UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges.

2004-08-0200:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    SCO Security Advisory

Subject: UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be
exploited to gain root privileges.
Advisory number: SCOSA-2004.2
Issue date: 2004 July 29
Cross reference: sr889370 fz528865 erg712546 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106

Problem Description

 A buffer overflow in ReadFontAlias from dirfile.c of Xsco
 may allow local users and remote attackers to execute 
 arbitrary code via a font alias file with a long token. 

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; 
 has assigned the name CAN-2004-0083 to this issue. 

 Buffer overflow in the ReadFontAlias function in Xsco,
 when using the CopyISOLatin1Lowered function, may allow
 local or remote authenticated users to execute arbitrary 
 code via a malformed entry in the font alias file. 

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; 
 has assigned the name CAN-2004-0084 to this issue.

 Multiple flaws in reading font files.

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41;
 has assigned the name CAN-2004-0106 to these issues.

Vulnerable Supported Versions

 System                          Binaries
 ----------------------------------------------------------------------
 UnixWare 7.1.3                  /usr/X/bin/Xsco
 Open UNIX 8.0.0                 /usr/X/bin/Xsco

Solution

 The proper solution is to install the latest packages.

UnixWare 7.1.3 / Open UNIX 8.0.0

 4.1 Location of Fixed Binaries

 ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.2

 4.2 Verification

 MD5 &#40;erg712546.pkg.Z&#41; = a7ca45fddc3990268e2779a16601b323

 md5 is available for download from
         ftp://ftp.sco.com/pub/security/tools

 4.3 Installing Fixed Binaries

 Upgrade the affected binaries with the following sequence:

 Download erg712546.pkg.Z to the /var/spool/pkg directory

 # uncompress /var/spool/pkg/erg712546.pkg.Z
 # pkgadd -d /var/spool/pkg/erg712546.pkg

References

 Specific references for this advisory:
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083 
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106

 SCO security resources:
         http://www.sco.com/support/security/index.html

 SCO security advisories via email:
         http://www.sco.com/support/forums/security.html

 This security fix closes SCO incidents sr889370 fz528865
 erg712546.

Disclaimer

 SCO is not responsible for the misuse of any of the information
 we provide on this website and/or through our security
 advisories. Our advisories are a service to our customers
 intended to promote secure installation and use of SCO
 products.

Acknowledgments

 Greg MacManus &#40;iDEFENSE Labs&#41; is credited with the discovery
 of this vulnerability.  Additionally David Dawes discovered
 further flaws in reading font files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFBCqGxaqoBO7ipriERAkoyAJ91gL8wb8JakO+PD8UAu5ud2P/zbACgllGF
CROJ3rJtJ5iFKT7lahBbwcQ=
=OdyX
-----END PGP SIGNATURE-----