Lucene search

K

Gentoo FoundationGLSA-200710-01

HistoryOct 04, 2007 - 12:00 a.m.

RPCSEC_GSS library: Buffer overflow

2007-10-0400:00:00

Gentoo Foundation

security.gentoo.org

16

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.967

Percentile

99.7%

Background

librpcsecgss is an implementation of RPCSEC_GSS for secure RPC communications.

Description

A stack based buffer overflow has been discovered in the svcauth_gss_validate() function in file lib/rpc/svc_auth_gss.c when processing an overly long string in a RPC message.

Impact

A remote attacker could send a specially crafted RPC request to an application relying on this library, e.g NFSv4 or Kerberos (GLSA-200709-01), resulting in the execution of arbitrary code with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All librpcsecgss users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=net-libs/librpcsecgss-0.16"

OSVersionArchitecturePackageVersionFilename
Gentooanyallnet-libs/librpcsecgss< 0.16UNKNOWN

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS

0.967

Percentile

99.7%

Related for GLSA-200710-01

nessus41 saint4 openvas38 centos4 debian4 securityvulns2 cert1 ubuntucve2 checkpoint_advisories1 oraclelinux4 zdi1 fedora6 nvd2 ubuntu1 cvelist2 cve2 redhat4 debiancve2 prion2 gentoo1 osv2