Date: Fri, 16 Nov 2001 15:28:16 -0800
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2001-SCO.34] Open UNIX, UnixWare 7: xlock buffer overflow
--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.=
on.ca
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Open UNIX, UnixWare 7: xlock buffer overflow
Advisory number: CSSA-2001-SCO.34
Issue date: 2001 November 16
___________________________________________________________________________
1. Problem Description
=09
The /usr/bin/X11/xlock program contains a potential security
problem via a buffer overflow. This could be used by an
unauthorized user to gain privilege.
2. Vulnerable Versions
Operating System Version Affected Files
------------------------------------------------------------------
UnixWare 7 7.1.0, 7.1.1 /usr/bin/X11/xlock
Open UNIX 8.0.0 /usr/bin/X11/xlock
3. Workaround
Remove the setuid bit from the binary:
chmod -s /usr/bin/X11/xlock
4. UnixWare 7, Open UNIX 8
4.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.34/
4.2 Verification
md5 checksums:
=09
7220c59693f2db6312173259a37a6ba5 xcontrib_801.pkg
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
4.3 Installing Fixed Binaries
Download the xcontrib_801.pkg file to /usr/tmp.
This package is an upgrade install to UnixWare 7 xcontrib
package version 7.1.1 and Caldera OpenUNIX 8 version 8.0.0.
This version 8.0.1 contains all the components released with
any previous updates plus the bug fixes mentioned above. To
verify the currently installed version of this package:
# pkginfo -x xcontrib
It is not necessary, nor recommended, to remove previous
versions of this package from the system before installing
this updated version.
To install this package, you may use the SCOadmin Application
Installer from the desktop, or as a root login with pkgadd:
# pkgadd -d /usr/tmp/xcontrib_801.pkg
NOTE: Do not use /tmp as the download directory. It could fail
with a 'No space' message during pkgadd.
The message
WARNING: UnixWare Update 7.x.x should be reapplied
can be safely ignored. There are no files in the Update which
patch this package.
5. References
This and other advisories are located at
http://stage.caldera.com/support/security
This advisory addresses Caldera Security internal incidents
sr848020, fz518827, erg711744.
6. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
___________________________________________________________________________
--d6Gm4EdcadzBjdND
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjv1oRAACgkQaqoBO7ipriEztwCgmB972W/x3j56CQmQQRR3PiJ+
rmUAoJXhb+s1JzqgyUbL262hrEmO+iur
=OEPe
-----END PGP SIGNATURE-----
--d6Gm4EdcadzBjdND--
