
UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : OpenSSH: multiple buffer handling problems



To: announce@xxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxxs.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 :
                        OpenSSH: multiple buffer handling problems
Advisory number:        CSSA-2003-SCO.22
Issue date:             2003 September 26
Cross reference:        sr883609 fz528218 erg712412 CERT VU#333628 VU#602204
                        CAN-2003-0693 CAN-2003-0695 CAN-2003-0682 CAN-2003-0786
______________________________________________________________________________


1. Problem Description

        Several buffer management errors and memory bugs are
        corrected by this patch. 

        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the following names to
        these issues: CAN-2003-0693, CAN-2003-0695, CAN-2003-0682,
        and CAN-2003-0786.

        The CERT Coordination Center has assigned the following names:
        VU#333628 and VU#602204.

        CERT VU#333628 / CAN-2003-0693: A "buffer management error"
        in buffer_append_space of buffer.c for OpenSSH before 3.7
        may allow remote attackers to execute arbitrary code by
        causing an incorrect amount of memory to be freed and
        corrupting the heap, a different vulnerability than
        CAN-2003-0695.
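
        The bookkeeping failure behind CAN-2003-0693, as an added example
        that is not part of SCO's advisory or OpenSSH's source: a simplified
        C model in which the size field is raised before the limit check,
        next to the corrected ordering. The struct, the function names and
        the two constants are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_MAX  0xa00000u   /* assumed upper bound on buffer growth */
#define BUF_STEP 32768u      /* assumed growth slack per reallocation */

/* Simplified model of a growable buffer; all names are hypothetical. */
struct buf {
    unsigned char *data;
    size_t alloc;   /* size the bookkeeping believes is allocated */
    size_t real;    /* size actually obtained from realloc (model only) */
};

/* Flawed order: the size field is raised before the limit check, so a
 * rejected request leaves alloc larger than the real allocation. */
int grow_flawed(struct buf *b, size_t len) {
    b->alloc += len + BUF_STEP;
    if (b->alloc > BUF_MAX)
        return -1;              /* error path now sees a too-large alloc */
    unsigned char *p = realloc(b->data, b->alloc);
    if (p == NULL) return -1;
    b->data = p; b->real = b->alloc;
    return 0;
}

/* Corrected order: compute the new size locally, validate it, reallocate,
 * and only then commit it to the bookkeeping field. */
int grow_fixed(struct buf *b, size_t len) {
    if (len > BUF_MAX) return -1;        /* also rules out overflow below */
    size_t newlen = b->alloc + len + BUF_STEP;
    if (newlen > BUF_MAX) return -1;
    unsigned char *p = realloc(b->data, newlen);
    if (p == NULL) return -1;
    b->data = p; b->alloc = newlen; b->real = newlen;
    return 0;
}

/* Cleanup that scrubs the buffer before freeing it. Returns how many bytes
 * a scrub of alloc bytes would have touched beyond the real allocation
 * (0 when the bookkeeping is sound); the model scrubs only what it owns. */
size_t scrub_and_free(struct buf *b) {
    size_t excess = b->alloc > b->real ? b->alloc - b->real : 0;
    if (b->data) memset(b->data, 0, b->real);
    free(b->data);
    b->data = NULL; b->alloc = b->real = 0;
    return excess;
}
```

        A nonzero return from scrub_and_free marks the state in which
        cleanup driven by the stale size field would operate on memory the
        buffer never owned.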

        CAN-2003-0695: Multiple "buffer management errors" in 
        OpenSSH before 3.7.1 may allow attackers to cause a 
        denial of service or execute arbitrary code using
        (1) buffer_init in buffer.c, (2) buffer_free in buffer.c,
        or (3) a separate function in channels.c, a different
        vulnerability than CAN-2003-0693. 

        CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier, 
        with unknown impact, a different set of vulnerabilities than 
        CAN-2003-0693 and CAN-2003-0695. 

        CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions
        3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the
        new PAM code. At least one of these bugs is remotely
        exploitable (under a non-standard configuration, with privsep
        disabled). UnixWare is not configured to use PAM, so it is
        not vulnerable.

        Software Notes and Recommendations
        ---------------------------------- 
        erg712430 should only be installed on: UnixWare 7.1.1 or 7.1.2 
        or 8.0.0 or 7.1.3 

        If your system is running any libraries or commands that
        are contained in this SLS, then these programs will continue
        to run with the old versions of these libraries or commands
        until the system is rebooted.

        Note that when all necessary patches have been installed, it is good 
        practice to reboot the system at the earliest opportunity. This
        will ensure that no programs continue to run with the old
        libraries or commands.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3  
        Open UNIX 8.0.0 
        UnixWare 7.1.1  
                                        /usr/bin/scp 
                                        /usr/bin/sftp 
                                        /usr/bin/ssh
                                        /usr/bin/ssh-add 
                                        /usr/bin/ssh-agent 
                                        /usr/bin/ssh-keygen
                                        /usr/bin/ssh-keyscan 
                                        /usr/sbin/sftp-server 
                                        /usr/sbin/ssh-keysign
                                        /usr/sbin/sshd 

3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3 / Open UNIX 8.0.0 / UnixWare 7.1.1

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.22


        4.2 Verification

        MD5 (erg712430.Z) = 6102d1aa40261479ee31c35561db8514

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

                1. Download the erg712430.Z file to the /tmp directory on
                your machine.

                2. As root, uncompress the file and add the package to your
                system using these commands:

                $ su
                Password: <type your root password>
                # uncompress /tmp/erg712430.Z
                # pkgadd -d /tmp/erg712430
                # rm /tmp/erg712430

7. References

        Specific references for this advisory:
                http://www.openssh.com/txt/buffer.adv
                http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
                http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
                http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940
                http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr883609 fz528218
        erg712412.


8. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj90vQcACgkQaqoBO7ipriFnXwCfebMrsi8g8ylrY3OXlH6AV4MQ
AdwAn03qbJTBKg72XtP4vRK2kq/2GoBs
=M3an
-----END PGP SIGNATURE-----