COMMAND

	dtprintinfo buffer overflow in various Unix systems

SYSTEMS AFFECTED

	 SCO UnixWare 7

	 OpenUnix 8.0.0

	

	 -Also-

	

	 Compaq Tru64 UNIX V4.0F

	 Compaq Tru64 UNIX V5.0

	 Compaq Tru64 UNIX V5.1

	 Compaq Tru64 UNIX V5.1A

	

PROBLEM

	In Caldera Security bulletin  CSSA-2001-SCO.22  (http://www.caldera.com)
	:
	

	Very long environment variables will cause the  dtprintinfo  command  to
	overflow a buffer. This could be used by an unauthorized  user  to  gain
	privilege.
	

	

	 Update (18 April 2002)

	 ======

	

	In Noboru Yoshinaga [yosinaga@lac.co.jp] SNS Advisory No.50 :
	

	The  /usr/dt/bin/dtprintinfo  included  with  Compaq  Tru64  UNIX  is  a
	program for opening the  CDE  Print  Manager  window.  This  program  is
	installed as SUID root. In dtprintinfo  it  is  possible  to  restore  a
	client to the original desktop state by loading the session  file  using
	the \"-session\" option. A buffer overflow  will  occur  in  dtprintinfo
	when  an  unusually  long  string  of  characters  is  used  in  session
	filenames. This will result in the possibility for  the  local  attacker
	to execute arbitrary code as root.

SOLUTION

	Get patch from :
	

	ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/

	md5 checksums:e726067eba0107ac5efd8c1fdb141b0d	dtprintinfo.Z

	

	

	Compaq :
	 

	http://ftp.support.compaq.com/patches/.new/html/SSRT-541.shtml