OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges.

2004-08-0200:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be
exploited to gain root privileges.
Advisory number: SCOSA-2004.3
Issue date: 2004 July 29
Cross reference: sr889371 fz528866 erg712547 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106

Problem Description

 A buffer overflow in ReadFontAlias from dirfile.c of Xsco
 may allow local users and remote attackers to execute 
 arbitrary code via a font alias file with a long token. 

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; 
 has assigned the name CAN-2004-0083 to this issue. 

 Buffer overflow in the ReadFontAlias function in Xsco,
 when using the CopyISOLatin1Lowered function, may allow
 local or remote authenticated users to execute arbitrary 
 code via a malformed entry in the font alias file. 

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; 
 has assigned the name CAN-2004-0084 to this issue.

 Multiple flaws in reading font files.

 The Common Vulnerabilities and Exposures project &#40;cve.mitre.org&#41; 
 has assigned the name CAN-2004-0106 to these issues.

Vulnerable Supported Versions

 System                          Binaries
 ----------------------------------------------------------------------
 OpenServer 5.0.6                /usr/bin/X11/Xsco
 OpenServer 5.0.7                /usr/bin/X11/Xsco

Solution

 The proper solution is to install the latest packages.

OpenServer 5.0.6

 4.1 Location of Fixed Binaries

 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.3

 4.2 Verification

 MD5 &#40;VOL.000.000&#41; = 7341b2e45bfc55b838009d8a1c49d000

 md5 is available for download from
         ftp://ftp.sco.com/pub/security/tools

 4.3 Installing Fixed Binaries

 Upgrade the affected binaries with the following sequence:

 1&#41; Download the VOL* files to a directory

 2&#41; Run the custom command, specify an install from media
 images, and specify the directory as the location of
 the images.

OpenServer 5.0.7

 5.1 Location of Fixed Binaries

 ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.3

 The fixes are also available in SCO OpenServer Release 5.0.7
 Maintenance Pack 3 or later.  See
 http://www.sco.com/support/update/download/osr507list.html.

 5.2 Verification

 MD5 &#40;VOL.000.000&#41; = 7341b2e45bfc55b838009d8a1c49d000

 MD5 &#40;507mp3_vol.tar&#41; = c927aefdd50b50aca5d29e08c1562aec

 md5 is available for download from
         ftp://ftp.sco.com/pub/security/tools


 5.3 Installing Fixed Binaries

 Upgrade the affected binaries with the following sequence:

 1&#41; Download the VOL* files to the /tmp directory

 2&#41; Run the custom command, specify an install from media
 images, and specify the /tmp directory as the location of
 the images.

 Or see the Maintenance Pack 3 Release and Installation Notes at

 ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.txt

References

 Specific references for this advisory:
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083 
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106

 SCO security resources:
         http://www.sco.com/support/security/index.html

 SCO security advisories via email:
         http://www.sco.com/support/forums/security.html

 This security fix closes SCO incidents sr889371 fz528866
 erg712547.

Disclaimer

 SCO is not responsible for the misuse of any of the information
 we provide on this website and/or through our security
 advisories. Our advisories are a service to our customers
 intended to promote secure installation and use of SCO
 products.

Acknowledgments

 Greg MacManus &#40;iDEFENSE Labs&#41; is credited with the discovery
 of this vulnerability.  Additionally David Dawes discovered
 further flaws in reading font files.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFBCqG8aqoBO7ipriERAkmYAJ9/6a/7zQke5Eht4cuTuHtpDxr2rwCgqRtR
edH7NQKjSfWXFbk9RJB/Etk=
=8TYG
-----END PGP SIGNATURE-----