What is Security Supplement p534589b, the UnixWare 7 pkgadd security patch?

KEYWORDS: unixware 7.1.4 security pkgadd directory traversal vulnerability 714 fz534589 p534589 7.1.3 713 CVE-2008-0310

RELEASE:
  SCO UnixWare Release 7.1.4
  SCO UnixWare Release 7.1.3

PROBLEM:
  What is p534589b, the UnixWare 7 pkgadd security patch?

SOLUTION:
  p534589b repairs a directory traversal vulnerability discovered in the pkgadd(1M) utility.

  p534589b has the following changes above and beyond p534589:

  - Installation is now supported on UnixWare 7.1.3 systems.

  What follows is the Security Advisory for this fix:

______________________________________________________________________________

                         SCO Security Advisory

Subject:                pkgadd(1M) Directory Traversal Vulnerability
Advisory number:        SCOSA-2008.3
Issue date:             31 March 2008
Cross reference:        fz534589 CVE-2008-0310
______________________________________________________________________________

1. Problem Description

   pkgadd(1M) could allow a local attacker to execute arbitrary code as root.

2. Vulnerable Supported Versions

   System                          Binaries
   ----------------------------------------------------------------------
   UnixWare 7.1.4 and 7.1.3        pkgadd pkgrm

3. Solution

   The proper solution is to install the package below.

4. UnixWare 7.1.4 and 7.1.3

   4.1 Location of Fixed Binaries

   ftp://ftp.sco.com/pub/unixware7/714/security/p534589b/

   4.2 Verification

   MD5 (p534589.image) = f2de826907c36a234d6c5c9a894f24df

   md5 is available for download from
   ftp://ftp.sco.com/pub/security/tools

   4.3 Installation Instructions

   1) Download the p534589b.image file to the /tmp directory on your
      machine.

   2) As root, add the package to your system using these commands:

      $ su -
      Password:
      # pkgadd -d /tmp/p534589b.image

      Alternatively, this package may be installed in quiet mode, that is,
      without displaying the release notes and asking for confirmation.
      To do this, use these commands:

      $ su -
      Password:
      # pkgadd -qd /tmp/p534589b.image all

   3) There is no need to reboot the system after installing this package.

   4.4 Removal Instructions

   1) As root, remove the package using these commands:

      $ su -
      Password:
      # pkgrm p534589

5. OpenServer 6.0.0

   OpenServer 6.0.0 is not affected by this vulnerability.

6. OpenServer 5.0.7

   OpenServer 5.0.7 is not affected by this vulnerability.

7. References

   Specific references for this advisory:
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0310

   SCO security resources:
   http://www.sco.com/support/download.html

   SCO security advisories via email:
   http://www.sco.com/support/forums/security.html

   This security fix closes SCO incident fz534589.

8. Disclaimers

   SCO is not responsible for the misuse of any of the information we
   provide on this website and/or through our security advisories. Our
   advisories are a service to our customers intended to promote secure
   installation and use of SCO products.

9. Acknowledgements

   SCO would like to acknowledge VeriSign iDefense Labs for reporting this
   issue.
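A scripted form of the verification and installation steps in sections 4.2 and 4.3, added here as an example and not part of SCO's advisory: it refuses to run pkgadd unless the downloaded image's MD5 matches the value the advisory publishes. It assumes either md5sum or SCO's md5 tool is on the PATH; the function names are mine.

```shell
#!/bin/sh
# MD5 published in section 4.2 of SCOSA-2008.3 (listed there against p534589.image).
ADVISORY_MD5=f2de826907c36a234d6c5c9a894f24df

# Print the 32-hex-digit MD5 of the file named in $1.
# Uses md5sum ("<hash>  <file>") when present, otherwise SCO's md5 tool,
# whose output has the form "MD5 (file) = <hash>" as shown in section 4.2.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: succeed (return 0) only if FILE's MD5 equals EXPECTED.
# Comparison is case-insensitive so a pasted upper-case digest still matches.
verify_md5() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$image" ]; then
        echo "verify_md5: cannot read $image" >&2
        return 1
    fi
    actual=$(md5_of "$image" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "verify_md5: $image MD5 $actual does not match $expected" >&2
        return 1
    fi
    return 0
}

# install_p534589b [IMAGE] [EXPECTED_MD5]: the quiet-mode install from
# section 4.3, gated on a successful digest check. Must be run as root.
install_p534589b() {
    image=${1:-/tmp/p534589b.image}
    expected=${2:-$ADVISORY_MD5}
    verify_md5 "$image" "$expected" || {
        echo "refusing to install: $image failed verification" >&2
        return 1
    }
    pkgadd -qd "$image" all
}
```

Run it as `install_p534589b /tmp/p534589b.image` after downloading the image; a mismatch stops before pkgadd is ever invoked.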