
Re: SunRPC vulnerability: is Debian libc6 affected?



At Mon, 12 Aug 2002 11:59:46 +0300,
Dmitry Borodaenko wrote:
> Recently several glibc vulnerabilities have been published, and there is
> only some disjoint information about their status for Debian here and
> there. Maybe this bunch of issues is worth one combined DSA that will
> explain what is fixed?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
> 
>    Integer overflow in xdr_array function in RPC servers for operating
>    systems that use libc, glibc, or other code based on SunRPC including
>                           ^^^^^
>    dietlibc, allows remote attackers to execute arbitrary code by
>    passing a large number of arguments to xdr_array through RPC services
>    such as rpc.cmsd and dmispd.

Yes, glibc is affected by this bug.

> There are 3 DSAs (142, 143, 146) fixing this bug in other packages, but
> I haven't found any statement from the Debian Security Team or from the glibc
> maintainer, except the following notice already mentioned on this list:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=155529&repeatmerged=yes
>
>    > calloc() contains an integer overflow which means that in some
>    > cases, the allocated buffer is too small. See the following page
>    > for details:
>    > 
>    > http://cert.uni-stuttgart.de/advisories/calloc.php
>    <...>
> 
>    Currently, woody and potato fixed packages have been uploaded to
>    security.d.o (same update as the xdr bug was fixed in). Sid(unstable)
>    is coming soon.
> 
> Is "the xdr bug" the one mentioned in CAN-2002-0391? BTW, the calloc() bug
> also went under the radar, while to me it seems serious enough to be worth
> a mention.
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0684
> 
>    Buffer overflow in DNS resolver functions that perform lookup of
>    network names and addresses, as used in BIND 4.9.8 and ported to
>    glibc 2.2.5 and earlier, allows remote malicious DNS servers to
>    execute arbitrary code through a subroutine used by functions such as
>    getnetbyname and getnetbyaddr.

Glibc 2.2.5-13 on sid already contains the "XDR bug" fix patch.

However, the calloc fix patch was dropped at that time because upstream was
still discussing this issue. That is a problem. It seems that the new patch
is ready for this, but it has not been tested well enough.  So we should test
its stability, because the calloc patch can cause serious breakage.

I plan to upload glibc_2.2.5-14, which adds the calloc overflow patch
(which is applied in CVS at malloc/malloc.c:cALLOc()) and a patch fixing the
alpha build failure. Updating to the latest CVS sounds nice, but it needs
more testing, so I am dropping it at present.

> It looks like it is fixed in glibc 2.2.5-8, but again, it never made
> into official announcement.

On woody, I believe Ben has already been working on it, but I don't know
its status.  Ben? Should I go ahead for woody?

-- gotom
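Both bugs in this thread (the xdr_array integer overflow of CAN-2002-0391 and the calloc() overflow) come down to the same arithmetic: a count multiplied by an element size in a fixed-width integer, with the wrapped result used as the allocation size. The following is an added illustration, not glibc's code; `unchecked_bytes`, `checked_bytes`, `safe_calloc` and `request_wraps` are constructed names, and the guard shape is an assumption about what such a fix looks like, not a quote of the malloc/malloc.c or sunrpc patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The shared defect: count * elsize computed in size_t (or, in the
 * xdr_array case, in a 32-bit u_int read off the wire). When the product
 * wraps, the byte count is far smaller than the caller intended, so the
 * buffer that gets allocated is too small for the elements written into
 * it afterwards. Illustrative only; not a glibc function. */
size_t unchecked_bytes(size_t count, size_t elsize)
{
    return count * elsize;            /* wraps modulo SIZE_MAX + 1 */
}

/* Hardened form: reject any product that cannot be represented.
 * Returns 0 on success and stores the byte count in *out; returns -1
 * if count * elsize would overflow. The same guard, with UINT_MAX in
 * place of SIZE_MAX, applies to a 32-bit element count. */
int checked_bytes(size_t count, size_t elsize, size_t *out)
{
    if (elsize != 0 && count > SIZE_MAX / elsize)
        return -1;
    *out = count * elsize;
    return 0;
}

/* calloc-style allocator built on the check: returns NULL instead of
 * handing back a buffer shorter than count * elsize. Stand-in for the
 * behaviour the cALLOc() fix in malloc/malloc.c is meant to guarantee. */
void *safe_calloc(size_t count, size_t elsize)
{
    size_t bytes;
    if (checked_bytes(count, elsize, &bytes) != 0)
        return NULL;
    void *p = malloc(bytes ? bytes : 1);   /* avoid malloc(0) ambiguity */
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Convenience predicate: would this request wrap? 1 = yes, 0 = no. */
int request_wraps(size_t count, size_t elsize)
{
    size_t bytes;
    return checked_bytes(count, elsize, &bytes) != 0;
}
```

A request of SIZE_MAX/4 + 1 four-byte elements wraps to a byte count of 0 in the unchecked form, which is exactly the undersized buffer the CVE text describes; the checked form refuses it.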