[Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : perl unsafe Safe compartment

please_reply_to_security_at_sco.com
Date: 04/01/04

    To: security-announce@list.sco.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Wed, 31 Mar 2004 15:45:11 -0800 (PST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: UnixWare 7.1.3 Open UNIX 8.0.0 UnixWare 7.1.1 : perl unsafe Safe compartment
    Advisory number: SCOSA-2004.1
    Issue date: 2004 March 29
    Cross reference: sr887197 fz528449 erg712495 CAN-2002-1323
    ______________________________________________________________________________

    1. Problem Description

            Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and
            earlier, may allow attackers to break out of safe compartments
            in (1) Safe::reval or (2) Safe::rdo using a redefined @_
            variable, which is not reset between successive calls.
            
            The Common Vulnerabilities and Exposures project (cve.mitre.org)
            has assigned the name CAN-2002-1323 to this issue.

    2. Vulnerable Supported Versions

            System Binaries
            ----------------------------------------------------------------------
            UnixWare 7.1.3 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
            Open UNIX 8.0.0 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm
            UnixWare 7.1.1 /usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.3
       Open UNIX 8.0.0
       UnixWare 7.1.2

            4.1 Location of Fixed Binaries

            ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.1

            4.2 Verification

            MD5 (erg712495.Z) = a58a6ad7b7ea39ee48abc8bc3cc0d4fe

            md5 is available for download from
                    ftp://ftp.sco.com/pub/security/tools

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

            1. Download the erg712495.Z file to a directory on your machine.

            2. As root, uncompress the file and add the package to your system
            using these commands:

            # uncompress erg712495.Z
            # pkgadd -d erg712495

            3. There is no need to reboot the system after installing this package.

            If you have questions regarding this supplement, or the product on
            which it is installed, please contact your software supplier.
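As an added check script (not part of the SCO advisory), the following ties sections 2 and 4.2 together: it reads the version assigned in the Safe.pm at the path listed in section 2, reports whether it is 2.07 or earlier, and compares a downloaded erg712495.Z against the MD5 published in section 4.2. It assumes a POSIX sh with sed and awk and either md5sum or SCO's md5 tool on the PATH; the path and hash are the advisory's own.

```shell
# Added check script, not SCO's code: is the installed Safe.pm in the affected
# range (2.07 or earlier), and does erg712495.Z match the MD5 from section 4.2?
# Assumes POSIX sh, sed, awk, and either md5sum (GNU) or md5 (SCO tools) on PATH.

SAFE_PM=/usr/gnu/lib/perl5/i386-svr4/5.00404/Safe.pm   # path listed in section 2
EXPECTED_MD5=a58a6ad7b7ea39ee48abc8bc3cc0d4fe             # MD5 (erg712495.Z) from 4.2

# Print the version assigned to $VERSION or $Safe::VERSION in the Safe.pm given as $1.
safe_pm_version() {
    sed -n 's/^[[:space:]]*\(our[[:space:]]*\)\{0,1\}\$[A-Za-z:]*VERSION[[:space:]]*=[[:space:]]*["'\'']*\([0-9.]*\).*/\2/p' "$1" | head -n 1
}

# Succeed (exit 0) when version $1 is 2.07 or earlier, the range the advisory names.
# An empty or unparsable version compares as 0 and is therefore treated as affected.
safe_pm_affected() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 <= 2.07) }'
}

# Print the MD5 of file $1 using whichever tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 "$1" | awk '{ print $NF }'   # md5 prints "MD5 (file) = <hash>"
    fi
}

# Succeed when the MD5 of file $1 equals the expected hash $2.
md5_matches() {
    [ "$(file_md5 "$1")" = "$2" ]
}

main() {
    if [ -f "$SAFE_PM" ]; then
        v=$(safe_pm_version "$SAFE_PM")
        if safe_pm_affected "$v"; then
            echo "Safe.pm '$v' at $SAFE_PM is 2.07 or earlier: apply SCOSA-2004.1"
        else
            echo "Safe.pm $v at $SAFE_PM is newer than 2.07"
        fi
    fi
    if [ -f erg712495.Z ]; then
        if md5_matches erg712495.Z "$EXPECTED_MD5"; then
            echo "erg712495.Z matches the published MD5; proceed with uncompress and pkgadd"
        else
            echo "erg712495.Z does NOT match the published MD5; do not install it" >&2
            return 1
        fi
    fi
}
```

Append `main "$@"` and run the script from the directory holding erg712495.Z; a non-zero exit means the package hash did not match.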

    5. References

            Specific references for this advisory:
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            SCO security advisories via email:
                    http://www.sco.com/support/forums/security.html

            This security fix closes SCO incidents sr887197, fz528449 and
            erg712495.

    6. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO
            products.

    7. Acknowledgments

            SCO would like to thank Andreas Jurenda.

            If you would like to receive SCO Security Advisories please visit:
            http://www.thescogroup.com/support/forums/announce.html

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

    iD8DBQFAa1gDaqoBO7ipriERAmUSAJ4wj29qyF8tdLnaf73PAJy0uwmXGACfR4qY
    V04ijiOTJg8nxlajD4dtwCw=
    =1x3D
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

