
OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx full-disclosure@xxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7:
                        Multiple vulnerabilities affecting several components of gwxlibs
Advisory number:        CSSA-2003-SCO.29
Issue date:             2003 November 04
Cross reference:        sr885387 fz528382 erg712448 sr875559 fz527506 erg712256
                        sr875409 fz527489 erg712252 CAN-2003-0543 CAN-2003-0544
                        CAN-2003-0545 CAN-2003-0131 CAN-2003-0107
______________________________________________________________________________


1. Problem Description

   Multiple vulnerabilities affecting several components of gwxlibs. The issues
   are:

        Multiple Vulnerability Issues in OpenSSL up to and including 0.9.6j and
        0.9.7b

                NISCC/006489/openssl/1 

                        CAN-2003-0543 Integer overflow in OpenSSL 0.9.6 and 0.9.7
                        may allow remote attackers to cause a denial of service
                        (crash) via an SSL client certificate with certain ASN.1
                        tag values.

                        CAN-2003-0544 OpenSSL 0.9.6 and 0.9.7 does not properly
                        track the number of characters in certain ASN.1 inputs,
                        which may allow remote attackers to cause a denial of
                        service (crash) via an SSL client certificate that causes
                        OpenSSL to read past the end of a buffer when the long
                        form is used.

                NISCC/006489/openssl/2 

                        An invalid public key in a certificate will crash the
                        verify code if it is set to ignore all errors. This isn't
                        done in production code, only for debugging purposes.
                        Successful exploitation would result in a Denial of
                        Service condition.

                NISCC/006489/openssl/3 

                        CAN-2003-0545 Double-free vulnerability in OpenSSL 0.9.7
                        may allow remote attackers to cause a denial of service
                        (crash) and possibly execute arbitrary code via an SSL
                        client certificate with a certain invalid ASN.1 encoding.

                        Certain ASN.1 structures which are rejected as invalid by
                        the parser result in part of the corresponding structure
                        being freed up incorrectly. In theory exploitation of
                        this vulnerability could result in an attacker being
                        able to execute malicious code.

                GNU TLS Library Record Layer Timing Information Leakage Weakness

                        CAN-2003-0131 The SSL and TLS components for OpenSSL
                        0.9.6i and earlier, 0.9.7, and 0.9.7a may allow remote
                        attackers to perform an unauthorized RSA private key
                        operation via a modified Bleichenbacher attack that uses
                        a large number of SSL or TLS connections using PKCS #1
                        v1.5 padding that cause OpenSSL to leak information
                        regarding the relationship between ciphertext and the
                        associated plaintext, aka the "Klima-Pokorny-Rosa attack."

        Buffer overflow in the gzprintf function in zlib 1.1.4

                CAN-2003-0107 Buffer overflow in the gzprintf function in zlib
                1.1.4, when zlib is compiled without vsnprintf or when long
                inputs are truncated using vsnprintf, may allow attackers to
                cause a denial of service or possibly execute arbitrary code.

                Since OpenServer builds of libz use vsnprintf(), only the less
                serious truncation part of this potential vulnerability applies
                even when this supplement is not installed.

                This supplement contains zlib 1.1.4 patched with an unofficial
                patch that implements proper verification of the usability of
                the vsnprintf() function. No new official zlib version has been
                released.

        1.1  Changes in this version of gwxlibs

        This version of gwxlibs contains several improvements over the
        previous version and the gwxlibs package that was distributed as
        GWXLIBS version 1.3.1Ba.  This section briefly lists the packages
        updated and improvements made.

          o  expat updated to 1.95.7
          o  libmng updated to 1.0.6
          o  fontconfig updated to 2.2
          o  gettext updated to 0.12.1
          o  XMLSEC updated to 1.2.1
          o  TIFF updated to 3.6.0
          o  NetPBM updated to 10.18
          o  LCMS updated to 1.11
          o  Freetype2 updated to 2.1.5
          o  PCRE updated to 4.4
          o  OpenSSL 0.9.6 updated to 0.9.6k
          o  OpenSSL 0.9.7c added
          o  XSLT updated to 1.0.33
          o  XML2 updated to 2.6.1
          o  GTK+ updated to 2.2.4
          o  GLIB updated to 2.2.3
          o  Pango updated to 1.2.5
          o  GDOME2 updated to 0.8.0
          o  Sablotron updated to 1.0
          o  cURL upgraded to 7.10.7
          o  libIDL upgraded to 0.8.2
          o  OpenLDAP updated to 2.1.23
          o  Xalan-C updated to 1.6
          o  Xerces-C updated to 2.3.0
          o  MM updated to 1.3.0
          o  Added missing alias files for pango
          o  Compile GDOME and libIDL twice, once linking to glib1 and once
             to glib2

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.5                gwxlibs Distribution
        OpenServer 5.0.6                gwxlibs Distribution
        OpenServer 5.0.7                gwxlibs Distribution


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.5 / OpenServer 5.0.6

        4.1 First install OSS646B - Execution Environment Supplement

        4.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29


        4.3 Verification

        MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
        MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
        MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
        MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.

5. OpenServer 5.0.7

        5.1 First install Maintenance Pack 1

        5.2 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

        5.3 Verification

        MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
        MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
        MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
        MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.4 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.
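        A pre-install check for the download-verify-install sequence given for
        both OpenServer 5.0.5/5.0.6 and 5.0.7, added here as an example and not
        part of SCO's advisory: it recomputes the MD5 digest of each VOL file
        in the download directory and compares it with the sums published
        above, refusing to proceed to custom if any image is missing or
        altered. It assumes either SCO's md5 tool or GNU md5sum is on the PATH.

```shell
#!/bin/sh
# Verify the CSSA-2003-SCO.29 media images before running custom.
# Expected digests are the MD5 sums published in the Verification sections.
# Assumes SCO's md5 (ftp://ftp.sco.com/pub/security/tools) or GNU md5sum.

# Print only the hex digest of a file, whichever md5 tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'          # "digest  file"
    else
        md5 "$1" | awk '{print $NF}'            # "MD5 (file) = digest"
    fi
}

# verify_vol FILE EXPECTED: exit 0 when the digest matches, 1 otherwise.
verify_vol() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_all DIR: check every VOL file; report each one and fail if any
# is missing or altered, so a truncated or tampered download is caught.
verify_all() {
    dir=$1
    failed=0
    set -- \
        VOL.000.000 fa163df4aca2dc283ac15a643492fce9 \
        VOL.000.001 406b89eb5f1e1407e1dcd9f92a2914f9 \
        VOL.000.002 fb632551866bca26dbd88b1159cc949e \
        VOL.000.003 84a03cddaa2bc8336d186562fb9ad6f6
    while [ $# -ge 2 ]; do
        if [ ! -f "$dir/$1" ]; then
            echo "MISSING  $1"
            failed=1
        elif verify_vol "$dir/$1" "$2"; then
            echo "OK       $1"
        else
            echo "MISMATCH $1 (expected $2)"
            failed=1
        fi
        shift 2
    done
    return $failed
}

# Usage: sh verify_vol.sh /tmp && custom
if [ $# -gt 0 ]; then
    verify_all "$1"
fi
```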


6. References

        Specific references for this advisory:
                http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm 
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr885387 fz528382
        erg712448 sr875559 fz527506 erg712256 sr875409 fz527489
        erg712252.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


8. Acknowledgments

        SCO would like to thank National Infrastructure Security
        Co-ordination Centre (NISCC) and Stephen Henson, a member
        of the OpenSSL core team. SCO would also like to thank Ralf
        S. Engelschall, Kelledin, and crazy_einstein@xxxxxxxxx for
        the zlib research.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/qtdRaqoBO7ipriERAtYeAJ4qoIeN+aUszciLap/P0quqA5Ef6wCfWDjU
vOARm6zL+kTrWaL7TJK8/n8=
=9AX3
-----END PGP SIGNATURE-----