From: security@caldera.com
Date: Fri Dec 07 2001 - 12:31:02 CST

    To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

    ___________________________________________________________________________

                Caldera International, Inc. Security Advisory

    Subject: OpenServer: lpstat buffer overflow
    Advisory number: CSSA-2001-SCO.38
    Issue date: 2001 December 7
    Cross reference: sse072
    ___________________________________________________________________________

    1. Problem Description
            
            Even with sse072, lpstat has a buffer overflow. This could be
            used by a malicious user to gain privileges.

    2. Vulnerable Versions

            Operating System    Version      Affected Files
            ------------------------------------------------------------------
            OpenServer          <= 5.0.6a    /usr/bin/lpstat

    3. Workaround

            If the lpstat command is not required, remove the setgid bit
            from the binary:

                    chmod g-s /usr/bin/lpstat

    4. OpenServer

      4.1 Location of Fixed Binaries

            ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.38/

      4.2 Verification

            md5 checksums:
            
            2deab6d340bb3790104fa0cb8ae36e6c erg711871.pkg.Z

            md5 is available for download from

                    ftp://stage.caldera.com/pub/security/tools/

      4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following commands:

            # uncompress /tmp/erg711871.pkg.Z
            # pkgadd -d /tmp/erg711871.pkg

    5. References

            This and other advisories are located at
                    http://stage.caldera.com/support/security

            This advisory addresses Caldera Security internal incidents
            sr854294, SCO-559-1315, erg711871.

    6. Disclaimer

            Caldera International, Inc. is not responsible for the misuse
            of any of the information we provide on our website and/or
            through our security advisories. Our advisories are a service
            to our customers intended to promote secure installation and
            use of Caldera International products.

    ___________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjwRCuUACgkQaqoBO7ipriGyQQCeN8d03pNqPP9sh8N3wYUVX7Av
    5QgAmwe0z9pgKZSsLTeAkd5KFjw7gxVi
    =0uQK
    -----END PGP SIGNATURE-----