Version CSSA-2003-SCO.24.0 had a bug which caused it to
work only for a root login.
Several buffer management errors and memory bugs are
corrected by this patch.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following
names to these issues. CAN-2003-0693, CAN-2003-0695,
CAN-2003-0682, CAN-2003-0786.
The CERT Coordination Center has assigned the following
names VU#333628, and VU#602204.
CERT VU#333628 / CAN-2003-0693: A "buffer management error"
in buffer_append_space of buffer.c for OpenSSH before 3.7
may allow remote attackers to execute arbitrary code by
causing an incorrect amount of memory to be freed and
corrupting the heap, a different vulnerability than
CAN-2003-0695
CAN-2003-0695: Multiple "buffer management errors" in
OpenSSH before 3.7.1 may allow attackers to cause a denial
of service or execute arbitrary code using (1) buffer_init
in buffer.c, (2) buffer_free in buffer.c, or (3) a separate
function in channels.c, a different vulnerability than
CAN-2003-0693.
CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier,
with unknown impact, a different set of vulnerabilities
than CAN-2003-0693 and CAN-2003-0695.
CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions
3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the
new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with
privsep disabled). OpenServer is not configured to use PAM,
so is not vulnerable.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 OpenSSH Distribution
3. Solution
The proper solution is to install the latest packages.
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. References
Specific references for this advisory:
http://www.openssh.com/txt/buffer.adv
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/00
0063.html
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/
files/patch-buffer.c
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924
840
This security fix closes SCO incidents sr884749 fz528324
erg712436.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
To: announce (at) lists.caldera (dot) com [email concealed] bugtraq (at) securityfocus (dot) com [email concealed] full-disclosure (at) lists.netsys (dot) com [email concealed]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
______
SCO Security Advisory
Subject: OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems
Advisory number: CSSA-2003-SCO.24.1
Issue date: 2003 November 04
Cross reference: sr884749 fz528324 erg712436 CERT VU#33362 CERT VU#602204 CAN-2003-0693 CAN-2003-0786 CAN-2003-0695 CAN-2003-0682
________________________________________________________________________
______
1. Problem Description
Version CSSA-2003-SCO.24.0 had a bug which caused it to
work only for a root login.
Several buffer management errors and memory bugs are
corrected by this patch.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following
names to these issues. CAN-2003-0693, CAN-2003-0695,
CAN-2003-0682, CAN-2003-0786.
The CERT Coordination Center has assigned the following
names VU#333628, and VU#602204.
CERT VU#333628 / CAN-2003-0693: A "buffer management error"
in buffer_append_space of buffer.c for OpenSSH before 3.7
may allow remote attackers to execute arbitrary code by
causing an incorrect amount of memory to be freed and
corrupting the heap, a different vulnerability than
CAN-2003-0695
CAN-2003-0695: Multiple "buffer management errors" in
OpenSSH before 3.7.1 may allow attackers to cause a denial
of service or execute arbitrary code using (1) buffer_init
in buffer.c, (2) buffer_free in buffer.c, or (3) a separate
function in channels.c, a different vulnerability than
CAN-2003-0693.
CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier,
with unknown impact, a different set of vulnerabilities
than CAN-2003-0693 and CAN-2003-0695.
CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions
3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the
new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with
privsep disabled). OpenServer is not configured to use PAM,
so is not vulnerable.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 OpenSSH Distribution
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7
4.1 Install Maintanance Pack 1
4.2 Install gwxlibs-1.3.2Ag
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29/CSSA-2003-SCO.
29.txt
4.3 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.24
4.4 Verification
MD5 (VOL.000.000) = c7b0c3fe58180819e0427d797594ede1
MD5 (VOL.000.001) = 301a17b2d2226c6dfe9e0606e1fa6e5b
MD5 (VOL.000.002) = 92bfaf84635b44b8df9702ef58843d34
MD5 (VOL.000.003) = c3bec5a2af450787a26877079208b3eb
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. References
Specific references for this advisory:
http://www.openssh.com/txt/buffer.adv
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/00
0063.html
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/
files/patch-buffer.c
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924
840
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr884749 fz528324
erg712436.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
________________________________________________________________________
______
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)
iD8DBQE/q+NwaqoBO7ipriERAk2XAKCmoz0q1EvP06FqcbVQ73VtxJDSGgCfe4lq
//NxfitXUxxKY8fIhhcP1kM=
=E3rh
-----END PGP SIGNATURE-----
[ reply ]