SCO Security Advisory - Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.
47e004e77d661de8734283de6bd87cbb7957bfb833df1fdc601dad8e564ad138
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.4 UnixWare 7.1.3 UnixWare 7.1.1 : telnet client multiple issues
Advisory number: SCOSA-2005.21
Issue date: 2005 April 08
Cross reference: sr893210 fz531446 erg712801 CAN-2005-0469 CAN-2005-0468
______________________________________________________________________________
1. Problem Description
Buffer overflow in the slc_add_reply function in various
BSD-based Telnet clients, when handling LINEMODE suboptions,
allows remote attackers to execute arbitrary code via a
reply with a large number of Set Local Character (SLC)
commands.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0469 to this issue.
Heap-based buffer overflow in the env_opt_add function
in telnet.c for various BSD-based Telnet clients allows
remote attackers to execute arbitrary code via responses
that contain a large number of characters that require
escaping, which consumers more memory than allocated.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-0468 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.4 /usr/bin/telnet
UnixWare 7.1.3 /usr/bin/telnet
UnixWare 7.1.1 /usr/bin/telnet
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.4
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
4.2 Verification
MD5 (erg712801.714.pkg.Z) = bf53673ea12a1c25e3606a5b879adbc4
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.714.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.714.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.714.pkg
5. UnixWare 7.1.3
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
5.2 Verification
MD5 (erg712801.713.pkg.Z) = e876b261afbecb41c18c26d6ec11e71d
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.713.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.713.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.713.pkg
6. UnixWare 7.1.1
6.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.21
6.2 Verification
MD5 (erg712801.711.pkg.Z) = f3099416a793c1f731bc7e377fe0e4a2
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
6.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712801.711.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712801.711.pkg.Z
# pkgadd -d /var/spool/pkg/erg712801.711.pkg
7. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr893210 fz531446
erg712801.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
SCO would like to thank Gal Delalleau and iDEFENSE
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)
iD8DBQFCVtn4aqoBO7ipriERAkZbAJ9qiuR3M89tJWzyJ3K7Q5NbBRTvMgCfdeFY
JmJIo8zz/ppyCI4EQ5UY9jA=
=8sOq
-----END PGP SIGNATURE-----