Message-ID: <20040511001829.1BF45261BA@helix.pdev.ca.sco.com>
Date: Mon, 10 May 2004 17:18:29 -0700 (PDT)
From: please_reply_to_security@....com
To: security-announce@...t.sco.com, bugtraq@...urityfocus.com,
full-disclosure@...ts.netsys.com
Subject: OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
Advisory number: SCOSA-2004.5
Issue date: 2004 April 07
Cross reference: sr862325 fz520452 erg712002 CAN-2004-0390
______________________________________________________________________________
1. Problem Description
As noted in the Xsecurity(X) man page, OpenServer 5 provides
multiple X display access control mechanisms.
The least secure is the Host Access method, where any
client on a host in the host access control list (which
is managed by the xhost command) is allowed access to
the X server.
More secure access methods are provided using the X
authorization protocol (Xauthority). Currently, OpenServer 5
supports the X authorization protocol only for X sessions
which are started by scologin.
This supplement provides support for the X authorization
protocol for X sessions which are not started by scologin
(e.g., sessions which are started via startx).
In order to prevent unauthorized access to your system, do not
use the xhost command to grant access to your X server. Instead,
it is recommended that you use the access provided by the
.Xauthority file.
With this supplement applied, scologin, startx, and xinit can all
be used to start the X server using the MIT-MAGIC-COOKIE-1 access
control system as described in the Xsecurity(X) man page.
If the X server is started directly (by running X or Xsco),
Xauthority-style access control will not be enabled.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0390 to this issue.
2. Vulnerable Supported Versions
System              Binaries
----------------------------------------------------------------------
OpenServer 5.0.5    X display system
OpenServer 5.0.6    X display system
OpenServer 5.0.7    X display system
3. Solution
The proper solution is to install the latest packages
and enable Xauthority.
4. OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.5
4.2 Verification
MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory.
2) Run the custom command, choose to install from media
images, and specify that directory as the location of
the images.
4.4 Set up a .Xauthority file (see the xauth(X) man page).
4.5 Quit & restart the X server.
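The .Xauthority file that step 4.4 tells you to set up is a binary list of records; the following is an added example (not SCO's code) that builds and parses such records for MIT-MAGIC-COOKIE-1, using the standard libXau record layout (2-byte big-endian length prefixes, FamilyLocal = 256 from X.h), which is assumed to match what xauth(X) on OpenServer reads. The host name and display number are constructed sample values, and the audit helper flags entries whose cookie is not a full 16-byte secret.

```python
"""Build, parse and audit .Xauthority records for MIT-MAGIC-COOKIE-1.

Added example, not SCO's code. Record layout follows libXau's
XauWriteAuth (assumption: the same layout OpenServer's xauth(X) reads):
family (2 bytes), then host, display number, auth name and auth data,
each as a 2-byte big-endian length followed by the bytes.
"""
import os
import struct

FAMILY_LOCAL = 256              # X.h FamilyLocal: display reached over a local socket
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16                 # 128-bit cookie, the size xauth generates


def _field(data: bytes) -> bytes:
    """Length-prefixed field: 2-byte big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def make_entry(host: str, display: int, cookie: bytes) -> bytes:
    """One record, equivalent to: xauth add HOST/unix:N MIT-MAGIC-COOKIE-1 HEX."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError("MIT-MAGIC-COOKIE-1 needs a 16-byte cookie")
    return (struct.pack(">H", FAMILY_LOCAL)
            + _field(host.encode())
            + _field(str(display).encode())
            + _field(COOKIE_NAME)
            + _field(cookie))


def parse_entries(blob: bytes) -> list:
    """Walk a .Xauthority blob; return (family, host, display, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        fields = []
        for _ in range(4):                      # host, display, name, data
            (n,) = struct.unpack(">H", blob[pos:pos + 2])
            fields.append(blob[pos + 2:pos + 2 + n])
            pos += 2 + n
        entries.append((family, fields[0].decode(), fields[1].decode(),
                        fields[2], fields[3]))
    return entries


def weak_cookies(blob: bytes) -> list:
    """Audit helper: records whose cookie is not a full 16-byte MIT-MAGIC-COOKIE-1."""
    return [e for e in parse_entries(blob)
            if e[3] != COOKIE_NAME or len(e[4]) != COOKIE_LEN]


if __name__ == "__main__":
    blob = make_entry("sample-host", 0, os.urandom(COOKIE_LEN))  # constructed host
    print(parse_entries(blob), weak_cookies(blob))
```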
5. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0390
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents sr862325, fz520452 and
erg712002.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
7. Acknowledgments
SCO would like to thank Kevin R Finisterre
______________________________________________________________________________