[21888] in bugtraq
Security Update: [CSSA-2001-SCO.8] OpenServer: /etc/popper buffer overflow
daemon@ATHENA.MIT.EDU (sco-security@caldera.com)
Thu Jul 26 17:47:07 2001
Message-Id: <200107261748.f6QHm7H22214@ergo.uss.ca.caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
security-announce@lists.securityportal.com
From: sco-security@caldera.com
Date: Thu, 26 Jul 2001 10:48:07 -0700
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: announce@lists.caldera.com bugtraq@securityfocus.com security-announce@lists.securityportal.com
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: OpenServer: /etc/popper buffer overflow
Advisory number: CSSA-2001-SCO.8
Issue date: 2001 July 26
Cross reference:
___________________________________________________________________________
1. Problem Description
The popper daemon /etc/popper was subject to a buffer overflow
that could be used by a malicious user.
2. Vulnerable Versions
Operating System Version Affected Files
------------------------------------------------------------------
OpenServer <= 5.0.6a /etc/popper
3. Workaround
None.
4. OpenServer
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/security/openserver/sr848324/
4.2 Verification
md5 checksums:
8795253219fbcbba3027f0c37f6a884e popper.Z
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools/
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
# uncompress /tmp/popper.Z
# mv /etc/popper /etc/popper.old
# cp /tmp/popper /etc
# chown bin /etc/popper
# chgrp bin /etc/popper
# chmod 755 /etc/popper
5. References
http://www.calderasystems.com/support/security/index.html
6. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
7.Acknowledgements
Caldera International wishes to thank Gustavo Viscaino for
originally finding the problem, Michael Brennen
<mbrennen@fni.com> for forwarding the problem report from the
qpopper list, and the folks at Qualcomm for fixing the
problem.
___________________________________________________________________________
