Lucene search

CERTVU:192995

HistoryAug 01, 2002 - 12:00 a.m.

Integer overflow in xdr_array() function when deserializing the XDR stream

2002-08-0100:00:00

www.kb.cert.org

0.85 High

EPSS

Percentile

98.5%

JSON

Overview

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.

This issue is currently being tracked as VU#192995 by the CERT/CC and as CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.

Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

Solution

Apply a patch from your vendor

Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

Patch or obtain updated XDR/RPC libraries.
Restart any dynamically linked services that make use of the XDR/RPC libraries.
Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

Note this is an iterative process for each set of patches being applied.

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:

* DMI Service Provider daemon (dmispd) 
* CDE Calendar Manager Service daemon (rpc.cmsd) 
* MIT Kerberos 5 Administration daemon (kadmind)

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Vendor Information

192995

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple Computer, Inc. __ Affected

Notified: July 29, 2002 Updated: September 20, 2002

Status

Affected

Vendor Statement

The vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Security Update 2002-08-23 is now available. This applies the fixes already available in Security Update 2002-08-02 to the Mac OS X 10.2 (Jaguar) release. Security Update 2002-08-02 was designed for the Mac OS X 10.1.5 release.
It contains fixes for recent vulnerabilities in:
OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659. Details are available via: ``<http://www.cert.org/advisories/CA-2002-23.html>``
mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the mod_ssl Apache module. Details are available via: ``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653>``
Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder. Details are available via:
<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>``
Affected systems: Mac OS X client and Mac OS X Server
Note: Mac OS X client is configured by default to have these services turned off, and is only vulnerable if the user has enabled network services which rely on the affected components. It is still recommended for Mac OS X client users to apply this security update to their system.
System requirements: Mac OS X 10.2 (Jaguar)
Security Update 2002-08-23 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site: ``<http://www.info.apple.com/kbnum/n120142>``
To help verify the integrity of Security Update 2002-08-23 from the Software Downloads web site:
The download file is titled: SecurityUpd2002-08-23.dmg Its SHA-1 digest is: fccb3adb478f90650f4484534a79a80bba5f94f3
Information will also be posted to the Apple Product Security web site: ``<http://www.apple.com/support/security/security_updates.html>``
This message is signed with Apple's Product Security PGP key, and details are available at: ``<http://www.apple.com/support/security/security_pgp.html>``
-----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3
`iQEVAwUBPWad3SFlYNdE6F9oAQHuIQf9GdW2n/r7di2U8c4jQU+3JvRtU+HG7Lsl
jlKRVNGyaMvUAurxbYB/yHfHcYDtsj26bupzLUpLXbIt54uZxyXo6UTExzpwreaT
r+UJm7+q9kG6lcAmrcz2WNzlnD6icXKKuyf/hR8NUo3yBP7MoR6QGjvFqodvTOHR
J2YXH8AEPAmWFf511AzbG1yYvlDhocZ+/gBFTlaB3nYt11Edz2yRE4qeumQYEIyf
gLFxzp1BVFNDJck66WjPWgHqDuq9QWPBzHl1qhd09ctD84w+Hda972dqxRn08Jo7
jTGs2zmUpyPxLxCHEd5uzRNuMquIoddW2Nsg8LeJNHqRDlklVSJTUA==
=CJ2Y
-----END PGP SIGNATURE-----

`
-— Original Message ----
From:Product Security
Date:Fri 8/2/02 20:02
To:[email protected]
Subject:Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

-----BEGIN PGP SIGNED MESSAGE-----

Security Update 2002-08-02 is now available. It contains fixes for
recent
vulnerabilities in:

OpenSSL: Fixes security vulnerabilities CAN-2002-0656,
CAN-2002-0657,
CAN-2002-0655, and CAN-2002-0659. Details are available via:
_<http://www.cert.org/advisories/CA-2002-23.html>_

mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
_<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653>_

Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
decoder.
Details are available via:

_<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>_

Affected systems: Mac OS X client and Mac OS X Server

Note: Mac OS X client is configured by default to have these services
turned
off, and is only vulnerable if the user has enabled network services
which rely
on the affected components. It is still recommended for Mac OS X
client users
to apply this security update to their system.

System requirements: Mac OS X 10.1.5

Security Update 2002-08-02 may be obtained from:

Software Update pane in System Preferences
Apple’s Software Downloads web site:
_<http://docs.info.apple.com/article.html?artnum=120139>_

SSL server:
_<https://depot.info.apple.com/security/129403bc5e184e3b7367.html>_

To help verify the integrity of Security Update 2002-08-02 from the
Software Downloads web site:

The download file is titled: SecurityUpd2002-08-02.dmg
Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

Information will also be posted to the Apple Product Security web site:
_<http://www.apple.com/support/security/security_updates.html>_

This message is signed with Apple’s Product Security PGP key, and
details are available at:
_<http://www.apple.com/support/security/security_pgp.html>_

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSNFTd2puXCtOGQ0M8c
2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chnN8s9EXiavcBG5e/ejtTo3ZHoOGP7bg
789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8c2jXySLlnqF+kzwqVnjUL7i2O97Fk5
tWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTpuKYuah/w9NwzL+LsbPcfXA/H1f4ngc
vRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXdZ9qaVCVRrZlsd9gSSmB2Jba4be/MRX
FauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZXOXwbbRjqXHmzzgu8D/Q==
=fdGO
-----END PGP SIGNATURE-----

security-announce mailing list | [email protected]
Help/Unsubscribe/Archives: _<http://www.lists.apple.com/mailman/listinfo/security>_-
announce
Do not post admin requests to the list. They will be ignored.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

Debian Linux __ Affected

Notified: July 29, 2002 Updated: August 06, 2002

Status

Affected

Vendor Statement

The Debian GNU/Linux distribution was vulnerable with regard to the the XDR problem as stated above with the following vulnerability matrix:

OpenAFS Kerberos5 GNU lib
Debian 2.2 (potato) not included not included vulnerable Debian 3.0 (woody) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable Debian unstable (sid) vulnerable (DSA 142-1) vulnerable (DSA 143-1) vulnerable
However, the following advisories were raised recently which contain and announced fixes:

DSA 142-1 OpenAFS (safe version are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
DSA 143-1 Kerberos5 (safe version are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))

The advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be:

Debian 2.2 (potato) glibc 2.1.3-23 or later
Debian 3.0 (woody) glibc 2.2.5-11.1 or later
Debian unstable (sid) glibc 2.2.5-12 or later

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

FreeBSD, Inc. __ Affected

Notified: July 29, 2002 Updated: August 01, 2002

Status

Affected

Vendor Statement

Please see <ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Note this is a REVISED advisory pointing to patches correct on 07/31/2002.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

GNU glibc __ Affected

Notified: July 31, 2002 Updated: August 06, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Version 2.2.5 and earlier versions of the GNU C Library are vulnerable. For Version 2.2.5, we suggest the following patch. This patch is also available from the GNU C Library CVS repository at:
[http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc](<http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc>)

2002-08-02 Jakub Jelinek <[email protected]>
* sunrpc/xdr_array.c (xdr_array): Check for overflow on multiplication. Patch by Solar Designer <[email protected]>.
`===================================================================
RCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1

— libc/sunrpc/xdr_array.c2001/08/17 04:48:311.5
+++ libc/sunrpc/xdr_array.c2002/08/02 01:35:391.5.2.1
@@ -45,6 +45,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <libintl.h>
+#include <limits.h>
#ifdef USE_IN_LIBIO

include <wchar.h>

@@ -81,7 +82,11 @@
return FALSE;
}
c = *sizep;

- if ((c > maxsize) && (xdrs->x_op != XDR_FREE))

/*
- XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
- doesn’t actually use its second argument anyway.
*/
if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
{
return FALSE;
}
`

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (SunOS) Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <<http://www.gnupg.org/>>
iD8DBQE9Tv0wddnqSFPI1IgRAmomAJ9cK6vT8zZMGdO/0Z4nOIZwUej2BwCfbRT3 mnvR4B781bGEg3y6PVaRdDw= =qn87 -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

Hewlett-Packard Company __ Affected

Notified: July 29, 2002 Updated: August 01, 2002

Status

Affected

Vendor Statement

SOURCE: Hewlett-Packard Company

RE: Potential RPC XDR buffer overflow

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP’s released perating System software products.

As further information becomes available HP will provide notice f the availability of any necessary
patches through>standard security bulletin announcements and be vailable from your normal HP Services support channel.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

IBM Corporation __ Affected

Notified: July 29, 2002 Updated: September 03, 2002

Status

Affected

Vendor Statement

IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix pacakge. Efixes are available from

ftp.software.ibm.com/aix/efixes/security

See the README file in this directory for additional information on the efixes.

The following APARs will be available in the near future:

>
AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )
AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Previously on 08/06/2002 IBM stated:

>
IBM has analyzed AIX with regard to the XDR vulnerability and found that the 4.3.3 and 5.1.0 releases are exposed. We are currently working on an efix package for this issue which will be available shortly.

We will update this statement when more information once the efixes are available.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

MIT Kerberos Development Team __ Affected

Notified: August 02, 2002 Updated: August 02, 2002

Status

Affected

Vendor Statement

Please see <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt>

The patch is available directly:

<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt>

The following detached PGP signature should be used to verify the authenticity and integrity of the patch:

<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

MIT krb5 Security Advisory 2002-001

2002-08-02

Topic: Remote root vulnerability in MIT krb5 admin system

Severity: Remote user may be able to gain root access to a KDC host.

SUMMARY

There is an integer overflow bug in the SUNRPC-derived RPC library
used by the Kerberos 5 administration system that could be exploited
to gain unauthorized root access to a KDC host. It is believed that
the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful. No exploits are known to exist yet.

IMPACT

A remote attacker can potentially execute arbitrary code on the KDC
with the privileges of the user running the kadmin daemon (usually
root). This can lead to compromise of the Kerberos database.

AFFECTED SOFTWARE

All releases of MIT Kerberos 5, up to and including krb5-1.2.5.

FIXES

Apply the following patch to src/lib/rpc/xdr_array.c:

Index: xdr_array.c

RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
retrieving revision 1.5
diff -c -r1.5 xdr_array.c
*** xdr_array.c1998/02/14 02:27:231.5
- — xdr_array.c2002/08/02 17:25:05
*************** *** 75,81 ****
return (FALSE);
}
c = *sizep;
! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
- — 75,82 ----
return (FALSE);
}
c = *sizep;
! if ((c > maxsize || c > LASTUNSIGNED / elsize)
! && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;

and rebuild your tree. The patch was generated against krb5-1.2.5;
patches to other releases may apply with some offset.

This patch may also be found at:

_<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt>_

The associated detached PGP signature is at:

_<http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc>_

This announcement and code patches related to it may be found on the
MIT Kerberos security advisory page at:

_<http://web.mit.edu/kerberos/www/advisories/index.html>_

The main MIT Kerberos web page is at:

_<http://web.mit.edu/kerberos/www/index.html>_

ACKNOWLEDGMENTS

Thanks to ISS for discovery of the vulnerability.

Thanks to Jeffrey Hutzelman for assistance in discovering the
particulars of this bug.

DETAILS

The xdr_array() decoder computes the value of the NODESIZE variable in
a way that can lead to integer overflow. An attacker can construct an
XDR encoding that will take advantage of this integer overflow in
order to overflow the allocated heap buffer, depending on the
specifics of the caller of the xdr_array() function.

The uses of xdr_array() in the kadm5 library, which implements the
Kerberos 5 adminstration protocol, are unsafe in an environment where
this bug exists. A remote user may be able to use the buffer overflow
to execute arbitrary code on the KDC host, possibly leading to
unauthorized root access. It is believed that the remote user must
first successfully authenticate to the kadmin daemon in order to
exercise this vulnerability, though the user may not need to posess
any special privileges.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)

iQCVAwUBPUrNEqbDgE/zdoE9AQHSPgQAlGS7HO8TZ1BHwek+niF5hA7exEt9Z8IA
fvxGpqirHciJQTfmBUiJhXhCTqosFgftQzt9KyvXmfMS3InZxAEmB7ahkevuBYkO
FvfWyA3Ew8J3bGhBJis1xTMFebb1N0crDH3rRjUGZApQ7uJNZ+9nQo41+P0+z3uD
yqpAbP9HTnw=
=MqNV
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

Microsoft Corporation __ Affected

Notified: July 29, 2002 Updated: October 03, 2002

Status

Affected

Vendor Statement

Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see _<http://www.microsoft.com/technet/security/bulletin/ms02-057.asp>_

Statement date: 10/2/2002 6:13:15 PM

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Flaw in Services for Unix 3.0 Interix SDK Could Allow
Code Execution (Q329209)
Released: 02 October 2002
Software: Services for Unix 3.0 Interix SDK
Impact: Buffer overrun and denial of service
Max Risk: Moderate
Bulletin: MS02-057

Microsoft encourages customers to review the Security Bulletin at:
_<http://www.microsoft.com/technet/security/bulletin/MS02-057.asp>_.
- ----------------------------------------------------------------------
Issue:

All three vulnerabilities discussed in this bulletin involve the
inclusion of the Sun [TM] Microsystems RPC library in Microsoft’s
Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who
created applications or utilities using the Sun RPC library from
the Interix SDK need to evaluate three vulnerabilities.

Windows Services for UNIX (SFU) 3.0 provides a full range of cross-
platform services to integrate Windows into existing UNIX environ-
ments. In version 3.0, the Interix subsystem technology is built in
so that Windows Services for UNIX 3.0 can provide platform inter-
operability and application migration in one fully integrated and
supported product from Microsoft. Developers who have integrated
Windows into their existing UNIX environments may have used the
Interix SDK to develop custom applications and utilities so that
applications that only ran on the UNIX platform can now run in a
Windows environment. Developers who used the Interix SDK to develop
applications or utilities should read this bulletin.

The first vulnerability is an integer overflow in the XDR library
that ships with the Sun RPC library on the Interix SDK for
Microsoft’s Services for Unix (SFU) 3.0. An attacker could send a
malicious RPC request to the RPC server from a remote machine and
cause corruption in the server program. This can cause the server
to fail and potentially allow the attacker to run code of his or
her choice in the context of the server program.

The second vulnerability is a buffer overrun. An attacker could send
a malicious RPC request to the RPC server with an improper parameter
size check. This could lead to a buffer overrun, causing the server
to fail and preventing it from servicing any further requests from
clients.

The third vulnerability is an RPC implementation error. An app-
Lication using the Sun RPC library does not properly check the size
of client TCP requests. This could result in a denial of service
to a server application using the Sun RPC library. The RPC library
expects client TCP requests to specify the size of the record
that follows. Because there is a flaw in the way RPC detects
client packets, an attacker could send a malformed RPC request to
the RPC server from a remote machine and cause the server to fail
by not servicing any further client requests.

After applying the patch, it is necessary to recompile any Interix
application that is statically linked with the Interix SDK Sun RPC
library.

Mitigating Factors:

*Only applications or utilities that were created using the
Interix SDK and specifically that use the Sun RPC library,
would be affected by these vulnerabilities.
*If an administrator or developer has only installed the
Interix SDK but has not actually created applications with
the SDK that use the Sun RPC library, the systems where the
SDK was installed would not be vulnerable.

Risk Rating:

- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Moderate

Patch Availability:

- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
_<http://www.microsoft.com/technet/security/bulletin/ms02-057.asp>_
for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
“AS IS” WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPZtve40ZSRQxA/UrAQHdXgf/ejvlfeHIg3/qqRNVr05cITb88aElEzmS
54vEwb1h9YXhMzMBwm4nXyFLcG97wxJdWSUFkqKx8gzQtlJazOzCFHCKKCC1wU3Y
teNZJY0D/xEgkRTaYeeEIqNqTq6646M4dHmhFlyfLPLz5Ak50lpeGAk3ZyMPnfl8
uhypyBCy+1CmuxQE3RNMHw2Orz5jIwKWVYRjhfgQH11U537rCCW2cePadxYoDVpz
VyR1iHTDo5bvZa7101qMb06rftijbAKRF4049USw14dd6v/0FxxmjfXu2w9ECL1U
zwvrt8MaOWRPw/vt+kbF7kRFIDSUVuTN4xlf2kSC+zIOKdluvelhgw==
=Y+ML
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

NetBSD __ Affected

Notified: July 29, 2002 Updated: September 20, 2002

Status

Affected

Vendor Statement

Please see <ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

` NetBSD Security Advisory 2002-011

Topic:Sun RPC XDR decoder contains buffer overflow
Version:NetBSD-current: source prior to August 1, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: affected
severity:Possible remote root compromise if RPC services
are enabled
Fixed:NetBSD-current:August 1, 2002
NetBSD-1.6 branch:August 2, 2002 (1.6 includes the fix)
NetBSD-1.5 branch:August 1, 2002
NetBSD-1.4 branch:not yet
`

`Abstract

Integer overflows exist in the RPC code in libc. These cause a buffer to
be mistakenly allocated too small, and then overflown.
The Automounter amd(8) and its query tool amq(8), and the rusers(1)
client binary use the flawed code in a way which could be exploitable.
Other uses of the RPC functions have been examined and are believed to
not be exploitable.
No RPC-based services are enabled by default.
`

`Technical Details

make cleandir dependall

make install

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
The advisory will be updated to include instructions to remedy this problem for systems running the NetBSD-1.4 branch.

`Thanks To

CERT for notification.
Charles Hannum for scope analysis and commentary.
FreeBSD security-officers. Parts of the advisory text are based on
the FreeBSD advisory.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
`

`Revision History

2002-08-01Initial release
2002-08-021.5/1.6 branch info
2002-09-16Re-release with updated information
`

`More Information

An up-to-date PGP signed copy of this release will be maintained at
<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc>
Information about NetBSD and NetBSD security can be found at
<http://www.NetBSD.ORG/> and <http://www.NetBSD.ORG/Security/>.
`

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $

-----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv
iQCVAwUBPYVqKj5Ru2/4N2IFAQGEYAP+K1lgLUVy/CrmvtRikjSv5UKYY4pAWAca fKwDpVlp/5q3kSc/b5NY7bgi7gUPVvbaW1v/PgfRIA47PBtAt7juvsnEDIO6IJ8M 9rDwfrikYdShm0R5ejxyIfu1CwjD9gWOvJ2xYGQ7XW67tLPG3udwa1B1UhWeQTnK 9OhEncw7mcw= =YcPw -----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

OpenAFS __ Affected

Updated: August 05, 2002

Status

Affected

Vendor Statement

Please see <http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

OpenAFS Security Advisory 2002-001

Topic: Remote root vulnerability in OpenAFS servers

Issued: 03-Aug-2002
Last Update: 03-Aug-2002
Severity: High
Affected: OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2

A remote user may be able to gain root access to an OpenAFS database
server or fileserver host. In addition, certain administrative clients
may be attacked if they make requests to a rogue server.

SUMMARY

There is an integer overflow bug in the SUNRPC-derived RPC library
used by OpenAFS that could be exploited to crash certain OpenAFS
servers (volserver, vlserver, ptserver, buserver) or to obtain
unauthorized root access to a host running one of these processes.

In addition, it is possible for a rogue server to attack certain
administrative clients (vos, pts, backup, butc, rxstat), but only
if certain RPC requests are made to the rogue server.

The OpenAFS fileserver and cache manager (client) are not vulnerable
to these attacks. No exploits are presently known to be available
for this vulnerability.

IMPACT

A remote attacker can potentially execute arbitrary code on an OpenAFS
server host with the privileges of the user running the OpenAFS server
processes (usually root). This can lead to compromise of the OpenAFS
administrative databases, data stored on a compromised server, or
possible root access on a server host. Once a server host has been
compromised, the attacker is able to obtain access to any other OpenAFS
servers in the same cell.

AFFECTED SOFTWARE

All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.

FIXES

The OpenAFS project recommends that all users upgrade to OpenAFS
1.2.6 or newer. The latest stable OpenAFS release is always available
from _<http://www.openafs.org/release/latest.html>_.

No update is presently available for the OpenAFS-unstable series.

For those who are unable to upgrade, apply the following patch to
correct the XDR vulnerability, and rebuild your tree.

===================================================================
RCS file: /cvs/openafs/src/rx/Makefile.in,v
retrieving revision 1.4.2.1
retrieving revision 1.4.2.2
diff -u -r1.4.2.1 -r1.4.2.2
- — openafs/src/rx/Makefile.in2002/01/20 08:38:381.4.2.1
+++ openafs/src/rx/Makefile.in2002/08/02 02:45:141.4.2.2
@@ -38,7 +38,7 @@

Generic xdr objects (or, at least, xdr stuff that’s not newly defined for rx).

Really the xdr stuff should be in its own directory.

- -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
+XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o

RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \

RCS file: /cvs/openafs/src/rx/xdr.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- — openafs/src/rx/xdr.c2002/06/08 04:43:381.4
+++ openafs/src/rx/xdr.c2002/07/31 23:13:091.5
@@ -558,6 +558,8 @@
u_int size;
u_int nodesize;

+ if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
+
/*

first deal with the length since xdr strings are counted-strings
*/
===================================================================
RCS file: /cvs/openafs/src/rx/xdr_array.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- — openafs/src/rx/xdr_array.c2001/08/08 00:03:571.4
+++ openafs/src/rx/xdr_array.c2002/07/31 23:13:091.5
@@ -84,7 +84,10 @@
register caddr_t target = addrp;
register u_int c; / the actual element count */
register bool_t stat = TRUE;
- -register int nodesize;
+register u_int nodesize;

+ i = ((~0) >> 1) / elsize;
+ if (maxsize > i) maxsize = i;

/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {

RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
- — openafs/src/rx/xdr_arrayn.c2001/08/08 00:03:571.4
+++ openafs/src/rx/xdr_arrayn.c2002/07/31 23:13:091.5
@@ -89,7 +89,10 @@
register caddr_t target = addrp;
register u_int c; / the actual element count */
register bool_t stat = TRUE;
- -register int nodesize;
+register u_int nodesize;
+
+ i = ((~0) >> 1) / elsize;
+ if (maxsize > i) maxsize = i;

/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {

This patch may also be found at:

_<http://www.openafs.org/security/xdr-updates-20020731.delta>_

The associated detached PGP signature is at

_<http://www.openafs.org/security/xdr-updates-20020731.delta.asc>_

It was generated against OpenAFS 1.2.5, but should apply to earlier
releases, possibly with some offset.

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

_<http://www.openafs.org/security/>_

The main OpenAFS web page is at:

_<http://www.openafs.org/>_

ACKNOWLEDGMENTS

Thanks to ISS for discovery of the vulnerability.

Thanks to Nickolai Zeldovich for assistance in discovering the
particulars of this bug and developing a fix.

Thanks also to Tom Yu and the MIT Kerberos Development Team for their
advisory MITKRB5-SA-2002-001, the form and much of the text of which
was shamelessly stolen to produce this alert.

DETAIL

Several uses of xdr_array() in various AFS protocols are unsafe in an
environment where this bug exists. In particular, any use of a
counted array with unbounded size (represented in the Rx protocol
description with an empty pair of angle brackets ‘<>’) is unsafe. Such
uses appear in input arguments to procedures in the PTS, VLDB, volserver,
and backup database protocols, and output arguments from procedures in all
of these protocols and in the Rx statistics interface implemented by most
OpenAFS servers.

A remote user may be able to use the buffer overflow to execute arbitrary
code on the server under attack, possibly leading to unauthorized root
access. Similarly a rogue server may be able to use the buffer overflow
to attack a client which makes one of the RPC’s with unsafe output
arguments.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQBVAwUBPUxo8bD+655x7JNnAQGOYAH/ZzSzw5FyLI8YTmgJH4qSO7rKQVpy8F+L
aIU3Xy4HngBpYALsOrJLkCI7h966Li00YhyXgsm4UW9NzbCORc80Kw==
=iILR
-----END PGP SIGNATURE-----

OpenAFS-announce mailing list
[email protected]
_<https://lists.openafs.org/mailman/listinfo/openafs-announce>_

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

OpenBSD __ Affected

Notified: July 29, 2002 Updated: July 31, 2002

Status

Affected

Patches available per SGI Security Advisory 20020801-01-P.

-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________ SGI Security Advisory
Title: Sun RPC xdr_array vulnerability Number: 20020801-01-P Date: August 16, 2002 Reference: CERT® CA-2002-25 Reference: SGI Security Advisory 20020801-01-A Reference: CAN-2002-0391
______________________________________________________________________________
- -----------------------
`- — Issue Specifics —

-----------------------`

This is a followup to SGI Security Bulletin 20020801-01-A.
It's been reported that there is a buffer overflow vulnerability in the Sun RPC functions supplied with the IRIX 6.5 operating system.
The portmapper, NFS and NIS RPC services do NOT use the relevant RPC XDR functions in libc in a manner that makes them vulnerable. But other RPC services from IRIX, third-parties, freeware, etc. might use XDR functions.
See ``<http://www.cert.org/advisories/CA-2002-25.html>`` and ``<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>`` for additional details.
SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems.
These issues have been corrected in future releases of IRIX and with a series of patches.

- --------------
`- — Impact —

--------------`

The vulnerabilities exist within libc, which is installed by default on IRIX 6.5 systems as part of eoe.sw.base.
To determine the version of IRIX you are running, execute the following command:
# uname -R
That will return a result similar to the following:
# 6.5 6.5.16f
The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document.
This vulnerability was assigned the following CVE: ``<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391>``
This vulnerability was assigned the following VU: ``<http://www.kb.cert.org/vuls/id/192995>``

- ----------------------------
`- — Temporary Workaround —

----------------------------`

There is no effective workaround available for these problems. SGI recommends either upgrading to a minimum of IRIX 6.5.18, or installing the appropriate patch from the listing below.

- ----------------
`- — Solution —

----------------`

SGI has provided a series of patches for these vulnerabilities. Our recommendation is to upgrade to IRIX 6.5.18 when available, or install the appropriate patch.
` OS Version Vulnerable? Patch # Other Actions

IRIX 3.x unknown Note 1
IRIX 4.x unknown Note 1
IRIX 5.x unknown Note 1
IRIX 6.0.x unknown Note 1
IRIX 6.1 unknown Note 1
IRIX 6.2 unknown Note 1
IRIX 6.3 unknown Note 1
IRIX 6.4 unknown Note 1
IRIX 6.5 yes Notes 2 & 3
IRIX 6.5.1 yes Notes 2 & 3
IRIX 6.5.2 yes Notes 2 & 3
IRIX 6.5.3 yes Notes 2 & 3
IRIX 6.5.4 yes Notes 2 & 3
IRIX 6.5.5 yes Notes 2 & 3
IRIX 6.5.6 yes Notes 2 & 3
IRIX 6.5.7 yes Notes 2 & 3
IRIX 6.5.8 yes Notes 2 & 3
IRIX 6.5.9 yes Notes 2 & 3
IRIX 6.5.10 yes Notes 2 & 3
IRIX 6.5.11 yes Notes 2 & 3
IRIX 6.5.12 yes Notes 2 & 3
IRIX 6.5.13m yes 4740 Note 2
IRIX 6.5.13f yes 4739 Note 2
IRIX 6.5.14m yes 4742 Note 2
IRIX 6.5.14f yes 4741 Note 2
IRIX 6.5.15m yes 4744 Note 2
IRIX 6.5.15f yes 4743 Note 2
IRIX 6.5.16m yes 4746 Note 2
IRIX 6.5.16f yes 4745 Note 2
IRIX 6.5.17m yes 4748 Note 2
IRIX 6.5.17f yes 4747 Note 2
IRIX 6.5.18 no
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an
actively supported IRIX operating system. See
<http://support.sgi.com/irix/news/index.html#policy> for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: <http://support.sgi.com/irix/swupdates/>
3) Upgrade to IRIX 6.5.18m or 6.5.18f.
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: README.patch.4739
Algorithm #1 (sum -r): 17376 8 README.patch.4739
Algorithm #2 (sum): 52194 8 README.patch.4739
MD5 checksum: FD3C0D821DF71D7F44E43FFF32D0E76A
Filename: patchSG0004739
Algorithm #1 (sum -r): 19705 5 patchSG0004739
Algorithm #2 (sum): 34493 5 patchSG0004739
MD5 checksum: 25417784900089D5D08F7C94CF7E8ACF
Filename: patchSG0004739.dev_sw
Algorithm #1 (sum -r): 38179 2866 patchSG0004739.dev_sw
Algorithm #2 (sum): 55114 2866 patchSG0004739.dev_sw
MD5 checksum: 50592422C16AC9653884CA6579B0BAE6
Filename: patchSG0004739.eoe_sw
Algorithm #1 (sum -r): 06410 14185 patchSG0004739.eoe_sw
Algorithm #2 (sum): 5223 14185 patchSG0004739.eoe_sw
MD5 checksum: D4E5F744A55173CF1BB1EEE1AFE24ACB
Filename: patchSG0004739.eoe_sw64
Algorithm #1 (sum -r): 41610 5436 patchSG0004739.eoe_sw64
Algorithm #2 (sum): 29732 5436 patchSG0004739.eoe_sw64
MD5 checksum: B2EF2038FFD7A4DDBE2B0ED8AD7EB424
Filename: patchSG0004739.idb
Algorithm #1 (sum -r): 38687 7 patchSG0004739.idb
Algorithm #2 (sum): 53498 7 patchSG0004739.idb
MD5 checksum: C546FD1A1866DF5E9D971E2B092A01C8
`

Filename: README.patch.4740 Algorithm #1 (sum -r): 62983 8 README.patch.4740 Algorithm #2 (sum): 51976 8 README.patch.4740 MD5 checksum: F79EF7FC534A9F788DC5F4DFA8FD38C6
Filename: patchSG0004740 Algorithm #1 (sum -r): 34224 4 patchSG0004740 Algorithm #2 (sum): 49244 4 patchSG0004740 MD5 checksum: 434ED9064D6A46C78F3F9C5F6FE38F3F
Filename: patchSG0004740.dev_sw Algorithm #1 (sum -r): 56972 2818 patchSG0004740.dev_sw Algorithm #2 (sum): 10979 2818 patchSG0004740.dev_sw MD5 checksum: 1EFC8359CD1E09A215E628E0ADFF4139
Filename: patchSG0004740.eoe_sw Algorithm #1 (sum -r): 32948 13964 patchSG0004740.eoe_sw Algorithm #2 (sum): 48417 13964 patchSG0004740.eoe_sw MD5 checksum: DE6845D0909AA11ACA7FD11B976A55D0
Filename: patchSG0004740.eoe_sw64 Algorithm #1 (sum -r): 01071 5364 patchSG0004740.eoe_sw64 Algorithm #2 (sum): 33961 5364 patchSG0004740.eoe_sw64 MD5 checksum: EB913551876A45D56F07767131E7F592
Filename: patchSG0004740.idb Algorithm #1 (sum -r): 41640 7 patchSG0004740.idb Algorithm #2 (sum): 53351 7 patchSG0004740.idb MD5 checksum: FE6B18A2AA32639D8D1E2C0659E43A90

Filename: README.patch.4741 Algorithm #1 (sum -r): 46292 9 README.patch.4741 Algorithm #2 (sum): 58428 9 README.patch.4741 MD5 checksum: 5BD40F294334AC167243F86FF9AB0244
Filename: patchSG0004741 Algorithm #1 (sum -r): 35746 4 patchSG0004741 Algorithm #2 (sum): 63296 4 patchSG0004741 MD5 checksum: 3D2AEECD36495798CB6D8A26C1FF821D
Filename: patchSG0004741.dev_sw Algorithm #1 (sum -r): 35551 2861 patchSG0004741.dev_sw Algorithm #2 (sum): 11028 2861 patchSG0004741.dev_sw MD5 checksum: 63C3BCBBB2F16E83A6CE138C6E0B0C90
Filename: patchSG0004741.eoe_sw Algorithm #1 (sum -r): 47290 14241 patchSG0004741.eoe_sw Algorithm #2 (sum): 20959 14241 patchSG0004741.eoe_sw MD5 checksum: 906B2552ECAD0BD4F03730C1E6DA80A3
Filename: patchSG0004741.eoe_sw64 Algorithm #1 (sum -r): 51758 5454 patchSG0004741.eoe_sw64 Algorithm #2 (sum): 1612 5454 patchSG0004741.eoe_sw64 MD5 checksum: C796DD1711D14CBFD500AA70412C6C8A
Filename: patchSG0004741.idb Algorithm #1 (sum -r): 11787 6 patchSG0004741.idb Algorithm #2 (sum): 43916 6 patchSG0004741.idb MD5 checksum: 6840C4B819339F639D09CB1895A1DF19

Filename: README.patch.4742 Algorithm #1 (sum -r): 50773 9 README.patch.4742 Algorithm #2 (sum): 58461 9 README.patch.4742 MD5 checksum: 4C5EB29413762291C461B6F5560A29F6
Filename: patchSG0004742 Algorithm #1 (sum -r): 36972 4 patchSG0004742 Algorithm #2 (sum): 63162 4 patchSG0004742 MD5 checksum: 7EF5D0DFA0C75A9537B67AC5412ECECD
Filename: patchSG0004742.dev_sw Algorithm #1 (sum -r): 21521 2829 patchSG0004742.dev_sw Algorithm #2 (sum): 57073 2829 patchSG0004742.dev_sw MD5 checksum: 6B70E50307D06EFDAE3A5FC8D73A50A5
Filename: patchSG0004742.eoe_sw Algorithm #1 (sum -r): 38562 14004 patchSG0004742.eoe_sw Algorithm #2 (sum): 22516 14004 patchSG0004742.eoe_sw MD5 checksum: 78452CABCE7569EFB73FA0E47C65FC03
Filename: patchSG0004742.eoe_sw64 Algorithm #1 (sum -r): 31249 5378 patchSG0004742.eoe_sw64 Algorithm #2 (sum): 1826 5378 patchSG0004742.eoe_sw64 MD5 checksum: DF82029A99D74908CA24065A2D35552E
Filename: patchSG0004742.idb Algorithm #1 (sum -r): 54786 6 patchSG0004742.idb Algorithm #2 (sum): 44002 6 patchSG0004742.idb MD5 checksum: EEAC01E3BCDF632EB515DA3697FDC109

Filename: README.patch.4743 Algorithm #1 (sum -r): 15948 8 README.patch.4743 Algorithm #2 (sum): 45429 8 README.patch.4743 MD5 checksum: 3E15972E0AF21A717B45A698A9890BA7
Filename: patchSG0004743 Algorithm #1 (sum -r): 51688 4 patchSG0004743 Algorithm #2 (sum): 50416 4 patchSG0004743 MD5 checksum: ED38340DD8FAC5C86F743878AE1728D1
Filename: patchSG0004743.dev_sw Algorithm #1 (sum -r): 40350 2861 patchSG0004743.dev_sw Algorithm #2 (sum): 97 2861 patchSG0004743.dev_sw MD5 checksum: 8EBC7CAAD1142B5566B976380364A37E
Filename: patchSG0004743.eoe_sw Algorithm #1 (sum -r): 44069 14162 patchSG0004743.eoe_sw Algorithm #2 (sum): 34540 14162 patchSG0004743.eoe_sw MD5 checksum: DDF3BE55CB5F1EAE93B62BBD3FEF55A6
Filename: patchSG0004743.eoe_sw64 Algorithm #1 (sum -r): 30426 5440 patchSG0004743.eoe_sw64 Algorithm #2 (sum): 59672 5440 patchSG0004743.eoe_sw64 MD5 checksum: 6D0D872F815DA621B0992A9FD9324671
Filename: patchSG0004743.idb Algorithm #1 (sum -r): 01715 7 patchSG0004743.idb Algorithm #2 (sum): 55881 7 patchSG0004743.idb MD5 checksum: 5CE041BDAB7430DBDF87511754D28CCA

Filename: README.patch.4744 Algorithm #1 (sum -r): 44285 8 README.patch.4744 Algorithm #2 (sum): 45488 8 README.patch.4744 MD5 checksum: D438FE6315E0F332108225D165D2EFB7
Filename: patchSG0004744 Algorithm #1 (sum -r): 00653 4 patchSG0004744 Algorithm #2 (sum): 47744 4 patchSG0004744 MD5 checksum: C19320CF91D7677290FF736E56C9FED5
Filename: patchSG0004744.dev_sw Algorithm #1 (sum -r): 28428 2811 patchSG0004744.dev_sw Algorithm #2 (sum): 5201 2811 patchSG0004744.dev_sw MD5 checksum: 60A77A0A373EEC1EBF3EB9AF5FC79F3B
Filename: patchSG0004744.eoe_sw Algorithm #1 (sum -r): 18899 13870 patchSG0004744.eoe_sw Algorithm #2 (sum): 21781 13870 patchSG0004744.eoe_sw MD5 checksum: EA1848F5C8B67056F05A9FE9B57CA9E2
Filename: patchSG0004744.eoe_sw64 Algorithm #1 (sum -r): 58911 5361 patchSG0004744.eoe_sw64 Algorithm #2 (sum): 50085 5361 patchSG0004744.eoe_sw64 MD5 checksum: 130FF3A636C961FB3954C16E442C0B6F
Filename: patchSG0004744.idb Algorithm #1 (sum -r): 13486 7 patchSG0004744.idb Algorithm #2 (sum): 55824 7 patchSG0004744.idb MD5 checksum: 0CEBC15BCF39EA355446255A5D75D805

Filename: README.patch.4745 Algorithm #1 (sum -r): 15799 8 README.patch.4745 Algorithm #2 (sum): 35275 8 README.patch.4745 MD5 checksum: D6B712256A62F8E6B2ACD0976763DCCA
Filename: patchSG0004745 Algorithm #1 (sum -r): 58964 3 patchSG0004745 Algorithm #2 (sum): 34473 3 patchSG0004745 MD5 checksum: 37DD6BFA2D081654929172C5FFA85D03
Filename: patchSG0004745.dev_sw Algorithm #1 (sum -r): 43608 2865 patchSG0004745.dev_sw Algorithm #2 (sum): 26907 2865 patchSG0004745.dev_sw MD5 checksum: 9CC4426260A13DD11D8787A75616B533
Filename: patchSG0004745.eoe_sw Algorithm #1 (sum -r): 46222 14145 patchSG0004745.eoe_sw Algorithm #2 (sum): 2014 14145 patchSG0004745.eoe_sw MD5 checksum: 05732207843259769B88ACB5086F0E9D
Filename: patchSG0004745.eoe_sw64 Algorithm #1 (sum -r): 28294 5432 patchSG0004745.eoe_sw64 Algorithm #2 (sum): 35373 5432 patchSG0004745.eoe_sw64 MD5 checksum: E315BF430F7F55705EBB9059B618615C
Filename: patchSG0004745.idb Algorithm #1 (sum -r): 08259 7 patchSG0004745.idb Algorithm #2 (sum): 55819 7 patchSG0004745.idb MD5 checksum: 9C00336D9796E94A5EECB18E032835BC

Filename: README.patch.4746 Algorithm #1 (sum -r): 32906 8 README.patch.4746 Algorithm #2 (sum): 35306 8 README.patch.4746 MD5 checksum: 875BAC2CC2801F9CA4B7C7C5DBD1D747
Filename: patchSG0004746 Algorithm #1 (sum -r): 38467 3 patchSG0004746 Algorithm #2 (sum): 31867 3 patchSG0004746 MD5 checksum: E7E3FB06A6133FB036B9E798959B3205
Filename: patchSG0004746.dev_sw Algorithm #1 (sum -r): 02250 2814 patchSG0004746.dev_sw Algorithm #2 (sum): 8724 2814 patchSG0004746.dev_sw MD5 checksum: 6EE1AE6822CFCC275BF92BAEE44C6102
Filename: patchSG0004746.eoe_sw Algorithm #1 (sum -r): 42525 13917 patchSG0004746.eoe_sw Algorithm #2 (sum): 56304 13917 patchSG0004746.eoe_sw MD5 checksum: B119365083193E8EFDB4D4EA06BD90B8
Filename: patchSG0004746.eoe_sw64 Algorithm #1 (sum -r): 47973 5358 patchSG0004746.eoe_sw64 Algorithm #2 (sum): 48931 5358 patchSG0004746.eoe_sw64 MD5 checksum: E5A80390E8E1017A559ACBCB6C64D2EE
Filename: patchSG0004746.idb Algorithm #1 (sum -r): 21733 7 patchSG0004746.idb Algorithm #2 (sum): 55840 7 patchSG0004746.idb MD5 checksum: 23784F6416174D2794CA958A5FD27C5A

Filename: README.patch.4747 Algorithm #1 (sum -r): 40141 8 README.patch.4747 Algorithm #2 (sum): 28747 8 README.patch.4747 MD5 checksum: 5E6CD892484FAFF3DED05366F2F5EA89
Filename: patchSG0004747 Algorithm #1 (sum -r): 37009 3 patchSG0004747 Algorithm #2 (sum): 35605 3 patchSG0004747 MD5 checksum: 0109A515389D8C94EFBBE15043B08557
Filename: patchSG0004747.dev_sw Algorithm #1 (sum -r): 60690 2915 patchSG0004747.dev_sw Algorithm #2 (sum): 7035 2915 patchSG0004747.dev_sw MD5 checksum: 128FD717AEBA71B8993DC3E9DC880F79
Filename: patchSG0004747.eoe_sw Algorithm #1 (sum -r): 53956 14492 patchSG0004747.eoe_sw Algorithm #2 (sum): 27214 14492 patchSG0004747.eoe_sw MD5 checksum: 9590837AF84D5A0D6EFC916C851F0AD6
Filename: patchSG0004747.eoe_sw64 Algorithm #1 (sum -r): 28387 5585 patchSG0004747.eoe_sw64 Algorithm #2 (sum): 29573 5585 patchSG0004747.eoe_sw64 MD5 checksum: 6AFBDD4D8D5915613AB86DC690DB2F4D
Filename: patchSG0004747.idb Algorithm #1 (sum -r): 13314 7 patchSG0004747.idb Algorithm #2 (sum): 55955 7 patchSG0004747.idb MD5 checksum: FDFFBD812D3964D9AC3C16D5BDAAF82D

Filename: README.patch.4748 Algorithm #1 (sum -r): 17856 8 README.patch.4748 Algorithm #2 (sum): 28761 8 README.patch.4748 MD5 checksum: 77CC00A1EE9DCD4FB02F8B9F1540BB20
Filename: patchSG0004748 Algorithm #1 (sum -r): 64080 3 patchSG0004748 Algorithm #2 (sum): 33271 3 patchSG0004748 MD5 checksum: 1DC2039E57A656D89D34D219A863B9AA
Filename: patchSG0004748.dev_sw Algorithm #1 (sum -r): 57598 2867 patchSG0004748.dev_sw Algorithm #2 (sum): 6373 2867 patchSG0004748.dev_sw MD5 checksum: 7FEC56E9DF6C7F9E957E33C78B62B2B3

Filename: patchSG0004748.eoe_sw Algorithm #1 (sum -r): 44400 14293 patchSG0004748.eoe_sw Algorithm #2 (sum): 12872 14293 patchSG0004748.eoe_sw MD5 checksum: 660F5D22F3F897C50DD2649DFA990122
Filename: patchSG0004748.eoe_sw64 Algorithm #1 (sum -r): 02612 5505 patchSG0004748.eoe_sw64 Algorithm #2 (sum): 61325 5505 patchSG0004748.eoe_sw64 MD5 checksum: 2A6D329F8D1E4469E524A85EEF6E157D
Filename: patchSG0004748.idb Algorithm #1 (sum -r): 61381 7 patchSG0004748.idb Algorithm #2 (sum): 56061 7 patchSG0004748.idb MD5 checksum: 5F8AD4C318190D8316A7D406DAC8BBA1

- ------------------------
`- — Acknowledgments ----

------------------------`

SGI wishes to thank CERT, ISS, FIRST and the users of the Internet Community at large for their assistance in this matter.

- -------------
`- — Links —

-------------`

SGI Security Advisories can be found at: ``<http://www.sgi.com/support/security/>`` and ``<ftp://patches.sgi.com/support/free/security/advisories/>``
SGI Security Patches can be found at: ``<http://www.sgi.com/support/security/>`` and ``<ftp://patches.sgi.com/support/free/security/patches/>``
SGI patches for IRIX can be found at the following patch servers: ``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/>``
SGI freeware updates for IRIX can be found at: ``<http://freeware.sgi.com/>``
SGI fixes for SGI open sourced code can be found on: ``<http://oss.sgi.com/projects/>``
SGI patches and RPMs for Linux can be found at: ``<http://support.sgi.com/linux/>`` or ``<http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/>``
SGI patches for Windows NT or 2000 can be found at: ``<http://support.sgi.com/nt/>``
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at: ``<http://support.sgi.com/irix/>`` and ``<ftp://patches.sgi.com/support/patchset/>``
IRIX 6.5 Maintenance Release Streams can be found at: ``<http://support.sgi.com/colls/patches/tools/relstream/index.html>``
IRIX 6.5 Software Update CDs can be obtained from: ``<http://support.sgi.com/irix/swupdates/>``
The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ``<ftp://patches.sgi.com/support/free/security/>``
For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update.

- -----------------------------------------
`- — SGI Security Information/Contacts —

-----------------------------------------`

If there are questions about this document, email can be sent to [email protected].
------oOo------
SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URL ``<ftp://patches.sgi.com/support/free/security/>``
The SGI Security Headquarters Web page is accessible at the URL: ``<http://www.sgi.com/support/security/>``
For issues with the patches on the FTP sites, email can be sent to [email protected].
For assistance obtaining or working with security patches, please contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (``<http://www.sgi.com/support/security/wiretap.html>``) or by sending email to SGI as outlined below.
% mail [email protected] subscribe wiretap < YourEmailAddress such as [email protected] > end ^d
In the example above, <YourEmailAddress> is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message.

------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is located at ``<http://www.sgi.com/support/security/>`` .
------oOo------
If there are general security questions on SGI systems, email can be sent to [email protected].
For reporting *NEW* SGI security issues, email can be sent to [email protected] or contact your SGI support provider. A support contract is not required for submitting a security report.
______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBPV0oS7Q4cFApAP75AQGhDwQAkku0E5iUbcsge/axWgiBaocSYKnLL1iU Fpd+5XmMN/7ADLDub8PU3N9Wfb9AtK69XNHUvnWaJZBGGfOu5ibfJCd0liJcma9x xlsIkCW3LKM7BhprI8lUxfvuAPTVFo7JvyDiUvv/NJ2pJf9JTUHTBPAaSOVKsGbq yi56nsVrNew= =xbac -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI was previously looking into the matter on August 1, 2002, per:
<ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A>

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
SGI Security Advisory

Title: Sun RPC xdr_array vulnerability
Number: 20020801-01-A
Date: August 1, 2002
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use. SGI recommends
that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose. In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.
______________________________________________________________________________

SGI acknowledges the Sun RPC vulnerability reported by ISS X-Force Advisory:
<http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823>
and is currently investigating.

No further information is available at this time. As further information
becomes available, additional advisories will be issued.

For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported Linux and IRIX operating systems.

Until SGI has more definitive information to provide, customers are encouraged
to assume all security vulnerabilities as exploitable and take appropriate
steps according to local site security policies and requirements.

As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
[email protected].

------oOo------

SGI provides security information and patches for use by the entire
SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches
is patches.sgi.com (216.32.174.211). Security advisories and patches
are located under the URL ``<ftp://patches.sgi.com/support/free/security/>

The SGI Security Headquarters Web page is accessible at the URL
<http://www.sgi.com/support/security/>

For issues with the patches on the FTP sites, email can be sent to
[email protected].

For assistance obtaining or working with security patches, please
contact your SGI support provider.

------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web (``<http://www.sgi.com/support/security/wiretap.html>``)
or by sending email to SGI as outlined below.

% mail [email protected]
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.

------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at ``<http://www.sgi.com/support/security/>`` .

------oOo------

For reporting *NEW* SGI security issues, email can be sent to
[email protected] or contact your SGI support provider. A
support contract is not required for submitting a security report.

______________________________________________________________________________
This information is provided freely to all interested parties and
may be redistributed provided that it is not altered in any way,
SGI is appropriately credited and the document retains and includes
its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPUlll7Q4cFApAP75AQH+pQQAr7rQG3oL5ZtqdMwEeiAd9wSI300FzY7B
nl9WQDOBGBPg9m6sPBIDvKxMRPAPZokRRofJc/MYqAAzK5Ye2xcfh8ILNBmCD/Xe
IB2Xc2WhrnDHGSiy7/HBFrFCpa40nct9q4Nwx0/Ej9MTjoYkX/YvhSv/dgIhw96Y
aLjFXVnhbos=
=6lyf
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

Sun Microsystems, Inc. __ Affected

Notified: July 29, 2002 Updated: August 05, 2002

Status

Affected

Vendor Statement

Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122>
Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:

<http://sunsolve.sun.com/security>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

[text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]

Xerox Corporation __ Affected

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23192995 Feedback>).

View all 45 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs:	CVE-2002-0391
CERT Advisory:	CA-2002-25 Severity Metric:

References

ftp://ftp.isi.edu/in-notes/rfc4506.txt

bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

CERT.Uni-Stuttgart.DE/advisories/calloc.php

online.securityfocus.com/bid/5356

sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46122&zone_32=category%3Asecurity

web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

www.FreeBSD.org/cgi/man.cgi?query=xdr_array&apropos=0&sektion=3&manpath=FreeBSD+4.6-RELEASE&format=html

www.iss.net/security_center/static/9170.php

0.85 High

EPSS

Percentile

98.5%

JSON

Related for VU:192995

Integer overflow in xdr_array() function when deserializing the XDR stream

Overview

Description

Impact

Solution

Note this is an iterative process for each set of patches being applied.

As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Vendor Information

Apple Computer, Inc. __ Affected

Status

Vendor Statement

Vendor Information

Addendum

Debian Linux __ Affected

Status

Vendor Statement

Vendor Information

Addendum

FreeBSD, Inc. __ Affected

Status

Vendor Statement

Vendor Information

Addendum

GNU glibc __ Affected

Status

Vendor Statement

include <wchar.h>

Vendor Information

Addendum

Hewlett-Packard Company __ Affected

Status

Vendor Statement

Vendor Information

Addendum

IBM Corporation __ Affected

Status

Vendor Statement

Vendor Information

Addendum

MIT Kerberos Development Team __ Affected

Status

Vendor Statement

Vendor Information

Addendum

SUMMARY

IMPACT

AFFECTED SOFTWARE

FIXES

Index: xdr_array.c

ACKNOWLEDGMENTS

DETAILS

Microsoft Corporation __ Affected

Status

Vendor Statement

Vendor Information

Addendum

Microsoft encourages customers to review the Security Bulletin at: _<http://www.microsoft.com/technet/security/bulletin/MS02-057.asp&gt;_. - ---------------------------------------------------------------------- Issue:

Mitigating Factors:

Risk Rating:

Patch Availability:

NetBSD __ Affected

Status

Vendor Statement

Vendor Information

Addendum

` NetBSD Security Advisory 2002-011

`Abstract

`Technical Details

`Solutions and Workarounds

cd src

cvs update -d -P lib/libc/rpc

make cleandir dependall

make install

cd src

cvs update -d -P -r netbsd-1-6 lib/libc/rpc

make cleandir dependall

make install

cd src

cvs update -d -P -r netbsd-1-5 lib/libc/rpc

make cleandir dependall

Microsoft encourages customers to review the Security Bulletin at:
_<http://www.microsoft.com/technet/security/bulletin/MS02-057.asp>_.
- ----------------------------------------------------------------------
Issue:

RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \

/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {

/* like strings, arrays are really counted arrays */
if (! xdr_u_int(xdrs, sizep)) {