Sicherheit: Pufferüberlauf in nfs-utils

Lesezeichen hinzufügen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: OpenLinux: Linux NFS utils package contains remotely exploitable
off-by-one bug
Advisory number: CSSA-2003-037.0
Issue date: 2003 November 17
Cross reference: sr882699 fz528148 erg712382
______________________________________________________________________________

1. Problem Description

Janusz Niewiadomski has discovered an off-by-one overflow in
xlog() in the nfs-utils package. It is rumoured this bug is
exploitable, however as it writes a single zero byte to memory,
an exploit may be difficult to write.

CAN-2003-0252 Off-by-one error in the xlog function of mountd
in the Linux NFS utils package (nfs-utils) before 1.0.4 allows
remote attackers to cause a denial of service and possibly execute
arbitrary code via certain RPC requests to mountd that do not
contain newlines.

2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to nfs-0.2.1-12.i386.rpm
prior to nfs-lockd-0.2.1-12.i386.rpm
prior to nfs-server-0.2.1-12.i386.rpm

OpenLinux 3.1.1 Workstation prior to nfs-0.2.1-12.i386.rpm
prior to nfs-lockd-0.2.1-12.i386.rpm
prior to nfs-server-0.2.1-12.i386.rpm

3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/RPMS

4.2 Packages

30ea43154970596e70e4fe28d975384e nfs-0.2.1-12.i386.rpm
680b5214c57a02e1265229458ae881d3 nfs-lockd-0.2.1-12.i386.rpm
32ee130750f4502fc5bfb51ed46bbbd9 nfs-server-0.2.1-12.i386.rpm

4.3 Installation

rpm -Fvh nfs-0.2.1-12.i386.rpm
rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
rpm -Fvh nfs-server-0.2.1-12.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/SRPMS

4.5 Source Packages

da4e028d9ffe374c7be7e24ffad2b360 nfs-0.2.1-12.src.rpm

5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/RPMS

5.2 Packages

40c11bad18969b6587a9d94b79c2e41c nfs-0.2.1-12.i386.rpm
f98629ebc8412a30a1ab6fe16ea55f77 nfs-lockd-0.2.1-12.i386.rpm
6407294bbb284c9e42f2769ef9941e8a nfs-server-0.2.1-12.i386.rpm

5.3 Installation

rpm -Fvh nfs-0.2.1-12.i386.rpm
rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
rpm -Fvh nfs-server-0.2.1-12.i386.rpm

5.4 Source Package Location

SRPMS

5.5 Source Packages

f47fea29ce99c7979c50ffb3e91ddf99 nfs-0.2.1-12.src.rpm

6. References

Specific references for this advisory:
http://marc.theaimsgroup.com/?l=bugtraq&m=105839032403325&w=2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0252

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr882699 fz528148
erg712382.

7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.

8. Acknowledgements

SCO would like to thank Janusz Niewiadomski for reporting this issue.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

iD8DBQE/uU5lbluZssSXDTERAjKTAKCwv9o4wj3AnK++/g6/MObc4WFUFgCgqdA8
xmjzczTc7zXZECQEkCsW3M4=
=Kq/p
-----END PGP SIGNATURE-----