-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
Advisory number:        SCOSA-2004.5
Issue date:             2004 April 07
Cross reference:        sr862325 fz520452 erg712002 CAN-2004-0390
______________________________________________________________________________


1. Problem Description

        As noted in the Xsecurity(X) man page, OpenServer 5 provides
        multiple X display access control mechanisms. The least secure
        is the Host Access method, where any client on a host in the
        host access control list (which is managed by the xhost command)
        is allowed access to the X server. More secure access methods
        are provided using the X authorization protocol (Xauthority).

        Currently, OpenServer 5 supports the X authorization protocol
        only for X sessions which are started by scologin. This
        supplement provides support for the X authorization protocol
        for X sessions which are not started by scologin (e.g., sessions
        which are started via startx).

        In order to prevent unauthorized access to your system, do not
        use the xhost command to grant access to your X server. Instead,
        it is recommended that you use the access provided by the
        .Xauthority file. With this supplement applied, scologin,
        startx, and xinit can all be used to start the X server using
        the MIT-MAGIC-COOKIE-1 access control system as described in
        the Xsecurity(X) man page. If the X server is started directly
        (by running X or Xsco), Xauthority-style access control will
        not be enabled.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0390 to this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.5                X display system
        OpenServer 5.0.6                X display system
        OpenServer 5.0.7                X display system


3. Solution

        The proper solution is to install the latest packages and
        enable Xauthority.


4. OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7

4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.5


4.2 Verification

        MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
           images, and specify the directory as the location of
           the images.


4.4 Set up a .Xauthority file (see the xauth(X) man page).


4.5 Quit & restart the X server.


5. References

        Specific references for this advisory:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0390

        SCO security resources:

        http://www.sco.com/support/security/index.html

        SCO security advisories via email

        http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr862325 fz520452 erg712002.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


7. Acknowledgments

        SCO would like to thank Kevin R Finisterre

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAoB0HaqoBO7ipriERAg7xAKCI5A+YHtpM5PLm+VYlKu7R14+U2wCffk/8
Iuf+dACi59/YfKVor4G1Zu0=
=65Jx
-----END PGP SIGNATURE-----
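The advisory's step 4.4 ("set up a .Xauthority file") and its warning against xhost-based host access are illustrated below with an added example script. It is not part of the SCO advisory and not SCO's code: it generates a 128-bit MIT-MAGIC-COOKIE-1 cookie, adds it to an .Xauthority file with xauth(1) when that tool is on PATH, and provides two audit checks a defender would run afterwards, one that reads xhost(1) output and flags host-based access, and one that confirms the cookie file is readable only by its owner. The display name `:0`, the default file path, and the xhost output strings checked are assumptions; the xhost text used in the test is constructed from common X server wording and may differ on OpenServer 5.

```shell
#!/bin/sh
# Added example, not from the SCO advisory. Assumes POSIX sh, od(1) and
# /dev/urandom. xauth(1) is only invoked when present on PATH.

# Generate a 128-bit cookie as 32 hex digits, the key length
# MIT-MAGIC-COOKIE-1 uses.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Return 0 only if the argument is exactly 32 hex digits.
valid_cookie() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Add the cookie for a display to an authority file. Arguments are
# assumptions: display (default :0) and file (default ~/.Xauthority).
# The subshell umask makes a newly created file mode 0600 so other
# local users cannot read the cookie.
setup_xauthority() {
    disp="${1:-:0}"
    auth="${2:-$HOME/.Xauthority}"
    cookie=$(gen_cookie)
    valid_cookie "$cookie" || return 1
    if command -v xauth >/dev/null 2>&1; then
        ( umask 077; xauth -f "$auth" add "$disp" MIT-MAGIC-COOKIE-1 "$cookie" )
    else
        echo "xauth not found; would run: xauth -f $auth add $disp MIT-MAGIC-COOKIE-1 <cookie>" >&2
    fi
}

# Audit check 1: given captured `xhost` output as one string, return 0
# if host-based access is in effect, i.e. access control is disabled or
# named hosts (INET:/LOCAL: entries) have been granted with xhost.
# This is the configuration the advisory says to avoid. Output wording
# is assumed from common X servers; adjust the pattern if yours differs.
xhost_is_open() {
    printf '%s\n' "$1" | grep -Eq '^(access control disabled|INET:|LOCAL:)'
}

# Audit check 2: return 0 if the file is mode 0600 (owner read/write
# only). Parses ls -l so it also works where stat(1) is unavailable.
perm_is_0600() {
    m=$(ls -ld "$1" | cut -c1-10)
    [ "$m" = "-rw-------" ]
}

# Usage: run `sh this_script.sh setup` to create the cookie, then
# `sh this_script.sh audit` after starting the server with startx.
case "${1:-}" in
    setup) setup_xauthority ;;
    audit)
        if command -v xhost >/dev/null 2>&1 && xhost_is_open "$(xhost 2>/dev/null)"; then
            echo "WARNING: host-based X access is enabled; remove xhost entries" >&2
        fi
        perm_is_0600 "$HOME/.Xauthority" || echo "WARNING: .Xauthority is not mode 0600" >&2
        ;;
esac
```

The two audit functions take their input as arguments rather than calling the tools directly, so the same checks can be run against xhost output collected from several machines or over a file list without an X server present.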