=====================================================================
                                 CERT-Renater

                      Note d'Information No. 2001/VULN197
_____________________________________________________________________

DATE                      : 29/09/2001

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : UnixWare 7   
                            
======================================================================

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                UnixWare - cron buffer overflow
Advisory number:        CSSA-2001-SCO.3
Issue date:             2001 June, 27
Cross reference:
___________________________________________________________________________



1. Problem Description

        The cron command is vulnerable to a command line argument
        buffer overflow. This could allow a process to execute
        arbitrary code, allowing a malicious user to gain elevated
        privileges.


2. Vulnerable Versions

        Operating System        Version         Affected Files
       
------------------------------------------------------------------
        UnixWare 7              All             /usr/bin/crontab


3. Workaround

        None.


4. UnixWare 7

  4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/security/unixware/sr847406/


  4.2 Verification

        md5 checksums:
        
        2f00acf514126ad9e8bced6ceb7bb66e        erg711714a.Z


        md5 is available for download from

                ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        # uncompress /tmp/erg711714a.Z
        # pkgadd -d /tmp/erg711714a


5. References

        http://www.calderasystems.com/support/security/index.html


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International, Inc. products.

___________________________________________________________________________



======================================================================

        =========================================================
        Les serveurs de référence du CERT-Renater
        http://www.urec.fr/securite
        http://www.cru.fr/securite
        http://www.renater.fr 
	=========================================================
	+ CERT-RENATER		| tel : 01-53-94-20-44		+
	+ 151 bd de l'Hopital	| fax : 01-53-94-20-41		+
	+ 75013 Paris		| email: certsvp@renater.fr	+
	=========================================================