Eridani alert ERISA-2002:036 (glibc)

From:  Eridani Star System <linux@eridani.co.uk>
To:  eridani-announce@eridani.co.uk
Subject:  [Eridani-Announce] ERISA-2002:036 - glibc
Date:  Tue, 13 Aug 2002 22:31:30 +0100 (BST)

=========================================================================
ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================
Package: glibc
Summary: Buffer overflow in Sun RPC XDR decoder
Date:    2002-08-13
ID:      ERISA-2002:036
=========================================================================

Problem description:

The Sun Remote Procedure Call framework is a built-in component of GNU libc. XDR is a process for encoding data structures to be used by RPC. Many network services, including NFS and NIS, use this framework.

The XDR decoder and encoder present in glibc is derived from Sun's implementation, and has been recently demonstrated to be vulnerable to a heap buffer overflow.

The XDR decoder in glibc 2.2.5 and earlier miscalculates the amount of memory required to unpack arrays, and this can result in the buffer overflow. Certain applications using this framework could find themselves open to exploitation with possible arbitrary code execution.

The packages supersede those released for ERISA-2002:028 and the old packages have been removed from the FTP server.

-------------------------------------------------------------------------
Updated packages:

a03ff4e5871fbb1b65f0787eaf4b6acc  glibc-2.1.3-27.src.rpm
36b02859e4e0ada5e2fdd88b069e069e  glibc-2.1.3-27.i386.rpm
9cf672eb3f648c3bef75dc5281607e97  glibc-devel-2.1.3-27.i386.rpm
e6fa1987bca29eb706fb41a7879797f7  glibc-profile-2.1.3-27.i386.rpm
654d5bb4fb2fcdf2b403dbd25679ec4c  nscd-2.1.3-27.i386.rpm

-------------------------------------------------------------------------
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391

=========================================================================
Packages available from ftp://ftp.eridani.co.uk/pub/Aeryn/
or by HTTP from http://ftp.eridani.co.uk/

Packages are signed with our GNU GPG key, also on our FTP site.

Users of releases of Eridani Linux prior to 6.3 are advised to download the source RPM and rebuild for their system.

Copyright (C)2002 Eridani Star System

--
Michael "Soruk" McConnell                      http://www.eridani.co.uk
Eridani Linux -- The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...

_______________________________________________
Eridani-Announce mailing list
To be removed from this list email linux@eridani.co.uk requesting removal.
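The advisory attributes the overflow to a miscalculated allocation size when unpacking arrays. The added example below is not part of the advisory and is not glibc code; all function names are hypothetical, and it assumes the miscalculation takes the common form of a 32-bit multiplication of an untrusted element count by the element size. It shows the wrapping computation next to a checked one that a decoder can use before allocating.

```c
#include <stdint.h>
#include <stdlib.h>

/* Unsafe form: the 32-bit product wraps silently, so a huge element
 * count can yield a tiny byte size and an undersized heap buffer. */
static uint32_t unchecked_array_bytes(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Safe form: returns 0 and stores the size in *out, or -1 when the count
 * exceeds the caller's limit or the product does not fit in 32 bits. */
static int checked_array_bytes(uint32_t count, uint32_t elsize,
                               uint32_t maxcount, uint32_t *out)
{
    if (count > maxcount)
        return -1;
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return -1;
    *out = count * elsize;
    return 0;
}

/* Hypothetical decoder step: allocate room for `count` elements whose
 * count came from an untrusted length field. NULL means "reject". */
static void *alloc_decoded_array(uint32_t count, uint32_t elsize,
                                 uint32_t maxcount)
{
    uint32_t nbytes;
    if (checked_array_bytes(count, elsize, maxcount, &nbytes) != 0)
        return NULL;
    return calloc(1, nbytes ? nbytes : 1);
}

int main(void)
{
    /* Constructed input: 0x40000001 elements of 4 bytes each. */
    uint32_t count = 0x40000001u, elsize = 4;
    uint32_t wrapped = unchecked_array_bytes(count, elsize); /* wraps to 4 */
    void *p = alloc_decoded_array(count, elsize, UINT32_MAX); /* rejected */
    free(p);
    return (wrapped == 4 && p == NULL) ? 0 : 1;
}
```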



Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds