Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2003-018.0] OpenLinux: file command buffer overflow
From: security () sco com
Date: Fri, 2 May 2003 14:20:32 -0700

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com


______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: file command buffer overflow
Advisory number:        CSSA-2003-018.0
Issue date:             2003 April 28
Cross reference:
______________________________________________________________________________


1. Problem Description

        The file command is vulnerable to a buffer overflow when given
        a maliciously crafted binary to examine.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to file-3.28-8.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to file-3.28-8.i386.rpm

        OpenLinux 3.1 Server            prior to file-3.28-8.i386.rpm

        OpenLinux 3.1 Workstation       prior to file-3.28-8.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-018.0/RPMS

        4.2 Packages

        d0ad82669f9b01fd96dfcc62dc94f57c        file-3.28-8.i386.rpm

        4.3 Installation

        rpm -Fvh file-3.28-8.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-018.0/SRPMS

        4.5 Source Packages

        8c906c8f4ef25a26e7bcde0a93c3b674        file-3.28-8.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-018.0/RPMS

        5.2 Packages

        d1a99e375dfd64eaf46cc9b0db3132c2        file-3.28-8.i386.rpm

        5.3 Installation

        rpm -Fvh file-3.28-8.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-018.0/SRPMS

        5.5 Source Packages

        8d667b887a27ea3973a5049505910944        file-3.28-8.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-018.0/RPMS

        6.2 Packages

        9bb629d683cd6f97d490c16e069f9593        file-3.28-8.i386.rpm

        6.3 Installation

        rpm -Fvh file-3.28-8.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-018.0/SRPMS

        6.5 Source Packages

        2f3aeeba02521523d0a74518d44cae96        file-3.28-8.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-018.0/RPMS

        7.2 Packages

        e464c56f403a596e7a8faae665d6f1cf        file-3.28-8.i386.rpm

        7.3 Installation

        rpm -Fvh file-3.28-8.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-018.0/SRPMS

        7.5 Source Packages

        02bb22adeb36b09cfef84cb210ee7114        file-3.28-8.src.rpm


8. References

        Specific references for this advisory:

                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0102

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr876782, fz527684,
        erg712286.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        David Endler of iDEFENSE discovered and researched this vulnerability.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2003-018.0] OpenLinux: file command buffer overflow security (May 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault