OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not
check for symlink or pipe
Advisory number: SCOSA-2004.12
Issue date: 2004 July 29
Cross reference: sr864864 fz527541 erg712054 CAN-2002-0178
______________________________________________________________________________
1. Problem Description
The uudecode utility would create an output file without
checking to see if it was about to write to a symlink or a
pipe. If a user uses uudecode to extract data into open
shared directories, such as /tmp, this vulnerability could
be used by a local attacker to overwrite files or lead to
privilege escalation.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2002-0178 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /usr/bin/uudecode
OpenServer 5.0.7 /usr/bin/uudecode
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.6
4.1 First install oss646b or later
4.2 Location of oss646c
ftp://ftp.sco.com/pub/openserver5/oss646c/
4.3 Verification of oss646c
MD5 (VOL.000.000) = f19b6c6949f615316bfb075d249989e8
MD5 (VOL.000.001) = 341ff8553aecd2c7b0c2beaf83030d0f
MD5 (VOL.000.002) = 6e46708ad8029e12280d4f9ac60ab814
MD5 (VOL.000.003) = 2868b64a6a6db742adb3b485be645d7e
MD5 (VOL.000.004) = 1696fe1db9bb063827ee5e76e58dff84
MD5 (VOL.000.005) = f39da342f8af72fcaccdf478dca04109
MD5 (VOL.000.006) = 2b31611c8af7d2e7910d6e8e3cf701a6
MD5 (VOL.000.007) = d0175c0f4e3ed29435b1eab95609f8f4
MD5 (VOL.000.008) = aa9e8a525c341fed077f981b1dacb486
MD5 (VOL.000.009) = 8e023af67b57507824406bdda322079a
MD5 (VOL.000.010) = 2b46e8adba8ae0b64109f2069da978a2
4.4 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.12
4.5 Verification
MD5 (VOL.000.000) = 53e8739812e5bfd7f3504d467e979019
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.6 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
5. OpenServer 5.0.7
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.12
The fixes are also available in SCO OpenServer Release 5.0.7
Maintenance Pack 3 or later. See
http://www.sco.com/support/update/download/osr507list.html.
5.2 Verification
MD5 (VOL.000.000) = 53e8739812e5bfd7f3504d467e979019
MD5 (507mp3_vol.tar) = c927aefdd50b50aca5d29e08c1562aec
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to the /tmp directory
2) Run the custom command, specify an install from media
images, and specify the /tmp directory as the location of
the images.
Or see the Maintenance Pack 3 Release and Installation Notes at
ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.txt
6. References
Specific references for this advisory:
http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr864864 fz527541
erg712054.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFBCqGmaqoBO7ipriERAiTGAJsFXtXRf+Gp7oo6F8W6Un5uLm01CQCbBPPk
YHPyFvekzIswp7A8jQAuw34=
=9v1h
-----END PGP SIGNATURE-----