TUCoPS :: SCO :: bt1657.txt

OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs



To: announce@lists.caldera.com bugtraq@securityfocus.com full-disclosure@lists.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7: Multiple vulnerabilities affecting several components of gwxlibs
Advisory number: 	CSSA-2003-SCO.29
Issue date: 		2003 November 04
Cross reference: 	sr885387 fz528382 erg712448 sr875559 fz527506 erg712256 sr875409 fz527489 erg712252 CAN-2003-0543 CAN-2003-0544 CAN-2003-0545 CAN-2003-0131 CAN-2003-0107
______________________________________________________________________________


1. Problem Description

   Multiple vulnerabilities affecting several components of gwxlibs. The issues are:

        Multiple Vulnerability Issues in OpenSSL up to and including 0.9.6j and 0.9.7b

                NISCC/006489/openssl/1 

                        CAN-2003-0543 Integer overflow in OpenSSL 0.9.6 and 0.9.7 may allow 
			remote attackers to cause a denial of service (crash) via an SSL client
                        certificate with certain ASN.1 tag values.

                        CAN-2003-0544 OpenSSL 0.9.6 and 0.9.7 does not properly track the number
                        of characters in certain ASN.1 inputs, which mahy allow remote attackers to
                        cause a denial of service (crash) via an SSL client certificate that causes
                        OpenSSL to read past the end of a buffer when the long form is used.

                NISCC/006489/openssl/2 

                        An invalid public key in a certificate will crash the verify code if it is set
                        to ignore all errors. This isnt done in production code just for debugging
                        purposes. Successful exploitation would result in a Denial of Service
                        condition.

                NISCC/006489/openssl/3 

                        CAN-2003-0545 Double-free vulnerability in OpenSSL 0.9.7 may allow remote attackers
                        to cause a denial of service (crash) and possibly execute arbitrary code via an
                        SSL client certificate with a certain invalid ASN.1 encoding.

                        Certain ASN.1 structures which are rejected as invalid by the parser result in
                        part of the corresponding structure being freed up incorrectly. In theory
                        exploitation of this vulnerability could result in an attacker being able to
                        execute malicious code.

                GNU TLS Library Record Layer Timing Information Leakage Weakness

                        CAN-2003-0131 The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7,
                        and 0.9.7a may allow remote attackers to perform an unauthorized RSA private key
                        operation via a modified Bleichenbacher attack that uses a large number of SSL
                        or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak
                        information regarding the relationship between ciphertext and the associated
                        plaintext, aka the "Klima-Pokorny-Rosa attack."

        Buffer overflow in the gzprintf function in zlib 1.1.4

                CAN-2003-0107 Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib
                is compiled without vsnprintf or when long inputs are truncated using vsnprintf,
                may allow attackers to cause a denial of service or possibly execute arbitrary code.

		Since OpenServer builds of libz use vsnprintf(), only the less serious truncation 
		part of this potential vulnerability applies even when this supplement is not installed.

		This supplement contains zlib 1.1.4 patched with an unofficial patch has been 
		released which implements proper verification of the usability of the vsnprintf() 
		function. No new official zlib version has been released.

	1.1  Changes in this version of gwxlibs

	This version of gwxlibs several improvements over the
	previous version and the gwxlibs package that was distributed as
	GWXLIBS version 1.3.1Ba.  This section briefly lists the packages updated
	and improvements made.

	  o  expat updated to 1.95.7
	  o  libmng updated to 1.0.6
	  o  fontconfig updated to 2.2
	  o  gettext updated to 0.12.1
	  o  XMLSEC updated to 1.2.1
	  o  TIFF updated to 3.6.0
	  o  NetPBM updated to 10.18
	  o  LCMS updated to 1.11
	  o  Freetype2 updated to 2.1.5
	  o  PCRE updated to 4.4
	  o  OpenSSL 0.9.6 updated to 0.9.6k
	  o  OpenSSL 0.9.7c added
	  o  XSLT updated to 1.0.33
	  o  XML2 updated to 2.6.1
	  o  GTK+ updated to 2.2.4
	  o  GLIB updated to 2.2.3
	  o  Pango updated to 1.2.5
	  o  GDOME2 updated to 0.8.0
	  o  Sablotron updated to 1.0
	  o  cURL upgraded to 7.10.7
	  o  libIDL upgraded to 0.8.2
	  o  OpenLDAP updated to 2.1.23
	  o  Xalan-C updated to 1.6
	  o  Xerces-C updated to 2.3.0
	  o  MM updated to 1.3.0
	  o  Added missing alias files for pango
	  o  Compile GDOME and libIDL twice, once linking to glib1 and once to glib2

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5 		gwxlibs Distribution
	OpenServer 5.0.6 		gwxlibs Distribution
	OpenServer 5.0.7 		gwxlibs Distribution


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.5 / OpenServer 5.0.6

	4.1 First install  OSS646B - Execution Environment Supplement

	4.2 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29


	4.3 Verification

	MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
	MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
	MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
	MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.4 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.

5. OpenServer 5.0.7

	5.1 First install Maintenance Pack 1

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

	5.2 Verification

	MD5 (VOL.000.000) = fa163df4aca2dc283ac15a643492fce9
	MD5 (VOL.000.001) = 406b89eb5f1e1407e1dcd9f92a2914f9
	MD5 (VOL.000.002) = fb632551866bca26dbd88b1159cc949e
	MD5 (VOL.000.003) = 84a03cddaa2bc8336d186562fb9ad6f6

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.


6. References

	Specific references for this advisory:
		http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr885387 fz528382
	erg712448 sr875559 fz527506 erg712256 sr875409 fz527489
	erg712252.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


8. Acknowledgments

	SCO would like to thank National Infrastructure Security
	Co-ordination Centre (NISCC) and Stephen Henson, a member
	of the OpenSSL core team. SCO would also like to thank Ralf
	S. Engelschall, Kelledin, and crazy_einstein@yahoo.com for
	the zlib research.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/qtdRaqoBO7ipriERAtYeAJ4qoIeN+aUszciLap/P0quqA5Ef6wCfWDjU
vOARm6zL+kTrWaL7TJK8/n8=
=9AX3
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH