From sco-security@caldera.com Thu Jun 28 19:02:42 2001 From: sco-security@caldera.com To: bugtraq@securityfocus.com, security-announce@lists.securityportal.com Date: Wed, 27 Jun 2001 17:52:26 -0700 Subject: Security Update: [CSSA-2001-SCO.4] UnixWare: uucp utilities buffer overflows To: bugtraq@securityfocus.com security-announce@lists.securityportal.com ___________________________________________________________________________ Caldera International, Inc. Security Advisory Subject: UnixWare - uucp utilities buffer overflows Advisory number: CSSA-2001-SCO.4 Issue date: 2001 June, 27 Cross reference: ___________________________________________________________________________ 1. Problem Description The uucp utilities are vulnerable to command line argument buffer overflows. These could allow a process to execute arbitrary code, allowing a malicious user to gain elevated privileges. 2. Vulnerable Versions Operating System Version Affected Files ------------------------------------------------------------------ UnixWare 7 All /usr/bin/uucp /usr/bin/uux /usr/lib/uucp/bnuconvert /usr/lib/uucp/uucico /usr/lib/uucp/uuxcmd /usr/lib/uucp/uuxqt 3. Workaround None. 4. UnixWare 7 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/security/unixware/sr847405/ 4.2 Verification md5 checksums: e93266c02e2bd2f71b9675847fd9a7b5 erg711716a.Z md5 is available for download from ftp://ftp.sco.com/pub/security/tools/ 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following commands: # uncompress /tmp/erg711716a.Z # pkgadd -d /tmp/erg711716a 5. References http://www.calderasystems.com/support/security/index.html 6. Disclaimer Caldera International, Inc. is not responsible for the misuse of any of the information we provide on our website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera International, Inc. products. ___________________________________________________________________________ [Part 2, Application/PGP-SIGNATURE 245bytes] [Unable to print this part]