
CSSA-2002-SCO.20-popper buffer overflow and DoS

by Nikola Strahija on May 24th, 2002

/etc/popper will go into a loop if a character string of length 2048 (or more) is sent to it. If the bulldir variable in the user's config file is longer than 256 characters, popper will memory fault.


2. Vulnerable Supported Versions

System                  Binaries
----------------------------------------------------------------------
OpenServer 5.0.5        /etc/popper
OpenServer 5.0.6        /etc/popper


3. Solution

The proper solution is to install the latest packages.


4. OpenServer 5.0.5

4.1 Location of Fixed Binaries

ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20


4.2 Verification

MD5 (VOL.000.000) = f2746cddde194cb93e5ad1b41637a75c

md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

1) Download the VOL* files to the /tmp directory

Run the custom command, specify an install from media images,
and specify the /tmp directory as the location of the images.


5. OpenServer 5.0.6

5.1 Location of Fixed Binaries

ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.20


5.2 Verification

MD5 (VOL.000.000) = f2746cddde194cb93e5ad1b41637a75c

md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
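
The checksum comparison in sections 4.2 and 5.2, as an added shell example that is not part of the Caldera advisory: it parses a line in the advisory's "MD5 (name) = digest" form and checks the named file in a given directory. The function names and exit codes are assumptions of this example, and it uses whichever of md5sum, md5 or openssl is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded file against a
# BSD-style checksum line such as the one printed in the Verification sections.

# md5_of FILE: print the hex MD5 of FILE using whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5_line 'MD5 (name) = digest' [DIR]
# Returns 0 on match, 1 on mismatch, 2 on a malformed line or missing file.
verify_md5_line() {
    line=$1
    dir=${2:-.}
    # Accept only the exact "MD5 (name) = <32 hex digits>" shape.
    name=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (\(.*\)) = [0-9A-Fa-f]\{32\}$/\1/p')
    want=$(printf '%s\n' "$line" |
        sed -n 's/^MD5 (.*) = \([0-9A-Fa-f]\{32\}\)$/\1/p' | tr 'A-F' 'a-f')
    [ -n "$name" ] && [ -n "$want" ] || { echo "malformed checksum line" >&2; return 2; }
    # The name must be a bare file name, never a path out of DIR.
    case $name in */*) echo "refusing path in name: $name" >&2; return 2 ;; esac
    [ -f "$dir/$name" ] || { echo "missing: $dir/$name" >&2; return 2; }
    got=$(md5_of "$dir/$name" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name: expected $want, got $got" >&2
        return 1
    fi
}

# Usage, with the files downloaded to /tmp as the advisory instructs:
#   verify_md5_line 'MD5 (VOL.000.000) = f2746cddde194cb93e5ad1b41637a75c' /tmp
```

A match shows the download was not corrupted or truncated; MD5 is not collision-resistant, so a match is not evidence of authenticity on its own.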


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following commands:

1) Download the VOL* files to the /tmp directory

Run the custom command, specify an install from media images,
and specify the /tmp directory as the location of the images.


6. References

Specific references for this advisory:
none

Caldera UNIX security resources:
http://stage.caldera.com/support/security/

Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html

This security fix closes Caldera incidents sr863699, fz520822,
erg712033.


7. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.


8. Acknowledgements

Marcell Fodor reported the memory fault issue. Dustin Childers
reported the denial-of-service issue.
