Azarah, here are some more links you should check. I haven't seen any other Linux distribution issuing an SA about this, only FreeBSD. I will make patches based on the advisories and attach them to this bug. (In no order)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
http://online.securityfocus.com/archive/1/285758/2002-07-30/2002-08-05/0
http://online.securityfocus.com/archive/1/285740/2002-07-30/2002-08-05/0
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A34.rpc.asc
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
http://online.securityfocus.com/archive/1/285558/2002-07-30/2002-08-05/0
Created attachment 2751: Patch against glibc-2.2.5-r5. Based on the FreeBSD patch.
Created attachment 2754: Patch against krb5-1.2.5-r1.ebuild. Also based on the FreeBSD patch.
Here is another fix I've found, this might be a better fix. -nodesize = c * elsize; +{ + unsigned int i; + nodesize = 0; + for (i=c; i; --i) { + unsigned int tmp=nodesize+elsize; + if (tmp<nodesize) /* overflow */ + return FALSE; + nodesize=tmp; + } +}
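Review bot: the added for loop builds nodesize by c repeated additions of elsize, so the cost of the overflow check grows linearly with c, and a large c means a long spin before the function either proceeds or returns FALSE. A single comparison before the multiplication, for example c > UINT_MAX / elsize with elsize checked for zero first, detects the same wraparound in constant time and lets the original nodesize = c * elsize line stay as it was. If the loop form is kept, a short comment stating that it exists only to detect unsigned wraparound of c * elsize would help the next reader.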
RedHat's fix for glibc: --- libc/sunrpc/xdr_array.c 2001/08/17 04:48:31 1.5 +++ libc/sunrpc/xdr_array.c 2002/08/02 01:35:39 1.5.2.1 @@ -45,6 +45,7 @@ #include <rpc/types.h> #include <rpc/xdr.h> #include <libintl.h> +#include <limits.h> #ifdef USE_IN_LIBIO # include <wchar.h> @@ -81,7 +82,11 @@ return FALSE; } c = *sizep; - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) + /* + * XXX: Let the overflow possibly happen with XDR_FREE because mem_free() + * doesn't actually use its second argument anyway. + */ + if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE)) { return FALSE; }
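Review bot: in the second hunk, the new test c > UINT_MAX / elsize divides by elsize, and nothing in the visible context shows that elsize is guaranteed to be nonzero at this point; a caller passing an element size of 0 would turn the overflow check into a division by zero. Either reject elsize == 0 before the comparison or state in the comment why it cannot happen. The XXX comment also ties the XDR_FREE exemption to mem_free() ignoring its second argument, so the check is only as good as that assumption; applying the bound for every x_op would remove the dependency. UINT_MAX is the right limit only if c and elsize are both unsigned int, which is worth confirming against the declarations outside this hunk.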
Hi Daniel .. did you also fix krb5? If so, assign this to yourself, and complete it, as you did all the work and should thus receive the credit =)