<<< Date Index >>>     <<< Thread Index >>>

OpenLinux: Multiple vulnerabilities were discovered in the saned daemon



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: Multiple vulnerabilities were discovered in 
the saned daemon
Advisory number:        CSSA-2004-005.0
Issue date:             2004 February 19
Cross reference:        sr886093 fz528425 erg712466 CAN-2003-0773 CAN-2003-0774 
CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
______________________________________________________________________________


1. Problem Description

        CAN-2003-0773 saned in sane-backends 1.0.7 and earlier does
        not check the IP address of the connecting host during the
        SANE_NET_INIT RPC call, which allows remote attackers to use that
        call even if they are restricted in saned.conf. 
        
        CAN-2003-0774 saned in sane-backends 1.0.7 and earlier does not quickly
        handle connection drops, which allows remote attackers to
        cause a denial of service (segmentation fault) when invalid
        memory is accessed. 

        CAN-2003-0775 saned in sane-backends 1.0.7
        and earlier calls malloc with an arbitrary size value if a
        connection is dropped before the size value has been sent, which
        allows remote attackers to cause a denial of service (memory
        consumption or crash). 

        CAN-2003-0776 saned in sane-backends
        1.0.7 and earlier does not properly "check the validity of
        the RPC numbers it gets before getting the parameters," with
        unknown consequences. 

        CAN-2003-0777 saned in sane-backends 1.0.7
        and earlier, when debug messages are enabled, does not properly
        handle dropped connections, which can prevent strings from being
        null terminated and cause a denial of service (segmentation
        fault). 

        CAN-2003-0778 saned in sane-backends 1.0.7 and earlier,
        and possibly later versions, does not properly allocate memory
        in certain cases, which could allow attackers to cause a denial
        of service (memory consumption).


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to sane-1.0.13-1.i386.rpm
                                        prior to sane-devel-1.0.13-1.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to sane-1.0.13-1.i386.rpm
                                        prior to sane-devel-1.0.13-1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-005.0/RPMS

        4.2 Packages

        551a28ff2aa0a74e086972d8bdba7657        sane-1.0.13-1.i386.rpm
        3082901716b19a271fc14cc2b8356c7e        sane-devel-1.0.13-1.i386.rpm

        4.3 Installation

        rpm -Fvh sane-1.0.13-1.i386.rpm
        rpm -Fvh sane-devel-1.0.13-1.i386.rpm

        4.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-005.0/SRPMS

        4.5 Source Packages

        0be6d309556ddb7f588437c4435e1e42        sane-1.0.13-1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-005.0/RPMS

        5.2 Packages

        c9b9c0ee81ba3e2b09ca743703718007        sane-1.0.13-1.i386.rpm
        a313dbf67a26110d3a3fae1a39ffd592        sane-devel-1.0.13-1.i386.rpm

        5.3 Installation

        rpm -Fvh sane-1.0.13-1.i386.rpm
        rpm -Fvh sane-devel-1.0.13-1.i386.rpm

        5.4 Source Package Location

        
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-005.0/SRPMS

        5.5 Source Packages

        6ccf84292c1decf88207c26bff0001f1        sane-1.0.13-1.src.rpm


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0773
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0774
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0775
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0776
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0777
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0778

        SCO security resources:
                http://sco.com/support/security/index.html

        This security fix closes SCO incidents sr886093 fz528425
        erg712466.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFANUjVbluZssSXDTERArQyAKC/MNrxbSJE17sFpY8lrLn5qpoisACfayHo
Dv9gADi2UYMpwjs+EP0EJ/0=
=gP+Z
-----END PGP SIGNATURE-----