Full Disclosure mailing list archives

UPDATED OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol


From: please_reply_to_security () sco com
Date: Mon, 10 May 2004 17:24:53 -0700 (PDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
Advisory number:        SCOSA-2004.5
Issue date:             2004 April 07
Cross reference:        sr862325 fz520452 erg712002 CAN-2004-0390
______________________________________________________________________________


1. Problem Description

        As noted in the Xsecurity(X) man page, OpenServer 5 provides
        multiple X display access control mechanisms. 

        The least secure is the Host Access method, where any 
        client on a host in the host access control list (which 
        is managed by the xhost command) is allowed access to 
        the X server. 

        More secure access methods are provided using the X 
        authorization protocol (Xauthority). Currently, OpenServer 5 
        supports the X authorization protocol only for X sessions 
        which are started by scologin. 

        This supplement provides support for the X authorization 
        protocol for X sessions which are not started by scologin 
        (e.g., sessions which are started via startx).

        In order to prevent unauthorized access to your system, do not 
        use the xhost command to grant access to your X server.  Instead, 
        it is recommended that you use the access provided by the 
        .Xauthority file.  

        With this supplement applied, scologin, startx, and xinit can all 
        be used to start the X server using the MIT-MAGIC-COOKIE-1 access       
        control system as described in the Xsecurity(X) man page.  
        If the X server is started directly (by running X or Xsco), 
        Xauthority-style access control will not be enabled.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0390 to this issue. 

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.5                X display system        
        OpenServer 5.0.6                X display system
        OpenServer 5.0.7                X display system

3. Solution

        The proper solution is to install the latest packages 
        and enable Xauthority.


4. OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.5

        4.2 Verification

        MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, choose to install from media
        images, and specify that directory as the location of
        the images.

        4.4 Set up a .Xauthority file (see the xauth(X) man page).

        4.5 Quit & restart the X server.
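
        The following script is an added example for steps 4.4 and 4.5 and for
        the "do not use xhost" advice in section 1; it is not part of the SCO
        advisory or of the supplement. It generates a 128-bit MIT-MAGIC-COOKIE-1
        cookie, records it in ~/.Xauthority with xauth(X) so that a server
        started by startx or xinit will honour it, and audits the output of
        xhost(X) to confirm that the Host Access list grants nothing. It assumes
        /dev/urandom and od(1) are available and that xauth and xhost are on
        PATH when the live helpers are called; the display name :0 is an
        assumption, and the sample xhost outputs are constructed, not captured
        from a real server.

```shell
#!/bin/sh
# Added example (not SCO's code): set up .Xauthority for a startx/xinit
# session and check that xhost-based access is closed.
# Assumptions: /dev/urandom and od(1) exist; xauth/xhost are on PATH when
# install_cookie / audit_xhost_live are invoked; default display is :0.

# gen_cookie: print 128 random bits as 32 lowercase hex digits, the
# representation xauth(X) expects for an MIT-MAGIC-COOKIE-1 entry.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_cookie COOKIE: succeed only if COOKIE is exactly 32 hex digits.
# Guards against a truncated /dev/urandom read or a hand-typed cookie.
valid_cookie() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# install_cookie [DISPLAY] COOKIE: write the cookie into ~/.Xauthority.
# startx/xinit read the same file, so the server they start and the
# clients this user runs share the secret (hypothetical helper name).
install_cookie() {
    display=${1:-:0}
    cookie=$2
    valid_cookie "$cookie" || { echo "install_cookie: bad cookie" >&2; return 1; }
    xauth add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
}

# xhost_is_closed OUTPUT: given the text printed by xhost(X), succeed only
# if access control is enabled and no host entries follow the status line.
# Any remaining line is a host that can connect without a cookie.
xhost_is_closed() {
    printf '%s\n' "$1" | grep -q '^access control enabled' || return 1
    entries=$(printf '%s\n' "$1" | grep -v '^access control' | grep -c .)
    [ "$entries" -eq 0 ]
}

# audit_xhost_live: run xhost against the current server and apply the
# check above. Returns 2 if xhost is not installed.
audit_xhost_live() {
    command -v xhost >/dev/null 2>&1 || { echo "xhost not on PATH" >&2; return 2; }
    xhost_is_closed "$(xhost 2>/dev/null)"
}

# Constructed sample xhost outputs (not captured from a real system).
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_HOSTLIST='access control enabled, only authorized clients can connect
INET:buildbox.example.com'
XHOST_CLOSED='access control enabled, only authorized clients can connect'

# Typical use before starting the session:
#   cookie=$(gen_cookie) && install_cookie :0 "$cookie" && startx
# and, once the server is up, from a terminal in that session:
#   audit_xhost_live || echo "xhost grants host-based access; fix with xhost -" >&2
```

        Starting the server directly with X or Xsco bypasses this: as section 1
        notes, Xauthority-style access control is only enabled when the server
        is started by scologin, startx, or xinit.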

5. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0390

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr862325 fz520452
        erg712002.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


7. Acknowledgments

        SCO would like to thank Kevin R Finisterre

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAoB0HaqoBO7ipriERAg7xAKCI5A+YHtpM5PLm+VYlKu7R14+U2wCffk/8
Iuf+dACi59/YfKVor4G1Zu0=
=65Jx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html