Compaq Computer Corporation Information for VU#970472

Network Time Protocol ([x]ntpd) daemon contains buffer overflow in ntp_control:ctl_getitem() function

Status

Affected

Vendor Statement

====================================================

TITLE: SSRT1-85U - xntpd potential buffer overflow
SOURCE: Compaq Computer Corporation,
Software Security Response Team
====================================================
Date: 02-MAY-2001

SEVERITY: HIGH

PROBLEM STATEMENT SUMMARY:

Compaq continues to take a serious approach to the quality
and security of all its software products and makes every
effort to address issues and provide solutions in a timely
manner. In line with this commitment, Compaq is responding
to recent concerns of a potential buffer overflow with xntpd.

The Network Time Protocol daemon for Compaq Tru64 UNIX
contains a potential buffer overflow (even though it would be
difficult to exploit) that may allow unauthorized access to bin
privileges.

IMPACT:

Compaq's Tru64 UNIX V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1

SOLUTION:

Compaq Tru64 UNIX engineering has provided a fix for this
potential problem.

NOTE: The solutions will be included in future releases of
Tru64 UNIX aggregate patch kits. Until that has happened
the kits identified should be reinstalled accordingly after an
upgrade to any affected version listed.

The patches identified are available from the Compaq FTP site
http://ftp1.support.compaq.com/public/dunix/ then choose the
version directory needed and search for the patch by name.
Please review the applicable readme and install files prior
to installation.

Patches:
V4.0D: DUV40D16-C0058302-10580-20010430.tar
V4.0F: DUV40F16-C0042002-10579-20010430.tar
V4.0G: T64V40G16-C0003502-10577-20010430.tar
V5.0: T64V5016-C0006102-10575-20010430.tar
V5.0A: T64V50A16-C0010402-10574-20010430.tar
V5.1: T64V513-C0027202-10573-20010430.tar

NOTE: A patch for Compaq Tru64 UNIX V4.0e is not available
as it is no longer supported by Compaq. If you require a patch
for V4.0e please contact your normal Compaq Services channel.

Compaq appreciates your cooperation and patience. We regret any
inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system
management and security procedures. Compaq will continue to
review and enhance the security features of its products and work
with customers to maintain and improve the security and integrity
of their systems.

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved

To subscribe to automatically receive future NEW Security
Advisories from Compaq's Software Security Response Team
via electronic mail,

Use your browser to select the URL
http://www.support.compaq.com/patches/mailing-list.shtml
Select "Security and Individual Notices" for immediate dispatch
notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to:

security-ssrt@compaq.com
=============================================
COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE
NO REPRESENTATIONS ABOUT THE SUITABILITY OF
THE INFORMATION CONTAINED IN THE DOCUMENTS
AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED
ON THIS SERVER FOR ANY PURPOSE. ALL SUCH
DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE
SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK
ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT.
IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE
SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL,
INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES
WHATSOEVER (INCLUDING WITHOUT LIMITATION,
DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS
INTERRUPTION, OR LOSS OF BUSINESS INFORMATION),
EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Previously it was reported Tru64 and OpenVMS were not vulnerable to this problem.
