[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] SCOSA-2006.15 OpenServer 5.0.7 OpenServer 6.0.0 : Xpdf Multiple Buffer Overflow Vulnerabilities

To: security-announce@xxxxxxxxxxxx
Subject: [Full-disclosure] SCOSA-2006.15 OpenServer 5.0.7 OpenServer 6.0.0 : Xpdf Multiple Buffer Overflow Vulnerabilities
From: SCO Security Advisories <security@xxxxxxx>
Date: Thu, 23 Mar 2006 11:18:29 -0800

-- 
Dr. Ronald Joe Record
Chief Security Officer
SCO
rr@xxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 6.0.0 : Xpdf Multiple 
Buffer Overflow Vulnerabilities
Advisory number:        SCOSA-2006.15
Issue date:             2006 March 22
Cross reference:        fz533384 CVE-2005-3624 CVE-2005-3625
                        CVE-2005-3626 CVE-2005-3627 CVE-2006-0301
                        
______________________________________________________________________________


1. Problem Description

        Multiple buffer overflow vulnerabilities in xpdf.
        
        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the names CVE-2005-3624,
        CVE-2005-3625, CVE-2005-3626, CVE-2005-3627, and CVE-2006-0301
        to these issues.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                xpdf package
        OpenServer 6.0.0                xpdf package


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.15


        4.2 Verification

        MD5 (xpdf-3.0.1Ta-5.0.7-VOLS.tar) = f5daeea33bf8930b98b535945dfa58cf

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download xpdf-3.0.1Ta-5.0.7-VOLS.tar to a directory.

        2) Extract VOL* files.

           # tar xvf xpdf-3.0.1Ta-5.0.7-VOLS.tar

        3) Run the custom command, specify an install
           from media images, and specify the directory as
           the location of the images.


5. OpenServer 6.0.0

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.iso


        5.2 Verification

        MD5 (osr600mp2.iso) = 7e560dcde374eb60df2b4a599ac20d8a

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        See the SCO OpenServer Release 6.0.0 Maintenance Pack 2 Release
        and Installation Notes:

        ftp://ftp.sco.com/pub/openserver6/600/mp/osr600mp2/osr600mp2.html


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3191
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3192
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
                http://secunia.com/advisories/17897/
                http://secunia.com/advisories/18303/
                http://secunia.com/advisories/18677/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz533384.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgments

        Thanks to Chris Evans and others for reporting these
        vulnerabilities.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SCO_SV)

iD8DBQFEIu1uaqoBO7ipriERAj9sAJ9o28lTkefP/WwA+7+NdSyUhXZX/ACeJtlJ
aHzHUpCB/RdsbcKbF77nxL0=
=wcsd
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Next by Date: Re: [Full-disclosure] Re: Re: Re: Links to Google's cache of626FrSIRTexploits
Previous by thread: [Full-disclosure] Microsoft MSN Hotmail : Cross-Site Scripting Vulnerability
Next by thread: [Full-disclosure] recommendations ??
Index(es):
- Date
- Thread