search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

OpenBSD contains buffer overflow in "select" call

Vulnerability Note VU#259787

Original Release Date: 2002-08-15 | Last Revised: 2002-12-13

Overview

A locally exploitable buffer overflow exists in all versions of OpenBSD.

Description

The buffer overflow exists in the select(2) system call. The overflow occurs if select is supplied with arbitrary negative values.

Impact

Local users can gain system privileges and execute code in the context of the kernel.

Solution

From the OpenBSD Security Advisory: "Apply one of the supplied kernel patches or update to 3.0-stable or 3.1-stable from 2002-08-11 17:00 EDT or later."

Vendor Information

259787
 
Expand all

OpenBSD Affected

Updated:  August 15, 2002

Status

Affected

Vendor Statement

See http://www.openbsd.org/errata.html#scarg.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

Notified:  August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc. Not Affected

Updated:  August 21, 2002

Status

Not Affected

Vendor Statement

None of the products are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Not Affected

Notified:  August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

FreeBSD is unaffected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation Not Affected

Updated:  August 26, 2002

Status

Not Affected

Vendor Statement

sent on August 26, 2002

[Server Products]

* EWS/UP 48 Series operating system
- is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Not Affected

Notified:  August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

We have examined this issue, and no vesion of NetBSD is vulnerable to it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Not Affected

Updated:  September 09, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. In fact, none of Linux 2.0, 2.2, and 2.4 are. As the corresponding limits are configurable on 2.2 and 2.4 and in order to be safe in case of future code changes, we're, however, also adding redundant defensive hard-coded limits right into both select(2) and poll(2).

More detail:

Linux 2.0 only has select(2) and a hard-coded limit.

Linux 2.2 and 2.4 have both calls and configurable limits, but expand_fd_array() and expand_fdset() wouldn't let files->max_fds and files->max_fdset grow beyond a defensive hard-coded limit, even if a higher limit has been set via procfs or sysctl. And it's precisely files->max_fds and files->max_fdset which are used by select(2) and poll(2).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Not Affected

Updated:  December 13, 2002

Status

Not Affected

Vendor Statement

Sun is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks Unknown

Notified:  August 16, 2002 Updated: December 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Niels Provos for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1420
Severity Metric: 18.00
Date Public: 2002-08-11
Date First Published: 2002-08-15
Date Last Updated: 2002-12-13 13:33 UTC
Document Revision: 8

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis