Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 17846

Summary: GNU glibc security vulnerability - overflow in Sun RPC XDR library routines - CA-2003-10
Product: Gentoo Linux Reporter: Bug Hunter <tidoineurope>
Component: [OLD] Core systemAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical CC: azarah
Priority: Highest    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cert.org/advisories/CA-2003-10.html
Whiteboard:
Package list:
Runtime testing required: ---

Description Bug Hunter 2003-03-19 16:37:07 UTC 
From the CERT advisory:

Overview:
There is an integer overflow in the xdrmem_getbytes() function distributed as
part of the Sun
Microsystems XDR library. This overflow can cause remotely exploitable buffer
overflows in multiple
applications, leading to the execution of arbitrary code. Although the library
was originally distributed by 
Sun Microsystems, multiple vendors have included the vulnerable code in their
own implementations. 

GNU glibc:
Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also
vulnerable. The following
patches have been installed into the CVS sources, and should appear in the next
version of the GNU 
C Library. These patches are also available from the following URLs:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc
Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-21 04:50:38 UTC 
Martin, I've added glibc-2.3.1-r4 (copied from 2.3.1-r3) with the patches to the tree 
but I want your approval before I unmask it. Could you take a look and tell me what 
you think?
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-03-25 04:55:16 UTC 
glsa sent