-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: Linux: slocate command line buffer overflows Advisory number: CSSA-2003-009.0 Issue date: 2003 March 06 Cross reference: ______________________________________________________________________________ 1. Problem Description The slocate command suffers from two command line buffer overflows. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to slocate-2.6-3.i386.rpm OpenLinux 3.1.1 Workstation prior to slocate-2.6-3.i386.rpm OpenLinux 3.1 Server prior to slocate-2.6-3.i386.rpm OpenLinux 3.1 Workstation prior to slocate-2.6-3.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-009.0/RPMS 4.2 Packages d357c2ee6bd94601dc6be091ddf8082e slocate-2.6-3.i386.rpm 4.3 Installation rpm -Fvh slocate-2.6-3.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-009.0/SRPMS 4.5 Source Packages 7125d9ef9ec4c3285112fbfabf239a5f slocate-2.6-3.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-009.0/RPMS 5.2 Packages 685e16e765ceaed906a59e65860848b2 slocate-2.6-3.i386.rpm 5.3 Installation rpm -Fvh slocate-2.6-3.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-009.0/SRPMS 5.5 Source Packages 4f513aebf7046701c41eee72f8e15c2a slocate-2.6-3.src.rpm 6. OpenLinux 3.1 Server 6.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-009.0/RPMS 6.2 Packages ce609a2df9f795106913c60a86c30427 slocate-2.6-3.i386.rpm 6.3 Installation rpm -Fvh slocate-2.6-3.i386.rpm 6.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-009.0/SRPMS 6.5 Source Packages 6e0da763e91bf91362d2521ef471c457 slocate-2.6-3.src.rpm 7. OpenLinux 3.1 Workstation 7.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-009.0/RPMS 7.2 Packages 239f88e2ba4d1db53cd49e8ab5d22b28 slocate-2.6-3.i386.rpm 7.3 Installation rpm -Fvh slocate-2.6-3.i386.rpm 7.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-009.0/SRPMS 7.5 Source Packages 1bd5b95650c530fbe48d58d7bdc2dd8d slocate-2.6-3.src.rpm 8. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0056 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr873878, fz527219, erg712211, erg712226. 9. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 10. Acknowledgements Knight420 and Gregory Duchemin discovered and investigated these vulnerabilities. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj5nuuEACgkQbluZssSXDTGQIwCfY9/jmccGrzMkNZG3ZjrlqPb1 z3UAoLNEgEklUVzM7n31AGCuQNstsE/b =xrr+ -----END PGP SIGNATURE-----