Date: Fri, 22 Jun 2001 10:41:21 -0700
From: Andrew Sharpe <[email protected]>
To: [email protected]Subject: Caldera Systems security advisory: libcurses, atcronsh, rtpm
--8P1HSweYDcXXzwPJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
___________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: curses library, rtpm, atcronsh
Advisory number: CSSA-2001-SCO.1
Issue date: 2001 June, 22
Cross reference:
___________________________________________________________________________=
__
1. Problem Description
A buffer overrun vulnerability has been found in the curses
library. A malicious user could attack a set{uid,gid} command
that uses this library to gain privileges.
One such command that is shipped with OpenServer is
/usr/lib/sysadm/atcronsh.
One such command that is shipped with UnixWare 7 is
/usr/sbin/rtpm.
In addition, the curses library is shipped only as a static
library, so an application would need to be re-linked with
this new library to take advantage of the fix.
2. Vulnerable Versions
Operating System Version Affected Files
----------------------------------------------------------------
UnixWare 7 All /usr/sbin/rtpm
/usr/ccs/lib/libcurses.a
OpenServer <=3D 5.0.6a /usr/lib/sysadm/atcronsh
/usr/lib/libcurses.a
3. Workaround
For rtpm:
# chmod g-s /usr/sbin/rtpm
For atcronsh:
# chmod g-s /usr/lib/sysadm/atcronsh
=09
Otherwise, none.
4. UnixWare 7
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/security/unixware/sr848806/
4.2 Verification
md5 checksums:
=09
ae2bc5b813dad2c729fb3593b59fd62a libcurses.a.Z
990d9216ed368f2939596104c60bd27b rtpm.Z
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools/
4.3 Installing Fixed Binaries
Backup the existing /usr/ccs/lib/libcurses.a, and replace it
with the provided libcurses.a binary. Ensure that the new
libcurses.a has bin/bin/0444 permissions.
Backup the existing /usr/sbin/rtpm and replace it with the
provided rtpm binary. Ensure that the new rtpm has
bin/sys/02555 permissions.
5. OpenServer
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/security/openserver/sr848771/
libcurses.a is not yet available; expect it within a week of
this advisory.
4.2 Verification
md5 checksums:
=09
bf1ce0570284a1e12256ebac0174f6d4 atcronsh.Z
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools/
4.3 Installing Fixed Binaries
Backup the existing /usr/lib/sysadm/atcronsh and replace it
with the provided atcronsh binary. Ensure that the new
atcronsh has bin/cron/02111 permissions.
Backup the existing /usr/lib/libcurses.a, and replace it
with the provided libcurses.a binary. Ensure that the new
libcurses.a has bin/bin/0644 permissions.
6. References
Caldera security resources are located at the following url:
http://www.calderasystems.com/support/security/index.html
7. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any
of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera OpenLinux.
8. Acknowledgements
Caldera wishes to thank Aycan Irican <[email protected]>
for spotting the UnixWare problem.
Caldera wishes to thank KF <[email protected]> for spotting
the OpenServer problem.
=09
___________________________________________________________________________=
__
--8P1HSweYDcXXzwPJ
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjszg0EACgkQom1bqoqwkdT+LQCfRJxpJ2La6Gwa/rQALigBCFFi
vkkAmgMENBIoxo/ri6qf4YkvNqvpYv9m
=MwMA
-----END PGP SIGNATURE-----
--8P1HSweYDcXXzwPJ--
