Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Security Update: [CSSA-2001-SCO.38] OpenServer: lpstat buffer overflow

From: security () caldera com
Date: Fri, 7 Dec 2001 10:31:02 -0800
To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca


___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                OpenServer: lpstat buffer overflow
Advisory number:        CSSA-2001-SCO.38
Issue date:             2001 December 7
Cross reference:        sse072
___________________________________________________________________________


1. Problem Description
        
        Even with sse072, lpstat has a buffer overflow. This could be
        used by a malicious user to gain privileges.


2. Vulnerable Versions

        Operating System        Version         Affected Files
        ------------------------------------------------------------------
        OpenServer              <= 5.0.6a       /usr/bin/lpstat


3. Workaround

        If the lpstat command is not required, remove the setgid bit
        from the binary:

                chmod g-s /usr/bin/lpstat


4. OpenServer

  4.1 Location of Fixed Binaries

        ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.38/


  4.2 Verification

        md5 checksums:
        
        2deab6d340bb3790104fa0cb8ae36e6c        erg711871.pkg.Z


        md5 is available for download from

                ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        # uncompress /tmp/erg711871.pkg.Z
        # pkgadd -d /tmp/erg711871.pkg


5. References

        This and other advisories are located at
                http://stage.caldera.com/support/security

        This advisory addresses Caldera Security internal incidents
        sr854294, SCO-559-1315, erg711871.


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.

___________________________________________________________________________

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: