SecurityTracker.com
Category:   Application (Generic)  >   Merge
Vendors:   Santa Cruz Operations
SCO UnixWare Merge Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1009168
SecurityTracker URL:  http://securitytracker.com/id/1009168
CVE Reference:   CVE-2003-0597
Date:  Feb 23 2004
Impact:   Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 5.3.23a
Description:   A vulnerability was reported in Merge on SCO UnixWare. A local user can gain root privileges.

It is reported that a local user can exploit a flaw in '/usr/lib/merge/display' to gain root access on the target system. No further details were provided.

Impact:   A local user can gain root privileges.
Solution:   SCO has released a fix for UnixWare 7.1.2, 7.1.3:

Location of Fixed Binaries

http://www.sco.com/download

Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3

Verification:

MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

Installing Fixed Binaries:

Upgrade the affected binaries with the following sequence:

Download uw7_merge5323a.pkg to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg
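
The download, verify and install steps above, as an added shell example (not SCO's or SecurityTracker's code): it parses the advisory's `MD5 (file) = digest` line, rejects a malformed line, a digest published for a different file, or a mismatch, and only then calls pkgadd. The function names and the fallback between md5sum, openssl and md5 are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded package against the advisory's
# "MD5 (file) = digest" line before handing it to pkgadd.

# Print the MD5 hex digest of a file using whichever tool is present.
# (Assumption: md5sum, openssl or a BSD-style md5 is on PATH.)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    else
        md5 "$1" | awk '{print $NF}'
    fi
}

# verify_pkg FILE 'MD5 (name) = hex'
# Returns 0 only when the line is well formed, names FILE, and the digest matches.
# Exit codes: 1 mismatch, 2 malformed line, 3 wrong file name, 4 unreadable file.
verify_pkg() {
    file=$1
    line=$2
    name=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (\(.*\)) = [0-9A-Fa-f]\{32\}$/\1/p')
    want=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (.*) = \([0-9A-Fa-f]\{32\}\)$/\1/p' | tr 'A-F' 'a-f')
    [ -n "$name" ] && [ -n "$want" ] || { echo "malformed checksum line" >&2; return 2; }
    [ "$name" = "$(basename "$file")" ] || { echo "checksum is for $name" >&2; return 3; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 4; }
    got=$(md5_of "$file" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ] || { echo "MD5 mismatch: got $got" >&2; return 1; }
}

# install_if_verified FILE LINE: run pkgadd only after the digest matches.
install_if_verified() {
    verify_pkg "$1" "$2" && pkgadd -d "$1"
}

# Usage with the values from this advisory:
#   install_if_verified /var/spool/pkg/uw7_merge5323a.pkg \
#       'MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66'
```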

Vendor URL:  www.sco.com/
Cause:   Not specified
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.2, 7.1.3

Message History:   None.


 Source Message Contents

Subject:  Security Update: [ CSSA-2003-SCO.12 ] OpenServer 5.0.6, OpenServer 5.0.7 : Security vulnerability in Merge prior to Release 5.3.23a



To: bugtraq@securityfocus.com announce@lists.caldera.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.x : Security vulnerability in Merge prior
					 to Release 5.3.23a
Advisory number: 	CSSA-2003-SCO-11
Issue date: 		2003 July 21
Cross reference:	CAN-2003-0597
______________________________________________________________________________


1. Problem Description

	 Previous versions of Merge may include a security vulnerability
	 in /usr/lib/merge/display that could be exploited to allow
	 unauthorized root access to the UNIX system by an unprivileged
	 user with a UNIX login. Release 5.3.23a includes an
	 automatically installed fix for the problem.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.2			distribution
	UnixWare 7.1.3			distribution

3. Solution

	The proper solution is to install the latest packages.

4. UnixWare 7.1.3, 7.1.3

	4.1 Location of Fixed Binaries

	http://www.sco.com/download.

         Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3

	4.2 Verification

	MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download uw7_merge5323a.pkg to the /var/spool/pkg directory

	# pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg

7. References

	Specific references for this advisory:
                 The Common Vulnerabilities and Exposures (CVE) project
                 has assigned the name CAN-2003-0597 to this issue.  This
                 is a candidate for inclusion in the CVE list
                 (http://cve.mitre.org), which standardizes names for
                 security problems.

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr875154, fz527518,
	erg712239.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this web site and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	The Merge development team created the fix for the
	vulnerability.

______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj8cOPIACgkQaqoBO7ipriGD3QCeKfB8xVe6dHlZtNzgn0i7l0Ny
kocAn0dGGSHV4umpP5VdH5sIslVD2WgY
=Y+bn
-----END PGP SIGNATURE-----
