From security@sco.com Fri Nov 7 14:12:52 2003 From: security@sco.com To: announce@lists.caldera.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Fri, 7 Nov 2003 10:55:20 -0800 Reply-To: please_reply_to_security@sco.com Subject: OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs Advisory number: CSSA-2003-SCO.29 Issue date: 2003 November 04 Cross reference: sr885387 fz528382 erg712448 sr875559 fz527506 erg712256 sr875409 fz527489 erg712252 CAN-2003-0543 CAN-2003-0544 CAN-2003-0545 CAN-2003-0131 CAN-2003-0107 ______________________________________________________________________________ 1. Problem Description Multiple vulnerabilities affecting several components of gwxlibs. The issues are: Multiple Vulnerability Issues in OpenSSL up to and including 0.9.6j and 0.9.7b NISCC/006489/openssl/1 CAN-2003-0543 Integer overflow in OpenSSL 0.9.6 and 0.9.7 may allow remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. CAN-2003-0544 OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which mahy allow remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. NISCC/006489/openssl/2 An invalid public key in a certificate will crash the verify code if it is set to ignore all errors. This isnt done in production code just for debugging purposes. Successful exploitation would result in a Denial of Service condition. NISCC/006489/openssl/3 CAN-2003-0545 Double-free vulnerability in OpenSSL 0.9.7 may allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. Certain ASN.1 structures which are rejected as invalid by the parser result in part of the corresponding structure being freed up incorrectly. In theory exploitation of this vulnerability could result in an attacker being able to execute malicious code. GNU TLS Library Record Layer Timing Information Leakage Weakness CAN-2003-0131 The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a may allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." Buffer overflow in the gzprintf function in zlib 1.1.4 CAN-2003-0107 Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, may allow attackers to cause a denial of service or possibly execute arbitrary code. Since OpenServer builds of libz use vsnprintf(), only the less serious truncation part of this potential vulnerability applies even when this supplement is not installed. This supplement contains zlib 1.1.4 patched with an unofficial patch has been released which implements proper verification of the usability of the vsnprintf() function. No new official zlib version has been released. 1.1 Changes in this version of gwxlibs This version of gwxlibs several improvements over the previous version and the gwxlibs package that was distributed as GWXLIBS version 1.3.1Ba. This section briefly lists the packages updated and improvements made. o expat updated to 1.95.7 o libmng updated to 1.0.6 o fontconfig updated to 2.2 o gettext updated to 0.12.1 o XMLSEC updated to 1.2.1 o TIFF updated to 3.6.0 o NetPBM updated to 10.18 o LCMS updated to 1.11 o Freetype2 updated to 2.1.5 o PCRE updated to 4.4 o OpenSSL 0.9.6 updated to 0.9.6k o OpenSSL 0.9.7c added o XSLT updated to 1.0.33 o XML2 updated to 2.6.1 o GTK+ updated to 2.2.4 o GLIB updated to 2.2.3 o Pango updated to 1.2.5 o GDOME2 updated to 0.8.0 o Sablotron updated to 1.0 o cURL upgraded to 7.10.7 o libIDL upgraded to 0.8.2 o OpenLDAP updated to 2.1.23 o Xalan-C updated to 1.6 o Xerces-C updated to 2.3.0 o MM updated to 1.3.0 o Added missing alias files for pango o Compile GDOME and libIDL twice, once linking to glib1 and once to glib2 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.5 gwxlibs Distribution OpenServer 5.0.6 gwxlibs Distribution OpenServer 5.0.7 gwxlibs Distribution 3. Solution The proper solution is to install the latest packages. 4. OpenServer 5.0.5 / OpenServer 5.0.6 4.1 First install OSS646B - Execution Environment Supplement 4.2 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29 4.3 Verification MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9 MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9 MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.4 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to the /tmp directory 2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images. 5. OpenServer 5.0.7 5.1 First install Maintenance Pack 1 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29 5.2 Verification MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9 MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9 MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to the /tmp directory 2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images. 6. References Specific references for this advisory: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr885387 fz528382 erg712448 sr875559 fz527506 erg712256 sr875409 fz527489 erg712252. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgments SCO would like to thank National Infrastructure Security Co-ordination Centre (NISCC) and Stephen Henson, a member of the OpenSSL core team. SCO would also like to thank Ralf S. Engelschall, Kelledin, and crazy_einstein@yahoo.com for the zlib research. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (SCO/UNIX_SVR5) iD8DBQE/qtdRaqoBO7ipriERAtYeAJ4qoIeN+aUszciLap/P0quqA5Ef6wCfWDjU vOARm6zL+kTrWaL7TJK8/n8= =9AX3 -----END PGP SIGNATURE-----