___________________________________________________________________________

                        Caldera Systems, Inc. Security Advisory

Subject:                OpenServer, UnixWare7: curses library, rtpm, atcronsh
Advisory number:        CSSA-2001-SCO.1
Issue date:             2001 June, 20
Cross reference:
_____________________________________________________________________________

1. Problem Description

   A buffer overrun vulnerability has been found in the curses library.
   A malicious user could attack a set{uid,gid} command that uses this
   library to gain privileges. One such command that is shipped with
   OpenServer is /usr/lib/sysadm/atcronsh. One such command that is
   shipped with UnixWare 7 is /usr/sbin/rtpm.

   In addition, the curses library is shipped only as a static library,
   so an application would need to be re-linked with this new library
   to take advantage of the fix.

2. Vulnerable Versions

   Operating System    Version     Affected Files
   ----------------------------------------------------------------
   UnixWare 7          All         /usr/sbin/rtpm
                                   /usr/ccs/lib/libcurses.a
   OpenServer          <= 5.0.6a   /usr/lib/sysadm/atcronsh
                                   /usr/lib/libcurses.a

3. Workaround

   For rtpm:

        # chmod g-s /usr/sbin/rtpm

   For atcronsh:

        # chmod g-s /usr/lib/sysadm/atcronsh

   Otherwise, none.

4. UnixWare 7

   4.1 Location of Fixed Binaries

   ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.1/

   4.2 Verification

   md5 checksums:

   ae2bc5b813dad2c729fb3593b59fd62a  libcurses.a.Z
   990d9216ed368f2939596104c60bd27b  rtpm.Z

   md5 is available for download from

   ftp://stage.caldera.com/pub/security/tools/

   4.3 Installing Fixed Binaries

   Backup the existing /usr/ccs/lib/libcurses.a, and replace it with
   the provided libcurses.a binary. Ensure that the new libcurses.a has
   bin/bin/0444 permissions.

   Backup the existing /usr/sbin/rtpm and replace it with the provided
   rtpm binary. Ensure that the new rtpm has bin/sys/02555 permissions.

5. OpenServer

   5.1 Location of Fixed Binaries

   ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.1/

   5.2 Verification

   md5 checksums:

   bf1ce0570284a1e12256ebac0174f6d4  atcronsh.Z
   77a762717e430441f6446fce346790f6  libcurses.a.Z

   md5 is available for download from

   ftp://stage.caldera.com/pub/security/tools/

   5.3 Installing Fixed Binaries

   Backup the existing /usr/lib/sysadm/atcronsh and replace it with the
   provided atcronsh binary. Ensure that the new atcronsh has
   bin/cron/02111 permissions.

   Backup the existing /usr/lib/libcurses.a, and replace it with the
   provided libcurses.a binary. Ensure that the new libcurses.a has
   bin/bin/0644 permissions.

6. References

   This, and other advisories are located at

   http://stage.caldera.com/support/security

   This advisory addresses Caldera Security internal incident sr848771.

7. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

8. Acknowledgements

   Caldera wishes to thank Aycan Irican for spotting the UnixWare problem.
   Caldera wishes to thank KF for spotting the OpenServer problem.

_____________________________________________________________________________
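The following shell helpers are an added example, not part of the Caldera advisory, that turn the workaround in section 3 (clearing the setgid bit on rtpm and atcronsh) and the verification step in sections 4.2 and 5.2 (comparing md5 digests of the downloaded files) into repeatable checks an administrator can run before and after applying the fix. They assume a POSIX shell, POSIX `find`/`chmod`, and the coreutils `md5sum` command (the advisory's own `md5` tool from the Caldera FTP site prints a different output format, so the digest extraction would need adjusting for it). The file paths are the ones named in the advisory; the audit function simply skips any that are absent on the host.

```shell
#!/bin/sh
# Added example (not from the Caldera advisory): helpers for the setgid
# workaround and the md5 verification step it describes.
# Assumptions: coreutils `md5sum` (the advisory's `md5` tool differs in
# output format), POSIX `find` and `chmod`.

# Return 0 if FILE carries the setgid bit (mode 02000), 1 otherwise.
is_setgid() {
    f=$1
    [ -e "$f" ] || return 1
    # POSIX find: -perm -2000 matches when all listed mode bits are set.
    [ -n "$(find "$f" -prune -perm -2000 -print 2>/dev/null)" ]
}

# Apply the advisory's workaround (chmod g-s) to FILE if it is setgid.
# Returns 0 when the file is no longer setgid afterwards, 1 on failure.
drop_setgid() {
    f=$1
    if is_setgid "$f"; then
        chmod g-s "$f" || return 1
    fi
    ! is_setgid "$f"
}

# Compare FILE's md5 digest with EXPECTED (32 lowercase hex chars, as
# listed in the advisory). Returns 0 on match, 1 on mismatch or if the
# file cannot be read.
verify_md5() {
    f=$1
    expected=$2
    [ -r "$f" ] || return 1
    actual=$(md5sum "$f" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Report the setgid state of the set-id commands named in the advisory.
# Files that do not exist on this host (the other OS's binary) are skipped.
audit_advisory_files() {
    for f in /usr/sbin/rtpm /usr/lib/sysadm/atcronsh; do
        [ -e "$f" ] || continue
        if is_setgid "$f"; then
            echo "$f: setgid set (workaround not applied)"
        else
            echo "$f: setgid clear"
        fi
    done
}
```

Typical use on an affected host is `audit_advisory_files` to see whether the workaround is still needed, `drop_setgid /usr/sbin/rtpm` (or the atcronsh path) to apply it, and `verify_md5 rtpm.Z 990d9216ed368f2939596104c60bd27b` against the downloaded, still-compressed file before installing the replacement binary.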