What is Security Supplement p534589, the UnixWare 7.1.4 pkgadd security patch?

KEYWORDS: unixware 7.1.4 security pkgadd directory traversal vulnerability 714 fz534589 p534589 IDEF2722

RELEASE: SCO UnixWare Release 7.1.4

PROBLEM: What is p534589, the UnixWare 7.1.4 pkgadd security patch?

SOLUTION: p534589 repairs a directory traversal vulnerability discovered in the pkgadd(1M) utility. What follows is the Security Advisory for this fix:

______________________________________________________________________________

SCO Security Advisory

Subject:          pkgadd(1M) Directory Traversal Vulnerability
Advisory number:  SCOSA-2008.1
Issue date:       27 February 2008
Cross reference:  fz534589
______________________________________________________________________________

1. Problem Description

pkgadd(1M) could allow a local attacker to execute arbitrary code as root.

2. Vulnerable Supported Versions

System            Binaries
----------------------------------------------------------------------
UnixWare 7.1.4    pkgadd pkgrm

3. Solution

The proper solution is to install the package below.

4. UnixWare 7.1.4

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/unixware7/714/security/p534589/

4.2 Verification

MD5 (p534589.image) = 1f8f904efcc476785773c0a337aa8062

md5 is available for download from ftp://ftp.sco.com/pub/security/tools

4.3 Installation Instructions

1) Download the p534589.image file to the /tmp directory on your machine.

2) As root, add the package to your system using these commands:

    $ su -
    Password:
    # pkgadd -d /tmp/p534589.image

   Alternatively, this package may be installed in quiet mode, that is, without displaying the release notes and asking for confirmation. To do this, use these commands:

    $ su -
    Password:
    # pkgadd -qd /tmp/p534589.image all

3) There is no need to reboot the system after installing this package.

4.4 Removal Instructions

1) As root, remove the package using these commands:

    $ su -
    Password:
    # pkgrm p534589

5. OpenServer 6.0.0

OpenServer 6.0.0 is not affected by this vulnerability.

6. OpenServer 5.0.7

OpenServer 5.0.7 is not affected by this vulnerability.

7. References

SCO security resources:
http://www.sco.com/support/download.html

SCO security advisories via email:
http://www.sco.com/support/forums/security.html

This security fix closes SCO incident fz534589.

8. Disclaimers

SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.
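As an added example that is not part of SCO's advisory, the following POSIX shell functions carry out the section 4.2 checksum verification before the section 4.3 install, so that pkgadd is only invoked on an image whose MD5 matches the published value. It assumes either GNU md5sum or a BSD-style md5 that prints "MD5 (file) = digest" is on PATH; the function names md5_of, verify_image and install_p534589 are mine.

```shell
# Added example, not SCO's own tooling: gate pkgadd on the published MD5.
# Assumes md5sum (GNU) or md5 (BSD-style "MD5 (file) = digest" output).

# Print the MD5 hex digest of a file using whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'   # last field is the digest
    else
        echo "no md5 tool found on PATH" >&2
        return 2
    fi
}

# Compare a file's digest with the expected value.
# Returns 0 on match, 1 on mismatch, 2 if no digest could be computed.
verify_image() {
    file="$1"
    expected="$2"
    actual=$(md5_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Quiet-mode install from section 4.3, run only after the 4.2 check passes.
# The expected digest is the one published in section 4.2 of the advisory.
install_p534589() {
    verify_image /tmp/p534589.image 1f8f904efcc476785773c0a337aa8062 || return 1
    pkgadd -qd /tmp/p534589.image all
}
```

Run install_p534589 as root once p534589.image is in /tmp; a mismatch or missing digest tool aborts before pkgadd is touched.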