May 2006
SCO Security Advisory: SCOSA-2006.24 - Sendmail Arbitrary Code Execution Vulnerability
ID: 00368
Ref: 361/2006
Date: 23 May 2006:11:26:16
Version: 1
Title: SCO Security Advisory: SCOSA-2006.24 - Sendmail Arbitrary Code Execution Vulnerability
Abstract: Sendmail could allow a remote attacker to execute arbitrary code as root, caused by a signal race vulnerability.
Vendors affected: SCO
Operating systems affected: SCO
Applications affected: SCO
Title
=====
SCO Security Advisory: SCOSA-2006.24 - Sendmail Arbitrary Code Execution Vulnerability
Detail
======
Sendmail could allow a remote attacker to execute arbitrary code as
root, caused by a signal race vulnerability.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: Sendmail Arbitrary Code Execution Vulnerability
Advisory number: SCOSA-2006.24
Issue date: 2006 May 21
Cross reference: fz533700
CVE-2006-0058
______________________________________________________________________________
1. Problem Description
Sendmail could allow a remote attacker to execute arbitrary code as
root, caused by a signal race vulnerability.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2006-0058 to
this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 sendmail
mailstats
praliiases
rmail
smrsh
makemap
UnixWare 7.1.4 sendmail
mailstats
praliiases
rmail
smrsh
makemap
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
4.2 Verification
MD5 (p533700.713.image) = 2c33879a5f676c79efe1e78cadb2aeb8
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
The following packages should be installed on your system before
you install this fix:
UnixWare 7.1.3 Maintenance Pack 5
http://www.sco.com/support/update/download/release.php?rid=96
Upgrade the affected binaries with the following sequence:
Download p533700.713.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533700.713.image
5. UnixWare 7.1.4
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
5.2 Verification
MD5 (p533700.714.image) = 0a3a7c95a68e1ca3e5916e40e9dfa0ae
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
The following packages should be installed on your system before
you install this fix:
UnixWare 7.1.4 Maintenance Pack 3
http://www.sco.com/support/update/download/release.php?rid=126
Upgrade the affected binaries with the following sequence:
Download p533700.714.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533700.714.image
6. References
Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
http://www.securityfocus.com/archive/1/428536/100/0/threaded
http://www.sendmail.org/
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents fz533700.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgments
Marc Bejarano is credited with the discovery of this vulnerability.
______________________________________________________________________________
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SCO_SV)
iD8DBQFEcSxeaqoBO7ipriERAtnOAJ4l8SWkkFxTYf8T8iD9P4UFQBqX0QCfZld8
m4gPf3unHlkCKdp/9PbXL9Y=
=vpKs
- -----END PGP SIGNATURE-----