-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : perl unsafe Safe compartment
Advisory number:        SCOSA-2004.1
Issue date:             2004 March 29
Cross reference:        sr887197 fz528449 erg712495 CAN-2002-1323
______________________________________________________________________________


1. Problem Description

        Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and
        earlier, may allow attackers to break out of safe
        compartments in (1) Safe::reval or (2) Safe::rdo using a
        redefined @_ variable, which is not reset between
        successive calls.

        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CAN-2002-1323 to
        this issue.


2. Vulnerable Supported Versions

        System                  Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3          /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
        Open UNIX 8.0.0         /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
        UnixWare 7.1.1          /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.2

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.1


        4.2 Verification

        MD5 (erg712495.Z) = a58a6ad7b7ea39ee48abc8bc3cc0d4fe

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1. Download the erg712495.Z file to a directory on your machine.

        2. As root, uncompress the file and add the package to your
           system using these commands:

           # uncompress erg712495.Z
           # pkgadd -d erg712495

        3. There is no need to reboot the system after installing
           this package.

        If you have questions regarding this supplement, or the
        product on which it is installed, please contact your
        software supplier.


5. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO Security Advisories via email:
                http://www.thescogroup.com/support/forums/security.html

        This security fix closes SCO incidents sr887197 fz528449
        erg712495.


6. Disclaimer

        SCO is not responsible for the misuse of any of the
        information we provide on this website and/or through our
        security advisories. Our advisories are a service to our
        customers intended to promote secure installation and use
        of SCO products.


7. Acknowledgments

        SCO would like to thank Andreas Jurenda

        If you would like to receive SCO Security Advisories
        please visit:
                http://www.thescogroup.com/support/forums/announce.html

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAaeIHaqoBO7ipriERAjocAJwIQYhWqPCT0eSZr5N9a4vLGJ0L7wCeK4o3
qgR4hIjrKpj/RN8yer7OyVM=
=jt5J
-----END PGP SIGNATURE-----
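
The check in section 4.2, as an added example that is not part of the SCO advisory: a POSIX shell function that parses the advisory's "MD5 (file) = hash" line and compares it with the digest of the downloaded file before pkgadd is run. The function names and the md5sum/md5/openssl fallback order are assumptions, and the demo file is constructed.

```shell
#!/bin/sh
# Added example, not SCO's code. Function names are illustrative.

# Print the lowercase MD5 hex digest of a file with whichever tool is present
# (assumed fallback order: md5sum, md5, openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'       # "hash  file"
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'         # "MD5 (file) = hash"
    else
        openssl md5 "$1" | awk '{print $NF}' # "MD5(file)= hash"
    fi | tr 'A-F' 'a-f'
}

# Check FILE against an advisory line such as "MD5 (erg712495.Z) = <32 hex>".
# Returns 0 on match, 1 on mismatch, and 2 if the line is malformed, names a
# different file, or FILE is unreadable.
verify_advisory_md5() {
    line=$1 file=$2
    name=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (\(.*\)) = [0-9A-Fa-f]\{32\}$/\1/p')
    want=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (.*) = \([0-9A-Fa-f]\{32\}\)$/\1/p' | tr 'A-F' 'a-f')
    [ -n "$name" ] && [ -n "$want" ] || return 2
    [ "$name" = "$(basename "$file")" ] || return 2
    [ -r "$file" ] || return 2
    got=$(md5_of "$file")
    [ "$got" = "$want" ]
}

# Constructed demo: a throwaway file containing "abc", whose MD5 is known.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample.bin"
if verify_advisory_md5 \
    'MD5 (sample.bin) = 900150983cd24fb0d6963f7d28e17f72' "$demo_dir/sample.bin"
then
    echo "sample.bin: checksum matches"
else
    echo "sample.bin: do not install (status $?)"
fi
rm -rf "$demo_dir"
```

For the real package, pass the line from section 4.2 and the path to erg712495.Z, and run uncompress and pkgadd only when the function returns 0.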