|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
GNU glibc Information for VU#192995
| Date Notified: | 2002-07-31 |
| Date Updated: | |
| Status Summary: | Vulnerable |
Vendor Statement-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Version 2.2.5 and earlier versions of the GNU C Library are
vulnerable. For Version 2.2.5, we suggest the following patch.
This patch is also available from the GNU C Library CVS repository at:
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc
2002-08-02 Jakub Jelinek <jakub@redhat.com>
* sunrpc/xdr_array.c (xdr_array): Check for overflow on
multiplication. Patch by Solar Designer <solar@openwall.com>.
===================================================================
RCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v
retrieving revision 1.5
retrieving revision 1.5.2.1
diff -u -r1.5 -r1.5.2.1
- --- libc/sunrpc/xdr_array.c 2001/08/17 04:48:31 1.5
+++ libc/sunrpc/xdr_array.c 2002/08/02 01:35:39 1.5.2.1
@@ -45,6 +45,7 @@
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <libintl.h>
+#include <limits.h>
#ifdef USE_IN_LIBIO
# include <wchar.h>
@@ -81,7 +82,11 @@
return FALSE;
}
c = *sizep;
- - if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+ /*
+ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+ * doesn't actually use its second argument anyway.
+ */
+ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
{
return FALSE;
}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (SunOS)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard <http://www.gnupg.org/>
iD8DBQE9Tv0wddnqSFPI1IgRAmomAJ9cK6vT8zZMGdO/0Z4nOIZwUej2BwCfbRT3
mnvR4B781bGEg3y6PVaRdDw=
=qn87
-----END PGP SIGNATURE-----
Vendor InformationThe vendor has not provided us with any further information regarding this vulnerability.
AddendumThe CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |
