---------------------------------------------------
TOPIC:  buffer overflows in lp and mail-related utilities
PRODUCTS AFFECTED:  SCO OpenServer 5.0.0-> 5.0.6
PATCH: System Security Supplement (SSE) SSE072B
PATCH LOCATION: ftp://ftp.sco.com/SSE/sse072b.tar.Z
                ftp://ftp.sco.com/SSE/sse072b.tar.bz2
                ftp://ftp.sco.com/SSE/sse072b.ltr
SUMMARY: SSE072B supersedes SSE072
DATE: April 12, 2001
---------------------------------------------------

System Security Enhancement (SSE) SSE072B - 11-Apr-2001

NOTE: This patch supersedes SSE072.  However, there is no need to install SSE072B
      on any system with SSE072 already successfully applied.

Problem:

        Buffer overflows have been found in the following SCO OpenServer 5
        utilities:


                /usr/bin/accept
                /usr/bin/cancel
                /usr/mmdf/bin/deliver
                /usr/bin/disable
                /usr/bin/enable
                /usr/lib/libcurses.a
                /usr/bin/lp
                /usr/lib/lpadmin
                /usr/lib/lpfilter
                /usr/lib/lpforms
                /usr/lib/lpmove
                /usr/lib/lpshut
                /usr/bin/lpstat
                /usr/lib/lpusers
                /usr/bin/recon
                /usr/bin/reject
                /usr/bin/rmail
                /usr/lib/sendmail
                /usr/bin/tput

        NOTE: the accept, reject, enable, and disable commands are symbolically
        linked to the same binary.

        Running any of the above utilities with a very large argument can
        result in a core dump.  For example:

                /usr/bin/recon -T `perl -e 'print "A" x 3000'`
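
        An overflow matters most in a program that runs with elevated
        privilege, so a useful first check is which of the files above
        exist on a host and carry setuid or setgid bits.  The script below
        is an added example, not part of SCO's advisory or patch; the
        function names and the ROOT argument are hypothetical, and reading
        the backup directory from Installation step 4 as a sign that the
        SSE was installed is an assumption.

```shell
#!/bin/sh
# Added example (not SCO's code): exposure triage for the files this
# advisory lists. ROOT is a hypothetical argument (default /) so a mounted
# image or a test tree can be audited instead of the live system.

SSE072B_FILES="usr/bin/accept usr/bin/cancel usr/mmdf/bin/deliver
usr/bin/disable usr/bin/enable usr/lib/libcurses.a usr/bin/lp
usr/lib/lpadmin usr/lib/lpfilter usr/lib/lpforms usr/lib/lpmove
usr/lib/lpshut usr/bin/lpstat usr/lib/lpusers usr/bin/recon
usr/bin/reject usr/bin/rmail usr/lib/sendmail usr/bin/tput"

# Print "<path> <state>" for every listed file. State is one of:
# absent, present, setuid, setgid, setuid+setgid.
sse072b_audit() {
    root=${1:-/}
    for rel in $SSE072B_FILES; do
        f="${root%/}/$rel"
        if [ ! -e "$f" ]; then state=absent
        elif [ -u "$f" ] && [ -g "$f" ]; then state=setuid+setgid
        elif [ -u "$f" ]; then state=setuid
        elif [ -g "$f" ]; then state=setgid
        else state=present
        fi
        echo "/$rel $state"
    done
}

# Number of listed files that carry a setuid or setgid bit.
sse072b_privileged_count() {
    sse072b_audit "${1:-/}" | awk '/set[ug]id/ { n++ } END { print n + 0 }'
}

# Assumption: the install script's backup directory (step 4) exists only
# after SSE072B was installed, so its presence is a hint, not proof.
sse072b_backup_present() {
    root=${1:-/}
    [ -d "${root%/}/opt/K/SCO/sse/sse072b" ]
}

# Report only when a root directory is given, e.g.: sh audit.sh /
if [ $# -gt 0 ]; then
    sse072b_audit "$1"
    echo "privileged files: $(sse072b_privileged_count "$1")"
    if sse072b_backup_present "$1"; then
        echo "SSE072B backup directory found"
    else
        echo "SSE072B backup directory not found"
    fi
fi
```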

Patch:

        This patch is applicable to all releases of OpenServer 5.  However,
        for releases 5.0.0, 5.0.2, 5.0.4, and 5.0.5, please note the additional
        installation instruction 3b below.

        This patch contains replacements for all binaries listed above.

        This patch supersedes SSE072.  There is no need to apply SSE072B on
        OpenServer Release 5.0.6 if SSE072 is already applied.

Installation:

        1. We recommend you drop into single user mode to install this SSE
            (though this is not enforced).

        2. Uncompress and extract the SSE into a temporary directory
           of the server (e.g. /tmp/sse072b).

           # uncompress sse072b.tar.Z
                OR
           # bunzip2 sse072b.tar.bz2

           # tar xvf sse072b.tar


        3. Execute the install script.  Follow the instructions
           at the prompt.

           # ./install-sse072b.sh

           Note: "Warning" messages simply explain that because a
                 specific file was not found on the current
                 server, it was not replaced.  If a system has
                 custom binaries or paths, this patch may not
                 succeed.

        3b. For releases 5.0.0, 5.0.2, 5.0.4, and 5.0.5 (NOT 5.0.6), manually
           install ./usr/lib/libsocket.so.2 and ./usr/lib/libresolv.so.1
           by copying these files to /usr/lib:

           # cp usr/lib/libsocket.so.2 /usr/lib
           # cp usr/lib/libresolv.so.1 /usr/lib

        4. Clean up.

           A backup of the original binaries will be saved in:
               /opt/K/SCO/sse/sse072b

           The following files will be left over after patch
           installation and can be removed:

           ./install-sse072b.sh
           ./sse072b.files.tar

           The following files will be left over after patch
           installation and can be moved to an archival
           directory in case the patches are needed again:

           ./sse072b.tar
           ./sse072b.doc

Checksums of the packages:

        `sum -lr ./sse072b.tar`: 3532308775  3788
        MD5(./sse072b.tar):      4ee79e11f2db094f2f51a8597d0095b2
        `sum -lr ./sse072b.files.tar`: 1147213061  3768
        MD5(./sse072b.files.tar):      1b7c64ee49ec076a8244fb2b123582b2
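
        The MD5 values above can be checked before the install script is
        run: sse072b.tar after step 2's uncompress, and sse072b.files.tar
        once the outer archive has been extracted.  The script below is an
        added example, not part of SCO's patch; its function names are
        hypothetical, and it assumes md5sum or openssl is available on the
        machine doing the check.

```shell
#!/bin/sh
# Added example (not SCO's code): compare the SSE072B archives with the
# MD5 values printed in this advisory before running install-sse072b.sh.

# Print the lowercase hex MD5 of a file with whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(file)= <hex>"; keep the last field.
        openssl md5 "$1" | awk '{ print $NF }'
    else
        echo "no MD5 tool found" >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED: 0 on match, 1 on mismatch, 2 if unreadable.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "MISSING  $file" >&2; return 2; }
    actual=$(md5_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# Check both archives in DIR (default: current directory) and stop at the
# first failure, so an unverified file never reaches the install step.
verify_sse072b() {
    dir=${1:-.}
    verify_md5 "$dir/sse072b.tar" 4ee79e11f2db094f2f51a8597d0095b2 &&
    verify_md5 "$dir/sse072b.files.tar" 1b7c64ee49ec076a8244fb2b123582b2
}

# Run only when a directory is given, e.g.: sh verify.sh /tmp/sse072b
if [ $# -gt 0 ]; then
    verify_sse072b "$1" && echo "both archives match the advisory checksums"
fi
```

        A match ties the files to this advisory only as far as the advisory
        text itself is trusted; MD5 catches a corrupted or truncated
        transfer, not a substitution by someone who can alter both.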

References:

        Most of the vulnerabilities addressed in this patch were found by:

                Kevin Finisterre <[EMAIL PROTECTED]>

        For more details, see the following BUGTRAQ archives:

                http://www.securityfocus.com/archive/1/171949
                http://www.securityfocus.com/archive/1/171947
                http://www.securityfocus.com/archive/1/171942
                http://www.securityfocus.com/archive/1/171939
                http://www.securityfocus.com/archive/1/171935
                http://www.securityfocus.com/archive/1/171934
                http://www.securityfocus.com/archive/1/171933

Disclaimer:

SCO believes that this patch addresses the reported vulnerabilities.
However, in order that it be released as soon as possible, this patch
has not been fully tested or packaged to SCO's normal exacting
standards.  For that reason, this patch is not officially supported.
Official supported and packaged fixes for current SCO products will
be available in due course.
