linux, säkerhet

100543 2003-05-06  18:03  /162 rader/  <security@sco.com>
Importerad: 2003-05-06  18:03  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: announce@lists.caldera.com
Extern mottagare: security-alerts@linuxsecurity.com
Externa svar till: please_reply_to_security@sco.com
Mottagare: Bugtraq (import) <4793>
Ärende: Security Update: [CSSA-2003-018.0] OpenLinux: file command buffer overflow
------------------------------------------------------------
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: file command buffer overflow
Advisory number: 	CSSA-2003-018.0
Issue date: 		2003 April 28
Cross reference:
______________________________________________________________________________


1. Problem Description

	The file command is vulnerable to a buffer overflow when given
	a maliciously crafted binary to examine.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to file-3.28-8.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to file-3.28-8.i386.rpm

	OpenLinux 3.1 Server		prior to file-3.28-8.i386.rpm

	OpenLinux 3.1 Workstation	prior to file-3.28-8.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater,
	called cupdate (or kcupdate under the KDE environment), to
	update these packages rather than downloading and installing
	them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-018.0/RPMS

	4.2 Packages

	d0ad82669f9b01fd96dfcc62dc94f57c	file-3.28-8.i386.rpm

	4.3 Installation

	rpm -Fvh file-3.28-8.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-018.0/SRPMS

	4.5 Source Packages

	8c906c8f4ef25a26e7bcde0a93c3b674	file-3.28-8.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-018.0/RPMS

	5.2 Packages

	d1a99e375dfd64eaf46cc9b0db3132c2	file-3.28-8.i386.rpm

	5.3 Installation

	rpm -Fvh file-3.28-8.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-018.0/SRPMS

	5.5 Source Packages

	8d667b887a27ea3973a5049505910944	file-3.28-8.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-018.0/RPMS

	6.2 Packages

	9bb629d683cd6f97d490c16e069f9593	file-3.28-8.i386.rpm

	6.3 Installation

	rpm -Fvh file-3.28-8.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-018.0/SRPMS

	6.5 Source Packages

	2f3aeeba02521523d0a74518d44cae96	file-3.28-8.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-018.0/RPMS

	7.2 Packages

	e464c56f403a596e7a8faae665d6f1cf	file-3.28-8.i386.rpm

	7.3 Installation

	rpm -Fvh file-3.28-8.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-018.0/SRPMS

	7.5 Source Packages

	02bb22adeb36b09cfef84cb210ee7114	file-3.28-8.src.rpm


8. References

	Specific references for this advisory:

		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0102

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr876782, fz527684,
	erg712286.


9. Disclaimer

	SCO is not responsible for the misuse of any of the
	information we provide on this website and/or through our
	security advisories. Our advisories are a service to our
	customers intended to promote secure installation and use of
	SCO products.


10. Acknowledgements

	David Endler of iDEFENSE discovered and researched
this	vulnerability.

______________________________________________________________________________
(100543) / <security@sco.com>/------------(Ombruten)
Bilaga (application/pgp-signature) i text 100544
100544 2003-05-06  18:03  /9 rader/  <security@sco.com>
Importerad: 2003-05-06  18:03  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: announce@lists.caldera.com
Extern mottagare: security-alerts@linuxsecurity.com
Externa svar till: please_reply_to_security@sco.com
Mottagare: Bugtraq (import) <4794>
Bilaga (text/plain) till text 100543
Ärende: Bilaga till: Security Update: [CSSA-2003-018.0] OpenLinux: file command buffer overflow
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj6y4SAACgkQbluZssSXDTFaqwCgradhf5UtRzjhWn00tBiTYsY1
HZcAoIeUZW/dT6eT76tooiUE3D5FKPrf
=A1VO
-----END PGP SIGNATURE-----
(100544) / <security@sco.com>/----------------------