<<< Date Index >>>     <<< Thread Index >>>

OpenServer 5.0.7 : OpenSSH: multiple buffer handling problems



To: announce@xxxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx 
full-disclosure@xxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 : OpenSSH: multiple buffer handling 
problems
Advisory number:        CSSA-2003-SCO.24.1
Issue date:             2003 November 04
Cross reference:        sr884749 fz528324 erg712436 CERT VU#33362 CERT 
VU#602204 CAN-2003-0693  CAN-2003-0786 CAN-2003-0695 CAN-2003-0682
______________________________________________________________________________


1. Problem Description

         Version CSSA-2003-SCO.24.0 had a bug which caused it to 
         work only for a root login.

         Several buffer management errors and memory bugs are
         corrected by this patch. 
         
         The Common Vulnerabilities and Exposures project 
         (cve.mitre.org) has assigned the following
         names to these issues. CAN-2003-0693, CAN-2003-0695,
         CAN-2003-0682, CAN-2003-0786. 
         
         The CERT Coordination Center has assigned the following 
         names VU#333628, and VU#602204.

         CERT VU#333628 / CAN-2003-0693: A "buffer management error"
         in buffer_append_space of buffer.c for OpenSSH before 3.7
         may allow remote attackers to execute arbitrary code by
         causing an incorrect amount of memory to be freed and
         corrupting the heap, a different vulnerability than
         CAN-2003-0695 
         
         CAN-2003-0695: Multiple "buffer management errors" in 
         OpenSSH before 3.7.1 may allow attackers to cause a denial 
         of service or execute arbitrary code using (1) buffer_init 
         in buffer.c, (2) buffer_free in buffer.c, or (3) a separate 
         function in channels.c, a different vulnerability than 
         CAN-2003-0693. 
         
         CAN-2003-0682: "Memory bugs" in OpenSSH 3.7.1 and earlier, 
         with unknown impact, a different set of vulnerabilities 
         than CAN-2003-0693 and CAN-2003-0695. 
         
         CERT VU#602204 / CAN-2003-0786: Portable OpenSSH versions 
         3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the 
         new PAM code. At least one of these bugs is remotely 
         exploitable (under a non-standard configuration, with 
         privsep disabled). OpenServer is not configured to use PAM, 
         so is not vulnerable.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                OpenSSH Distribution


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 Install Maintanance Pack 1

        4.2 Install gwxlibs-1.3.2Ag

        
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29/CSSA-2003-SCO.29.txt

        4.3 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.24

        4.4 Verification

        MD5 (VOL.000.000) = c7b0c3fe58180819e0427d797594ede1
        MD5 (VOL.000.001) = 301a17b2d2226c6dfe9e0606e1fa6e5b
        MD5 (VOL.000.002) = 92bfaf84635b44b8df9702ef58843d34
        MD5 (VOL.000.003) = c3bec5a2af450787a26877079208b3eb

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.


5. References

        Specific references for this advisory:
                http://www.openssh.com/txt/buffer.adv 
                
http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
 
                
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/security/openssh/files/patch-buffer.c
 
                http://marc.theaimsgroup.com/?l=openbsd-misc&m=106371592604940 
                
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr884749 fz528324
        erg712436.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/q+NwaqoBO7ipriERAk2XAKCmoz0q1EvP06FqcbVQ73VtxJDSGgCfe4lq
//NxfitXUxxKY8fIhhcP1kM=
=E3rh
-----END PGP SIGNATURE-----