===========================================================================
SCO Security Bulletin 1999.21
15th March 2000
xlock security patch
---------------------------------------------------------------------------

I.   Description
        
        The xlock program had insufficient bounds checking leading to an
        exploitable buffer overflow.

	NOTE:  This is an updated security bulletin.  New holes have been
	found in the xlock program causing exploitable buffer overflow
	conditions.  Even if SSE042 (sse7042a) has been installed, this new
	SSE042 (sse7042b) must be applied.
	

II.  Impact

	Without this patch, users can exploit xlock to gain raised privileges.

III. Releases

	UnixWare 7.0.0 through UnixWare 7.1.1

IV.  Solution

SCO is providing an interim patch to address this issue in the form of a
System Security Enhancement (SSE) package.

SSE064 contains a replacement binary for UnixWare 7-7.1.1 , and is
available for Internet download via anonymous ftp and http.

You can download the SSE package as follows:

Anonymous ftp (World Wide Web URL):

	ftp://ftp.sco.COM/SSE/sse042.ltr    (cover letter, ASCII text)
	ftp://ftp.sco.COM/SSE/sse042.tar.Z  (new binaries, compressed tar file)

Checksums (sum -r):

	60581     3 sse042.ltr
	11870   177 sse042.tar.Z

V.   Updates

This bulletin is available for anonymous ftp download from 
ftp://ftp.sco.COM/SSE/security_bulletins/SB-99.21b, and will be
updated as new information becomes available.

The latest information on security vulnerabilities and fixes from
SCO is available on the world-wide web at http://www.sco.com/security/

VI.  Further Information:

If you have further questions, contact your support provider.  If you
need to contact SCO, please send electronic mail to support@sco.COM, or
contact SCO as follows. 

    USA/Canada: 6am-5pm Pacific Time (PST/PDT)
    -----------
    1-800-347-4381  (voice)
    1-408-427-5443  (fax)

    Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
    ------------------------------------------------ Time (PST/PDT)
    1-408-425-4726  (voice)
    1-408-427-5443  (fax)

    Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST)
    ----------------------------
    +44 (0)1923 816344 (voice)
    +44 (0)1923 817781 (fax)

    Credit:

    This security hole was brought to out attention by
    kun@fiskus.islub.lublin.pl.