Vulnerability Development mailing list archives

Caldera OpenUnix8 Overflows (reject, lpsystem, su)


From: KF <dotslash () snosoft com>
Date: Mon, 23 Jul 2001 05:02:29 -0400

I contacted Caldera (SCO) about some local overflows in a few binaries
that came default with my install of OpenUnix8... Here is a snippet
of the email dialog between us. Due to the lack of access to the machine
and lack of a good debugger on the system, I have not had time to put
any further research time in. If anyone else has access to this fairly
new OS, feedback would be appreciated. Sorry for the lack of info on
this subject.
-KF

tigger () caldera com wrote:

To: dotslash () snosoft com

Hi,

We've heard that you have found some suid overflows in OU8. In
particular, su was mentioned. We've fixed several problems with this
command, but it didn't fully get fixed until OU8 FCS. Are you certain
that you are not testing this on Beta?

Not unless you mailed me beta media when I purchased it last week. =]
The basics of the issues are:

/bin/su and /sbin/su are not the same file and they both suffer the 
same overflow. They differ in size to say the least. 

TERM=`perl -e 'print "A" x 7000'`
su - 
core dump

or TERMINFO=long string 
TERM=semilong string
su - nobody 
core dump

/usr/sbin/reject `perl -e 'print "A" x 7000'` 
core dump

/usr/sbin/lpsystem `perl -e 'print "A" x 7000'` 
core dump 

-KF

