| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Mar 2004 15:09:03 -0800 (PST) From: please_reply_to_security@....com To: announce@...ts.caldera.com, bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com, security-alerts@...uxsecurity.com Subject: OpenLinux: mc Updated packages resolve local buffer overflow vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: mc Updated packages resolve local buffer overflow vulnerability Advisory number: CSSA-2004-014.0 Issue date: 2004 March 25 Cross reference: sr889551 fz528937 erg712553 CAN-2003-1023 ______________________________________________________________________________ 1. Problem Description Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-1023 to this issue. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to mc-4.5.51-6.i386.rpm prior to mc-doc-4.5.51-6.i386.rpm OpenLinux 3.1.1 Workstation prior to mc-4.5.51-6.i386.rpm prior to mc-doc-4.5.51-6.i386.rpm 3. Solution The proper solution is to install the latest packages. Unix users with Linux Kernel Personality can use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-014.0/RPMS 4.2 Packages 683f2374c3602c3d4680d033da405a91 mc-4.5.51-6.i386.rpm 1d1737ac2576c2571cfc6132d31ca89a mc-doc-4.5.51-6.i386.rpm 4.3 Installation rpm -Fvh mc-4.5.51-6.i386.rpm rpm -Fvh mc-doc-4.5.51-6.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-014.0/SRPMS 4.5 Source Packages 728be58503d28303c1446b1954d85340 mc-4.5.51-6.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-014.0/RPMS 5.2 Packages 936ff3ee57f8bee7ccb96581ccdeca63 mc-4.5.51-6.i386.rpm 126a8cc66def304a321bc4dad071bc4a mc-doc-4.5.51-6.i386.rpm 5.3 Installation rpm -Fvh mc-4.5.51-6.i386.rpm rpm -Fvh mc-doc-4.5.51-6.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-014.0/SRPMS 5.5 Source Packages 98f3e31a702d2e890f9781753429d2dc mc-4.5.51-6.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr889551 fz528937 erg712553. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements SCO would like to thank Ilya Teterin ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (SCO/UNIX_SVR5) iD8DBQFAY2IebluZssSXDTERAutPAKCYgjPEb/nv3Z+SpCxBLk/TrphuvQCcCDSg /Kv/+sBl46snE5KypyrwvS4= =8D7F -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists