Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2003-013.0] Linux: integer overflow vulnerability in XDR/RPC routines
From: security () sco com
Date: Wed, 19 Mar 2003 17:30:54 -0800

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: integer overflow vulnerability in XDR/RPC routines
Advisory number:        CSSA-2003-013.0
Issue date:             2003 March 19
Cross reference:
______________________________________________________________________________


1. Problem Description

        The xdrmem_getbytes() function in the XDR library provided by
        Sun Microsystems contains an integer overflow that can lead to
        improperly sized dynamic memory allocation.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to glibc-2.2.4-26.i386.rpm
                                        prior to glibc-devel-2.2.4-26.i386.rpm
                                        prior to glibc-devel-static-2.2.4-26.i386.rpm
                                        prior to glibc-localedata-2.2.4-26.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to glibc-2.2.4-26.i386.rpm
                                        prior to glibc-devel-2.2.4-26.i386.rpm
                                        prior to glibc-devel-static-2.2.4-26.i386.rpm
                                        prior to glibc-localedata-2.2.4-26.i386.rpm

        OpenLinux 3.1 Server            prior to glibc-2.2.4-26.i386.rpm
                                        prior to glibc-devel-2.2.4-26.i386.rpm
                                        prior to glibc-devel-static-2.2.4-26.i386.rpm
                                        prior to glibc-localedata-2.2.4-26.i386.rpm

        OpenLinux 3.1 Workstation       prior to glibc-2.2.4-26.i386.rpm
                                        prior to glibc-devel-2.2.4-26.i386.rpm
                                        prior to glibc-devel-static-2.2.4-26.i386.rpm
                                        prior to glibc-localedata-2.2.4-26.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/RPMS

        4.2 Packages

        22c6bf3a5dc5423c57eea99f7fef610d        glibc-2.2.4-26.i386.rpm
        ec9c2ce3c84aee5256371fa23067a07b        glibc-devel-2.2.4-26.i386.rpm
        16f2585ecc1b33ff7d3ad9b38e7dcc9a        glibc-devel-static-2.2.4-26.i386.rpm
        c51af00de6e168ee6ae562d91e5db1d1        glibc-localedata-2.2.4-26.i386.rpm

        4.3 Installation

        rpm -Fvh glibc-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-26.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-26.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-013.0/SRPMS

        4.5 Source Packages

        67ba9387370089a15afd038ecc277e1e        glibc-2.2.4-26.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/RPMS

        5.2 Packages

        5774225efb99e5401da7aceaf864206c        glibc-2.2.4-26.i386.rpm
        a1b8257b874681a45a6e89baf63f7b94        glibc-devel-2.2.4-26.i386.rpm
        79311a60b66b2d62dc6ba4e7733dd58b        glibc-devel-static-2.2.4-26.i386.rpm
        294be611e6540c4a821e3a21e9782de1        glibc-localedata-2.2.4-26.i386.rpm

        5.3 Installation

        rpm -Fvh glibc-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-26.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-26.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-013.0/SRPMS

        5.5 Source Packages

        9acadcee5ab04b65760d047b1859c028        glibc-2.2.4-26.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/RPMS

        6.2 Packages

        4271adc975e6ebaaecb108d72cbb4760        glibc-2.2.4-26.i386.rpm
        d549f0a97100dc9aadde9bf16e8344ee        glibc-devel-2.2.4-26.i386.rpm
        39f53de2a5c120564b6bafeb205c1081        glibc-devel-static-2.2.4-26.i386.rpm
        50b0702cf93243af4905f79ed04a1d67        glibc-localedata-2.2.4-26.i386.rpm

        6.3 Installation

        rpm -Fvh glibc-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-26.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-26.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-013.0/SRPMS

        6.5 Source Packages

        caba33ff21c2881251bf5b3c5a2b4975        glibc-2.2.4-26.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/RPMS

        7.2 Packages

        a4278a559231b9511f00f5437cf87bf7        glibc-2.2.4-26.i386.rpm
        acd97a4e0865adbea7581ae2e43be41b        glibc-devel-2.2.4-26.i386.rpm
        29b17471105d85724c77dc1d4b4be06e        glibc-devel-static-2.2.4-26.i386.rpm
        6ede9ea5f28ebe882395bb110fa9c7d3        glibc-localedata-2.2.4-26.i386.rpm

        7.3 Installation

        rpm -Fvh glibc-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-2.2.4-26.i386.rpm
        rpm -Fvh glibc-devel-static-2.2.4-26.i386.rpm
        rpm -Fvh glibc-localedata-2.2.4-26.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-013.0/SRPMS

        7.5 Source Packages

        69bd935b0ead8c59d30f3ec61ea96d13        glibc-2.2.4-26.src.rpm


8. References

        Specific references for this advisory:

                http://www.kb.cert.org/vuls/id/516825
                http://www.cert.org/advisories/CA-2003-10.html

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr872633, fz526862,
        erg712183.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        Riley Hassell of eEye discovered and researched the xdrmem_getbytes
        vulnerability.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2003-013.0] Linux: integer overflow vulnerability in XDR/RPC routines security (Mar 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]