CVE-2003-0028
CVSS 7.5
Published: 2003-03-25 00:00:00
Revised: 2016-10-17 22:28:33

[Original] Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391.


[CNNVD] Multi-vendor XDR implementation remote buffer overflow vulnerability (CNNVD-200303-077)

The XDR (External Data Representation) library provides a platform-independent way to send data from a process on one system to processes on other systems.
The xdrmem_getbytes() function in the XDR library shipped by Sun Microsystems contains an integer overflow. A remote attacker can use it against applications built on the XDR library and may execute arbitrary instructions on the system with the privileges of the application process.
The problem lies in the xdrmem_getbytes() function at line 168 of 'usr/src/lib/libnsl/rpc/xdr_mem.c':

    static bool_t
    xdrmem_getbytes(XDR *xdrs, caddr_t addr, int len)
    {
        int tmp;
        trace2(TR_xdrmem_getbytes, 0, len);
        if ((tmp = (xdrs->x_handy - len)) < 0) {        <--- VULNERABILITY
            syslog(LOG_WARNING,
            .....
            .....
            return (FALSE);
        }
        xdrs->x_handy = tmp;
        (void) memcpy(addr, xdrs->x_private, len);      <--- VULNERABILITY
        xdrs->x_private += len;
        trace1(TR_xdrmem_getbytes, 1);
        return (TRUE);
    }

In the code above "len" is a signed integer, so a negative "len" leads to a buffer overflow:
    if ((tmp = (xdrs->x_handy - len)) < 0) {   --> a negative len passes this check
but the subsequent memcpy(addr, xdrs->x_private, len) overflows, because the negative len is converted to a very large size_t. An attacker can craft XDR-encoded data that triggers the integer overflow; depending on how the caller invokes xdrmem_getbytes(), this may overwrite an already allocated heap buffer, producing a heap buffer overflow. The result may be a crash of the remote service or, depending on particulars of the memcpy() implementation, modification of memory contents and execution of arbitrary code.
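As an added example (not code from this page, from Sun, or from any vendor listed below), the following program reproduces only the decision made by the signed check above, and places beside it a hardened byte reader and XDR opaque-field decoder in the style of the glibc fix quoted in the patch section (unsigned x_handy and len, comparison before subtraction). The xdr_mem_t struct and the two sample messages are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the SunRPC XDR memory stream (constructed for this
 * example, not the real struct): x_private points at the next unread byte,
 * x_handy is the number of bytes still readable. As in the glibc fix,
 * x_handy is unsigned. */
typedef struct {
    const unsigned char *x_private;
    unsigned int x_handy;
} xdr_mem_t;

/* Reproduces only the decision made by the original signed check
 *     if ((tmp = (xdrs->x_handy - len)) < 0) return FALSE;
 * Returns 1 if that check would have let the memcpy proceed. Nothing is
 * copied, so hostile values are safe to feed in. The difference is taken
 * in 64 bits so this demonstration itself has no signed-overflow UB. */
int legacy_check_accepts(int x_handy, int len)
{
    long long tmp = (long long)x_handy - (long long)len;
    return tmp >= 0;   /* a negative len always passes: tmp only grows */
}

/* Hardened form, following the glibc patch quoted on this page: x_handy and
 * len are unsigned and are compared before any arithmetic, so a length that
 * a signed check would see as negative is rejected as "too long". */
int xdrmem_getbytes_fixed(xdr_mem_t *xdrs, unsigned char *dst, unsigned int len)
{
    if (len > xdrs->x_handy)
        return 0;                /* FALSE: refuse, stream left untouched */
    memcpy(dst, xdrs->x_private, len);
    xdrs->x_private += len;
    xdrs->x_handy -= len;        /* cannot wrap: len <= x_handy */
    return 1;
}

/* Decode one XDR variable-length opaque field (RFC 4506, section 4.10):
 * 4-byte big-endian length, then the bytes, padded to a multiple of 4.
 * Returns the payload length, or -1 if the length exceeds the caller's
 * buffer or what remains in the stream. */
long xdr_opaque_fixed(xdr_mem_t *xdrs, unsigned char *dst, unsigned int maxlen)
{
    unsigned char lb[4];
    if (!xdrmem_getbytes_fixed(xdrs, lb, 4))
        return -1;
    uint32_t n = ((uint32_t)lb[0] << 24) | ((uint32_t)lb[1] << 16) |
                 ((uint32_t)lb[2] << 8) | (uint32_t)lb[3];
    if (n > maxlen || n > 0xFFFFFFF0u)
        return -1;               /* bound n before computing the padded size */
    unsigned int padded = (n + 3u) & ~3u;
    if (padded > xdrs->x_handy)
        return -1;               /* payload plus padding must fit */
    xdrmem_getbytes_fixed(xdrs, dst, n);   /* cannot fail: n <= padded <= x_handy */
    xdrs->x_private += padded - n;         /* skip the pad bytes */
    xdrs->x_handy -= padded - n;
    return (long)n;
}

/* Constructed sample messages, not captured traffic. */
static const unsigned char good_msg[] = {
    0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0x00, 0x00, 0x00 };
static const unsigned char evil_msg[] = {
    0xFF, 0xFF, 0xFF, 0xFF, 'A', 'B', 'C', 'D' };   /* length reads as -1 if signed */

int main(void)
{
    unsigned char out[16];
    xdr_mem_t g = { good_msg, sizeof good_msg };
    xdr_mem_t e = { evil_msg, sizeof evil_msg };
    long glen = xdr_opaque_fixed(&g, out, sizeof out);
    printf("good: payload len %ld, %u bytes left\n", glen, g.x_handy);
    printf("evil: legacy check accepts len -1 with 4 bytes left: %d\n",
           legacy_check_accepts(4, -1));
    printf("evil: hardened decoder result %ld\n", xdr_opaque_fixed(&e, out, sizeof out));
    return 0;
}
```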
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.5.18m  SGI IRIX 6.5.18m
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sgi:irix:6.5.5f  SGI IRIX 6.5.5f
cpe:/o:sgi:irix:6.5.10m  SGI IRIX 6.5.10m
cpe:/a:gnu:glibc:2.2.4  GNU glibc 2.2.4
cpe:/a:openafs:openafs:1.0.3
cpe:/o:ibm:aix:5.2  IBM AIX 5.2
cpe:/a:openafs:openafs:1.0.4
cpe:/o:ibm:aix:5.1  IBM AIX 5.1
cpe:/a:gnu:glibc:2.2.5  GNU glibc 2.2.5
cpe:/a:openafs:openafs:1.0.4a
cpe:/a:gnu:glibc:2.2.3  GNU glibc 2.2.3
cpe:/a:openafs:openafs:1.1.1a
cpe:/a:openafs:openafs:1.0.1
cpe:/o:sgi:irix:6.5.18f  SGI IRIX 6.5.18f
cpe:/a:gnu:glibc:2.2.1  GNU glibc 2.2.1
cpe:/a:openafs:openafs:1.0.2
cpe:/o:sun:solaris:8.0
cpe:/o:sgi:irix:6.5.5m  SGI IRIX 6.5.5m
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sgi:irix:6.5.6f  SGI IRIX 6.5.6f
cpe:/o:hp:hp-ux:10.24  HP HP-UX 10.24
cpe:/o:sgi:irix:6.5.11f  SGI IRIX 6.5.11f
cpe:/o:sgi:irix:6.5.11m  SGI IRIX 6.5.11m
cpe:/o:freebsd:freebsd:4.6:release
cpe:/o:openbsd:openbsd:3.0  OpenBSD 3.0
cpe:/o:freebsd:freebsd:4.7:release
cpe:/a:gnu:glibc:2.1.3  GNU glibc 2.1.3
cpe:/o:freebsd:freebsd:4.3:release
cpe:/o:openbsd:openbsd:3.2  OpenBSD 3.2
cpe:/o:freebsd:freebsd:4.5:release
cpe:/o:openbsd:openbsd:3.1  OpenBSD 3.1
cpe:/o:sgi:irix:6.5.11  SGI IRIX 6.5.11
cpe:/o:cray:unicos:7.0  Cray UNICOS 7.0
cpe:/o:sgi:irix:6.5.16  SGI IRIX 6.5.16
cpe:/o:sgi:irix:6.5.17  SGI IRIX 6.5.17
cpe:/o:sgi:irix:6.5.14  SGI IRIX 6.5.14
cpe:/o:sgi:irix:6.5.12  SGI IRIX 6.5.12
cpe:/o:sgi:irix:6.5.13  SGI IRIX 6.5.13
cpe:/o:sgi:irix:6.5.10  SGI IRIX 6.5.10
cpe:/o:sgi:irix:6.5.12f  SGI IRIX 6.5.12f
cpe:/o:ibm:aix:4.3.3  IBM AIX 4.3.3
cpe:/o:sgi:irix:6.5.6m  SGI IRIX 6.5.6m
cpe:/o:sgi:irix:6.5.7m  SGI IRIX 6.5.7m
cpe:/o:sun:solaris:8.0::x86
cpe:/o:freebsd:freebsd:4.1.1  FreeBSD 4.1.1
cpe:/o:sgi:irix:6.5.7f  SGI IRIX 6.5.7f
cpe:/o:sgi:irix:6.5.19  SGI IRIX 6.5.19
cpe:/o:sgi:irix:6.5.8f  SGI IRIX 6.5.8f
cpe:/o:sgi:irix:6.5.15  SGI IRIX 6.5.15
cpe:/o:cray:unicos:9.0  Cray UNICOS 9.0
cpe:/o:sgi:irix:6.5.18  SGI IRIX 6.5.18
cpe:/a:openafs:openafs:1.3.1
cpe:/a:openafs:openafs:1.3.2
cpe:/o:sun:solaris:7.0
cpe:/a:gnu:glibc:2.1.1  GNU glibc 2.1.1
cpe:/a:gnu:glibc:2.1.2  GNU glibc 2.1.2
cpe:/a:openafs:openafs:1.3
cpe:/a:openafs:openafs:1.2
cpe:/o:sgi:irix:6.5.17m  SGI IRIX 6.5.17m
cpe:/a:openafs:openafs:1.1
cpe:/o:sgi:irix:6.5.8m  SGI IRIX 6.5.8m
cpe:/o:sgi:irix:6.5.2  SGI IRIX 6.5.2
cpe:/o:sgi:irix:6.5.7  SGI IRIX 6.5.7
cpe:/o:sgi:irix:6.5.9f  SGI IRIX 6.5.9f
cpe:/o:sgi:irix:6.5.8  SGI IRIX 6.5.8
cpe:/o:sgi:irix:6.5.5  SGI IRIX 6.5.5
cpe:/o:sgi:irix:6.5.3  SGI IRIX 6.5.3
cpe:/o:sgi:irix:6.5.4  SGI IRIX 6.5.4
cpe:/o:sgi:irix:6.5.1  SGI IRIX 6.5.1
cpe:/o:cray:unicos:6.1  Cray UNICOS 6.1
cpe:/o:cray:unicos:6.0  Cray UNICOS 6.0
cpe:/o:freebsd:freebsd:5.0  FreeBSD 5.0
cpe:/o:sgi:irix:6.5.6  SGI IRIX 6.5.6
cpe:/o:freebsd:freebsd:4.2:stable
cpe:/o:sgi:irix:6.5.17f  SGI IRIX 6.5.17f
cpe:/o:freebsd:freebsd:4.3:stable
cpe:/o:freebsd:freebsd:4.4:stable
cpe:/o:sgi:irix:6.5.9  SGI IRIX 6.5.9
cpe:/o:freebsd:freebsd:4.5:stable
cpe:/o:freebsd:freebsd:4.6:stable
cpe:/o:freebsd:freebsd:4.7:stable
cpe:/o:sgi:irix:6.5.20  SGI IRIX 6.5.20
cpe:/o:sgi:irix:6.5.10f  SGI IRIX 6.5.10f
cpe:/o:sun:solaris:9.0::x86
cpe:/o:sgi:irix:6.5.14m  SGI IRIX 6.5.14m
cpe:/o:cray:unicos:8.0  Cray UNICOS 8.0
cpe:/a:openafs:openafs:1.2.1
cpe:/a:openafs:openafs:1.2.2
cpe:/o:freebsd:freebsd:4.1.1:release
cpe:/a:openafs:openafs:1.2.3
cpe:/a:openafs:openafs:1.2.4
cpe:/a:openafs:openafs:1.2.2a
cpe:/a:openafs:openafs:1.2.2b
cpe:/o:sun:solaris:2.6
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/a:openafs:openafs:1.2.5
cpe:/o:sgi:irix:6.5.9m  SGI IRIX 6.5.9m
cpe:/o:cray:unicos:9.0.2.5  Cray UNICOS 9.0.2.5
cpe:/a:openafs:openafs:1.2.6
cpe:/o:sgi:irix:6.5.15f  SGI IRIX 6.5.15f
cpe:/a:openafs:openafs:1.0
cpe:/o:sgi:irix:6.5.15m  SGI IRIX 6.5.15m
cpe:/o:sun:solaris:2.5.1
cpe:/o:freebsd:freebsd:4.2  FreeBSD 4.2
cpe:/o:freebsd:freebsd:4.3  FreeBSD 4.3
cpe:/a:gnu:glibc:2.3.1  GNU glibc 2.3.1
cpe:/o:freebsd:freebsd:4.6  FreeBSD 4.6
cpe:/o:freebsd:freebsd:4.7  FreeBSD 4.7
cpe:/o:freebsd:freebsd:4.0  FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.1  FreeBSD 4.1
cpe:/o:freebsd:freebsd:4.6.2  FreeBSD 4.6.2
cpe:/o:cray:unicos:9.2  Cray UNICOS 9.2
cpe:/o:freebsd:freebsd:4.4  FreeBSD 4.4
cpe:/o:hp:hp-ux_series_800:10.20  HP hp-ux series 800 10.20
cpe:/o:freebsd:freebsd:4.5  FreeBSD 4.5
cpe:/o:sgi:irix:6.5.16f  SGI IRIX 6.5.16f
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:sgi:irix:6.5.2m  SGI IRIX 6.5.2m
cpe:/o:hp:hp-ux:11.22  HP-UX 11i v1.6
cpe:/o:sgi:irix:6.5.2f  SGI IRIX 6.5.2f
cpe:/o:sgi:irix:6.5.16m  SGI IRIX 6.5.16m
cpe:/o:hp:hp-ux:11.20  HP-UX 11i v1.5
cpe:/a:mit:kerberos:5-1.2  MIT Kerberos 5 1.2
cpe:/o:sgi:irix:6.5.12m  SGI IRIX 6.5.12m
cpe:/o:freebsd:freebsd:4.1.1:stable
cpe:/a:mit:kerberos:5-1.2.3  MIT Kerberos 5 1.2.3
cpe:/o:sgi:irix:6.5.3f  SGI IRIX 6.5.3f
cpe:/o:sun:solaris:2.6::x86
cpe:/a:mit:kerberos:5-1.2.4  MIT Kerberos 5 1.2.4
cpe:/a:mit:kerberos:5-1.2.1  MIT Kerberos 5 1.2.1
cpe:/o:sgi:irix:6.5  SGI IRIX 6.5
cpe:/a:mit:kerberos:5-1.2.2  MIT Kerberos 5 1.2.2
cpe:/a:mit:kerberos:5-1.2.7  MIT Kerberos 5 1.2.7
cpe:/a:mit:kerberos:5-1.2.5  MIT Kerberos 5 1.2.5
cpe:/a:mit:kerberos:5-1.2.6  MIT Kerberos 5 1.2.6
cpe:/o:cray:unicos:6.0e  Cray UNICOS 6.0E
cpe:/a:gnu:glibc:2.3.2  GNU glibc 2.3.2
cpe:/a:openafs:openafs:1.1.1
cpe:/a:gnu:glibc:2.1  GNU glibc 2.1
cpe:/o:sgi:irix:6.5.13f  SGI IRIX 6.5.13f
cpe:/a:gnu:glibc:2.3  GNU glibc 2.3
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/a:gnu:glibc:2.2  GNU glibc 2.2
cpe:/o:cray:unicos:9.2.4  Cray UNICOS 9.2.4
cpe:/o:sgi:irix:6.5.3m  SGI IRIX 6.5.3m
cpe:/o:hp:hp-ux:11.04  HP HP-UX 11.04
cpe:/o:openbsd:openbsd:2.9  OpenBSD 2.9
cpe:/o:openbsd:openbsd:2.8  OpenBSD 2.8
cpe:/o:sgi:irix:6.5.13m  SGI IRIX 6.5.13m
cpe:/o:openbsd:openbsd:2.5  OpenBSD 2.5
cpe:/o:openbsd:openbsd:2.4  OpenBSD 2.4
cpe:/o:sgi:irix:6.5.4f  SGI IRIX 6.5.4f
cpe:/o:openbsd:openbsd:2.1  OpenBSD 2.1
cpe:/o:openbsd:openbsd:2.0  OpenBSD 2.0
cpe:/a:gnu:glibc:2.2.2  GNU glibc 2.2.2
cpe:/o:openbsd:openbsd:2.7  OpenBSD 2.7
cpe:/o:openbsd:openbsd:2.6  OpenBSD 2.6
cpe:/o:openbsd:openbsd:2.3  OpenBSD 2.3
cpe:/o:openbsd:openbsd:2.2  OpenBSD 2.2
cpe:/o:cray:unicos:8.3  Cray UNICOS 8.3
cpe:/o:hp:hp-ux_series_700:10.20  HP hp-ux series 700 10.20
cpe:/o:sgi:irix:6.5.14f  SGI IRIX 6.5.14f
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/o:sgi:irix:6.5.4m  SGI IRIX 6.5.4m

- OVAL (technical details for detection)

oval:org.mitre.oval:def:230  xdrmem_bytes() Integer Overflow Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0028
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0028
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-077
(official data source) CNNVD

- Other links and resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-008.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-008
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0140.html
(UNKNOWN)  VULNWATCH  20030319 EEYE: XDR Integer Overflow
http://marc.info/?l=bugtraq&m=104810574423662&w=2
(UNKNOWN)  BUGTRAQ  20030319 EEYE: XDR Integer Overflow
http://marc.info/?l=bugtraq&m=104811415301340&w=2
(UNKNOWN)  BUGTRAQ  20030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes
http://marc.info/?l=bugtraq&m=104860855114117&w=2
(UNKNOWN)  BUGTRAQ  20030325 GLSA: glibc (200303-22)
http://marc.info/?l=bugtraq&m=104878237121402&w=2
(UNKNOWN)  TRUSTIX  2003-0014
http://marc.info/?l=bugtraq&m=105362148313082&w=2
(UNKNOWN)  BUGTRAQ  20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03)
http://www.cert.org/advisories/CA-2003-10.html
(VENDOR_ADVISORY)  CERT  CA-2003-10
http://www.debian.org/security/2003/dsa-266
(UNKNOWN)  DEBIAN  DSA-266
http://www.debian.org/security/2003/dsa-272
(UNKNOWN)  DEBIAN  DSA-272
http://www.debian.org/security/2003/dsa-282
(UNKNOWN)  DEBIAN  DSA-282
http://www.eeye.com/html/Research/Advisories/AD20030318.html
(VENDOR_ADVISORY)  EEYE  AD20030318
http://www.kb.cert.org/vuls/id/516825
(UNKNOWN)  CERT-VN  VU#516825
http://www.linuxsecurity.com/advisories/engarde_advisory-3024.html
(UNKNOWN)  ENGARDE  ESA-20030321-010
http://www.mandriva.com/security/advisories?name=MDKSA-2003:037
(UNKNOWN)  MANDRAKE  MDKSA-2003:037
http://www.novell.com/linux/security/advisories/2003_027_glibc.html
(UNKNOWN)  SUSE  SuSE-SA:2003:027
http://www.redhat.com/support/errata/RHSA-2003-051.html
(UNKNOWN)  REDHAT  RHSA-2003:051
http://www.redhat.com/support/errata/RHSA-2003-052.html
(UNKNOWN)  REDHAT  RHSA-2003:052
http://www.redhat.com/support/errata/RHSA-2003-089.html
(UNKNOWN)  REDHAT  RHSA-2003:089
http://www.redhat.com/support/errata/RHSA-2003-091.html
(UNKNOWN)  REDHAT  RHSA-2003:091
http://www.securityfocus.com/archive/1/archive/1/315638/30/25430/threaded
(UNKNOWN)  BUGTRAQ  20030319 RE: EEYE: XDR Integer Overflow
http://www.securityfocus.com/archive/1/archive/1/316931/30/25250/threaded
(UNKNOWN)  BUGTRAQ  20030331 GLSA: dietlibc (200303-29)
http://www.securityfocus.com/archive/1/archive/1/316960/30/25250/threaded
(UNKNOWN)  BUGTRAQ  20030331 GLSA: krb5 & mit-krb5 (200303-28)

- Vulnerability information

Multi-vendor XDR implementation remote buffer overflow vulnerability
High severity, design error
2003-03-25 00:00:00 2006-01-30 00:00:00
Remote / Local

- Advisories and patches

Vendor patches:

FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-03:05) and the corresponding patches:
FreeBSD-SA-03:05: remote denial-of-service in XDR encoder/decoder
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:05.xdr.asc
Patch download:
one of the following:
1) Upgrade your vulnerable system to the FreeBSD 4-STABLE branch; or
to the RELENG_4_7 (4.7-RELEASE-p8), RELENG_4_6 (4.6-RELEASE-p11), or
RELENG_5_0 (5.0-RELEASE-p5) security branch dated after the correction
date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.6, and 4.7
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch.asc
The following patch has been verified to apply to FreeBSD 5.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch.asc
b) Execute the following commands as root:
    # cd /usr/src
    # patch < /path/to/patch
c) Recompile the operating system as described in
http://www.freebsd.org/doc/handbook/makeworld.html.
Note that any statically linked applications that are not part of
the base system (i.e. from the Ports Collection or other 3rd-party
sources) must be recompiled.
All affected applications must be restarted for them to use the
corrected library. Though not required, rebooting may be the easiest
way to accomplish this.

GNU
---
GNU glibc
GNU C Library version 2.3.1 is affected, and earlier versions are affected as well. The patches below have been committed to the CVS source tree and should also be included in the next release of the GNU C Library. Patch locations:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc

2002-12-16 Roland McGrath
    * sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
    * sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
    * sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.
2002-12-13 Paul Eggert
    * sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg
    is now u_int, not int.
    (struct XDR.x_handy): Now u_int, not int.
    * sunrpc/xdr_mem.c: Include .
    (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes,
    xdrmem_inline, xdrmem_getint32, xdrmem_putint32):
    x_handy is now unsigned, not signed.
    Do not decrement x_handy if no change is made.
    (xdrmem_setpos): Check for int overflow.
    * sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
    (xdr_sizeof): Remove cast that is now unnecessary, now that
    x_handy is unsigned.

IBM
---
AIX 4.3.3, 5.1.0 and 5.2.0 are affected. IBM has provided the following official fixes:
APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231
Contact the vendor to obtain the fixes.

MIT
---
MIT Kerberos Development Team
Exploiting this vulnerability can crash the kadmind server process or disclose sensitive information such as keys. Patch download:

http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt

RedHat
------
RedHat has released a security advisory (RHSA-2003:089-00) and the corresponding patches:
RHSA-2003:089-00: Updated glibc packages fix vulnerabilities in RPC XDR decoder
Link: https://www.redhat.com/support/errata/RHSA-2003-089.html
Patch download:
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-29.src.rpm
i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-29.i386.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.9.src.rpm
i386:
ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.9.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.9.i386.rpm
i686:
ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.9.i686.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-32.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-32.i386.rpm

- Vulnerability information

4501
RPC XDR xdrmem_getbytes() Function Remote Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

- Timeline

2003-03-19 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Sun XDR Library xdrmem_getbytes() Integer Overflow Vulnerability
Design Error 7123
Yes Yes
2003-03-17 12:00:00 2009-07-11 09:06:00
The discovery of this vulnerability has been credited to Riley Hassell of eEye.

- Affected versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
SGI IRIX 6.5.18 m
SGI IRIX 6.5.18 f
SGI IRIX 6.5.18
SGI IRIX 6.5.17 m
SGI IRIX 6.5.17 f
SGI IRIX 6.5.17
SGI IRIX 6.5.16 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16
SGI IRIX 6.5.15 m
SGI IRIX 6.5.15 f
SGI IRIX 6.5.15
SGI IRIX 6.5.14 m
SGI IRIX 6.5.14 f
SGI IRIX 6.5.14
SGI IRIX 6.5.13 m
SGI IRIX 6.5.13 f
SGI IRIX 6.5.13
SGI IRIX 6.5.12 m
SGI IRIX 6.5.12 f
SGI IRIX 6.5.12
SGI IRIX 6.5.11 m
SGI IRIX 6.5.11 f
SGI IRIX 6.5.11
SGI IRIX 6.5.10 m
SGI IRIX 6.5.10 f
SGI IRIX 6.5.10
SGI IRIX 6.5.9 m
SGI IRIX 6.5.9 f
SGI IRIX 6.5.9
SGI IRIX 6.5.8 m
SGI IRIX 6.5.8 f
SGI IRIX 6.5.8
SGI IRIX 6.5.7 m
SGI IRIX 6.5.7 f
SGI IRIX 6.5.7
SGI IRIX 6.5.6 m
SGI IRIX 6.5.6 f
SGI IRIX 6.5.6
SGI IRIX 6.5.5 m
SGI IRIX 6.5.5 f
SGI IRIX 6.5.5
SGI IRIX 6.5.4 m
SGI IRIX 6.5.4 f
SGI IRIX 6.5.4
SGI IRIX 6.5.3 m
SGI IRIX 6.5.3 f
SGI IRIX 6.5.3
SGI IRIX 6.5.2 m
SGI IRIX 6.5.2 f
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
OpenAFS OpenAFS 1.3.2
OpenAFS OpenAFS 1.3.1
OpenAFS OpenAFS 1.3
OpenAFS OpenAFS 1.2.6
OpenAFS OpenAFS 1.2.5
OpenAFS OpenAFS 1.2.4
OpenAFS OpenAFS 1.2.3
OpenAFS OpenAFS 1.2.2 b
OpenAFS OpenAFS 1.2.2 a
OpenAFS OpenAFS 1.2.2
OpenAFS OpenAFS 1.2.1
OpenAFS OpenAFS 1.2
OpenAFS OpenAFS 1.1.1 a
OpenAFS OpenAFS 1.1.1
OpenAFS OpenAFS 1.1
OpenAFS OpenAFS 1.0.4 a
OpenAFS OpenAFS 1.0.4
OpenAFS OpenAFS 1.0.3
OpenAFS OpenAFS 1.0.2
OpenAFS OpenAFS 1.0.1
OpenAFS OpenAFS 1.0
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4
MIT Kerberos 5 1.2.7
MIT Kerberos 5 1.2.6
MIT Kerberos 5 1.2.5
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 8.0
+ Wirex Immunix OS 7+
MIT Kerberos 5 1.2.4
MIT Kerberos 5 1.2.3
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2
MIT Kerberos 5 1.1.1
+ Red Hat Linux 6.2
- RedHat Linux 7.1 ia64
- RedHat Linux 7.1 i386
- RedHat Linux 7.1 alpha
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha
IBM AIX 4.3.3
IBM AIX 5.2
IBM AIX 5.1
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.04
HP HP-UX 11.0
HP HP-UX 10.24
HP HP-UX 10.20 Series 800
HP HP-UX 10.20 Series 700
HP HP-UX 10.20
GNU glibc 2.3.2
GNU glibc 2.3.1
GNU glibc 2.3
GNU glibc 2.2.5
GNU glibc 2.2.4
GNU glibc 2.2.3
+ Conectiva Linux 7.0
GNU glibc 2.2.2
GNU glibc 2.2.1
GNU glibc 2.2
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
+ Wirex Immunix OS 7+
GNU glibc 2.1.3
GNU glibc 2.1.2
GNU glibc 2.1.1
GNU glibc 2.1
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0
diet libc diet libc 0.19
diet libc diet libc 0.18
diet libc diet libc 0.17
diet libc diet libc 0.16
diet libc diet libc 0.15
diet libc diet libc 0.12
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Cray UNICOS 9.2.4
Cray UNICOS 9.2
Cray UNICOS 9.0.2.5
Cray UNICOS 9.0
Cray UNICOS 8.3
Cray UNICOS 8.0
Cray UNICOS 7.0
Cray UNICOS 6.1
Cray UNICOS 6.0E
Cray UNICOS 6.0
Caldera OpenLinux Workstation 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Server 3.1
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.0

- Unaffected versions

NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.1
NetBSD NetBSD 1.0
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.0
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0

- Discussion

A vulnerability has been discovered in the Sun XDR library. Specifically, an integer overflow has been found in the xdrmem_getbytes() function. As a result, applications implementing the vulnerable library call may be prone to denial of service attacks.

It should be noted that the vulnerable library code has been implemented by various libraries including BSD's libc, Glibc, and Sun Microsystem's libnsl.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Conectiva has released a security advisory (CLA-2003:633). The referenced advisory contains information pertaining to obtaining and applying fixes that address this issue. Users are advised to upgrade as soon as possible.

Sorcerer Linux has advised that users update using the following commands:

augur synch && augur update

MIT has released a security advisory (2003-03-18) which contains a patch for KRB5 1.2.7.

Red Hat has released a security advisory (RHSA-2003:089-00) which contains fixes addressing this issue.

CERT has released a security advisory (CA-2003-10) which contains various vendor status information. Further details are available in the attached advisory.

The glibc 2.3.1 CVS tree has been updated to contain the necessary fixes. Further information can be found in the attached CERT advisory.

It has been reported that IBM has released APAR IY38524, IY38434, IY39231, for AIX 4.3.3, 5.1, and 5.2 respectively. Users are advised to contact IBM support for further assistance.

FreeBSD has released an advisory (FreeBSD-SA-03:05) containing patches for version 4.6, 4.7, and 5.0. Users are advised to upgrade as soon as possible.

EnGarde has released a security advisory (ESA-20030321-010) containing a fix for this issue.

Debian has released a security advisory [DSA 266-1] containing fixes for this issue.

Debian has also released an advisory and fixes for dietlibc. See the References section for details.

Gentoo has released glibc-2.3.1-r4 (arm: glibc-2.2.5-r8) which addresses this issue. Users are advised to upgrade by performing the following commands:

emerge sync
emerge glibc
emerge clean

Gentoo has also released dietlibc-0.22-r1 which addresses this issue. Users are advised to upgrade by performing the following commands:

emerge sync
emerge dietlibc
emerge clean

MandrakeSoft has released an advisory (MDKSA-2003:037), which contains fixes for glibc. Further information about obtaining and applying fixes is available in the referenced advisory.

NetBSD has released a security advisory (2003-008) which contains information about obtaining fixes via CVS. Further information is available from the attached advisory.

Trustix has released a security advisory (TSLSA-2003-0014) which contains fixes addressing this issue. Users are advised to upgrade as soon as possible.

SGI has released a security advisory (20030402-01-P) which contains fixes addressing this issue.

Debian has released a new advisory (DSA 282-1) for glibc. Affected users are advised to obtain and install new packages. Further information is available in the referenced advisory. Users of the apt-get system can issue the following commands to install new packages:

apt-get update
apt-get upgrade

Conectiva has released a security advisory (CLA-2003:639) containing fixes which address this issue. Users are advised to upgrade as soon as possible.

Red Hat has released a new security advisory (RHSA-2003-090) containing fixes to address this issue. Fixes are available via the Red Hat Network. Further information can be obtained via the attached advisory or by contacting the vendor.

SuSE has released advisory SuSE-SA:2003:027 to address this issue.

Revised HP advisory HPSBUX0303-252 SSRT2439 Rev.11 has been released to address this issue.

Fixes available:

Sun Solaris 8_sparc
Sun Solaris 7.0
diet libc diet libc 0.12
MIT Kerberos 5 1.1.1
MIT Kerberos 5 1.2.5
HP HP-UX 10.20
GNU glibc 2.2
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 5.0
SGI IRIX 6.5.15 m
SGI IRIX 6.5.16 f
SGI IRIX 6.5.16 m
SGI IRIX 6.5.17 m
SGI IRIX 6.5.19 f

- References
