-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Multiple security vulnerabilities in Xsco Advisory number: CSSA-2003-SCO.26 Issue date: 2003 October 10 Cross reference: sr862609 fz520528 erg712006 sr860995 fz520242 erg711972 CAN-2002-0158 CAN-2002-0164 ______________________________________________________________________________ 1. Problem Description This supplement corrects two unrelated security problems in the SCO OpenServer "Xsco" X11 server. First, NSFOCUS Security Team has found a buffer overflow vulnerability in Xsun shipped with Solaris system when processing a command line parameter "-co", which could enable a local attacker to run arbitrary code with root user/root group privilege. Kevin Finisterre of Snosoft.com discovered that Xsco was also vulnerable. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0158 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. Second, Roberto Zunino discovered a vulnerability in the MIT-SHM extension in all X servers that are running as root. Any user with local X access can exploit the MIT-SHM extension and gain read/write access to any shared memory segment on the system. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2002-0164 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.7 /usr/bin/X11/Xsco OpenServer 5.0.6 /usr/bin/X11/Xsco OpenServer 5.0.5 /usr/bin/X11/Xsco 3. Solution The proper solution is to install the latest packages. 4. OpenServer 5.0.7, OpenServer 5.0.6, OpenServer 5.0.5 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.26 4.2 Verification MD5 (VOL.000.000) = e7cbf7a8094ba43d44a6657a95673aeb MD5 (VOL.001.000) = 2eca28ac86436cec5fa7f059ab2fe850 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to the /tmp directory 2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images. 5. References Specific references for this advisory: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0158 http://marc.theaimsgroup.com/?l=bugtraq&m=101776858410652&w=2 http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0164 http://marc.theaimsgroup.com/?l=bugtraq&m=103547625009363&w=2 http://xforce.iss.net/xforce/xfdb/8706 http://www.securityfocus.com/bid/4396 http://www.linuxsecurity.com/advisories/caldera_advisory-2006.html ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.14/CSSA-2002-SCO.14.txt SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr862609 fz520528 erg712006 sr860995 fz520242 erg711972 6. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 7. Acknowledgments SCO would like to thank the NSFOCUS Security Team for finding the "-co" vulnerability, and Kevin Finisterre of Snosoft.com for confirming its applicability to Xsco. SCO would also like to thank Roberto Zunino for discovering the MIT-SHM vulnerability. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (SCO/UNIX_SVR5) iD8DBQE/jfZSaqoBO7ipriERAjSbAJkBWpJMSXcQwLFnTTRgVa5vaEXGEgCfeSKa yS0vg5xrMpoBo3zWeqgpsNQ= =Abuh -----END PGP SIGNATURE----- ----- End forwarded message -----