______________________________________________________________________________

                Caldera International, Inc. Security Advisory

Subject:                UnixWare 7.1.1 Open UNIX 8.0.0 : in.rarpd format
                        string vulnerability in error() and syserr()
Advisory number:        CSSA-2002-SCO.29
Issue date:             2002 June 24
Cross reference:
______________________________________________________________________________

1. Problem Description

        The in.rarpd program has several error routines (error() and
        syserr()) that contain a format string vulnerability, which a
        malicious user can exploit to compromise the system.

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.1                  /usr/sbin/in.rarpd
        Open UNIX 8.0.0                 /usr/sbin/in.rarpd

3. Solution

        The proper solution is to install the latest packages.

4. UnixWare 7.1.1

  4.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29

  4.2 Verification

        MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

        md5 is available for download from
                ftp://ftp.caldera.com/pub/security/tools

  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download erg712062.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712062.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712062.pkg

5. Open UNIX 8.0.0

  5.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.29

  5.2 Verification

        MD5 (erg712062.pkg.Z) = 3c05be0a8197ddd3b6fcd3ac50933508

        md5 is available for download from
                ftp://ftp.caldera.com/pub/security/tools

  5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        Download erg712062.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712062.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712062.pkg

6. References

        Specific references for this advisory:
                none

        Caldera security resources:
                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr865148, fz521092,
        erg712062.

7. Disclaimer

        Caldera International, Inc. is not responsible for the misuse of
        any of the information we provide on this website and/or through
        our security advisories. Our advisories are a service to our
        customers intended to promote secure installation and use of
        Caldera products.

8. Acknowledgements

        David Reign discovered these vulnerabilities.

______________________________________________________________________________
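The class of defect described in section 1, an error routine whose message argument is used directly as the format string, shown beside the hardened idiom. This is an added C example, not Caldera's code or the in.rarpd source; `error_fmt`, `report_lookup_failure` and `has_format_directive` are hypothetical names, and the message is rendered into a caller-supplied buffer rather than sent to syslog so it can be checked offline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape of an error()/syserr()-style routine (comment only):
 *
 *     void error(const char *msg) { syslog(LOG_ERR, msg); }
 *
 * The caller's string *is* the format. If any part of it came from the
 * network (a hostname, an Ethernet address rendered as text, a file
 * name), '%' directives inside it are interpreted by the formatter,
 * which is the format string vulnerability the advisory fixes.
 */

/* Hardened form: the format is always a programmer-controlled literal,
 * and untrusted data only ever travels through a "%s" argument. The
 * format attribute makes the compiler check every call site. */
__attribute__((format(printf, 3, 4)))
int error_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);  /* fmt is a literal at every caller */
    va_end(ap);
    return n;
}

/* Report a failure involving an untrusted string (hypothetical: the name
 * looked up for a RARP client). Directives in the string are copied
 * verbatim because the string is an argument, not the format. */
int report_lookup_failure(char *out, size_t outsz, const char *untrusted_host)
{
    return error_fmt(out, outsz, "in.rarpd: lookup failed for %s",
                     untrusted_host);
}

/* Audit helper for retrofitting old code: nonzero if a string that is
 * about to be passed as a format contains a conversion directive
 * ("%%" is a literal percent sign and does not count). */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}
```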