-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.4 UnixWare 7.1.3 : The error handling in the inflate and inflateBack functions in ZLib compression library allows local users to cause a denial of service
Advisory number:        SCOSA-2004.17
Issue date:             2004 October 18
Cross reference:        sr891410 fz530158 erg712692 VU#238678 CAN-2004-0797
______________________________________________________________________________


1. Problem Description

        CERT Vulnerability Note VU#238678

        Un-handled error conditions in the zlib compression library
        may allow an attacker to cause a denial-of-service condition.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the following name CAN-2004-0797 to this issue.


2. Vulnerable Supported Versions

        System                  Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.4          /usr/include/zconf.h
                                /usr/include/zlib.h
                                /usr/lib/libz.so.1.2.1

        UnixWare 7.1.3          /usr/include/zconf.h
                                /usr/include/zlib.h
                                /usr/lib/libz.so.1.2.1


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.4

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.17

        4.2 Verification

        MD5 (erg712692.714.pkg) = 0b56f889838a2daaed77f8251922391e

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712692.714.pkg to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/erg712692.714.pkg


5. UnixWare 7.1.3

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.17

        5.2 Verification

        MD5 (erg712692.pkg) = 5c48d63e7f5922dccf38f6d6fa66b325

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712692.pkg to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/erg712692.pkg


6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr891410 fz530158
        erg712692.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


8. Acknowledgments

        SCO would like to thank Johan Thelmen for his help in finding
        and fixing this bug.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFBdEDoaqoBO7ipriERAhGiAJ48MdrOA8bdUGm6pmHo2LyFhZOFVwCeIROv
gzuWIUemTaDZJ+qd//YgoWs=
=mt0U
-----END PGP SIGNATURE-----
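
The verification step in sections 4.2 and 5.2, as an added example that is not part of SCO's advisory: a POSIX shell script that looks up the published MD5 for a downloaded package and compares it with the file before `pkgadd` is run. The function names are hypothetical, and the script assumes the local `md5sum` or `md5` tool prints its usual one-line output.

```shell
#!/bin/sh
# Added example (not SCO's tooling): verify a downloaded fix package against
# the "MD5 (file) = hash" lines in sections 4.2 and 5.2 before running pkgadd.

# Expected values copied from the advisory text.
ADVISORY_SUMS='MD5 (erg712692.714.pkg) = 0b56f889838a2daaed77f8251922391e
MD5 (erg712692.pkg) = 5c48d63e7f5922dccf38f6d6fa66b325'

# expected_md5 NAME [SUMS]: print the hash listed for NAME; non-zero if absent.
# The match is on the exact file name, so erg712692.pkg never matches the
# erg712692.714.pkg line.
expected_md5() {
    printf '%s\n' "${2:-$ADVISORY_SUMS}" | awk -v want="MD5 ($1)" '
        { split($0, parts, " = ") }
        parts[1] == want { print parts[2]; found = 1; exit }
        END { exit !found }'
}

# actual_md5 FILE: print the MD5 of FILE using md5sum or md5.
# Assumption: "md5" prints the "MD5 (file) = hash" form shown in the advisory.
actual_md5() {
    [ -r "$1" ] || return 1
    if command -v md5sum >/dev/null 2>&1; then
        out=$(md5sum "$1") || return 1
        printf '%s\n' "${out%% *}"      # "hash  file" -> hash
    elif command -v md5 >/dev/null 2>&1; then
        out=$(md5 "$1") || return 1
        printf '%s\n' "${out##* }"      # "MD5 (file) = hash" -> hash
    else
        return 127
    fi
}

# verify_pkg FILE [SUMS]: 0 = match, 1 = mismatch, 2 = not listed, 3 = unreadable.
verify_pkg() {
    name=$(basename "$1")
    want=$(expected_md5 "$name" "${2:-$ADVISORY_SUMS}") ||
        { echo "$name: no checksum in advisory" >&2; return 2; }
    got=$(actual_md5 "$1") || { echo "$1: cannot compute MD5" >&2; return 3; }
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "$1: MD5 mismatch (expected $want, got $got); do not install" >&2
    return 1
}

# Usage: sh verify_pkg.sh /var/spool/pkg/erg712692.714.pkg
if [ "$#" -gt 0 ]; then
    verify_pkg "$1" && echo "$1: matches the advisory checksum"
fi
```

The MD5 comparison catches a corrupted or wrong download; the hash values themselves are only as trustworthy as the advisory's PGP signature.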