-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 :
                        OpenSSH: multiple buffer handling problems
Advisory number:        CSSA-2003-SCO.22
Issue date:             2003 September 26
Cross reference:        sr883609 fz528218 erg712412 CERT VU#333628 VU#602204
                        CAN-2003-0693 CAN-2003-0695 CAN-2003-0786
______________________________________________________________________________


1. Problem Description

        Several buffer management errors and memory bugs are corrected
        by this patch.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the following names to these issues:
        CAN-2003-0693, CAN-2003-0695, CAN-2003-0682, CAN-2003-0786.

        The CERT Coordination Center has assigned the following names:
        VU#333628 and VU#602204.

        CERT VU#333628 / CAN-2003-0693: A "buffer management error" in
        buffer_append_space of buffer.c for OpenSSH before 3.7 may allow
        remote attackers to execute arbitrary code by causing an
        incorrect amount of memory to be freed and corrupting the heap,
        a different vulnerability than CAN-2003-0695.

        CAN-2003-0695: Multiple "buffer management errors" in OpenSSH
        before 3.7.1 may allow attackers to cause a denial of service or
        execute arbitrary code using (1) buffer_init in buffer.c, (2)
        buffer_free in buffer.c, or (3) a separate function in
        channels.c, a different vulnerability than CAN-2003-0693.

        CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions 3.7p1
        and 3.7.1p1 contain multiple vulnerabilities in the new PAM
        code. At least one of these bugs is remotely exploitable (under
        a non-standard configuration, with privsep disabled). UnixWare
        is not configured to use PAM, so is not vulnerable.

        Software Notes and Recommendations
        ----------------------------------

        erg712430 should only be installed on:

                UnixWare 7.1.1 or 7.1.2 or 8.0.0 or 7.1.3

        If your system is running any libraries or commands that are
        contained in this SLS, then these programs will continue to run
        with the old versions of these libraries or commands until the
        system is rebooted.

        Note that when all necessary patches have been installed, it is
        good practice to reboot the system at the earliest opportunity.
        This will ensure that no programs continue to run with the old
        libraries or commands.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3                  /usr/bin/scp
        Open UNIX 8.0.0                 /usr/bin/sftp
        UnixWare 7.1.1                  /usr/bin/ssh
                                        /usr/bin/ssh-add
                                        /usr/bin/ssh-agent
                                        /usr/bin/ssh-keygen
                                        /usr/bin/ssh-keyscan
                                        /usr/sbin/sftp-server
                                        /usr/sbin/ssh-keysign
                                        /usr/sbin/sshd


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3 / Open UNIX 8.0.0 / UnixWare 7.1.1

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.22


        4.2 Verification

        MD5 (erg712430.Z) = 6102d1aa40261479ee31c35561db8514

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1. Download the erg712430.Z file to the /tmp directory on your
           machine.

        2. As root, uncompress the file and add the package to your
           system using these commands:

        $ su
        Password:
        # uncompress /tmp/erg712430.Z
        # pkgadd -d /tmp/erg712430
        # rm /tmp/erg712430


5. Open UNIX 8.0.0 / UnixWare 7.1.1

        5.1 First install the latest libc from the SDK.

        5.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.22


        5.3 Verification

        MD5 (erg712430.Z) = 6102d1aa40261479ee31c35561db8514

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1. Download the erg712430.Z file to the /tmp directory on your
           machine.

        2. As root, uncompress the file and add the package to your
           system using these commands:

        $ su
        Password:
        # uncompress /tmp/erg712430.Z
        # pkgadd -d /tmp/erg712430
        # rm /tmp/erg712430


6. References

        Specific references for this advisory:

                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0695
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0786
                http://www.openssh.com/txt/buffer.adv
                http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
                http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
                http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
                http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883609 fz528218
        erg712412.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/eMNkaqoBO7ipriERAryTAJ9UrTQ/wTx188wIeQJKQff5WrsMhACfS1TT
s8Ucf5xbGGYKz1XH0dajhus=
=dQ0r
-----END PGP SIGNATURE-----
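
The Verification and Installing Fixed Binaries steps above (4.2-4.3 and 5.3-5.4) list the MD5 and the install commands separately. The script below is an added example, not part of SCO's advisory, that parses the advisory's `MD5 (name) = hex` line and runs the install commands only when the downloaded file matches. The function names and the `--install` switch are hypothetical, and it assumes one of `md5sum`, `openssl` or `md5` is on the PATH.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not SCO's.
ADVISORY_LINE='MD5 (erg712430.Z) = 6102d1aa40261479ee31c35561db8514'

# File name from a "MD5 (name) = hex" line; empty output if malformed.
md5_line_name() {
    printf '%s\n' "$1" | sed -n 's/^MD5 (\(.*\)) = [0-9A-Fa-f]\{32\}$/\1/p'
}

# Digest from the same line, lower-cased for comparison.
md5_line_digest() {
    printf '%s\n' "$1" |
        sed -n 's/^MD5 (.*) = \([0-9A-Fa-f]\{32\}\)$/\1/p' | tr 'A-F' 'a-f'
}

# MD5 of a file using whichever tool is installed (assumption: the digest
# is the first field for md5sum and the last field for openssl and md5).
file_md5() {
    [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 < "$1" | awk '{print $NF}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 < "$1" | awk '{print $NF}'
    else
        return 2
    fi
}

# Exit 0 only when both the base name and the digest match the line.
verify_against_advisory() {
    file=$1; line=$2
    want_name=$(md5_line_name "$line")
    want_md5=$(md5_line_digest "$line")
    [ -n "$want_name" ] && [ -n "$want_md5" ] || return 3  # malformed line
    [ "$(basename "$file")" = "$want_name" ] || return 4   # wrong file
    got=$(file_md5 "$file" | tr 'A-F' 'a-f') || return 2
    [ -n "$got" ] && [ "$got" = "$want_md5" ]
}

# The advisory's own commands, gated on the check (run as root).
install_fix() {
    pkg=/tmp/erg712430
    verify_against_advisory "$pkg.Z" "$ADVISORY_LINE" || {
        echo "MD5 mismatch for $pkg.Z; not installing" >&2; return 1; }
    uncompress "$pkg.Z" && pkgadd -d "$pkg" && rm "$pkg"
}

if [ "${1:-}" = "--install" ]; then install_fix; fi
```

The MD5 value is only as trustworthy as the copy of the advisory it was read from, so check the advisory's PGP signature before relying on it.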