TUCoPS :: SCO :: cs2sco22.txt

OpenServer 5.0.5/6 : scoadmin command creates temporary files ins - Caldera Advisory CSSA-2002-SCO.22 

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 : scoadmin command creates temporary files insecurely
Advisory number: 	CSSA-2002-SCO.22
Issue date: 		2002 May 28
Cross reference:
______________________________________________________________________________


1. Problem Description

	The scoadmin command creates and uses temporary files
	insecurely. Names can be predicted, and spoofed with symbolic
	links.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5		/etc/sysadm.d/lib/sysadm.tlib
					/etc/sysadm.d/lib/sysadm.tndx
	OpenServer 5.0.6		/etc/sysadm.d/lib/sysadm.tlib
					/etc/sysadm.d/lib/sysadm.tndx


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.5

	4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22


4.2 Verification

	MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	1) Download the VOL* files to the /tmp directory

	Run the custom command, specify an install from media images,
	and specify the /tmp directory as the location of the images.


5. OpenServer 5.0.6

	5.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.22


5.2 Verification

	MD5 (VOL.000.000) = 814cc4af8e653baf220f2a94b23ff741

	md5 is available for download from
		ftp://stage.caldera.com/pub/security/tools/


5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	1) Download the VOL* files to the /tmp directory

	Run the custom command, specify an install from media images,
	and specify the /tmp directory as the location of the images.


6. References

	Specific references for this advisory:
		none

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

This security fix closes Caldera incidents sr847944,
	SCO-1-233, erg711739.


7. Disclaimer

	Caldera International, Inc. is not responsible for the
	misuse of any of the information we provide on this website
	and/or through our security advisories. Our advisories are
	a service to our customers intended to promote secure
	installation and use of Caldera products.


8. Acknowledgements

	Kevin Finisterre (dotslash@snosoft.com) discovered and
	researched this vulnerability.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH