling in the (1) inflate and (2) inflateBack
functions in ZLib compression library 1.2.x allows local users
to cause a denial of service (application crash).

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-0797 to this issue.

inftrees.h in zlib 1.2.2 allows remote attackers to cause a
denial of service (application crash) via an invalid file that
causes a large dynamic tree to be produced.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1849 to this issue.

Buffer overflow in zlib 1.2 and later versions allows remote
attackers to cause a denial of service (crash) via a crafted
compressed stream, as demonstrated using a crafted PNG file.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2096 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /usr/lib/libz.so.1
OpenServer 5.0.7 /usr/lib/libz.so.1
OpenServer 6.0.0 /usr/lib/libz.so.1
/osr5/usr/lib/libz.so.1


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.6

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/


4.2 Verification

MD5 (gwxlibs210Ba_vol.tar) = 18213632bd0c5ff1e260eac90aae7033

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Please see the following:

ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/gwxlibs-2.1.0Ba.txt

5. OpenServer 5.0.7

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar


5.2 Verification

MD5 (osr507mp4_vol.tar) = 4c87d840ff5b43221258547d19030228

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Please see the SCO OpenServer Release 5.0.7 Maintenance Pack 4 Release
and Installation Notes:

ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm


6. OpenServer 6.0.0

6.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.6


6.2 Verification

MD5 (VOL.000.000) = b077f94a0d35829500695abb703aa408

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


6.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory.

2) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.


7. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://www.kb.cert.org/vuls/id/238678
http://www.kb.cert.org/vuls/id/680620

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr894696 fz532828
erg712900 sr894695 fz532829 erg712899.


8. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


9. Acknowledgments

The SCO Group would like to thank Mark Adler for his research.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDw+9HaqoBO7ipriERArTPAJ4k35+HA+yFMlVS6rYZeBAVBncrBQCfXGcm
OV1CEV0lnjNu5Aj1hoD8+uk=
=adQN
- -----END PGP SIGNATURE-----


2.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: OpenServer 5.0.7 OpenServer 6.0.0 : Lynx Multiple Vulnerabilities
Advisory number: SCOSA-2006.7
Issue date: 2006 January 10
Cross reference: fz533159 fz533314
CVE-2005-2929 CVE-2005-3120
______________________________________________________________________________


1. Problem Description

Lynx NNTP Buffer Overflow Vulnerability:

Ulf Harnhammar has reported a vulnerability in Lynx, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the
"HTrjis()" function in the handling of article headers sent from
NNTP (Network News Transfer Protocol) servers. This can be
exploited to cause a stack-based buffer overflow by e.g.
tricking a user into visiting a malicious web site which
redirects to a malicious NNTP server via the "nntp:" URI
handler.

Successful exploitation allows execution of arbitrary code.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-3120 to this issue.

Lynx Command Injection Vulnerability:

Remote exploitation of a command injection vulnerability could
allow attackers to execute arbitrary commands with the
privileges of the underlying user.

The problem specifically exists within the feature to execute
local cgi-bin programs via the "lynxcgi:" URI handler. The
handler is generally intended to be restricted to a specific
directory or program(s). However, due to a configuration error
on multiple platforms, the default settings allow for arbitrary
websites to specify commands to run as the user running Lynx.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2929 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 /usr/bin/lynx
OpenServer 6.0.0 /usr/bin/lynx


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.7

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.7


4.2 Verification

MD5 (p533159.507_vol.tar) = f86e8cb4941d567eedfd0ce761f890b3

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download p533159.507_vol.tar file to a directory.

2) Extract VOL* files.

# tar xvf p533159.507_vol.tar

3) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.


5. OpenServer 6.0.0

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.7


5.2 Verification

MD5 (p533159.600_vol.tar) = 8819b849a7463563a50e9575beb15755

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download p533159.600_vol.tar file to a directory.

2) Extract VOL* files.

# tar xvf p533159.600_vol.tar

3) Run the custom command, specify an install from media images,
and specify the directory as the location of the images.


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3120
http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
http://secunia.com/advisories/17216
http://securitytracker.com/id?1015065
http://securitytracker.com/id?1015195
http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities
http://www.securityfocus.com/bid/15395

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents fz533159 fz533314.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgments

SCO would like to thank Ulf Harnhammar for reporting the NNTP
buffer overflow vulnerability.

______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDw/dAaqoBO7ipriERAoPxAJ9LtjZWkbeGAhnT+2UU7Bil3GzRjgCfdH7e
6GPm9s1v3GCkfj2PopBdQvY=
=98zM
- -----END PGP SIGNATURE-----