Subject: UnixWare 7.1.0: Unnecessary privileges are given to some packaging commands
Advisory number: n/a
Issue date: n/a
ftp://ftp.sco.com/pub/security/sse/ptf7408b

Dear SCO Customer,

The enclosed Support Level Supplement (SLS) PTF7408B, the UnixWare 7.1.0 Security Fix, addresses the following problems:

1. Unnecessary privileges are given to some packaging commands, which allows users to compromise system security by adding or removing privileged files.
2. Users can use the packaging tools to read restricted system files.
3. Users can create arbitrary root-owned directories.
4. There is the potential for a buffer overflow attack.
5. Booting is slow on systems where disks and other devices share the same controller.

SLS PTF7408B contains these files:

/usr/lib/libadm.a
/etc/scsi/pdimkdev
/sbin/putdev
/usr/bin/ddbconv
/usr/bin/devattr
/usr/bin/getdev
/usr/bin/pkginfo
/usr/bin/pkgparam
/usr/bin/pkgtrans
/usr/bin/getdgrp
/usr/bin/getvol
/usr/sbin/pkgadd
/usr/sbin/pkgrm
/usr/sbin/pkgchk
/usr/sbin/installf
/usr/sbin/pkgcat
/usr/sbin/pkginstall
/usr/sbin/prtconf
/usr/sadm/install/bin/pkgaudit
/usr/sadm/install/bin/pkginstall
/usr/sadm/install/bin/pkgname
/usr/sadm/install/bin/pkgremove

Software Notes and Recommendations
----------------------------------

SLS PTF7408B should only be installed on:

UnixWare 7.1.0

Installation Instructions
-------------------------

1. Download the ptf7408b.Z file to the /tmp directory on your machine.

2. As root, uncompress the file and add the package to your system using these commands:

   $ su
   Password:
   # uncompress /tmp/ptf7408b.Z
   # pkgadd -d /tmp/ptf7408b
   # rm /tmp/ptf7408b

3. There is no need to reboot the system after installing this package.
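Because this SLS replaces a fixed set of privileged packaging binaries, it is worth recording the mode, owner and checksum of every file in the list before and after running pkgadd, so that you can confirm each file was actually replaced and later detect tampering with the same tools the fix hardens. The script below is an added example, not part of SCO's advisory or the PTF itself; the file list is copied from the advisory, and the optional root-directory argument (default: the live filesystem) is an assumption added so the same check can be pointed at a mounted image or a test tree.

```shell
#!/bin/sh
# Added example (not SCO code): manifest the files shipped in SLS PTF7408B.
# Usage: ptf7408_manifest [root]  -> prints one line per file:
#   OK <mode> <owner> <cksum> <path>   or   MISSING <path>
# Run once before "pkgadd -d /tmp/ptf7408b" and once after, then diff the
# two outputs; every non-MISSING line should change after the update.

# File list taken verbatim from the advisory.
PTF7408B_FILES="
/usr/lib/libadm.a
/etc/scsi/pdimkdev
/sbin/putdev
/usr/bin/ddbconv
/usr/bin/devattr
/usr/bin/getdev
/usr/bin/pkginfo
/usr/bin/pkgparam
/usr/bin/pkgtrans
/usr/bin/getdgrp
/usr/bin/getvol
/usr/sbin/pkgadd
/usr/sbin/pkgrm
/usr/sbin/pkgchk
/usr/sbin/installf
/usr/sbin/pkgcat
/usr/sbin/pkginstall
/usr/sbin/prtconf
/usr/sadm/install/bin/pkgaudit
/usr/sadm/install/bin/pkginstall
/usr/sadm/install/bin/pkgname
/usr/sadm/install/bin/pkgremove
"

# ptf7408_manifest [root]
# "root" is an assumed, optional prefix (e.g. a mounted image); it is empty
# for the live system. Returns the number of listed files that are missing.
ptf7408_manifest() {
    root="${1:-}"
    missing=0
    for f in $PTF7408B_FILES; do
        p="$root$f"
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$f"
            missing=$((missing + 1))
            continue
        fi
        # Mode string and owner from ls -ld (columns 1 and 3), content
        # checksum from the POSIX cksum utility (first field).
        mode_owner=$(ls -ld "$p" | awk '{print $1, $3}')
        sum=$(cksum "$p" | awk '{print $1}')
        printf 'OK %s %s %s\n' "$mode_owner" "$sum" "$f"
    done
    return "$missing"
}

# ptf7408_compare before.txt after.txt
# Prints the paths whose manifest line did not change between two runs;
# after applying the PTF these are the files that were NOT replaced.
ptf7408_compare() {
    # Lines present in both files are unchanged; strip them down to the path.
    grep -F -x -f "$1" "$2" | awk '{print $NF}'
}
```

Typical use is `ptf7408_manifest > /tmp/before.txt`, apply the SLS, `ptf7408_manifest > /tmp/after.txt`, then `ptf7408_compare /tmp/before.txt /tmp/after.txt`; any path printed by the compare step is one the update did not touch and deserves a look with pkgchk once the fixed pkgchk is in place.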
The release notes displayed prior to installation can be found in:

/var/sadm/pkg/ptf7408/install/ptf7408.txt

Removal Instructions
--------------------

Removing this PTF leaves your system exposed to a serious security problem that allows any of your users to make arbitrary changes to the packages that are installed on your system. SCO strongly recommends that this SLS be removed only if you subsequently intend to remove Update 7.1.0 from your system.

1. As root, remove the package using these commands:

   $ su
   Password:
   # pkgrm ptf7408

2. There is no need to reboot the system after removing this SLS.

If you have questions regarding this supplement, or the product on which it is installed, please contact your software supplier.