From security@sco.com Tue Mar 14 16:11:32 2006 From: Security Officer To: security-announce@list.sco.com Date: Tue, 14 Mar 2006 13:01:01 -0800 Subject: [Full-disclosure] SCOSA-2006.10 OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Multiple System Libraries Vulnerabilities -- Dr. Ronald Joe Record Chief Security Officer SCO rr@sco.com [ Part 2: "Attached Text" ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Multiple System Libraries Vulnerabilities Advisory number: SCOSA-2006.10 Issue date: 2006 March 14 Cross reference: fz532924 fz532923 fz533164 fz533174 fz533390 CVE-2005-2491 CVE-2005-3183 CVE-2005-3185 ______________________________________________________________________________ 1. Problem Description PCRE is prone to a heap-overflow vulnerability. This issue is due to the library's failure to properly perform boundary checks on user-supplied input before copying data to an internal memory buffer. The impact of successful exploitation of this vulnerability depends on the application and the user credentials using the vulnerable library. A successful attack may ultimately permit an attacker to control the contents of critical memory control structures and write arbitrary data to arbitrary memory locations. Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. W3C Libwww is prone to multiple vulnerabilities. These issues include a buffer overflow vulnerability and some issues related to the handling of multipart/byteranges content. Libwww 5.4.0 is reported to be vulnerable. Other versions may be affected as well. These issues may also be exploited through other applications that implement the library. The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read. GNU wget and cURL are prone to a buffer overflow vulnerability. This issue is due to a failure in the applications to do proper bounds checking on user supplied data before using it in a memory copy operation. An attacker can exploit this vulnerability to execute arbitrary code in the context of the user utilizing the vulnerable application. Exploitation of this vulnerability requires that NTLM authentication is enabled in the affected clients. Stack-based buffer overflow in the ntlm_output function in http-ntlm.c for (1) wget 1.10, (2) curl 7.13.2, and (3) libcurl 7.13.2, and other products that use libcurl, when NTLM authentication is enabled, allows remote servers to execute arbitrary code via a long NTLM username. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2491, CVE-2005-3183, and CVE-2005-3185 to these issues. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.6 libpcre, libwww, libcurl libraries in the gwxlibs component OpenServer 5.0.7 libpcre, libwww, libcurl libraries in the gwxlibs component OpenServer 6.0.0 libpcre, libwww, libcurl libraries in the gwxlibs component 3. Solution The proper solution is to install the latest packages. 4. OpenServer 5.0.6 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/gwxlibs210Ba_vol.tar 4.2 Verification MD5 (gwxlibs210Ba_vol.tar) = 18213632bd0c5ff1e260eac90aae7033 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Download and install the Supplemental Graphics, Web and X11 Libraries (gwxlibs) version 2.1.0Ba from: ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/ This supplement can be installed on the following SCO OpenServer release(s): SCO OpenServer Release 5.0.6 with RS506A and OSS646C See: ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/gwxlibs-2.1.0Ba.txt 5. OpenServer 5.0.7 5.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar 5.2 Verification MD5 (osr507mp4_vol.tar) = 4c87d840ff5b43221258547d19030228 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.3 Installing Fixed Binaries See the SCO OpenServer Release 5.0.7 Maintenance Pack 4 Release and Installation Notes: ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm 6. OpenServer 6.0.0 6.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.iso 6.2 Verification MD5 (osr600mp2.iso) = 7e560dcde374eb60df2b4a599ac20d8a md5 is available for download from ftp://ftp.sco.com/pub/security/tools 6.3 Installing Fixed Binaries See the SCO OpenServer Release 6.0.0 Maintenance Pack 2 Release and Installation Notes: ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.html 7. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2491 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185 http://www.securityfocus.com/bid/14620 http://www.securityfocus.com/bid/15035 http://www.securityfocus.com/bid/15102 http://securitytracker.com/id?1014744 http://securitytracker.com/id?1015057 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents fz532924 fz532923 fz533164 fz533174 fz533390. 8. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (UnixWare) iD8DBQFEFynVaqoBO7ipriERAusBAJ449zh23lL5tq9yV2PpPqoGY3yiDQCfSCw9 /S2QKbSM8J+jGesfDrbV7wU= =WXg5 -----END PGP SIGNATURE----- [ Part 3: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/