Date: Thu, 11 Oct 2001 13:55:50 -0700
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2001-SCO.25] OpenServer: various scoadmin/sysadm subprograms have buffer overflows
Do not reply to this mail. This security advisory is being sent from a
nonexistent address in order to avoid spam problems. Caldera's
contact address for UNIX security issues is [email protected].
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: OpenServer: various scoadmin/sysadm subprograms have buffer overflows
Advisory number: CSSA-2001-SCO.25
Issue date: 2001 October 11
Cross reference:
___________________________________________________________________________
1. Problem Description
Various programs that scoadmin and sysadmsh use have buffer
overflows that could be used by a malicious user to gain
privilege.
2. Vulnerable Versions
Operating System    Version      Affected Files
------------------------------------------------------------------
OpenServer          <= 5.0.6a    /usr/lib/sysadm/atcronsh
                                 /usr/lib/sysadm/auditsh
                                 /usr/lib/sysadm/authsh
                                 /usr/lib/sysadm/backupsh
                                 /usr/lib/sysadm/lpsh
                                 /usr/lib/sysadm/sysadm.menu
                                 /usr/lib/sysadm/termsh
3. Workaround
None.
4. OpenServer
4.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.25/
4.2 Verification
md5 checksums:
baf6e1a57f8a86803362a5cf798883aa sysadm.tar.Z
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
(Note: if the sysadmsh subsystem is not installed, it is
normal for some of the following mv commands to fail.)
# uncompress /tmp/sysadm.tar.Z
# for i in atcronsh auditsh authsh backupsh lpsh sysadm.menu termsh
> do
> mv /usr/lib/sysadm/$i /usr/lib/sysadm/${i}-
> chmod 0 /usr/lib/sysadm/${i}-
> done
# cd /
# tar xvf /tmp/sysadm.tar
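The checksum in 4.2 and the steps in 4.3 can be tied together so that nothing under /usr/lib/sysadm is touched unless the archive matches. The script below is an added example, not part of Caldera's advisory; the function names are hypothetical, and it assumes an md5sum or md5 command that reads standard input and an uncompress that supports -c.

```shell
#!/bin/sh
# Added example (not Caldera's script): verify sysadm.tar.Z, then install.
# Assumes an md5sum or md5 command that reads stdin; function names are hypothetical.

EXPECTED_MD5=baf6e1a57f8a86803362a5cf798883aa   # value from section 4.2
FILES="atcronsh auditsh authsh backupsh lpsh sysadm.menu termsh"

# Print the MD5 digest of file $1 as 32 lowercase hex characters.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1"
    else
        md5 < "$1"
    fi | tr 'A-F' 'a-f' | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# Succeed only if file $1 hashes to digest $2 (an unreadable file never matches).
verify_archive() {
    actual=$(file_md5 "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Rename each old binary in directory $1 to NAME- and chmod it to 0, which
# removes every permission bit, including any set-id bits. Missing files are
# skipped (the advisory notes the sysadmsh subsystem may not be installed).
retire_old() {
    for i in $FILES; do
        [ -f "$1/$i" ] || continue
        mv "$1/$i" "$1/${i}-" && chmod 0 "$1/${i}-"
    done
}

# $1 = path to sysadm.tar.Z, $2 = root to extract into ("/" on a real host).
# Nothing is renamed or extracted unless the checksum matches.
install_fix() {
    verify_archive "$1" "$EXPECTED_MD5" || {
        echo "md5 mismatch for $1: not installing" >&2
        return 1
    }
    retire_old "$2/usr/lib/sysadm" || return 1
    uncompress -c "$1" | (cd "$2" && tar xvf -)
}

# On the affected host, as root:  install_fix /tmp/sysadm.tar.Z /
```

Passing a scratch directory as the second argument allows a trial run without touching the live /usr/lib/sysadm.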
5. References
This and other advisories are located at
http://stage.caldera.com/support/security
This advisory addresses Caldera Security internal incidents
sr849820, SCO-559-1295 and erg711790.
6. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
7. Acknowledgements
Caldera International wishes to thank KF <[email protected]>
for discovering and reporting this problem.
___________________________________________________________________________