-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: OpenSSH multiple buffer handling problems Advisory number: CSSA-2003-027.0 Issue date: 2003 October 28 Cross reference: sr884647 fz528312 erg712429 CERT VU#333628 CERT VU#602204 CAN-2003-0693 CAN-2003-0695 CAN-2003-0682 CAN-2003-0786 ______________________________________________________________________________ 1. Problem Description UPDATE: CSSA-2003-027.0 contained a configuration error Tim Rice of Multitalents pointed out our mistake. Several buffer management errors and memory bugs are corrected by this patch. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to these issues. CAN-2003-0693, CAN-2003-0695, CAN-2003-0682, CAN-2003-0786. The CERT Coordination Center has assigned the following names VU#333628, and VU#602204. CERT VU#333628 / CAN-2003-0693: A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CAN-2003-0695 CAN-2003-0695: Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CAN-2003-0693. CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CAN-2003-0693 and CAN-2003-0695. CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to openssh-3.7.1p2-2.i386.rpm prior to openssh-askpass-3.7.1p2-2.i386.rpm prior to openssh-server-3.7.1p2-2.i386.rpm OpenLinux 3.1.1 Workstation prior to openssh-3.7.1p2-2.i386.rpm prior to openssh-askpass-3.7.1p2-2.i386.rpm prior to openssh-server-3.7.1p2-2.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-027.0/RPMS 4.2 Packages 27737fbcaf888fbf8fdb20e61b00c6e6 openssh-3.7.1p2-2.i386.rpm 16b8e32c9a3a8dea4ef14d38c3389fff openssh-askpass-3.7.1p2-2.i386.rpm b7e47005592a78b66fc8772b6b6cdd80 openssh-server-3.7.1p2-2.i386.rpm 4.3 Installation rpm -Fvh openssh-3.7.1p2-2.i386.rpm rpm -Fvh openssh-askpass-3.7.1p2-2.i386.rpm rpm -Fvh openssh-server-3.7.1p2-2.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-027.0/SRPMS 4.5 Source Packages fa20551012e9527d87ec48ca7315ca9d openssh-3.7.1p2-2.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-027.0/RPMS 5.2 Packages cf1e2116895e45f4118939caabce812b openssh-3.7.1p2-2.i386.rpm 39d21884c90453d1e67a421daa4e0939 openssh-askpass-3.7.1p2-2.i386.rpm 919197d6f95233462c5e7fa9b414643e openssh-server-3.7.1p2-2.i386.rpm 5.3 Installation rpm -Fvh openssh-3.7.1p2-2.i386.rpm rpm -Fvh openssh-askpass-3.7.1p2-2.i386.rpm rpm -Fvh openssh-server-3.7.1p2-2.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-027.0/SRPMS 5.5 Source Packages cb8210d0d0f919d342b0125bfb167d8c openssh-3.7.1p2-2.src.rpm 6. References Specific references for this advisory: http://www.openssh.com/txt/buffer.adv http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940 http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr884647 fz528312 erg712429. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj+fDM0ACgkQbluZssSXDTGeKACeOYEiH99hnhzQDU09A4WVp2TD 84EAn0ISJnqvgU/zLhwiKjP3faFifl9P =a950 -----END PGP SIGNATURE-----