OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs
To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx
full-disclosure@xxxxxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7:
Multiple vulnerabilities affecting several components of gwxlibs
Advisory number: CSSA-2003-SCO.29
Issue date: 2003 November 04
Cross reference: sr885387 fz528382 erg712448 sr875559 fz527506 erg712256
sr875409 fz527489 erg712252 CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
CAN-2003-0131 CAN-2003-0107
______________________________________________________________________________
1. Problem Description
Multiple vulnerabilities affecting several components of gwxlibs. The issues
are:

Multiple Vulnerability Issues in OpenSSL up to and including 0.9.6j and
0.9.7b

NISCC/006489/openssl/1

CAN-2003-0543 Integer overflow in OpenSSL 0.9.6 and 0.9.7 may allow remote
attackers to cause a denial of service (crash) via an SSL client certificate
with certain ASN.1 tag values.

CAN-2003-0544 OpenSSL 0.9.6 and 0.9.7 does not properly track the number of
characters in certain ASN.1 inputs, which may allow remote attackers to cause
a denial of service (crash) via an SSL client certificate that causes OpenSSL
to read past the end of a buffer when the long form is used.

NISCC/006489/openssl/2

An invalid public key in a certificate will crash the verify code if it is
set to ignore all errors. This isn't done in production code, only for
debugging purposes. Successful exploitation would result in a Denial of
Service condition.

NISCC/006489/openssl/3

CAN-2003-0545 Double-free vulnerability in OpenSSL 0.9.7 may allow remote
attackers to cause a denial of service (crash) and possibly execute arbitrary
code via an SSL client certificate with a certain invalid ASN.1 encoding.

Certain ASN.1 structures which are rejected as invalid by the parser result
in part of the corresponding structure being freed up incorrectly. In theory
exploitation of this vulnerability could result in an attacker being able to
execute malicious code.
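The two ASN.1 issues above (CAN-2003-0543, a tag-number overflow, and CAN-2003-0544, a long-form length that makes the parser read past the end of its buffer) are both failures to check the encoding against the bytes actually present. The following is an added example written for this advisory, not OpenSSL's code and not anything SCO ships: a small DER tag/length decoder that performs those checks and rejects malformed input instead of over-reading. The sample byte strings at the bottom are constructed for the demonstration.

```python
"""Bounds-checked DER tag/length decoding (added example, not OpenSSL code)."""
from __future__ import annotations


class DERError(ValueError):
    """Raised for any malformed identifier or length encoding."""


MAX_LENGTH_OCTETS = 4   # widest long-form length accepted (fits 32 bits)
MAX_TAG_BITS = 31       # high-tag-number form must fit a non-negative 32-bit int


def read_tag(buf: bytes, pos: int) -> tuple[int, int, bool, int]:
    """Decode identifier octets at buf[pos:]; return (class, number, constructed, new_pos).

    The high-tag-number form is accumulated 7 bits at a time and rejected as
    soon as it would exceed MAX_TAG_BITS, so a run of continuation octets
    cannot wrap the accumulator (the CAN-2003-0543 class of bug).
    """
    if pos >= len(buf):
        raise DERError("truncated: no identifier octet")
    first = buf[pos]
    pos += 1
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number != 0x1F:
        return cls, number, constructed, pos
    number = 0
    while True:
        if pos >= len(buf):
            raise DERError("truncated: high-tag-number form runs off the buffer")
        octet = buf[pos]
        pos += 1
        if number == 0 and octet == 0x80:
            raise DERError("non-minimal high-tag-number encoding")
        if number >> (MAX_TAG_BITS - 7):
            raise DERError("tag number too large")
        number = (number << 7) | (octet & 0x7F)
        if not octet & 0x80:
            break
    if number < 0x1F:
        raise DERError("high-tag-number form used for a small tag")
    return cls, number, constructed, pos


def read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode length octets at buf[pos:]; return (length, new_pos).

    Checks: indefinite length is not DER; the long form may not announce
    more length octets than remain (CAN-2003-0544 class of bug); the long
    form must be minimal; the decoded length may not exceed the remaining bytes.
    """
    if pos >= len(buf):
        raise DERError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise DERError("indefinite length is not permitted in DER")
        if n > MAX_LENGTH_OCTETS:
            raise DERError("length field too wide (%d octets)" % n)
        if pos + n > len(buf):
            raise DERError("truncated: long-form length runs off the buffer")
        octets = buf[pos:pos + n]
        pos += n
        if octets[0] == 0:
            raise DERError("non-minimal length: leading zero octet")
        length = int.from_bytes(octets, "big")
        if length < 0x80:
            raise DERError("non-minimal length: long form for a value below 128")
    if pos + length > len(buf):
        raise DERError("content length %d exceeds remaining %d bytes" % (length, len(buf) - pos))
    return length, pos


def parse_tlv(buf: bytes, pos: int = 0) -> tuple[int, int, bool, bytes, int]:
    """Parse one element; return (class, tag, constructed, contents, next_pos)."""
    cls, tag, constructed, pos = read_tag(buf, pos)
    length, pos = read_length(buf, pos)
    return cls, tag, constructed, buf[pos:pos + length], pos + length


def parse_sequence_of_ints(buf: bytes) -> list[int]:
    """Parse a DER SEQUENCE OF INTEGER, validating every element against the buffer."""
    cls, tag, constructed, contents, end = parse_tlv(buf)
    if (cls, tag, constructed) != (0, 16, True):
        raise DERError("expected a constructed universal SEQUENCE")
    if end != len(buf):
        raise DERError("trailing bytes after SEQUENCE")
    values, pos = [], 0
    while pos < len(contents):
        cls, tag, constructed, payload, pos = parse_tlv(contents, pos)
        if (cls, tag, constructed) != (0, 2, False) or not payload:
            raise DERError("expected a non-empty primitive INTEGER")
        values.append(int.from_bytes(payload, "big", signed=True))
    return values


def classify(buf: bytes) -> str:
    """Return 'ok' or the rejection reason (handy for tests and logging)."""
    try:
        parse_sequence_of_ints(buf)
        return "ok"
    except DERError as exc:
        return str(exc)


# Constructed sample inputs (not taken from the advisory or any real certificate).
GOOD = bytes.fromhex("30 06 02 01 05 02 01 ff")        # SEQUENCE { INTEGER 5, INTEGER -1 }
TRUNCATED_LONG_FORM = bytes.fromhex("30 82 01")        # "2 length octets follow", only 1 present
OVERSIZED_LENGTH = bytes.fromhex("30 81 ff 02 01 05")  # claims 255 content bytes, 3 present
HUGE_TAG = bytes.fromhex("ff ff ff ff ff ff 7f 00")    # tag number that would overflow 32 bits

if __name__ == "__main__":
    for name in ("GOOD", "TRUNCATED_LONG_FORM", "OVERSIZED_LENGTH", "HUGE_TAG"):
        print("%-20s -> %s" % (name, classify(globals()[name])))
```

Every rejection happens before any byte beyond `len(buf)` is touched, which is the property the vulnerable OpenSSL releases lacked; a full certificate parser would apply the same two helpers recursively to each nested element.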
GNU TLS Library Record Layer Timing Information Leakage Weakness

CAN-2003-0131 The SSL and TLS components for OpenSSL 0.9.6i and earlier,
0.9.7, and 0.9.7a may allow remote attackers to perform an unauthorized RSA
private key operation via a modified Bleichenbacher attack that uses a large
number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL
to leak information regarding the relationship between ciphertext and the
associated plaintext, aka the "Klima-Pokorny-Rosa attack."

Buffer overflow in the gzprintf function in zlib 1.1.4

CAN-2003-0107 Buffer overflow in the gzprintf function in zlib 1.1.4, when
zlib is compiled without vsnprintf or when long inputs are truncated using
vsnprintf, may allow attackers to cause a denial of service or possibly
execute arbitrary code.

Since OpenServer builds of libz use vsnprintf(), only the less serious
truncation part of this potential vulnerability applies even when this
supplement is not installed.

This supplement contains zlib 1.1.4 patched with an unofficial patch that
implements proper verification of the usability of the vsnprintf() function.
No new official zlib version has been released.
1.1 Changes in this version of gwxlibs
This version of gwxlibs contains several improvements over the previous
version and over the gwxlibs package that was distributed as GWXLIBS version
1.3.1Ba. This section briefly lists the packages updated and the improvements
made.
o expat updated to 1.95.7
o libmng updated to 1.0.6
o fontconfig updated to 2.2
o gettext updated to 0.12.1
o XMLSEC updated to 1.2.1
o TIFF updated to 3.6.0
o NetPBM updated to 10.18
o LCMS updated to 1.11
o Freetype2 updated to 2.1.5
o PCRE updated to 4.4
o OpenSSL 0.9.6 updated to 0.9.6k
o OpenSSL 0.9.7c added
o XSLT updated to 1.0.33
o XML2 updated to 2.6.1
o GTK+ updated to 2.2.4
o GLIB updated to 2.2.3
o Pango updated to 1.2.5
o GDOME2 updated to 0.8.0
o Sablotron updated to 1.0
o cURL upgraded to 7.10.7
o libIDL upgraded to 0.8.2
o OpenLDAP updated to 2.1.23
o Xalan-C updated to 1.6
o Xerces-C updated to 2.3.0
o MM updated to 1.3.0
o Added missing alias files for pango
o Compile GDOME and libIDL twice, once linking to glib1 and once to glib2
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.5 gwxlibs Distribution
OpenServer 5.0.6 gwxlibs Distribution
OpenServer 5.0.7 gwxlibs Distribution
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.5 / OpenServer 5.0.6
4.1 First install OSS646B - Execution Environment Supplement
4.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29
4.3 Verification
MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and
   specify the /tmp directory as the location of the images.
5. OpenServer 5.0.7
5.1 First install Maintenance Pack 1
5.2 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29
5.3 Verification
MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.4 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media images, and
   specify the /tmp directory as the location of the images.
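The verification step in sections 4 and 5 says to compare the downloaded VOL.* images against the listed MD5 sums before running custom. The script below is an added example, not SCO's md5 tool and not part of the advisory: it parses "MD5 (name) = hash" lines in exactly the format printed above, hashes each named file in the download directory, and reports ok / missing / MISMATCH per file so the install can be refused unless everything matches. The demo files, their contents and the demo manifest (including the deliberately absent VOL.000.003 with a zero digest) are constructed for the demonstration; the sums for the real images are the ones listed in the advisory.

```python
"""Check downloaded VOL.* images against advisory-style MD5 lines (added example)."""
from __future__ import annotations

import hashlib
import os
import re
import tempfile

# Matches the advisory's own verification lines, e.g.
#   MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
MANIFEST_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected hex digest; lines that are not MD5 lines are ignored."""
    expected = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so large volume images need not be read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, manifest_text: str) -> dict[str, str]:
    """Return {name: 'ok' | 'missing' | 'MISMATCH'} for every entry in the manifest."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) != digest:
            results[name] = "MISMATCH"
        else:
            results[name] = "ok"
    return results


def all_verified(results: dict[str, str]) -> bool:
    """True only if the manifest was non-empty and every listed file matched."""
    return bool(results) and all(v == "ok" for v in results.values())


# Constructed demo data (not the advisory's images). The digests of "" and "abc"
# and of the "quick brown fox" sentence are the standard MD5 test vectors.
DEMO_FILES = {
    "VOL.000.000": b"",
    "VOL.000.001": b"abc",
    "VOL.000.002": b"The quick brown fox jumps over the lazy dog",
}
DEMO_MANIFEST = """\
MD5 (VOL.000.000) = d41d8cd98f00b204e9800998ecf8427e
MD5 (VOL.000.001) = 900150983cd24fb0d6963f7d28e17f72
MD5 (VOL.000.002) = 9e107d9d372bb6826bd81d3542a419d6
MD5 (VOL.000.003) = 00000000000000000000000000000000
md5 is available for download from
"""


def run_demo(tamper: bool = False) -> dict[str, str]:
    """Write the demo files into a temp dir (optionally corrupting one) and verify them."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in DEMO_FILES.items():
            if tamper and name == "VOL.000.001":
                data += b"\n"  # one extra byte is enough to change the digest
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_directory(d, DEMO_MANIFEST)


if __name__ == "__main__":
    for tamper in (False, True):
        res = run_demo(tamper)
        verdict = "proceed with custom" if all_verified(res) else "STOP: do not install"
        print("tampered" if tamper else "clean", res, "->", verdict)
```

For the real update, point `verify_directory` at /tmp and pass it the text of section 4.3 or 5.3; a single "missing" or "MISMATCH" means the images should be re-downloaded from the location given above rather than installed.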
6. References
Specific references for this advisory:
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr885387 fz528382
erg712448 sr875559 fz527506 erg712256 sr875409 fz527489
erg712252.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
8. Acknowledgments
SCO would like to thank National Infrastructure Security
Co-ordination Centre (NISCC) and Stephen Henson, a member
of the OpenSSL core team. SCO would also like to thank Ralf
S. Engelschall, Kelledin, and crazy_einstein@xxxxxxxxx for
the zlib research.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)
iD8DBQE/qtdRaqoBO7ipriERAtYeAJ4qoIeN+aUszciLap/P0quqA5Ef6wCfWDjU
vOARm6zL+kTrWaL7TJK8/n8=
=9AX3
-----END PGP SIGNATURE-----