Overview
There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.
Description
The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used. This issue is currently being tracked as VU#192995 by the CERT/CC and as CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary. |
Impact
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. |
Solution
Apply a patch from your vendor
Note this is an iterative process for each set of patches being applied. |
Disable access to vulnerable services or applications
As a best practice, the CERT/CC recommends disabling all services that are not explicitly required. |
Vendor Information
Apple Computer, Inc. Affected
Notified: July 29, 2002 Updated: September 20, 2002
Status
Affected
Vendor Statement
The vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
Security Update 2002-08-23 is now available. This applies the fixes
already available in Security Update 2002-08-02 to the Mac OS X 10.2
(Jaguar) release. Security Update 2002-08-02 was designed for the Mac
OS X 10.1.5 release.
It contains fixes for recent vulnerabilities in:
OpenSSL: Fixes security vulnerabilities CAN-2002-0656,
CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are
available via: http://www.cert.org/advisories/CA-2002-23.html
mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder.
Details are available via:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Affected systems: Mac OS X client and Mac OS X Server
Note: Mac OS X client is configured by default to have these services
turned off, and is only vulnerable if the user has enabled network
services which rely on the affected components. It is still recommended
for Mac OS X client users to apply this security update to their system.
System requirements: Mac OS X 10.2 (Jaguar)
Security Update 2002-08-23 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120142
To help verify the integrity of Security Update 2002-08-23 from the
Software Downloads web site:
The download file is titled: SecurityUpd2002-08-23.dmg
Its SHA-1 digest is: fccb3adb478f90650f4484534a79a80bba5f94f3
Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQEVAwUBPWad3SFlYNdE6F9oAQHuIQf9GdW2n/r7di2U8c4jQU+3JvRtU+HG7Lsl
jlKRVNGyaMvUAurxbYB/yHfHcYDtsj26bupzLUpLXbIt54uZxyXo6UTExzpwreaT
r+UJm7+q9kG6lcAmrcz2WNzlnD6icXKKuyf/hR8NUo3yBP7MoR6QGjvFqodvTOHR
J2YXH8AEPAmWFf511AzbG1yYvlDhocZ+/gBFTlaB3nYt11Edz2yRE4qeumQYEIyf
gLFxzp1BVFNDJck66WjPWgHqDuq9QWPBzHl1qhd09ctD84w+Hda972dqxRn08Jo7
jTGs2zmUpyPxLxCHEd5uzRNuMquIoddW2Nsg8LeJNHqRDlklVSJTUA==
=CJ2Y
-----END PGP SIGNATURE-----
_______________________________________________
---- Original Message ----
From:Product Security
Date:Fri 8/2/02 20:02
To:security-announce@lists.apple.com
Subject:Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl
-----BEGIN PGP SIGNED MESSAGE-----
Security Update 2002-08-02 is now available. It contains fixes for
recent
vulnerabilities in:
OpenSSL: Fixes security vulnerabilities CAN-2002-0656,
CAN-2002-0657,
CAN-2002-0655, and CAN-2002-0659. Details are available via:
http://www.cert.org/advisories/CA-2002-23.html
mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653
Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder.
Details are available via:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Affected systems: Mac OS X client and Mac OS X Server
Note: Mac OS X client is configured by default to have these services
turned
off, and is only vulnerable if the user has enabled network services
which rely
on the affected components. It is still recommended for Mac OS X
client users
to apply this security update to their system.
System requirements: Mac OS X 10.1.5
Security Update 2002-08-02 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://docs.info.apple.com/article.html?artnum=120139
SSL server:
https://depot.info.apple.com/security/129403bc5e184e3b7367.html
To help verify the integrity of Security Update 2002-08-02 from the
Software Downloads web site:
The download file is titled: SecurityUpd2002-08-02.dmg
Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367
Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSNFTd2puXCtOGQ0M8c
2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chnN8s9EXiavcBG5e/ejtTo3ZHoOGP7bg
789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8c2jXySLlnqF+kzwqVnjUL7i2O97Fk5
tWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTpuKYuah/w9NwzL+LsbPcfXA/H1f4ngc
vRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXdZ9qaVCVRrZlsd9gSSmB2Jba4be/MRX
FauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZXOXwbbRjqXHmzzgu8D/Q==
=fdGO
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-
announce
Do not post admin requests to the list. They will be ignored.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Linux Affected
Notified: July 29, 2002 Updated: August 06, 2002
Status
Affected
Vendor Statement
The Debian GNU/Linux distribution was vulnerable with regard to the the XDR problem as stated above with the following vulnerability matrix:
OpenAFS Kerberos5 GNU lib
Debian 2.2 (potato) not included not included vulnerable
Debian 3.0 (woody) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable
Debian unstable (sid) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable
DSA 142-1 OpenAFS (safe version are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
DSA 143-1 Kerberos5 (safe version are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))
The advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be:
- Debian 2.2 (potato) glibc 2.1.3-23 or later
Debian 3.0 (woody) glibc 2.2.5-11.1 or later
Debian unstable (sid) glibc 2.2.5-12 or later
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD, Inc. Affected
Notified: July 29, 2002 Updated: August 01, 2002
Status
Affected
Vendor Statement
Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Note this is a REVISED advisory pointing to patches correct on 07/31/2002.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
GNU glibc Affected
Notified: July 31, 2002 Updated: August 06, 2002
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable. For Version 2.2.5, we suggest the following patch.
This patch is also available from the GNU C Library CVS repository at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc
2002-08-02 Jakub Jelinek <jakub@redhat.com>
* sunrpc/xdr_array.c (xdr_array): Check for overflow on
multiplication. Patch by Solar Designer <solar@openwall.com>.
===================================================================
RCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
- --- libc/sunrpc/xdr_array.c2001/08/17 04:48:311.5
+++ libc/sunrpc/xdr_array.c2002/08/02 01:35:391.5.2.1
@@ -45,6 +45,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <libintl.h>
+#include <limits.h>
#ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -81,7 +82,11 @@
return FALSE;
}
c = *sizep;
- - if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+ /*
+ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+ * doesn't actually use its second argument anyway.
+ */
+ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
{
return FALSE;
}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>
iD8DBQE9Tv0wddnqSFPI1IgRAmomAJ9cK6vT8zZMGdO/0Z4nOIZwUej2BwCfbRT3
mnvR4B781bGEg3y6PVaRdDw=
=qn87
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Affected
Notified: July 29, 2002 Updated: August 01, 2002
Status
Affected
Vendor Statement
SOURCE: Hewlett-Packard Company
RE: Potential RPC XDR buffer overflow
At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released perating System software products.
As further information becomes available HP will provide notice f the availability of any necessary
patches through>standard security bulletin announcements and be vailable from your normal HP Services support channel.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Corporation Affected
Notified: July 29, 2002 Updated: September 03, 2002
Status
Affected
Vendor Statement
IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix pacakge. Efixes are available from
ftp.software.ibm.com/aix/efixes/security
See the README file in this directory for additional information on the efixes.
The following APARs will be available in the near future:
AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )
AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Previously on 08/06/2002 IBM stated:
IBM has analyzed AIX with regard to the XDR vulnerability and found that the 4.3.3 and 5.1.0 releases are exposed. We are currently working on an efix package for this issue which will be available shortly.
We will update this statement when more information once the efixes are available.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MIT Kerberos Development Team Affected
Notified: August 02, 2002 Updated: August 02, 2002
Status
Affected
Vendor Statement
Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt
The patch is available directly:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt
The following detached PGP signature should be used to verify the authenticity and integrity of the patch:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
MIT krb5 Security Advisory 2002-001
2002-08-02
Topic: Remote root vulnerability in MIT krb5 admin system
Severity: Remote user may be able to gain root access to a KDC host.
SUMMARY
=======
There is an integer overflow bug in the SUNRPC-derived RPC library
used by the Kerberos 5 administration system that could be exploited
to gain unauthorized root access to a KDC host. It is believed that
the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful. No exploits are known to exist yet.
IMPACT
======
A remote attacker can potentially execute arbitrary code on the KDC
with the privileges of the user running the kadmin daemon (usually
root). This can lead to compromise of the Kerberos database.
AFFECTED SOFTWARE
=================
All releases of MIT Kerberos 5, up to and including krb5-1.2.5.
FIXES
=====
Apply the following patch to src/lib/rpc/xdr_array.c:
Index: xdr_array.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
retrieving revision 1.5
diff -c -r1.5 xdr_array.c
*** xdr_array.c1998/02/14 02:27:231.5
- --- xdr_array.c2002/08/02 17:25:05
***************
*** 75,81 ****
return (FALSE);
}
c = *sizep;
! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
- --- 75,82 ----
return (FALSE);
}
c = *sizep;
! if ((c > maxsize || c > LASTUNSIGNED / elsize)
! && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
and rebuild your tree. The patch was generated against krb5-1.2.5;
patches to other releases may apply with some offset.
This patch may also be found at:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt
The associated detached PGP signature is at:
http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc
This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/www/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/www/index.html
ACKNOWLEDGMENTS
===============
Thanks to ISS for discovery of the vulnerability.
Thanks to Jeffrey Hutzelman for assistance in discovering the
particulars of this bug.
DETAILS
=======
The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow. An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.
The uses of xdr_array() in the kadm5 library, which implements the
Kerberos 5 adminstration protocol, are unsafe in an environment where
this bug exists. A remote user may be able to use the buffer overflow
to execute arbitrary code on the KDC host, possibly leading to
unauthorized root access. It is believed that the remote user must
first successfully authenticate to the kadmin daemon in order to
exercise this vulnerability, though the user may not need to posess
any special privileges.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
iQCVAwUBPUrNEqbDgE/zdoE9AQHSPgQAlGS7HO8TZ1BHwek+niF5hA7exEt9Z8IA
fvxGpqirHciJQTfmBUiJhXhCTqosFgftQzt9KyvXmfMS3InZxAEmB7ahkevuBYkO
FvfWyA3Ew8J3bGhBJis1xTMFebb1N0crDH3rRjUGZApQ7uJNZ+9nQo41+P0+z3uD
yqpAbP9HTnw=
=MqNV
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Affected
Notified: July 29, 2002 Updated: October 03, 2002
Status
Affected
Vendor Statement
Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
Statement date: 10/2/2002 6:13:15 PM
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------
Title: Flaw in Services for Unix 3.0 Interix SDK Could Allow
Code Execution (Q329209)
Released: 02 October 2002
Software: Services for Unix 3.0 Interix SDK
Impact: Buffer overrun and denial of service
Max Risk: Moderate
Bulletin: MS02-057
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-057.asp.
- ----------------------------------------------------------------------
Issue:
======
All three vulnerabilities discussed in this bulletin involve the
inclusion of the Sun [TM] Microsystems RPC library in Microsoft's
Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who
created applications or utilities using the Sun RPC library from
the Interix SDK need to evaluate three vulnerabilities.
Windows Services for UNIX (SFU) 3.0 provides a full range of cross-
platform services to integrate Windows into existing UNIX environ-
ments. In version 3.0, the Interix subsystem technology is built in
so that Windows Services for UNIX 3.0 can provide platform inter-
operability and application migration in one fully integrated and
supported product from Microsoft. Developers who have integrated
Windows into their existing UNIX environments may have used the
Interix SDK to develop custom applications and utilities so that
applications that only ran on the UNIX platform can now run in a
Windows environment. Developers who used the Interix SDK to develop
applications or utilities should read this bulletin.
The first vulnerability is an integer overflow in the XDR library
that ships with the Sun RPC library on the Interix SDK for
Microsoft's Services for Unix (SFU) 3.0. An attacker could send a
malicious RPC request to the RPC server from a remote machine and
cause corruption in the server program. This can cause the server
to fail and potentially allow the attacker to run code of his or
her choice in the context of the server program.
The second vulnerability is a buffer overrun. An attacker could send
a malicious RPC request to the RPC server with an improper parameter
size check. This could lead to a buffer overrun, causing the server
to fail and preventing it from servicing any further requests from
clients.
The third vulnerability is an RPC implementation error. An app-
Lication using the Sun RPC library does not properly check the size
of client TCP requests. This could result in a denial of service
to a server application using the Sun RPC library. The RPC library
expects client TCP requests to specify the size of the record
that follows. Because there is a flaw in the way RPC detects
client packets, an attacker could send a malformed RPC request to
the RPC server from a remote machine and cause the server to fail
by not servicing any further client requests.
After applying the patch, it is necessary to recompile any Interix
application that is statically linked with the Interix SDK Sun RPC
library.
Mitigating Factors:
====================
*Only applications or utilities that were created using the
Interix SDK and specifically that use the Sun RPC library,
would be affected by these vulnerabilities.
*If an administrator or developer has only installed the
Interix SDK but has not actually created applications with
the SDK that use the Sun RPC library, the systems where the
SDK was installed would not be vulnerable.
Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
for information on obtaining this patch.
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPZtve40ZSRQxA/UrAQHdXgf/ejvlfeHIg3/qqRNVr05cITb88aElEzmS
54vEwb1h9YXhMzMBwm4nXyFLcG97wxJdWSUFkqKx8gzQtlJazOzCFHCKKCC1wU3Y
teNZJY0D/xEgkRTaYeeEIqNqTq6646M4dHmhFlyfLPLz5Ak50lpeGAk3ZyMPnfl8
uhypyBCy+1CmuxQE3RNMHw2Orz5jIwKWVYRjhfgQH11U537rCCW2cePadxYoDVpz
VyR1iHTDo5bvZa7101qMb06rftijbAKRF4049USw14dd6v/0FxxmjfXu2w9ECL1U
zwvrt8MaOWRPw/vt+kbF7kRFIDSUVuTN4xlf2kSC+zIOKdluvelhgw==
=Y+ML
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Affected
Notified: July 29, 2002 Updated: September 20, 2002
Status
Affected
Vendor Statement
Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-011
=================================
Topic:Sun RPC XDR decoder contains buffer overflow
Version:NetBSD-current: source prior to August 1, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
severity:Possible remote root compromise if RPC services
are enabled
Fixed:NetBSD-current:August 1, 2002
NetBSD-1.6 branch:August 2, 2002 (1.6 includes the fix)
NetBSD-1.5 branch:August 1, 2002
NetBSD-1.4 branch:not yet
Abstract
========
Integer overflows exist in the RPC code in libc. These cause a buffer to
be mistakenly allocated too small, and then overflown.
The Automounter amd(8) and its query tool amq(8), and the rusers(1)
client binary use the flawed code in a way which could be exploitable.
Other uses of the RPC functions have been examined and are believed to
not be exploitable.
No RPC-based services are enabled by default.
Technical Details
=================
Sun RPC is a remote procedure call framework which allows clients
to invoke procedures in a server process over a network somewhat
transparently. XDR is a mechanism for encoding data structures for
use with RPC. NFS, NIS, and many other network services are built
upon Sun RPC.
The NetBSD C runtime library (libc) contains an XDR encoder/decoder
derived from Sun's RPC implementation.
Any application using Sun RPC may be vulnerable to a heap buffer
overflow. Depending upon the application, this vulnerability may be
exploitable and lead to arbitrary code execution.
An error in the calculation of memory needed for unpacking arrays in
the XDR decoder can result in a heap buffer overflow.
Though no exploits are known to exist currently, RPC-based services
often run as the superuser, and the vulnerability in amd(8) could be
exploitable.
Again, no RPC-based services are enabled by default.
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
If you do not run any of the affected RPC services (amd/amq/rusers)
your system is not affected. However, we suggest you upgrade your
system to avoid running vulnerable RPC code by mistake.
The following instructions describe how to upgrade your libc (which
includes RPC code) by updating your source tree and rebuilding and
installing a new version of libc.
Note that if you have any statically-linked binaries that uses RPC,
you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-01
should be upgraded to NetBSD-current dated 2002-08-01 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-02 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-6 lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5 branch dated from before 2002-08-02
should be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
lib/libc/rpc
To update from CVS, re-build, and re-install libc:
# cd src
# cvs update -d -P -r netbsd-1-5 lib/libc/rpc
# cd lib/libc
# make cleandir dependall
# make install
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy
this problem for systems running the NetBSD-1.4 branch.
Thanks To
=========
CERT for notification.
Charles Hannum for scope analysis and commentary.
FreeBSD security-officers. Parts of the advisory text are based on
the FreeBSD advisory.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-08-01Initial release
2002-08-021.5/1.6 branch info
2002-09-16Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca
fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M
9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK
9OhEncw7mcw=
=YcPw
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenAFS Affected
Updated: August 05, 2002
Status
Affected
Vendor Statement
Please see http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
OpenAFS Security Advisory 2002-001
Topic: Remote root vulnerability in OpenAFS servers
Issued: 03-Aug-2002
Last Update: 03-Aug-2002
Severity: High
Affected: OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2
A remote user may be able to gain root access to an OpenAFS database
server or fileserver host. In addition, certain administrative clients
may be attacked if they make requests to a rogue server.
SUMMARY
=======
There is an integer overflow bug in the SUNRPC-derived RPC library
used by OpenAFS that could be exploited to crash certain OpenAFS
servers (volserver, vlserver, ptserver, buserver) or to obtain
unauthorized root access to a host running one of these processes.
In addition, it is possible for a rogue server to attack certain
administrative clients (vos, pts, backup, butc, rxstat), but only
if certain RPC requests are made to the rogue server.
The OpenAFS fileserver and cache manager (client) are not vulnerable
to these attacks. No exploits are presently known to be available
for this vulnerability.
IMPACT
======
A remote attacker can potentially execute arbitrary code on an OpenAFS
server host with the privileges of the user running the OpenAFS server
processes (usually root). This can lead to compromise of the OpenAFS
administrative databases, data stored on a compromised server, or
possible root access on a server host. Once a server host has been
compromised, the attacker is able to obtain access to any other OpenAFS
servers in the same cell.
AFFECTED SOFTWARE
=================
All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.
FIXES
=====
The OpenAFS project recommends that all users upgrade to OpenAFS
1.2.6 or newer. The latest stable OpenAFS release is always available
from http://www.openafs.org/release/latest.html.
No update is presently available for the OpenAFS-unstable series.
For those who are unable to upgrade, apply the following patch to
correct the XDR vulnerability, and rebuild your tree.
===================================================================
RCS file: /cvs/openafs/src/rx/Makefile.in,v
retrieving revision 1.4.2.1
retrieving revision 1.4.2.2
diff -u -r1.4.2.1 -r1.4.2.2
- --- openafs/src/rx/Makefile.in2002/01/20 08:38:381.4.2.1
+++ openafs/src/rx/Makefile.in2002/08/02 02:45:141.4.2.2
@@ -38,7 +38,7 @@
# Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx).
# Really the xdr stuff should be in its own directory.
#
- -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
+XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \
===================================================================
RCS file: /cvs/openafs/src/rx/xdr.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr.c2002/06/08 04:43:381.4
+++ openafs/src/rx/xdr.c2002/07/31 23:13:091.5
@@ -558,6 +558,8 @@
u_int size;
u_int nodesize;
+ if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
+
/*
* first deal with the length since xdr strings are counted-strings
*/
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_array.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr_array.c2001/08/08 00:03:571.4
+++ openafs/src/rx/xdr_array.c2002/07/31 23:13:091.5
@@ -84,7 +84,10 @@
register caddr_t target = *addrp;
register u_int c; /* the actual element count */
register bool_t stat = TRUE;
- -register int nodesize;
+register u_int nodesize;
+
+ i = ((~0) >> 1) / elsize;
+ if (maxsize > i) maxsize = i;
/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- --- openafs/src/rx/xdr_arrayn.c2001/08/08 00:03:571.4
+++ openafs/src/rx/xdr_arrayn.c2002/07/31 23:13:091.5
@@ -89,7 +89,10 @@
register caddr_t target = *addrp;
register u_int c; /* the actual element count */
register bool_t stat = TRUE;
- -register int nodesize;
+register u_int nodesize;
+
+ i = ((~0) >> 1) / elsize;
+ if (maxsize > i) maxsize = i;
/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {
===================================================================
This patch may also be found at:
http://www.openafs.org/security/xdr-updates-20020731.delta
The associated detached PGP signature is at
http://www.openafs.org/security/xdr-updates-20020731.delta.asc
It was generated against OpenAFS 1.2.5, but should apply to earlier
releases, possibly with some offset.
This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:
http://www.openafs.org/security/
The main OpenAFS web page is at:
http://www.openafs.org/
ACKNOWLEDGMENTS
===============
Thanks to ISS for discovery of the vulnerability.
Thanks to Nickolai Zeldovich for assistance in discovering the
particulars of this bug and developing a fix.
Thanks also to Tom Yu and the MIT Kerberos Development Team for their
advisory MITKRB5-SA-2002-001, the form and much of the text of which
was shamelessly stolen to produce this alert.
DETAIL
======
The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow. An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.
Several uses of xdr_array() in various AFS protocols are unsafe in an
environment where this bug exists. In particular, any use of a
counted array with unbounded size (represented in the Rx protocol
description with an empty pair of angle brackets '<>') is unsafe. Such
uses appear in input arguments to procedures in the PTS, VLDB, volserver,
and backup database protocols, and output arguments from procedures in all
of these protocols and in the Rx statistics interface implemented by most
OpenAFS servers.
A remote user may be able to use the buffer overflow to execute arbitrary
code on the server under attack, possibly leading to unauthorized root
access. Similarly a rogue server may be able to use the buffer overflow
to attack a client which makes one of the RPC's with unsafe output
arguments.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQBVAwUBPUxo8bD+655x7JNnAQGOYAH/ZzSzw5FyLI8YTmgJH4qSO7rKQVpy8F+L
aIU3Xy4HngBpYALsOrJLkCI7h966Li00YhyXgsm4UW9NzbCORc80Kw==
=iILR
-----END PGP SIGNATURE-----
_______________________________________________
OpenAFS-announce mailing list
OpenAFS-announce@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-announce
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Affected
Notified: July 29, 2002 Updated: July 31, 2002
Status
Affected
Vendor Statement
Please see http://www.openbsd.org/errata.html#xdr
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Common patches available here ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/012_xdr.patch
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Affected
Updated: August 06, 2002
Status
Affected
Vendor Statement
The xdr_array(3) integer overflow was present in the glibc package on
Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
Owl-current and documented as a security fix in the system-wide change
log available at:
http://www.openwall.com/Owl/CHANGES.shtml
The same glibc package update also fixes a very similar but different
calloc(3) integer overflow possibility that is currently not known to
allow for an attack on a particular application, but has been patched
as a proactive measure. The Sun RPC xdr_array(3) overflow may allow
for passive attacks on mount(8) by malicious or spoofed NFSv3 servers
as well as for both passive and active attacks on RPC clients or
services that one might install on Owl. (There're no RPC services
included with Owl.)
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat, Inc. Affected
Notified: July 29, 2002 Updated: August 05, 2002
Status
Affected
Vendor Statement
Red Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages, when complete these will be available along with our advisory at the URLs below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-166.html (glibc)
http://rhn.redhat.com/errata/RHSA-2002-172.html (Kerberos 5)
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Affected
Notified: July 29, 2002 Updated: August 19, 2002
Status
Affected
Vendor Statement
Patches available per SGI Security Advisory 20020801-01-P.
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title: Sun RPC xdr_array vulnerability
Number: 20020801-01-P
Date: August 16, 2002
Reference: CERT® CA-2002-25
Reference: SGI Security Advisory 20020801-01-A
Reference: CAN-2002-0391
______________________________________________________________________________
- -----------------------
- --- Issue Specifics ---
- -----------------------
This is a followup to SGI Security Bulletin 20020801-01-A.
It's been reported that there is a buffer overflow vulnerability in the Sun
RPC functions supplied with the IRIX 6.5 operating system.
The portmapper, NFS and NIS RPC services do NOT use the relevant RPC XDR
functions in libc in a manner that makes them vulnerable. But other RPC
services from IRIX, third-parties, freeware, etc. might use XDR functions.
See http://www.cert.org/advisories/CA-2002-25.html and
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
for additional details.
SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected in future releases of IRIX and with a
series of patches.
- --------------
- --- Impact ---
- --------------
The vulnerabilities exist within libc, which is installed by default on
IRIX 6.5 systems as part of eoe.sw.base.
To determine the version of IRIX you are running, execute the following
command:
# uname -R
That will return a result similar to the following:
# 6.5 6.5.16f
The first number ("6.5") is the release name, the second ("6.5.16f" in
this case) is the extended release name. The extended release name is
the "version" we refer to throughout this document.
This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
This vulnerability was assigned the following VU:
http://www.kb.cert.org/vuls/id/192995
- ----------------------------
- --- Temporary Workaround ---
- ----------------------------
There is no effective workaround available for these problems. SGI
recommends either upgrading to a minimum of IRIX 6.5.18, or installing the
appropriate patch from the listing below.
- ----------------
- --- Solution ---
- ----------------
SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.18 when available, or install the
appropriate patch.
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10 yes Notes 2 & 3
IRIX 6.5.11 yes Notes 2 & 3
IRIX 6.5.12 yes Notes 2 & 3
IRIX 6.5.13m yes 4740 Note 2
IRIX 6.5.13f yes 4739 Note 2
IRIX 6.5.14m yes 4742 Note 2
IRIX 6.5.14f yes 4741 Note 2
IRIX 6.5.15m yes 4744 Note 2
IRIX 6.5.15f yes 4743 Note 2
IRIX 6.5.16m yes 4746 Note 2
IRIX 6.5.16f yes 4745 Note 2
IRIX 6.5.17m yes 4748 Note 2
IRIX 6.5.17f yes 4747 Note 2
IRIX 6.5.18 no
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
3) Upgrade to IRIX 6.5.18m or 6.5.18f.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: README.patch.4739
Algorithm #1 (sum -r): 17376 8 README.patch.4739
Algorithm #2 (sum): 52194 8 README.patch.4739
MD5 checksum: FD3C0D821DF71D7F44E43FFF32D0E76A
Filename: patchSG0004739
Algorithm #1 (sum -r): 19705 5 patchSG0004739
Algorithm #2 (sum): 34493 5 patchSG0004739
MD5 checksum: 25417784900089D5D08F7C94CF7E8ACF
Filename: patchSG0004739.dev_sw
Algorithm #1 (sum -r): 38179 2866 patchSG0004739.dev_sw
Algorithm #2 (sum): 55114 2866 patchSG0004739.dev_sw
MD5 checksum: 50592422C16AC9653884CA6579B0BAE6
Filename: patchSG0004739.eoe_sw
Algorithm #1 (sum -r): 06410 14185 patchSG0004739.eoe_sw
Algorithm #2 (sum): 5223 14185 patchSG0004739.eoe_sw
MD5 checksum: D4E5F744A55173CF1BB1EEE1AFE24ACB
Filename: patchSG0004739.eoe_sw64
Algorithm #1 (sum -r): 41610 5436 patchSG0004739.eoe_sw64
Algorithm #2 (sum): 29732 5436 patchSG0004739.eoe_sw64
MD5 checksum: B2EF2038FFD7A4DDBE2B0ED8AD7EB424
Filename: patchSG0004739.idb
Algorithm #1 (sum -r): 38687 7 patchSG0004739.idb
Algorithm #2 (sum): 53498 7 patchSG0004739.idb
MD5 checksum: C546FD1A1866DF5E9D971E2B092A01C8
Filename: README.patch.4740
Algorithm #1 (sum -r): 62983 8 README.patch.4740
Algorithm #2 (sum): 51976 8 README.patch.4740
MD5 checksum: F79EF7FC534A9F788DC5F4DFA8FD38C6
Filename: patchSG0004740
Algorithm #1 (sum -r): 34224 4 patchSG0004740
Algorithm #2 (sum): 49244 4 patchSG0004740
MD5 checksum: 434ED9064D6A46C78F3F9C5F6FE38F3F
Filename: patchSG0004740.dev_sw
Algorithm #1 (sum -r): 56972 2818 patchSG0004740.dev_sw
Algorithm #2 (sum): 10979 2818 patchSG0004740.dev_sw
MD5 checksum: 1EFC8359CD1E09A215E628E0ADFF4139
Filename: patchSG0004740.eoe_sw
Algorithm #1 (sum -r): 32948 13964 patchSG0004740.eoe_sw
Algorithm #2 (sum): 48417 13964 patchSG0004740.eoe_sw
MD5 checksum: DE6845D0909AA11ACA7FD11B976A55D0
Filename: patchSG0004740.eoe_sw64
Algorithm #1 (sum -r): 01071 5364 patchSG0004740.eoe_sw64
Algorithm #2 (sum): 33961 5364 patchSG0004740.eoe_sw64
MD5 checksum: EB913551876A45D56F07767131E7F592
Filename: patchSG0004740.idb
Algorithm #1 (sum -r): 41640 7 patchSG0004740.idb
Algorithm #2 (sum): 53351 7 patchSG0004740.idb
MD5 checksum: FE6B18A2AA32639D8D1E2C0659E43A90
Filename: README.patch.4741
Algorithm #1 (sum -r): 46292 9 README.patch.4741
Algorithm #2 (sum): 58428 9 README.patch.4741
MD5 checksum: 5BD40F294334AC167243F86FF9AB0244
Filename: patchSG0004741
Algorithm #1 (sum -r): 35746 4 patchSG0004741
Algorithm #2 (sum): 63296 4 patchSG0004741
MD5 checksum: 3D2AEECD36495798CB6D8A26C1FF821D
Filename: patchSG0004741.dev_sw
Algorithm #1 (sum -r): 35551 2861 patchSG0004741.dev_sw
Algorithm #2 (sum): 11028 2861 patchSG0004741.dev_sw
MD5 checksum: 63C3BCBBB2F16E83A6CE138C6E0B0C90
Filename: patchSG0004741.eoe_sw
Algorithm #1 (sum -r): 47290 14241 patchSG0004741.eoe_sw
Algorithm #2 (sum): 20959 14241 patchSG0004741.eoe_sw
MD5 checksum: 906B2552ECAD0BD4F03730C1E6DA80A3
Filename: patchSG0004741.eoe_sw64
Algorithm #1 (sum -r): 51758 5454 patchSG0004741.eoe_sw64
Algorithm #2 (sum): 1612 5454 patchSG0004741.eoe_sw64
MD5 checksum: C796DD1711D14CBFD500AA70412C6C8A
Filename: patchSG0004741.idb
Algorithm #1 (sum -r): 11787 6 patchSG0004741.idb
Algorithm #2 (sum): 43916 6 patchSG0004741.idb
MD5 checksum: 6840C4B819339F639D09CB1895A1DF19
Filename: README.patch.4742
Algorithm #1 (sum -r): 50773 9 README.patch.4742
Algorithm #2 (sum): 58461 9 README.patch.4742
MD5 checksum: 4C5EB29413762291C461B6F5560A29F6
Filename: patchSG0004742
Algorithm #1 (sum -r): 36972 4 patchSG0004742
Algorithm #2 (sum): 63162 4 patchSG0004742
MD5 checksum: 7EF5D0DFA0C75A9537B67AC5412ECECD
Filename: patchSG0004742.dev_sw
Algorithm #1 (sum -r): 21521 2829 patchSG0004742.dev_sw
Algorithm #2 (sum): 57073 2829 patchSG0004742.dev_sw
MD5 checksum: 6B70E50307D06EFDAE3A5FC8D73A50A5
Filename: patchSG0004742.eoe_sw
Algorithm #1 (sum -r): 38562 14004 patchSG0004742.eoe_sw
Algorithm #2 (sum): 22516 14004 patchSG0004742.eoe_sw
MD5 checksum: 78452CABCE7569EFB73FA0E47C65FC03
Filename: patchSG0004742.eoe_sw64
Algorithm #1 (sum -r): 31249 5378 patchSG0004742.eoe_sw64
Algorithm #2 (sum): 1826 5378 patchSG0004742.eoe_sw64
MD5 checksum: DF82029A99D74908CA24065A2D35552E
Filename: patchSG0004742.idb
Algorithm #1 (sum -r): 54786 6 patchSG0004742.idb
Algorithm #2 (sum): 44002 6 patchSG0004742.idb
MD5 checksum: EEAC01E3BCDF632EB515DA3697FDC109
Filename: README.patch.4743
Algorithm #1 (sum -r): 15948 8 README.patch.4743
Algorithm #2 (sum): 45429 8 README.patch.4743
MD5 checksum: 3E15972E0AF21A717B45A698A9890BA7
Filename: patchSG0004743
Algorithm #1 (sum -r): 51688 4 patchSG0004743
Algorithm #2 (sum): 50416 4 patchSG0004743
MD5 checksum: ED38340DD8FAC5C86F743878AE1728D1
Filename: patchSG0004743.dev_sw
Algorithm #1 (sum -r): 40350 2861 patchSG0004743.dev_sw
Algorithm #2 (sum): 97 2861 patchSG0004743.dev_sw
MD5 checksum: 8EBC7CAAD1142B5566B976380364A37E
Filename: patchSG0004743.eoe_sw
Algorithm #1 (sum -r): 44069 14162 patchSG0004743.eoe_sw
Algorithm #2 (sum): 34540 14162 patchSG0004743.eoe_sw
MD5 checksum: DDF3BE55CB5F1EAE93B62BBD3FEF55A6
Filename: patchSG0004743.eoe_sw64
Algorithm #1 (sum -r): 30426 5440 patchSG0004743.eoe_sw64
Algorithm #2 (sum): 59672 5440 patchSG0004743.eoe_sw64
MD5 checksum: 6D0D872F815DA621B0992A9FD9324671
Filename: patchSG0004743.idb
Algorithm #1 (sum -r): 01715 7 patchSG0004743.idb
Algorithm #2 (sum): 55881 7 patchSG0004743.idb
MD5 checksum: 5CE041BDAB7430DBDF87511754D28CCA
Filename: README.patch.4744
Algorithm #1 (sum -r): 44285 8 README.patch.4744
Algorithm #2 (sum): 45488 8 README.patch.4744
MD5 checksum: D438FE6315E0F332108225D165D2EFB7
Filename: patchSG0004744
Algorithm #1 (sum -r): 00653 4 patchSG0004744
Algorithm #2 (sum): 47744 4 patchSG0004744
MD5 checksum: C19320CF91D7677290FF736E56C9FED5
Filename: patchSG0004744.dev_sw
Algorithm #1 (sum -r): 28428 2811 patchSG0004744.dev_sw
Algorithm #2 (sum): 5201 2811 patchSG0004744.dev_sw
MD5 checksum: 60A77A0A373EEC1EBF3EB9AF5FC79F3B
Filename: patchSG0004744.eoe_sw
Algorithm #1 (sum -r): 18899 13870 patchSG0004744.eoe_sw
Algorithm #2 (sum): 21781 13870 patchSG0004744.eoe_sw
MD5 checksum: EA1848F5C8B67056F05A9FE9B57CA9E2
Filename: patchSG0004744.eoe_sw64
Algorithm #1 (sum -r): 58911 5361 patchSG0004744.eoe_sw64
Algorithm #2 (sum): 50085 5361 patchSG0004744.eoe_sw64
MD5 checksum: 130FF3A636C961FB3954C16E442C0B6F
Filename: patchSG0004744.idb
Algorithm #1 (sum -r): 13486 7 patchSG0004744.idb
Algorithm #2 (sum): 55824 7 patchSG0004744.idb
MD5 checksum: 0CEBC15BCF39EA355446255A5D75D805
Filename: README.patch.4745
Algorithm #1 (sum -r): 15799 8 README.patch.4745
Algorithm #2 (sum): 35275 8 README.patch.4745
MD5 checksum: D6B712256A62F8E6B2ACD0976763DCCA
Filename: patchSG0004745
Algorithm #1 (sum -r): 58964 3 patchSG0004745
Algorithm #2 (sum): 34473 3 patchSG0004745
MD5 checksum: 37DD6BFA2D081654929172C5FFA85D03
Filename: patchSG0004745.dev_sw
Algorithm #1 (sum -r): 43608 2865 patchSG0004745.dev_sw
Algorithm #2 (sum): 26907 2865 patchSG0004745.dev_sw
MD5 checksum: 9CC4426260A13DD11D8787A75616B533
Filename: patchSG0004745.eoe_sw
Algorithm #1 (sum -r): 46222 14145 patchSG0004745.eoe_sw
Algorithm #2 (sum): 2014 14145 patchSG0004745.eoe_sw
MD5 checksum: 05732207843259769B88ACB5086F0E9D
Filename: patchSG0004745.eoe_sw64
Algorithm #1 (sum -r): 28294 5432 patchSG0004745.eoe_sw64
Algorithm #2 (sum): 35373 5432 patchSG0004745.eoe_sw64
MD5 checksum: E315BF430F7F55705EBB9059B618615C
Filename: patchSG0004745.idb
Algorithm #1 (sum -r): 08259 7 patchSG0004745.idb
Algorithm #2 (sum): 55819 7 patchSG0004745.idb
MD5 checksum: 9C00336D9796E94A5EECB18E032835BC
Filename: README.patch.4746
Algorithm #1 (sum -r): 32906 8 README.patch.4746
Algorithm #2 (sum): 35306 8 README.patch.4746
MD5 checksum: 875BAC2CC2801F9CA4B7C7C5DBD1D747
Filename: patchSG0004746
Algorithm #1 (sum -r): 38467 3 patchSG0004746
Algorithm #2 (sum): 31867 3 patchSG0004746
MD5 checksum: E7E3FB06A6133FB036B9E798959B3205
Filename: patchSG0004746.dev_sw
Algorithm #1 (sum -r): 02250 2814 patchSG0004746.dev_sw
Algorithm #2 (sum): 8724 2814 patchSG0004746.dev_sw
MD5 checksum: 6EE1AE6822CFCC275BF92BAEE44C6102
Filename: patchSG0004746.eoe_sw
Algorithm #1 (sum -r): 42525 13917 patchSG0004746.eoe_sw
Algorithm #2 (sum): 56304 13917 patchSG0004746.eoe_sw
MD5 checksum: B119365083193E8EFDB4D4EA06BD90B8
Filename: patchSG0004746.eoe_sw64
Algorithm #1 (sum -r): 47973 5358 patchSG0004746.eoe_sw64
Algorithm #2 (sum): 48931 5358 patchSG0004746.eoe_sw64
MD5 checksum: E5A80390E8E1017A559ACBCB6C64D2EE
Filename: patchSG0004746.idb
Algorithm #1 (sum -r): 21733 7 patchSG0004746.idb
Algorithm #2 (sum): 55840 7 patchSG0004746.idb
MD5 checksum: 23784F6416174D2794CA958A5FD27C5A
Filename: README.patch.4747
Algorithm #1 (sum -r): 40141 8 README.patch.4747
Algorithm #2 (sum): 28747 8 README.patch.4747
MD5 checksum: 5E6CD892484FAFF3DED05366F2F5EA89
Filename: patchSG0004747
Algorithm #1 (sum -r): 37009 3 patchSG0004747
Algorithm #2 (sum): 35605 3 patchSG0004747
MD5 checksum: 0109A515389D8C94EFBBE15043B08557
Filename: patchSG0004747.dev_sw
Algorithm #1 (sum -r): 60690 2915 patchSG0004747.dev_sw
Algorithm #2 (sum): 7035 2915 patchSG0004747.dev_sw
MD5 checksum: 128FD717AEBA71B8993DC3E9DC880F79
Filename: patchSG0004747.eoe_sw
Algorithm #1 (sum -r): 53956 14492 patchSG0004747.eoe_sw
Algorithm #2 (sum): 27214 14492 patchSG0004747.eoe_sw
MD5 checksum: 9590837AF84D5A0D6EFC916C851F0AD6
Filename: patchSG0004747.eoe_sw64
Algorithm #1 (sum -r): 28387 5585 patchSG0004747.eoe_sw64
Algorithm #2 (sum): 29573 5585 patchSG0004747.eoe_sw64
MD5 checksum: 6AFBDD4D8D5915613AB86DC690DB2F4D
Filename: patchSG0004747.idb
Algorithm #1 (sum -r): 13314 7 patchSG0004747.idb
Algorithm #2 (sum): 55955 7 patchSG0004747.idb
MD5 checksum: FDFFBD812D3964D9AC3C16D5BDAAF82D
Filename: README.patch.4748
Algorithm #1 (sum -r): 17856 8 README.patch.4748
Algorithm #2 (sum): 28761 8 README.patch.4748
MD5 checksum: 77CC00A1EE9DCD4FB02F8B9F1540BB20
Filename: patchSG0004748
Algorithm #1 (sum -r): 64080 3 patchSG0004748
Algorithm #2 (sum): 33271 3 patchSG0004748
MD5 checksum: 1DC2039E57A656D89D34D219A863B9AA
Filename: patchSG0004748.dev_sw
Algorithm #1 (sum -r): 57598 2867 patchSG0004748.dev_sw
Algorithm #2 (sum): 6373 2867 patchSG0004748.dev_sw
MD5 checksum: 7FEC56E9DF6C7F9E957E33C78B62B2B3
Filename: patchSG0004748.eoe_sw
Algorithm #1 (sum -r): 44400 14293 patchSG0004748.eoe_sw
Algorithm #2 (sum): 12872 14293 patchSG0004748.eoe_sw
MD5 checksum: 660F5D22F3F897C50DD2649DFA990122
Filename: patchSG0004748.eoe_sw64
Algorithm #1 (sum -r): 02612 5505 patchSG0004748.eoe_sw64
Algorithm #2 (sum): 61325 5505 patchSG0004748.eoe_sw64
MD5 checksum: 2A6D329F8D1E4469E524A85EEF6E157D
Filename: patchSG0004748.idb
Algorithm #1 (sum -r): 61381 7 patchSG0004748.idb
Algorithm #2 (sum): 56061 7 patchSG0004748.idb
MD5 checksum: 5F8AD4C318190D8316A7D406DAC8BBA1
- ------------------------
- --- Acknowledgments ----
- ------------------------
SGI wishes to thank CERT, ISS, FIRST and the users of the Internet Community
at large for their assistance in this matter.
- -------------
- --- Links ---
- -------------
SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/
SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/
SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/
SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/
SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/
SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/
IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html
IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
security-info@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire SGI
community. This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211). Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap < YourEmailAddress such as aaanalyst@sgi.com >
end
^d
In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to. The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .
------oOo------
If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any
way, SGI is appropriately credited and the document retains and
includes its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPV0oS7Q4cFApAP75AQGhDwQAkku0E5iUbcsge/axWgiBaocSYKnLL1iU
Fpd+5XmMN/7ADLDub8PU3N9Wfb9AtK69XNHUvnWaJZBGGfOu5ibfJCd0liJcma9x
xlsIkCW3LKM7BhprI8lUxfvuAPTVFo7JvyDiUvv/NJ2pJf9JTUHTBPAaSOVKsGbq
yi56nsVrNew=
=xbac
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SGI was previously looking into the matter on August 1, 2002, per:
ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title: Sun RPC xdr_array vulnerability
Number: 20020801-01-A
Date: August 1, 2002
______________________________________________________________________________
SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use. SGI recommends
that this information be acted upon as soon as possible.
SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose. In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.
______________________________________________________________________________
SGI acknowledges the Sun RPC vulnerability reported by ISS X-Force Advisory:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
and is currently investigating.
No further information is available at this time. As further information
becomes available, additional advisories will be issued.
For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported Linux and IRIX operating systems.
Until SGI has more definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and take appropriate
steps according to local site security policies and requirements.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
security-info@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire
SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (216.32.174.211). Security advisories and patches
are located under the URL ftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL
http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web (http://www.sgi.com/support/security/wiretap.html)
or by sending email to SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .
------oOo------
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A
support contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties and
may be redistributed provided that it is not altered in any way,
SGI is appropriately credited and the document retains and includes
its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPUlll7Q4cFApAP75AQH+pQQAr7rQG3oL5ZtqdMwEeiAd9wSI300FzY7B
nl9WQDOBGBPg9m6sPBIDvKxMRPAPZokRRofJc/MYqAAzK5Ye2xcfh8ILNBmCD/Xe
IB2Xc2WhrnDHGSiy7/HBFrFCpa40nct9q4Nwx0/Ej9MTjoYkX/YvhSv/dgIhw96Y
aLjFXVnhbos=
=6lyf
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems, Inc. Affected
Notified: July 29, 2002 Updated: August 05, 2002
Status
Affected
Vendor Statement
Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:
Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]
Xerox Corporation Affected
Notified: July 30, 2002 Updated: May 29, 2003
Status
Affected
Vendor Statement
A response to this advisory is available from our web site: http://www.xerox.com/security.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
[Begin cached statement: 05/29/2003 20:08:48 UTC]
[End cached statement]
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks, Inc. Not Affected
Notified: July 30, 2002 Updated: August 01, 2002
Status
Not Affected
Vendor Statement
The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
KTH Kerberos Not Affected
Notified: August 02, 2002 Updated: August 05, 2002
Status
Not Affected
Vendor Statement
kth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Network Appliance Not Affected
Notified: July 30, 2002 Updated: August 02, 2002
Status
Not Affected
Vendor Statement
NetApp systems are not vulnerable to this problem.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
e-Security Inc. Not Affected
Updated: August 06, 2002
Status
Not Affected
Vendor Statement
Not Vulnerable
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
AT&T Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Alcatel Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cisco Systems, Inc. Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Computer Associates Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Unknown
Notified: July 29, 2002 Updated: August 01, 2002
Status
Unknown
Vendor Statement
Cray Inc. is still investigating this issue. Concerned customers can refer to Cray SPR 722876 for details.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Data General Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks, Inc. Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Inc. Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Intel Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lucent Technologies Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Mandriva, Inc. Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NeXT Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nortel Networks, Inc. Unknown
Notified: July 30, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SUSE Linux Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Computer Systems, Inc. Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The Open Group Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Linux) Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group (SCO Unix) Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisphere Networks Unknown
Notified: July 30, 2002 Updated: August 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems, Inc. Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Xi Graphics Unknown
Notified: July 29, 2002 Updated: July 31, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- http://www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html
- ftp://ftp.isi.edu/in-notes/rfc4506.txt
- http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt
- http://CERT.Uni-Stuttgart.DE/advisories/calloc.php
- http://online.securityfocus.com/bid/5356
- http://www.iss.net/security_center/static/9170.php
- http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
Acknowledgements
Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).
This document was written by Jeffrey S. Havrilla.
Other Information
| CVE IDs: | CVE-2002-0391 |
| CERT Advisory: | CA-2002-25 |
| Severity Metric: | 27.29 |
| Date Public: | 2002-07-31 |
| Date First Published: | 2002-08-01 |
| Date Last Updated: | 2006-05-15 15:47 UTC |
| Document Revision: | 45 |