UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : OpenSSH: multiple buffer handling problems
To: announce@xxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxx
s.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 :
OpenSSH: multiple buffer handling problems
Advisory number: CSSA-2003-SCO.22
Issue date: 2003 September 26
Cross reference: sr883609 fz528218 erg712412 CERT VU#333628 VU#602204
CAN-2003-0693 CAN-2003-0695 CAN-2003-0682 CAN-2003-0786
______________________________________________________________________________
1. Problem Description
Several buffer management errors and memory bugs are
corrected by this patch.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the following names to
these issues. CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
CAN-2003-0786.
The CERT Coordination Center has assigned the following names
VU#333628, and VU#602204.
CERT VU#333628 / CAN-2003-0693: A "buffer management error"
in buffer_append_space of buffer.c for OpenSSH before 3.7
may allow remote attackers to execute arbitrary code by
causing an incorrect amount of memory to be freed and
corrupting the heap, a different vulnerability than
CAN-2003-0695.
CAN-2003-0695: Multiple "buffer management errors" in
OpenSSH before 3.7.1 may allow attackers to cause a
denial of service or execute arbitrary code using
(1) buffer_init in buffer.c, (2) buffer_free in buffer.c,
or (3) a separate function in channels.c, a different
vulnerability than CAN-2003-0693.
CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier,
with unknown impact, a different set of vulnerabilities than
CAN-2003-0693 and CAN-2003-0695.
CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions
3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the
new PAM code. At least one of these bugs is remotely
exploitable (under a non-standard configuration, with privsep
disabled). UnixWare is not configured to use PAM, so is not vulnerable.
Software Notes and Recommendations
----------------------------------
erg712430 should only be installed on: UnixWare 7.1.1 or 7.1.2
or 8.0.0 or 7.1.3
If your system is running any libraries or commands that
are contained in this SLS, then these programs will continue
to run with the old versions of these libraries or commands
until the the system is rebooted.
Note that when all necessary patches have been installed, it is good
practice to reboot the system at the earliest opportunity. This
will ensure that no programs continue to run with the old
libraries or commands.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3
Open UNIX 8.0.0
UnixWare 7.1.1
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/sbin/sftp-server
/usr/sbin/ssh-keysign
/usr/sbin/sshd
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3 / Open UNIX 8.0.0 / UnixWare 7.1.1
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.22
4.2 Verification
MD5 (erg712430.Z) = 6102d1aa40261479ee31c35561db8514
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1. Download the erg712430.Z file to the /tmp directory on your
machine.
2. As root, uncompress the file and add the package to your
system
using these commands:
$ su
Password: <type your root password>
# uncompress /tmp/erg712430.Z
# pkgadd -d /tmp/erg712430
# rm /tmp/erg712430
7. References
Specific references for this advisory:
http://www.openssh.com/txt/buffer.adv
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr883609 fz528218
erg712412.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj90vQcACgkQaqoBO7ipriFnXwCfebMrsi8g8ylrY3OXlH6AV4MQ
AdwAn03qbJTBKg72XtP4vRK2kq/2GoBs
=M3an
-----END PGP SIGNATURE-----