----- Original Message ----- From: "FreeBSD Security Advisories" <[EMAIL PROTECTED]> To: "Bugtraq" <[EMAIL PROTECTED]> Sent: Thursday, March 20, 2003 1:10 PM Subject: FreeBSD Security Advisory FreeBSD-SA-03:05.xdr
> E-mail Premium BOL > Antiv�rus, anti-spam e at� 100 MB de espa�o. Assine j�! > http://email.bol.com.br/ > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================ = > FreeBSD-SA-03:05.xdr Security Advisory > The FreeBSD Project > > Topic: remote denial-of-service in XDR encoder/decoder > > Category: core > Module: libc > Announced: 2003-03-20 > Credits: Riley Hassell, eEye > Todd Miller <[EMAIL PROTECTED]> > Affects: All releases of FreeBSD prior to 4.6-RELEASE-p11, > 4.7-RELEASE-p8, 4.8-RELEASE and 5.0-RELEASE-p5 > Corrected: 2003-03-20 12:59:55 UTC (RELENG_4) > 2003-03-20 13:05:04 UTC (RELENG_4_6) > 2003-03-20 13:05:27 UTC (RELENG_4_7) > 2003-03-20 13:04:46 UTC (RELENG_5_0) > FreeBSD only: NO > > I. Background > > XDR (eXternal Data Representation) is a standard developed by Sun > Microsystems for platform-independent encoding of data types. It is > widely used by the Sun RPC (Remote Procedure Call) protocol and other > protocols. FreeBSD's standard C library includes routines for encoding > and decoding XDR, derived from a library originally distributed by > Sun Microsystems. > > II. Problem Description > > The xdrmem XDR stream object does incorrect bounds-checking. An > internal variable used for tracking bounds is a signed integer. > Bounds-checking is performed by subtracting the object length from > this signed integer, and then testing for a negative result. However, > if the object length is sufficiently large, the internal variable will > wrap and the result will be positive. > > III. Impact > > For some operations on the xdrmem XDR stream object, the > bounds-checking is followed by a memory copy. If the bounds-checking > error is exploited, then the memory copy will operate on a huge region > of memory, resulting in a segmentation violation. Thus, it may be > possible for an attacker to send maliciously formatted messages to a > service which utilizes the xdrmem XDR stream object and cause a > denial-of-service. > > IV. Workaround > > None known. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to the FreeBSD 4-STABLE branch; or > to the RELENG_4_7 (4.7-RELEASE-p8), RELENG_4_6 (4.6-RELEASE-p11), or > RELENG_5_0 (5.0-RELEASE-p5) security branch dated after the correction > date. > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 4.6, and 4.7 > systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-4.patch.asc > > The following patch has been verified to apply to FreeBSD 5.0 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:05/xdr-5.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating system as described in > <URL:http://www.freebsd.org/doc/handbook/makeworld.html>. > > Note that any statically linked applications that are not part of > the base system (i.e. from the Ports Collection or other 3rd-party > sources) must be recompiled. > > All affected applications must be restarted for them to use the > corrected library. Though not required, rebooting may be the easiest > way to accomplish this. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Branch Revision > Path > - ------------------------------------------------------------------------ - > RELENG_4 > src/include/rpc/xdr.h 1.14.2.1 > src/lib/libc/xdr/xdr_mem.c 1.8.2.1 > RELENG_4_6 > src/UPDATING 1.73.2.68.2.38 > src/include/rpc/xdr.h 1.14.10.1 > src/lib/libc/xdr/xdr_mem.c 1.8.10.1 > src/sys/conf/newvers.sh 1.44.2.23.2.28 > RELENG_4_7 > src/UPDATING 1.73.2.74.2.10 > src/include/rpc/xdr.h 1.14.12.1 > src/lib/libc/xdr/xdr_mem.c 1.8.12.1 > src/sys/conf/newvers.sh 1.44.2.26.2.10 > RELENG_5_0 > src/UPDATING 1.229.2.10 > src/include/rpc/xdr.h 1.21.2.1 > src/lib/libc/xdr/xdr_mem.c 1.11.2.1 > src/sys/conf/newvers.sh 1.48.2.6 > - ------------------------------------------------------------------------ - > > VII. References > > <URL: http://www.cert.org/advisories/CA-2003-10.html > > <URL: http://www.eeye.com/html/Research/Advisories/AD20030318.html > > <URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028 > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.0 (FreeBSD) > Comment: FreeBSD: The Power To Serve > > iD8DBQE+eb5xFdaIBMps37IRAiG+AJ4yWC/mnLQJAinaxAgt/CfvHY2wrQCfeaCR > W5v39BKPf1fGIK5T3/Rwcp8= > =MXpP > -----END PGP SIGNATURE----- > --- Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.463 / Virus Database: 262 - Release Date: 17/3/2003 _______________________________________________________________ Sair da Lista: http://www2.fugspbr.org/mailman/listinfo/fugspbr Historico: http://www4.fugspbr.org/lista/html/FUG-BR/
