CERT VU:259787
Aug 15, 2002 - 12:00 a.m.

OpenBSD contains buffer overflow in "select" call

www.kb.cert.org

CVSS2: 7.2 High

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low (Percentile: 9.7%)

Overview

A locally exploitable buffer overflow exists in all versions of OpenBSD.

Description

The buffer overflow exists in the select(2) system call. The overflow occurs if select is supplied with arbitrary negative values.


Impact

Local users can gain system privileges and execute code in the context of the kernel.


Solution

From the OpenBSD Security Advisory: “Apply one of the supplied kernel patches or update to 3.0-stable or 3.1-stable from 2002-08-11 17:00 EDT or later.”


Vendor Information

OpenBSD Affected

Updated: August 15, 2002

Status

Affected

Vendor Statement

See <http://www.openbsd.org/errata.html#scarg>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23259787 Feedback>).

Apple Computer Inc. Not Affected

Notified: August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc. Not Affected

Updated: August 21, 2002

Status

Not Affected

Vendor Statement

None of the products are vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Not Affected

Notified: August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

FreeBSD is unaffected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Not Affected

Updated: August 26, 2002

Status

Not Affected

Vendor Statement

sent on August 26, 2002

[Server Products]

  • EWS/UP 48 Series operating system
    - is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Not Affected

Notified: August 16, 2002 Updated: August 16, 2002

Status

Not Affected

Vendor Statement

We have examined this issue, and no version of NetBSD is vulnerable to it.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Not Affected

Updated: September 09, 2002

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. In fact, none of Linux 2.0, 2.2, and 2.4 are. As the corresponding limits are configurable on 2.2 and 2.4 and in order to be safe in case of future code changes, we’re, however, also adding redundant defensive hard-coded limits right into both select(2) and poll(2).

More detail:

Linux 2.0 only has select(2) and a hard-coded limit.

Linux 2.2 and 2.4 have both calls and configurable limits, but expand_fd_array() and expand_fdset() wouldn’t let files->max_fds and files->max_fdset grow beyond a defensive hard-coded limit, even if a higher limit has been set via procfs or sysctl. And it’s precisely files->max_fds and files->max_fdset which are used by select(2) and poll(2).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
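
Added example, not code from this advisory, OpenBSD or Linux: a user-space C model of the bug class named in the Description (a negative descriptor count reaching a length calculation) next to the kind of hard-coded ceiling the Openwall statement describes. The names unchecked_len, clamp_nfds, count_set_fds and HARD_MAX_FDS, and all limit values, are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD_BITS    32                  /* bits per mask word in this model */
#define HARD_MAX_FDS 1024                /* constructed hard-coded ceiling */
#define MASK_BYTES   (HARD_MAX_FDS / 8)  /* fixed 128-byte mask buffer */

/* Bytes in a descriptor mask covering nfds descriptors (whole words). */
static size_t mask_len(size_t nfds) {
    return (nfds + WORD_BITS - 1) / WORD_BITS * sizeof(uint32_t);
}

/* Flawed: signed upper-bound check only. A negative nfds is never clamped
 * and turns into a huge copy length once converted to size_t. */
size_t unchecked_len(int nfds, int table_size) {
    if (nfds > table_size)
        nfds = table_size;
    return mask_len((size_t)nfds);
}

/* Hardened: reject negatives, then clamp to the fd table size, itself
 * capped by a ceiling no tunable can raise. Returns count or -EINVAL. */
int clamp_nfds(int nfds, int table_size) {
    if (nfds < 0 || table_size < 0)
        return -EINVAL;
    if (table_size > HARD_MAX_FDS)
        table_size = HARD_MAX_FDS;
    return nfds > table_size ? table_size : nfds;
}

/* Copy the caller's mask into the fixed buffer and count set descriptors. */
int count_set_fds(const uint32_t *src, int nfds, int table_size) {
    uint32_t buf[MASK_BYTES / sizeof(uint32_t)] = {0};
    int n = clamp_nfds(nfds, table_size), count = 0;
    if (n < 0)
        return n;
    memcpy(buf, src, mask_len((size_t)n));   /* at most MASK_BYTES */
    for (int fd = 0; fd < n; fd++)
        count += (int)((buf[fd / WORD_BITS] >> (fd % WORD_BITS)) & 1u);
    return count;
}

int main(void) {
    uint32_t src[32] = {0x5, 0x1};  /* constructed mask: fds 0, 2 and 32 set */
    printf("%zu %d %d\n", unchecked_len(-1000, 256), clamp_nfds(-1000, 256), count_set_fds(src, 40, 256));
    return 0;
}
```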

Sun Microsystems Inc. Not Affected

Updated: December 13, 2002

Status

Not Affected

Vendor Statement

Sun is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Unknown

Notified: August 16, 2002 Updated: December 03, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

Thanks to Niels Provos for reporting this vulnerability.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1420
Severity Metric: 18.00
Date Public:
