To: announceat_private bugtraqat_private security-announceat_private ___________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: OpenServer: /etc/popper buffer overflow Advisory number: CSSA-2001-SCO.8 Issue date: 2001 July 26 Cross reference: ___________________________________________________________________________ 1. Problem Description The popper daemon /etc/popper was subject to a buffer overflow that could be used by a malicious user. 2. Vulnerable Versions Operating System Version Affected Files ------------------------------------------------------------------ OpenServer <= 5.0.6a /etc/popper 3. Workaround None. 4. OpenServer 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/security/openserver/sr848324/ 4.2 Verification md5 checksums: 8795253219fbcbba3027f0c37f6a884e popper.Z md5 is available for download from ftp://ftp.sco.com/pub/security/tools/ 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following commands: # uncompress /tmp/popper.Z # mv /etc/popper /etc/popper.old # cp /tmp/popper /etc # chown bin /etc/popper # chgrp bin /etc/popper # chmod 755 /etc/popper 5. References http://www.calderasystems.com/support/security/index.html 6. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on our website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera International products. 7.Acknowledgements Caldera International wishes to thank Gustavo Viscaino for originally finding the problem, Michael Brennen <mbrennenat_private> for forwarding the problem report from the qpopper list, and the folks at Qualcomm for fixing the problem. ___________________________________________________________________________
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 14:20:44 PDT