[Full-disclosure] SCOSA-2006.10 OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : Multiple System Libraries Vulnerabilities

[Security Officer <security@xxxxxxx>]

-- 
Dr. Ronald Joe Record
Chief Security Officer
SCO
rr@xxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.6 OpenServer 5.0.7 OpenServer 6.0.0 : 
Multiple System Libraries Vulnerabilities
Advisory number:        SCOSA-2006.10
Issue date:             2006 March 14
Cross reference:        fz532924 fz532923 fz533164 fz533174 fz533390
                        CVE-2005-2491 CVE-2005-3183 CVE-2005-3185
______________________________________________________________________________


1. Problem Description

        PCRE is prone to a heap-overflow vulnerability. This issue
        is due to the library's failure to properly perform boundary
        checks on user-supplied input before copying data to an
        internal memory buffer. The impact of successful exploitation
        of this vulnerability depends on the application and the user
        credentials using the vulnerable library.  A successful attack
        may ultimately permit an attacker to control the contents of
        critical memory control structures and write arbitrary data to
        arbitrary memory locations.  Integer overflow in pcre_compile.c
        in Perl Compatible Regular Expressions (PCRE) before 6.2, as
        used in multiple products such as Python, Ethereal, and PHP,
        allows attackers to execute arbitrary code via quantifier
        values in regular expressions, which leads to a heap-based
        buffer overflow.
        
        W3C Libwww is prone to multiple vulnerabilities. These issues
        include a buffer overflow vulnerability and some issues related
        to the handling of multipart/byteranges content. Libwww
        5.4.0 is reported to be vulnerable.  Other versions may
        be affected as well. These issues may also be exploited
        through other applications that implement the library. The
        HTBoundary_put_block function in HTBound.c for W3C libwww
        (w3c-libwww) allows remote servers to cause a denial of service
        (segmentation fault) via a crafted multipart/byteranges MIME
        message that triggers an out-of-bounds read.
        
        GNU wget and cURL are prone to a buffer overflow vulnerability.
        This issue is due to a failure in the applications to do
        proper bounds checking on user supplied data before using
        it in a memory copy operation.  An attacker can exploit this
        vulnerability to execute arbitrary code in the context of the
        user utilizing the vulnerable application. Exploitation of this
        vulnerability requires that NTLM authentication is enabled
        in the affected clients. Stack-based buffer overflow in the
        ntlm_output function in http-ntlm.c for (1) wget 1.10, (2)
        curl 7.13.2, and (3) libcurl 7.13.2, and other products that
        use libcurl, when NTLM authentication is enabled, allows remote
        servers to execute arbitrary code via a long NTLM username.
        
        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the names CVE-2005-2491,
        CVE-2005-3183, and CVE-2005-3185 to these issues.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6        libpcre, libwww, libcurl libraries in the
                                gwxlibs component
        OpenServer 5.0.7        libpcre, libwww, libcurl libraries in the
                                gwxlibs component
        OpenServer 6.0.0        libpcre, libwww, libcurl libraries in the
                                gwxlibs component


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.6

        4.1 Location of Fixed Binaries

        
ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/gwxlibs210Ba_vol.tar


        4.2 Verification

        MD5 (gwxlibs210Ba_vol.tar) = 18213632bd0c5ff1e260eac90aae7033

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Download and install the Supplemental Graphics, Web and X11
        Libraries (gwxlibs) version 2.1.0Ba from:

        ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/

        This supplement can be installed on the following
        SCO OpenServer release(s):

                SCO OpenServer Release 5.0.6 with RS506A and OSS646C

        See:
        
ftp://ftp.sco.com/pub/openserver5/opensrc/gwxlibs-2.1.0Ba/gwxlibs-2.1.0Ba.txt


5. OpenServer 5.0.7

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar


        5.2 Verification

        MD5 (osr507mp4_vol.tar) = 4c87d840ff5b43221258547d19030228

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        See the SCO OpenServer Release 5.0.7 Maintenance Pack 4 Release
        and Installation Notes:

        ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm


6. OpenServer 6.0.0

        6.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.iso


        6.2 Verification

        MD5 (osr600mp2.iso) = 7e560dcde374eb60df2b4a599ac20d8a

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        6.3 Installing Fixed Binaries

        See the SCO OpenServer Release 6.0.0 Maintenance Pack 2 Release
        and Installation Notes:

        ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.html


7. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2491
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3183
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3185
                http://www.securityfocus.com/bid/14620 
                http://www.securityfocus.com/bid/15035 
                http://www.securityfocus.com/bid/15102 
                http://securitytracker.com/id?1014744 
                http://securitytracker.com/id?1015057

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz532924 fz532923 fz533164
        fz533174 fz533390.


8. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (UnixWare)

iD8DBQFEFynVaqoBO7ipriERAusBAJ449zh23lL5tq9yV2PpPqoGY3yiDQCfSCw9
/S2QKbSM8J+jGesfDrbV7wU=
=WXg5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/