SCO Information for VU#274043
| Date Notified: | |
| Date Updated: | |
| Status Summary: | Vulnerable |
Vendor Statement
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: OpenServer: remote buffer overflow vulnerability in BSD line printer daemon
Advisory number: CSSA-2001-SCO.20
Issue date: 2001 September 26
Cross reference:
___________________________________________________________________________
1. Problem Description
The BSD-derived lpd daemon is vulnerable to a buffer overflow.
This could be used by an unauthorized user to gain privilege.
2. Vulnerable Versions
Operating System   Version      Affected Files
------------------------------------------------------------------
OpenServer         <= 5.0.6a    /usr/lib/lpd
                                /usr/bin/lpstat
3. Workaround
None.
4. OpenServer
4.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.20/
4.2 Verification
md5 checksums:
48f989acb3a6606181575b3b765cd89e lpd.tar.Z
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
Download the tar file to /tmp
# cd /tmp
# uncompress lpd.tar.Z
# tar xvf lpd.tar
# mv /usr/lib/lpd /usr/lib/lpd-
# mv /usr/bin/lpstat /usr/bin/lpstat-
# cp lpstat /usr/bin
# chown bin /usr/bin/lpstat
# chgrp lp /usr/bin/lpstat
# chmod 2111 /usr/bin/lpstat
# cp lpd /usr/lib
# chown root /usr/lib/lpd
# chgrp bin /usr/lib/lpd
# chmod 2711 /usr/lib/lpd
5. References
http://xforce.iss.net/alerts/advise94.php
This and other advisories are located at
http://stage.caldera.com/support/security
This advisory addresses Caldera Security internal incident
sr851853.
6. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
7. Acknowledgements
Caldera International wishes to thank the Internet Security
Systems (ISS) X-Force for discovering and reporting this
problem.
___________________________________________________________________________
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
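Added example, not part of the Caldera advisory or the CERT/CC record: a shell check that gates the install steps in section 4.3 on the section 4.2 checksum for lpd.tar.Z. It assumes md5sum, openssl or a BSD-style md5 is on PATH; the function names file_md5 and verify_md5 are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to continue with section 4.3 unless the downloaded
# tar file matches the checksum published in section 4.2.
# Assumption: md5sum, openssl or a BSD-style md5 is available; the output
# format of the vendor's own md5 tool is not shown in the advisory.

ADVISORY_MD5=48f989acb3a6606181575b3b765cd89e   # from the advisory, for lpd.tar.Z

# Print the hex MD5 digest of a file; return 1 if no hashing tool is found.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        return 1
    fi
}

# Compare a file's digest with the expected value (case-insensitive).
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_md5() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    actual=$(file_md5 "$1") || { echo "no md5 tool found" >&2; return 2; }
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# Usage: sh verify.sh /tmp/lpd.tar.Z
if [ $# -ge 1 ]; then
    verify_md5 "$1" "$ADVISORY_MD5" &&
        echo "$1: checksum matches the advisory, continue with section 4.3"
fi
```

A non-zero exit means the file should not be unpacked: status 1 is a digest mismatch, status 2 means the check itself could not run.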