-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.4 : Updated mozilla fixes many security issues Advisory number: SCOSA-2005.25 Issue date: 2005 May 18 Cross reference: sr891008 fz529877 erg712655 sr891398 fz530151 erg712686 sr892164 fz530485 erg712734 sr892473 fz530642 erg712748 sr893376 fz531626 erg712820 CAN-2005-0399 CAN-2004-0597 CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765 ______________________________________________________________________________ 1. Problem Description The Mozilla 1.7.6 browser in this update represents a significant advancement in features and fixes over the Mozilla 1.2.1 released with UnixWare 7.1.4. This update addresses the following security issues: Technical Cyber Security Alert TA04-261A Multiple vulnerabilities in Mozilla products VU#414240 - Mozilla Mail vulnerable to buffer overflow via writeGroup() function in nsVCardObj.cpp VU#847200 - Mozilla contains integer overflows in bitmap image decoder VU#808216 - Mozilla contains heap overflow in UTF8 conversion of hostname portion of URLs VU#125776 - Multiple buffer overflows in Mozilla POP3 protocol handler VU#327560 - Mozilla "send page" feature contains a buffer overflow VU#651928 - Mozilla allows arbitrary code execution via link dragging These vulnerabilities could allow a remote attacker to execute arbitrary code with the privileges of the user running the affected application. This fix also addresses several other security issues, and their CAN numbers are listed below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names:CAN-2005-0399 CAN-2004-0597 CAN-2004-0599 CAN-2004-0718 CAN-2004-0722 CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 CAN-2004-0764 CAN-2004-0765 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.4 Mozilla distribution 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.4 4.1 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.25 4.2 Verification (mozilla-1.7.6.pkg) = c4f4ee1a73c3d6d10d3064c7e68f6299 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download mozilla.image.pkg to the /var/spool/pkg directory # pkgadd -d /var/spool/pkg/mozilla.image.pkg 5. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0759 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765 http://www.us-cert.gov/cas/techalerts/TA04-261A.html http://www.kb.cert.org/vuls/id/414240 http://www.kb.cert.org/vuls/id/847200 http://www.kb.cert.org/vuls/id/808216 http://www.kb.cert.org/vuls/id/125776 http://www.kb.cert.org/vuls/id/327560 http://www.kb.cert.org/vuls/id/651928 SCO security resources: http://www.sco.com/support/security/index.html SCO security advisories via email http://www.sco.com/support/forums/security.html This security fix closes SCO incidents sr891008 fz529877 erg712655 sr891398 fz530151 erg712686 sr892164 fz530485 erg712734 sr892473 fz530642 erg712748 sr893376 fz531626 erg712820. 6. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 7. Acknowledgments SCO would like to thank Georgi Guninski, Gael Delalleau, Mats Palmgren, and Jesse Ruderman ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (SCO/SYSV) iD8DBQFCi1rVaqoBO7ipriERAiHrAJ4trp0n1Tse98oWr7VU0jGFlhes+gCfVZph 9SDDehPywPTZzQdU4V9xrEs= =udtT -----END PGP SIGNATURE-----