<<< Date Index >>>     <<< Thread Index >>>

OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems



To: announce@xxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 : OpenSSH: multiple buffer handling 
problems
Advisory number:        CSSA-2003-SCO.24
Issue date:             2003 October 1
Cross reference:        sr884749 fz528324 erg712436 CERT VU#33362 CERT 
VU#602204 CAN-2003-0693  CAN-2003-0786 CAN-2003-0695 CAN-2003-0682
______________________________________________________________________________


1. Problem Description

         Several buffer management errors and memory bugs are
         corrected by this patch. 
         
         The Common Vulnerabilities and Exposures project 
         (cve.mitre.org) has assigned the following
         names to these issues. CAN-2003-0693, CAN-2003-0695,
         CAN-2003-0682, CAN-2003-0786. 
         
         The CERT Coordination Center has assigned the following 
         names VU#333628, and VU#602204.

         CERT VU#333628 / CAN-2003-0693: A "buffer management error"
         in buffer_append_space of buffer.c for OpenSSH before 3.7
         may allow remote attackers to execute arbitrary code by
         causing an incorrect amount of memory to be freed and
         corrupting the heap, a different vulnerability than
         CAN-2003-0695 
         
         CAN-2003-0695: Multiple "buffer management errors" in 
         OpenSSH before 3.7.1 may allow attackers to cause a denial 
         of service or execute arbitrary code using (1) buffer_init 
         in buffer.c, (2) buffer_free in buffer.c, or (3) a separate 
         function in channels.c, a different vulnerability than 
         CAN-2003-0693. 
         
         CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier, 
         with unknown impact, a different set of vulnerabilities 
         than CAN-2003-0693 and CAN-2003-0695. 
         
         CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions 
         3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the 
         new PAM code. At least one of these bugs is remotely 
         exploitable (under a non-standard configuration, with 
         privsep disabled). OpenServer is not configured to use PAM, 
         so is not vulnerable.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                OpenSSH Distribution


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.24

        4.2 Verification

        MD5 (VOL.000.000) = f36194ca559c850794874f9c7a0b2a18
        MD5 (VOL.000.001) = 02b76bd551a0a95f2544b8999c6fbcbf
        MD5 (VOL.000.002) = 6818513c946dbcd43a3f34fc19ef79fc
        MD5 (VOL.000.003) = 8149c475968c3d7318eda33f30ce8045

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.


5. References

        Specific references for this advisory:
                http://www.openssh.com/txt/buffer.adv 
                
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
 
                
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
 
                http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940 
                
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr884749 fz528324
        erg712436.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/eyW6aqoBO7ipriERAugiAJwP8ehQ81QNC7EuX8NEkINrtvII0gCfTbZl
HrkB1nNF8uxgUSgnWHR61O4=
=p5ga
-----END PGP SIGNATURE-----