Vulnerability Note VU#516825
Integer overflow in Sun RPC XDR library routines
The XDR library from Sun Microsystems is a widely used implementation for RPC services. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations. Some implementations of standard functions in this API may contain an integer overflow.
The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems.
Some memory allocation routines in the XDR library provided by Sun Microsystems contain an integer overflow that can lead to improperly sized dynamic memory allocation. The length of the allocated buffer is interpreted as a signed integer, whereas the callers interpret the length as an unsigned integer. The xdrmem_getbytes() function is one example of where the flaw may occur. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdrmem_getbytes() function is used. Other functions in the xdrmem_*() family may suffer from an identical error.
Because Sun RPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Furthermore, because RPC services often run as root on affected systems, this vulnerability may be leveraged to gain remote root access on vulnerable systems.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Compaq Computer Corporation||Affected||11 Dec 2002||18 Apr 2003|
|Conectiva||Affected||11 Dec 2002||09 May 2003|
|Debian||Affected||11 Dec 2002||09 Apr 2003|
|FreeBSD||Affected||11 Dec 2002||20 Mar 2003|
|Gentoo Linux||Affected||-||31 Mar 2003|
|GNU glibc||Affected||11 Dec 2002||21 Feb 2003|
|Guardian Digital Inc.||Affected||11 Dec 2002||21 Mar 2003|
|Hewlett-Packard Company||Affected||11 Dec 2002||11 Feb 2004|
|IBM||Affected||11 Dec 2002||18 Mar 2003|
|MandrakeSoft||Affected||11 Dec 2002||01 Apr 2003|
|MiT Kerberos Development Team||Affected||11 Dec 2002||20 Mar 2003|
|NetBSD||Affected||11 Dec 2002||26 Mar 2003|
|Nortel Networks||Affected||11 Dec 2002||09 Apr 2003|
|Red Hat Inc.||Affected||11 Dec 2002||02 Apr 2003|
|SGI||Affected||11 Dec 2002||09 Apr 2003|
CVSS Metrics (Learn More)
Thanks to Riley Hassell of eEye Digital Security for reporting this vulnerability.
This document was written by Chad R Dougherty and Jeffrey S Havrilla.
- CVE IDs: CAN-2003-0028
- CERT Advisory: CA-2003-10
- Date Public: 18 Mar 2003
- Date First Published: 19 Mar 2003
- Date Last Updated: 11 Feb 2004
- Severity Metric: 12.02
- Document Revision: 33
If you have feedback, comments, or additional information about this vulnerability, please send us email.