Bug#185508: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines (fwd)
At Wed, 19 Mar 2003 14:40:53 -0600 (CST),
Drew Scott Daniels wrote:
>
> Package: glibc
> Severity: grave
> Tags: security, potato, woody, sarge, sid
>
> I hope I'm not just causing extra work by posting this, but it is a grave
> bug and I haven't seen anything yet about it. The security team should
> already have a copy the CERT advisory, maybe even from before it's public
> release.
Hmm, glibc-2.2.x (stable), 2.3.1-14 (testing), 2.3.1-15 (unstable)
seems be vulnerable. OK, I apply the designated patch, and release
-16 with urgency=high.
BTW, glibc-2.2.x should apply this update, in addition there is a
request to bump up IA-64 stacksize. We should do it at the same time.
Regards,
-- gotom
> GNU glibc
>
> Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are
> also vulnerable. The following patches have been installed into the
> CVS sources, and should appear in the next version of the GNU C
> Library. These patches are also available from the following URLs:
>
> http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.
> diff?r1=1.26&r2=1.27&cvsroot=glibc
> http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.
> diff?r1=1.13&r2=1.15&cvsroot=glibc
> http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.
> diff?r1=1.26&r2=1.27&cvsroot=glibc
> http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof
> .c.diff?r1=1.5&r2=1.6&cvsroot=glibc
> http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.
> c.diff?r1=1.15&r2=1.16&cvsroot=glibc
>
> 2002-12-16 Roland McGrath
>
> * sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
> * sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
> * sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.
>
> 2002-12-13 Paul Eggert
>
> * sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
> is now u_int, not int.
> (struct XDR.x_handy): Now u_int, not int.
> * sunrpc/xdr_mem.c: Include .
> (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
> xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
> x_handy is now unsigned, not signed.
> Do not decrement x_handy if no change is made.
> (xdrmem_setpos): Check for int overflow.
> * sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
> (xdr_sizeof): Remove cast that is now unnecessary, now that
> x_handy is unsigned.
>
> [ text of diffs available in the links included above --CERT/CC ]
-- gotom
Reply to: