Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (UNIX)  >   OpenServer Kernel Vendors:   Caldera/SCO
(Caldera Issues Revised Fix) Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1002947
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jan 24 2002
Original Entry Date:  Dec 12 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): OpenServer 5.0.6 and previous releases
Description:   Caldera reported a vulnerability in the OpenServer kernel. A local user could execute arbitrary code with root level privileges.

The kernel flaw lets local unprivileged user processes reprogram segment descriptors and certain other CPU registers.
The following files are affected:


Impact:   A local user could execute arbitrary code with root level privileges.
Solution:   Warning: Caldera reports that the fixed mentioned in this advisory is also flawed. They have released an updated advisory with a corrected fix (see the Message History for a separate alert containing the corrected fix).

Do not use the fix in this advisory.

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (Open UNIX-SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 30 2001 Caldera OpenServer (SCO) Kernel Flaw May Let Local Users Execute Arbitrary Code

 Source Message Contents

Subject:  Security Update: [CSSA-2001-SCO.35.1] REVISION: OpenServer: setcontext and sysi86 vulnerabilities

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: 8bit            



	    Caldera International, Inc. Security Advisory

Subject:		REVISION: OpenServer: setcontext and sysi86 vulnerabilities
Advisory number: 	CSSA-2001-SCO.35.1
Issue date: 		2001 December 10
Cross reference:	CSSA-2001-SCO-35

1. Problem Description
	[ The previous release of this fix was flawed, and required a
	recut. If CSSA-2001-SCO-35 has already been applied, Caldera
	stongly recommends that you install the updated fix ]

	This patch closes a family of security holes present in SCO
	OpenServer 5.0.6 and previous releases, which stem from the
	ability of regular user processes to reprogram segment
	descriptors and certain other CPU registers.

	Closing this family of security holes does, however, result in
	a functionality change which may prevent certain applications
	from running -- they will exit with an error, or dump core,
	instead of running properly.  For example, the i286emul and
	x286emul emulators will not work, so any '286 executables
	which require those emulators will not work.  It is our
	intention to enhance this patch in the future, such that it
	enables full functionality of such applications while still
	closing the security holes.

	If this patch breaks any crucial applications, the system
	administrator may choose to disable the patch, by editing the
	file /etc/conf/pack.d/kernel/space.c and setting the value of
	the allow_dscr_remap parameter to 1.  This will return the
	kernel to the old (not-secure) behavior.

2. Vulnerable Versions

	Operating System	Version	 Affected Files
	OpenServer		All	/etc/conf/pack.d/kernel/os.a(machdep.o)

3. Workaround


4. OpenServer

  4.1 Location of Fixed Binaries

  4.2 Verification

	md5 checksums:
	7d71c8be06a44ec3a3698ee8fbb77375	VOL.000.000

	md5 is available for download from

  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	Download the VOL.000.000 file to /tmp
	# custom

	Instruct custom to install from images, and supply /tmp as the
	directory of the VOL image.

5. References 

	This and other advisories are located at

	This advisory addresses Caldera Security internal incidents
	sr855993, sr855994, SCO-559-1328, SCO-559-1329, erg711906 and

6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.

7. Acknowledgements

	Caldera wishes to thank the Last Stage of Delirium Research
	Group ( for their discovering of, and
	research into, these issues.


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC