Caldera Systems security advisory: libcurses, atcronsh, rtpm

From: Andrew Sharpe (asharpeat_private)
Date: Fri Jun 22 2001 - 10:41:21 PDT


    ___________________________________________________________________________
    
    		   Caldera Systems, Inc.  Security Advisory
    
    Subject:		curses library, rtpm, atcronsh
    Advisory number: 	CSSA-2001-SCO.1
    Issue date: 		2001 June, 22
    Cross reference:
    _____________________________________________________________________________
    
    
    
    1. Problem Description
    
    	A buffer overrun vulnerability has been found in the curses
    	library. A malicious user could attack a set{uid,gid} command
    	that uses this library to gain privileges.
    
    	One such command that is shipped with OpenServer is
    	/usr/lib/sysadm/atcronsh.
    
    	One such command that is shipped with UnixWare 7 is
    	/usr/sbin/rtpm.
    
    	In addition, the curses library is shipped only as a static
    	library, so an application would need to be re-linked with
    	this new library to take advantage of the fix.
    
    
    2. Vulnerable Versions
    
    	Operating System	Version		Affected Files
    	----------------------------------------------------------------
    	UnixWare 7		All		/usr/sbin/rtpm
    						/usr/ccs/lib/libcurses.a
    
    	OpenServer		<= 5.0.6a	/usr/lib/sysadm/atcronsh
    						/usr/lib/libcurses.a
    
    3. Workaround
    
    	For rtpm:
    		# chmod g-s /usr/sbin/rtpm
    
    	For atcronsh:
    		# chmod g-s /usr/lib/sysadm/atcronsh
    		
    	Otherwise, none.
    
    
    4. UnixWare 7
    
      4.1 Location of Fixed Binaries
    
    	ftp://ftp.sco.com/pub/security/unixware/sr848806/
    
    
      4.2 Verification
    
    	md5 checksums:
    	
    	ae2bc5b813dad2c729fb3593b59fd62a	libcurses.a.Z
    	990d9216ed368f2939596104c60bd27b	rtpm.Z
    
    
    	md5 is available for download from
    
    		ftp://ftp.sco.com/pub/security/tools/
    
    
      4.3 Installing Fixed Binaries
    
    	Back up the existing /usr/ccs/lib/libcurses.a, and replace it
    	with the provided libcurses.a binary. Ensure that the new
    	libcurses.a has bin/bin/0444 permissions.
    
    	Back up the existing /usr/sbin/rtpm and replace it with the
    	provided rtpm binary. Ensure that the new rtpm has
    	bin/sys/02555 permissions.
    
    
    5. OpenServer
    
      5.1 Location of Fixed Binaries
    
    	ftp://ftp.sco.com/pub/security/openserver/sr848771/
    
    	libcurses.a is not yet available; expect it within a week of
    	this advisory.
    
    
      5.2 Verification
    
    	md5 checksums:
    	
    	bf1ce0570284a1e12256ebac0174f6d4	atcronsh.Z
    
    	md5 is available for download from
    
    		ftp://ftp.sco.com/pub/security/tools/
    
    
      5.3 Installing Fixed Binaries
    
    	Back up the existing /usr/lib/sysadm/atcronsh and replace it
    	with the provided atcronsh binary. Ensure that the new
    	atcronsh has bin/cron/02111 permissions.
    
    	Back up the existing /usr/lib/libcurses.a, and replace it
    	with the provided libcurses.a binary. Ensure that the new
    	libcurses.a has bin/bin/0644 permissions.
    
    
    6. References
    
    	Caldera security resources are located at the following URL:
    
    	http://www.calderasystems.com/support/security/index.html
    
    
    7. Disclaimer
    
    	Caldera Systems, Inc. is not responsible for the misuse of any
    	of the information we provide on this website and/or through
    	our security advisories. Our advisories are a service to our
    	customers intended to promote secure installation and use of
    	Caldera OpenLinux.
    
    
    8. Acknowledgements
    
    	Caldera wishes to thank Aycan Irican <aycanat_private>
    	for spotting the UnixWare problem.
    
    	Caldera wishes to thank KF <dotslashat_private> for spotting
    	the OpenServer problem.
    	
    
    _____________________________________________________________________________
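
The verification step and the set-group-ID workaround described in the advisory, as an added shell example that is not part of Caldera's advisory or tooling. The function names are this example's own, and it assumes md5sum or openssl is present in place of the md5 tool the advisory points to.

```shell
#!/bin/sh
# Added example: checks for the advisory's workaround and verification steps.
# Function names are this example's own. md5sum/openssl are assumed to be
# available; the md5 tool from ftp.sco.com may print a different format.

# MD5 values as published in the advisory, keyed by download name.
advisory_md5() {
    case $1 in
        libcurses.a.Z) echo ae2bc5b813dad2c729fb3593b59fd62a ;;  # UnixWare 7
        rtpm.Z)        echo 990d9216ed368f2939596104c60bd27b ;;  # UnixWare 7
        atcronsh.Z)    echo bf1ce0570284a1e12256ebac0174f6d4 ;;  # OpenServer
        *) return 1 ;;
    esac
}

# Print the lowercase hex MD5 of a file.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    else
        openssl md5 < "$1" | awk '{print $NF}'
    fi
}

# Succeed only if the file's MD5 equals the expected digest (case-insensitive).
verify_md5() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$1" ] && [ "$(md5_of "$1")" = "$want" ]
}

# Succeed if an `ls -l` mode string has set-group-ID (7th character s or S).
mode_has_setgid() {
    case $1 in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report whether a path still carries set-group-ID (workaround not applied).
file_has_setgid() {
    mode_has_setgid "$(ls -ld "$1" | awk '{print $1}')"
}

# Gate before installing: reject a download whose digest is not the advisory's.
check_download() {
    want=$(advisory_md5 "$(basename "$1")") || { echo "no advisory digest for $1"; return 2; }
    verify_md5 "$1" "$want" || { echo "MD5 mismatch: $1"; return 1; }
    echo "MD5 ok: $1"
}
```

Run `check_download ./rtpm.Z` before uncompressing and installing a download. On a system where only the workaround was applied, `file_has_setgid /usr/sbin/rtpm` should fail, whereas the fixed rtpm is expected to be set-group-ID again (02555).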
    
    
    
    
    


