
CERT Coordination Center

Integer overflow in xdr_array() function when deserializing the XDR stream

Vulnerability Note VU#192995

Original Release Date: 2002-08-01 | Last Revised: 2006-05-15

Overview

There is an integer overflow present in the xdr_array() function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

Description

The XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems. The xdr_array() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Subsequent problems like buffer overflows may result, depending on how and where the vulnerable xdr_array() function is used.

This issue is currently being tracked as VU#192995 by the CERT/CC and as CAN-2002-0391 in the Common Vulnerabilities and Exposures (CVE) dictionary.
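
The size calculation behind this note, as an added example (not code from the Sun library, the CERT/CC or any vendor): a minimal decoder for an XDR counted array that applies the bound used in the vendor patches quoted on this page. The function names, the constructed sample streams, the elsize == 0 test and a 32-bit unsigned int are assumptions of the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size computation with no guard: unsigned multiplication wraps silently. */
static unsigned int nodesize_unchecked(unsigned int c, unsigned int elsize)
{
    return c * elsize;
}

/* Bound modeled on the patched condition quoted on this page:
 * reject when c > maxsize or c > UINT_MAX / elsize.
 * The elsize == 0 test is an extra assumption of this example. */
static int count_is_safe(unsigned int c, unsigned int elsize,
                         unsigned int maxsize)
{
    if (elsize == 0)
        return 0;
    return !(c > maxsize || c > UINT_MAX / elsize);
}

/* Read one big-endian 32-bit value, the XDR wire form of an unsigned int. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode an XDR counted array of 32-bit unsigned integers: a 4-byte
 * big-endian element count followed by the elements.
 * Returns 0 and fills *out and *count on success, -1 on rejection.
 * The caller frees *out. */
static int decode_u32_array(const unsigned char *buf, size_t len,
                            unsigned int maxsize,
                            uint32_t **out, unsigned int *count)
{
    const unsigned int elsize = sizeof(uint32_t);
    unsigned int c, i;
    uint32_t *arr;

    *out = NULL;
    *count = 0;
    if (len < 4)
        return -1;
    c = get_be32(buf);

    /* Validate the attacker-controlled count before any size arithmetic. */
    if (!count_is_safe(c, elsize, maxsize))
        return -1;
    /* The stream must really contain c elements. */
    if ((len - 4) / elsize < c)
        return -1;
    if (c == 0)
        return 0;

    arr = malloc((size_t)c * elsize);
    if (arr == NULL)
        return -1;
    for (i = 0; i < c; i++)
        arr[i] = get_be32(buf + 4 + (size_t)i * elsize);
    *out = arr;
    *count = c;
    return 0;
}

/* Constructed sample streams (not captured traffic). */
static const unsigned char SAMPLE_OK[] = {
    0, 0, 0, 3,   0, 0, 0, 10,   0, 0, 0, 20,   0, 0, 0, 30
};
static const unsigned char SAMPLE_HUGE_COUNT[] = {
    0x40, 0, 0, 0x01,   0, 0, 0, 1
};

int main(void)
{
    uint32_t *v;
    unsigned int n;

    /* A maxsize of UINT_MAX lets the count through the maxsize test alone. */
    printf("unguarded size for count 0x40000001, elsize 4: %u bytes\n",
           nodesize_unchecked(0x40000001u, 4u));
    printf("well-formed stream: %d\n",
           decode_u32_array(SAMPLE_OK, sizeof SAMPLE_OK, 16u, &v, &n));
    free(v);
    printf("oversized count: %d\n",
           decode_u32_array(SAMPLE_HUGE_COUNT, sizeof SAMPLE_HUGE_COUNT,
                            UINT_MAX, &v, &n));
    return 0;
}
```

With a caller-supplied maxsize of UINT_MAX, the count 0x40000001 passes a c > maxsize test on its own, and the unguarded multiplication yields a 4-byte size for more than a billion elements; the division-based bound rejects it.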

Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

Specific impacts reported include the ability to execute arbitrary code with root privileges (by exploiting dmispd, rpc.cmsd, or kadmind, for example). In addition, intruders who exploit the XDR overflow in MIT KRB5 kadmind may be able to gain control of a Key Distribution Center (KDC) and improperly authenticate to other services within a trusted Kerberos realm.

Solution

Apply a patch from your vendor

Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.

Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

    1. Patch or obtain updated XDR/RPC libraries.
    2. Restart any dynamically linked services that make use of the XDR/RPC libraries.
    3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

    Note this is an iterative process for each set of patches being applied.

    Disable access to vulnerable services or applications

    Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdr_array() function. Such applications include, but are not limited to, the following:

      • DMI Service Provider daemon (dmispd)
      • CDE Calendar Manager Service daemon (rpc.cmsd)
      • MIT Kerberos 5 Administration daemon (kadmind)

    As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

    Vendor Information


    Apple Computer, Inc.

    Notified:  July 29, 2002 Updated:  September 20, 2002

    Status

      Vulnerable

    Vendor Statement

    The vulnerability described in this note is fixed with Security Updates 2002-08-02 and 2002-08-23.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    -----BEGIN PGP SIGNED MESSAGE-----

    Security Update 2002-08-23 is now available.  This applies the fixes
    already available in Security Update 2002-08-02 to the Mac OS X 10.2
    (Jaguar) release.  Security Update 2002-08-02 was designed for the Mac
    OS X 10.1.5 release.

    It contains fixes for recent vulnerabilities in:

        OpenSSL:  Fixes security vulnerabilities CAN-2002-0656,
           CAN-2002-0657, CAN-2002-0655, and CAN-2002-0659.  Details are
           available via:
           http://www.cert.org/advisories/CA-2002-23.html

        mod_ssl:  Fixes CAN-2002-0653, an off-by-one buffer overflow in the
           mod_ssl Apache module.  Details are available via:
           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

        Sun RPC:  Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
           decoder.  Details are available via:
           http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

    Affected systems:  Mac OS X client and Mac OS X Server

    Note:  Mac OS X client is configured by default to have these services
    turned off, and is only vulnerable if the user has enabled network
    services which rely on the affected components.  It is still recommended
    for Mac OS X client users to apply this security update to their system.

    System requirements:  Mac OS X 10.2 (Jaguar)

    Security Update 2002-08-23 may be obtained from:

       * Software Update pane in System Preferences

       * Apple's Software Downloads web site:
         
    http://www.info.apple.com/kbnum/n120142

    To help verify the integrity of Security Update 2002-08-23 from the
    Software Downloads web site:

        The download file is titled:  SecurityUpd2002-08-23.dmg
       Its SHA-1 digest is:  fccb3adb478f90650f4484534a79a80bba5f94f3

    Information will also be posted to the Apple Product Security web site:
    http://www.apple.com/support/security/security_updates.html

    This message is signed with Apple's Product Security PGP key, and
    details are available at:
    http://www.apple.com/support/security/security_pgp.html

    _______________________________________________

    ---- Original Message ----
    From:Product Security
    Date:Fri 8/2/02 20:02
    To:security-announce@lists.apple.com
    Subject:Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

    -----BEGIN PGP SIGNED MESSAGE-----

    Security Update 2002-08-02 is now available. It contains fixes for
    recent vulnerabilities in:

    OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
    CAN-2002-0655, and CAN-2002-0659. Details are available via:
    http://www.cert.org/advisories/CA-2002-23.html

    mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
    mod_ssl Apache module. Details are available via:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

    Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR
    decoder. Details are available via:
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

    Affected systems: Mac OS X client and Mac OS X Server

    Note: Mac OS X client is configured by default to have these services
    turned off, and is only vulnerable if the user has enabled network
    services which rely on the affected components. It is still recommended
    for Mac OS X client users to apply this security update to their system.

    System requirements: Mac OS X 10.1.5

    Security Update 2002-08-02 may be obtained from:

    * Software Update pane in System Preferences

    * Apple's Software Downloads web site:
    http://docs.info.apple.com/article.html?artnum=120139

    SSL server:
    https://depot.info.apple.com/security/129403bc5e184e3b7367.html

    To help verify the integrity of Security Update 2002-08-02 from the
    Software Downloads web site:

    The download file is titled: SecurityUpd2002-08-02.dmg
    Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

    Information will also be posted to the Apple Product Security web site:
    http://www.apple.com/support/security/security_updates.html

    This message is signed with Apple's Product Security PGP key, and
    details are available at:
    http://www.apple.com/support/security/security_pgp.html


    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Debian Linux

    Notified:  July 29, 2002 Updated:  August 06, 2002

    Status

      Vulnerable

    Vendor Statement

    The Debian GNU/Linux distribution was vulnerable with regard to the XDR problem as stated above with the following vulnerability matrix:


                               OpenAFS                   Kerberos5                 GNU libc
      Debian 2.2 (potato)      not included              not included              vulnerable
      Debian 3.0 (woody)       vulnerable (DSA 142-1)    vulnerable (DSA 143-1)    vulnerable
      Debian unstable (sid)    vulnerable (DSA 142-1)    vulnerable (DSA 143-1)    vulnerable

    However, the following advisories were raised recently which contain and announce fixes:

    DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
    DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))

    The advisory for the GNU libc is pending, it is currently being recompiled. The fixed versions will probably be:
      Debian 2.2 (potato)    glibc 2.1.3-23 or later
      Debian 3.0 (woody)     glibc 2.2.5-11.1 or later
      Debian unstable (sid)  glibc 2.2.5-12 or later

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    FreeBSD, Inc.

    Notified:  July 29, 2002 Updated:  August 01, 2002

    Status

      Vulnerable

    Vendor Statement

    Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Note this is a REVISED advisory pointing to patches correct on 07/31/2002.

    GNU glibc

    Notified:  July 31, 2002 Updated:  August 06, 2002

    Status

      Vulnerable

    Vendor Statement

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Version 2.2.5 and earlier versions of the GNU C Library are
    vulnerable.  For Version 2.2.5, we suggest the following patch.
    This patch is also available from the GNU C Library CVS repository at:

    http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_array.c.diff?r1=1.5&r2=1.5.2.1&cvsroot=glibc


    2002-08-02  Jakub Jelinek  <jakub@redhat.com>

    * sunrpc/xdr_array.c (xdr_array): Check for overflow on
    multiplication.  Patch by Solar Designer <solar@openwall.com>.

    ===================================================================
    RCS file: /cvs/glibc/libc/sunrpc/xdr_array.c,v
    retrieving revision 1.5
    retrieving revision 1.5.2.1
    diff -u -r1.5 -r1.5.2.1
    - --- libc/sunrpc/xdr_array.c2001/08/17 04:48:311.5
    +++ libc/sunrpc/xdr_array.c2002/08/02 01:35:391.5.2.1
    @@ -45,6 +45,7 @@
    #include <rpc/types.h>
    #include <rpc/xdr.h>
    #include <libintl.h>
    +#include <limits.h>

     #ifdef USE_IN_LIBIO
    # include <wchar.h>
    @@ -81,7 +82,11 @@
          return FALSE;
        }
      c = *sizep;
    - -  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
    +  /*
    +   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
    +   * doesn't actually use its second argument anyway.
    +   */
    +  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
        {
          return FALSE;
        }
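
Review bot: In the new condition, c > UINT_MAX / elsize divides by elsize with nothing in this hunk ensuring it is non-zero, so a caller passing elsize == 0 would fault at the division instead of getting FALSE; consider rejecting elsize == 0 before this test. The XXX comment also makes safety on the XDR_FREE path depend on mem_free() ignoring its second argument, so a matching remark at mem_free() would keep a later change there from silently reintroducing the problem.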



    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    Hewlett-Packard Company

    Notified:  July 29, 2002 Updated:  August 01, 2002

    Status

      Vulnerable

    Vendor Statement

    SOURCE: Hewlett-Packard Company

    RE: Potential RPC XDR buffer overflow

    At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.

    As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.

    IBM Corporation

    Notified:  July 29, 2002 Updated:  September 03, 2002

    Status

      Vulnerable

    Vendor Statement

    IBM is vulnerable to the above XDR Library issues in both the 4.3 and 5.1 releases of AIX. A temporary patch is currently available through an efix package. Efixes are available from

    ftp.software.ibm.com/aix/efixes/security

    See the README file in this directory for additional information on the efixes.

    The following APARs will be available in the near future:


    AIX 4.3.3: APAR #IY34194 ( available approx 10/1/2002 )
    AIX 5.1.0: APAR #IY34158 ( available approx 10/16/2002 )

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Previously on 08/06/2002 IBM stated:



    IBM has analyzed AIX with regard to the XDR vulnerability and found that the 4.3.3 and 5.1.0 releases are exposed. We are currently working on an efix package for this issue which will be available shortly.

    We will update this statement with more information once the efixes are available.

    MIT Kerberos Development Team

    Notified:  August 02, 2002 Updated:  August 02, 2002

    Status

      Vulnerable

    Vendor Statement

    Please see http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-001-xdr.txt

    The patch is available directly:

    http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

    The following detached PGP signature should be used to verify the authenticity and integrity of the patch:

    http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    -----BEGIN PGP SIGNED MESSAGE-----

    MIT krb5 Security Advisory 2002-001

    2002-08-02

    Topic: Remote root vulnerability in MIT krb5 admin system

    Severity: Remote user may be able to gain root access to a KDC host.

    SUMMARY
    =======

    There is an integer overflow bug in the SUNRPC-derived RPC library
    used by the Kerberos 5 administration system that could be exploited
    to gain unauthorized root access to a KDC host. It is believed that
    the attacker needs to be able to authenticate to the kadmin daemon for
    this attack to be successful. No exploits are known to exist yet.

    IMPACT
    ======

    A remote attacker can potentially execute arbitrary code on the KDC
    with the privileges of the user running the kadmin daemon (usually
    root). This can lead to compromise of the Kerberos database.

    AFFECTED SOFTWARE
    =================

    All releases of MIT Kerberos 5, up to and including krb5-1.2.5.

    FIXES
    =====

    Apply the following patch to src/lib/rpc/xdr_array.c:

    Index: xdr_array.c
    ===================================================================
    RCS file: /cvs/krbdev/krb5/src/lib/rpc/xdr_array.c,v
    retrieving revision 1.5
    diff -c -r1.5 xdr_array.c
    *** xdr_array.c1998/02/14 02:27:231.5
    - --- xdr_array.c2002/08/02 17:25:05
    ***************
    *** 75,81 ****
    return (FALSE);
    }
    c = *sizep;
    ! if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
    return (FALSE);
    }
    nodesize = c * elsize;
    - --- 75,82 ----
    return (FALSE);
    }
    c = *sizep;
    ! if ((c > maxsize || c > LASTUNSIGNED / elsize)
    ! && (xdrs->x_op != XDR_FREE)) {
    return (FALSE);
    }
    nodesize = c * elsize;
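
Review bot: The replacement lines bound the count with LASTUNSIGNED, whose definition is not part of this hunk; confirm it is the maximum value of the unsigned type used for c * elsize, otherwise c > LASTUNSIGNED / elsize does not bound the multiplication in nodesize = c * elsize. The test is still skipped when xdrs->x_op is XDR_FREE, so nodesize can wrap on that path and nothing here says why that is acceptable; add a comment giving the reason, and consider rejecting elsize == 0 before dividing.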

    and rebuild your tree. The patch was generated against krb5-1.2.5;
    patches to other releases may apply with some offset.

    This patch may also be found at:

    http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt

    The associated detached PGP signature is at:

    http://web.mit.edu/kerberos/www/advisories/2002-001-xdr_array_patch.txt.asc

    This announcement and code patches related to it may be found on the
    MIT Kerberos security advisory page at:

    http://web.mit.edu/kerberos/www/advisories/index.html

    The main MIT Kerberos web page is at:

    http://web.mit.edu/kerberos/www/index.html

    ACKNOWLEDGMENTS
    ===============

    Thanks to ISS for discovery of the vulnerability.

    Thanks to Jeffrey Hutzelman for assistance in discovering the
    particulars of this bug.

    DETAILS
    =======

    The xdr_array() decoder computes the value of the NODESIZE variable in
    a way that can lead to integer overflow. An attacker can construct an
    XDR encoding that will take advantage of this integer overflow in
    order to overflow the allocated heap buffer, depending on the
    specifics of the caller of the xdr_array() function.

    The uses of xdr_array() in the kadm5 library, which implements the
    Kerberos 5 administration protocol, are unsafe in an environment where
    this bug exists. A remote user may be able to use the buffer overflow
    to execute arbitrary code on the KDC host, possibly leading to
    unauthorized root access. It is believed that the remote user must
    first successfully authenticate to the kadmin daemon in order to
    exercise this vulnerability, though the user may not need to possess
    any special privileges.

    Microsoft Corporation

    Notified:  July 29, 2002 Updated:  October 03, 2002

    Status

      Vulnerable

    Vendor Statement

    Microsoft is currently conducting an investigation based on this report. We will update this advisory with information once it is complete.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Please see http://www.microsoft.com/technet/security/bulletin/ms02-057.asp

    Statement date: 10/2/2002 6:13:15 PM

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: Flaw in Services for Unix 3.0 Interix SDK Could Allow
    Code Execution (Q329209)
    Released: 02 October 2002
    Software: Services for Unix 3.0 Interix SDK
    Impact: Buffer overrun and denial of service
    Max Risk: Moderate
    Bulletin: MS02-057

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS02-057.asp.
    - ----------------------------------------------------------------------
    Issue:
    ======
    All three vulnerabilities discussed in this bulletin involve the
    inclusion of the Sun [TM] Microsystems RPC library in Microsoft's
    Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who
    created applications or utilities using the Sun RPC library from
    the Interix SDK need to evaluate three vulnerabilities.

    Windows Services for UNIX (SFU) 3.0 provides a full range of
    cross-platform services to integrate Windows into existing UNIX
    environments. In version 3.0, the Interix subsystem technology is
    built in so that Windows Services for UNIX 3.0 can provide platform
    interoperability and application migration in one fully integrated
    and supported product from Microsoft. Developers who have integrated
    Windows into their existing UNIX environments may have used the
    Interix SDK to develop custom applications and utilities so that
    applications that only ran on the UNIX platform can now run in a
    Windows environment. Developers who used the Interix SDK to develop
    applications or utilities should read this bulletin.

    The first vulnerability is an integer overflow in the XDR library
    that ships with the Sun RPC library on the Interix SDK for
    Microsoft's Services for Unix (SFU) 3.0. An attacker could send a
    malicious RPC request to the RPC server from a remote machine and
    cause corruption in the server program. This can cause the server
    to fail and potentially allow the attacker to run code of his or
    her choice in the context of the server program.

    The second vulnerability is a buffer overrun. An attacker could send
    a malicious RPC request to the RPC server with an improper parameter
    size check. This could lead to a buffer overrun, causing the server
    to fail and preventing it from servicing any further requests from
    clients.

    The third vulnerability is an RPC implementation error. An
    application using the Sun RPC library does not properly check the
    size of client TCP requests. This could result in a denial of
    service to a server application using the Sun RPC library. The RPC
    library expects client TCP requests to specify the size of the
    record that follows. Because there is a flaw in the way RPC detects
    client packets, an attacker could send a malformed RPC request to
    the RPC server from a remote machine and cause the server to fail
    by not servicing any further client requests.

    After applying the patch, it is necessary to recompile any Interix
    application that is statically linked with the Interix SDK Sun RPC
    library.


    Mitigating Factors:
    ====================
    * Only applications or utilities that were created using the
      Interix SDK and specifically that use the Sun RPC library,
      would be affected by these vulnerabilities.
    * If an administrator or developer has only installed the
      Interix SDK but has not actually created applications with
      the SDK that use the Sun RPC library, the systems where the
      SDK was installed would not be vulnerable.

    Risk Rating:
    ============
    - Internet systems: Moderate
    - Intranet systems: Moderate
    - Client systems: Moderate

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    http://www.microsoft.com/technet/security/bulletin/ms02-057.asp
    for information on obtaining this patch.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
    SO THE FOREGOING LIMITATION MAY NOT APPLY.



    NetBSD

    Notified:  July 29, 2002 Updated:  September 20, 2002

    Status

      Vulnerable

    Vendor Statement

    Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    -----BEGIN PGP SIGNED MESSAGE-----

    NetBSD Security Advisory 2002-011
    =================================

    Topic:      Sun RPC XDR decoder contains buffer overflow

    Version:    NetBSD-current:     source prior to August 1, 2002
                NetBSD-1.6 beta:    affected
                NetBSD-1.5.3:       affected
                NetBSD-1.5.2:       affected
                NetBSD-1.5.1:       affected
                NetBSD-1.5:         affected
                NetBSD-1.4.*:       affected

    Severity:   Possible remote root compromise if RPC services
                are enabled

    Fixed:      NetBSD-current:     August 1, 2002
                NetBSD-1.6 branch:  August 2, 2002 (1.6 includes the fix)
                NetBSD-1.5 branch:  August 1, 2002
                NetBSD-1.4 branch:  not yet


    Abstract
    ========

    Integer overflows exist in the RPC code in libc. These cause a buffer to
    be mistakenly allocated too small, and then overflown.

    The Automounter amd(8) and its query tool amq(8), and the rusers(1)
    client binary use the flawed code in a way which could be exploitable.

    Other uses of the RPC functions have been examined and are believed to
    not be exploitable.

    No RPC-based services are enabled by default.


    Technical Details
    =================

    Sun RPC is a remote procedure call framework which allows clients
    to invoke procedures in a server process over a network somewhat
    transparently.  XDR is a mechanism for encoding data structures for
    use with RPC.  NFS, NIS, and many other network services are built
    upon Sun RPC.

    The NetBSD C runtime library (libc) contains an XDR encoder/decoder
    derived from Sun's RPC implementation.

    Any application using Sun RPC may be vulnerable to a heap buffer
    overflow.  Depending upon the application, this vulnerability may be
    exploitable and lead to arbitrary code execution.

    An error in the calculation of memory needed for unpacking arrays in
    the XDR decoder can result in a heap buffer overflow.

    Though no exploits are known to exist currently, RPC-based services
    often run as the superuser, and the vulnerability in amd(8) could be
    exploitable.

    Again, no RPC-based services are enabled by default.


    Solutions and Workarounds
    =========================

    The recent NetBSD 1.6 release is not vulnerable to this issue. A full
    upgrade to NetBSD 1.6 is the recommended resolution for all users able
    to do so. Many security-related improvements have been made, and
    indeed this release has been delayed several times in order to include
    fixes for a number of recent issues.

    If you do not run any of the affected RPC services (amd/amq/rusers)
    your system is not affected.  However, we suggest you upgrade your
    system to avoid running vulnerable RPC code by mistake.

    The following instructions describe how to upgrade your libc (which
    includes RPC code) by updating your source tree and rebuilding and
    installing a new version of libc.

    Note that if you have any statically-linked binaries that uses RPC,
    you need to recompile them.

    * NetBSD-current:

    Systems running NetBSD-current dated from before 2002-08-01
    should be upgraded to NetBSD-current dated 2002-08-01 or later.

    The following directories need to be updated from the
    netbsd-current CVS branch (aka HEAD):
    lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
    # cd src
    # cvs update -d -P lib/libc/rpc

    # cd lib/libc
    # make cleandir dependall
    # make install


    * NetBSD 1.6 beta:

    Systems running NetBSD 1.6 BETAs and Release Candidates should
    be upgraded to the NetBSD 1.6 release.

    If a source-based point upgrade is required, sources from the
    NetBSD 1.6 branch dated 2002-08-02 or later should be used.

    The following directories need to be updated from the
    netbsd-1-6 CVS branch:
    lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
    # cd src
    # cvs update -d -P -r netbsd-1-6 lib/libc/rpc

    # cd lib/libc
    # make cleandir dependall
    # make install


    * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

    Systems running NetBSD-1.5 branch dated from before 2002-08-02
    should be upgraded to NetBSD-1.5 branch dated 2002-08-02 or later.

    The following directories need to be updated from the
    netbsd-1-5 CVS branch:
    lib/libc/rpc

    To update from CVS, re-build, and re-install libc:
    # cd src
    # cvs update -d -P -r netbsd-1-5 lib/libc/rpc

    # cd lib/libc
    # make cleandir dependall
    # make install


    * NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

    The advisory will be updated to include instructions to remedy
    this problem for systems running the NetBSD-1.4 branch.


    Thanks To
    =========

    CERT for notification.

    Charles Hannum for scope analysis and commentary.

    FreeBSD security-officers. Parts of the advisory text are based on
    the FreeBSD advisory.

    The NetBSD Release Engineering teams, for great patience and
    assistance in dealing with repeated security issues discovered
    recently.


    Revision History
    ================

    2002-08-01  Initial release
    2002-08-02  1.5/1.6 branch info
    2002-09-16  Re-release with updated information


    More Information
    ================

    An up-to-date PGP signed copy of this release will be maintained at
    ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc

    Information about NetBSD and NetBSD security can be found at
    http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


    Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

    $NetBSD: NetBSD-SA2002-011.txt,v 1.13 2002/09/16 05:17:55 dan Exp $



    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    OpenAFS

    Updated:  August 05, 2002

    Status

      Vulnerable

    Vendor Statement

    Please see http://www.openafs.org/pages/security/OPENAFS-SA-2002-001.txt

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    -----BEGIN PGP SIGNED MESSAGE-----

    OpenAFS Security Advisory 2002-001

    Topic: Remote root vulnerability in OpenAFS servers

    Issued: 03-Aug-2002
    Last Update: 03-Aug-2002
    Severity: High
    Affected: OpenAFS 1.0 - 1.2.5, OpenAFS 1.3.0 - 1.3.2

    A remote user may be able to gain root access to an OpenAFS database
    server or fileserver host. In addition, certain administrative clients
    may be attacked if they make requests to a rogue server.

    SUMMARY
    =======

    There is an integer overflow bug in the SUNRPC-derived RPC library
    used by OpenAFS that could be exploited to crash certain OpenAFS
    servers (volserver, vlserver, ptserver, buserver) or to obtain
    unauthorized root access to a host running one of these processes.

    In addition, it is possible for a rogue server to attack certain
    administrative clients (vos, pts, backup, butc, rxstat), but only
    if certain RPC requests are made to the rogue server.

    The OpenAFS fileserver and cache manager (client) are not vulnerable
    to these attacks. No exploits are presently known to be available
    for this vulnerability.

    IMPACT
    ======

    A remote attacker can potentially execute arbitrary code on an OpenAFS
    server host with the privileges of the user running the OpenAFS server
    processes (usually root). This can lead to compromise of the OpenAFS
    administrative databases, data stored on a compromised server, or
    possible root access on a server host. Once a server host has been
    compromised, the attacker is able to obtain access to any other OpenAFS
    servers in the same cell.

    AFFECTED SOFTWARE
    =================

    All releases of OpenAFS 1.0.x and 1.1.x.
    All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.5.
    All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.

    FIXES
    =====

    The OpenAFS project recommends that all users upgrade to OpenAFS
    1.2.6 or newer. The latest stable OpenAFS release is always available
    from http://www.openafs.org/release/latest.html.

    No update is presently available for the OpenAFS-unstable series.

    For those who are unable to upgrade, apply the following patch to
    correct the XDR vulnerability, and rebuild your tree.

    ===================================================================
    RCS file: /cvs/openafs/src/rx/Makefile.in,v
    retrieving revision 1.4.2.1
    retrieving revision 1.4.2.2
    diff -u -r1.4.2.1 -r1.4.2.2
    - --- openafs/src/rx/Makefile.in2002/01/20 08:38:381.4.2.1
    +++ openafs/src/rx/Makefile.in2002/08/02 02:45:141.4.2.2
    @@ -38,7 +38,7 @@
    # Generic xdr objects (or, at least, xdr stuff that's not newly defined for rx).
    # Really the xdr stuff should be in its own directory.
    #
    - -XDROBJS = xdr_arrayn.o xdr_rx.o xdr_afsuuid.o
    +XDROBJS = xdr.o xdr_array.o xdr_arrayn.o xdr_rx.o xdr_afsuuid.o

    RXOBJS = rx_clock.o rx_event.o rx_user.o rx_lwp.o rx.o rx_null.o rx_globals.o \
    rx_getaddr.o rx_misc.o rx_packet.o rx_rdwr.o rx_trace.o rx_conncache.o \
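Review bot: the XDROBJS line now also builds xdr.o and xdr_array.o, but the comment block directly above it is unchanged and does not say why rx has to compile these two files itself. Suggest adding one line to that comment stating that they are listed so that the xdr.c and xdr_array.c changed in this same patch are the copies that get linked, so a later cleanup does not drop them from the list again.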
    ===================================================================
    RCS file: /cvs/openafs/src/rx/xdr.c,v
    retrieving revision 1.4
    retrieving revision 1.5
    diff -u -r1.4 -r1.5
    - --- openafs/src/rx/xdr.c2002/06/08 04:43:381.4
    +++ openafs/src/rx/xdr.c2002/07/31 23:13:091.5
    @@ -558,6 +558,8 @@
    u_int size;
    u_int nodesize;

    + if (maxsize > ((~0) >> 1) - 1) maxsize = ((~0) >> 1) - 1;
    +
    /*
    * first deal with the length since xdr strings are counted-strings
    */
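Review bot: in the added clamp, (~0) is a signed int equal to -1, so (~0) >> 1 right-shifts a negative value; the result is implementation-defined, and with an arithmetic shift it stays -1, which makes the bound -2 instead of the largest positive int minus one. If maxsize is unsigned, as size and nodesize are in this hunk, the comparison converts -2 to the second-largest unsigned value and the clamp almost never fires. Suggest building the bound from an unsigned constant, for example ((~0u) >> 1) - 1, or using INT_MAX - 1 from <limits.h>.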
    ===================================================================
    RCS file: /cvs/openafs/src/rx/xdr_array.c,v
    retrieving revision 1.4
    retrieving revision 1.5
    diff -u -r1.4 -r1.5
    - --- openafs/src/rx/xdr_array.c2001/08/08 00:03:571.4
    +++ openafs/src/rx/xdr_array.c2002/07/31 23:13:091.5
    @@ -84,7 +84,10 @@
    register caddr_t target = *addrp;
    register u_int c; /* the actual element count */
    register bool_t stat = TRUE;
    - -register int nodesize;
    +register u_int nodesize;
    +
    + i = ((~0) >> 1) / elsize;
    + if (maxsize > i) maxsize = i;

    /* like strings, arrays are really counted arrays */
    if (! xdr_u_int(xdrs, sizep)) {
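Review bot: the added line i = ((~0) >> 1) / elsize divides by elsize with no check that it is non-zero, so a caller that passes an element size of 0 faults here before anything is decoded. Suggest returning FALSE early when elsize is 0. The (~0) >> 1 term also shifts a negative signed int, which is implementation-defined; an unsigned constant such as (~0u) >> 1 states the intended bound explicitly. Changing nodesize from int to u_int is the right direction.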
    ===================================================================
    RCS file: /cvs/openafs/src/rx/xdr_arrayn.c,v
    retrieving revision 1.4
    retrieving revision 1.5
    diff -u -r1.4 -r1.5
    - --- openafs/src/rx/xdr_arrayn.c2001/08/08 00:03:571.4
    +++ openafs/src/rx/xdr_arrayn.c2002/07/31 23:13:091.5
    @@ -89,7 +89,10 @@
    register caddr_t target = *addrp;
    register u_int c; /* the actual element count */
    register bool_t stat = TRUE;
    - -register int nodesize;
    +register u_int nodesize;
    +
    + i = ((~0) >> 1) / elsize;
    + if (maxsize > i) maxsize = i;

    /* like strings, arrays are really counted arrays */
    if (! xdr_u_int(xdrs, sizep)) {
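Review bot: the two added lines are a verbatim copy of the clamp added to xdr_array.c, and both reuse i, which is not declared in this hunk and reads like a loop index, to hold the limit. Suggest moving the bound into one shared macro or helper used by both files, with a comment saying that it keeps the element count times elsize within range, so that a later correction to the expression cannot be applied to one copy and missed in the other.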
    ===================================================================

    This patch may also be found at:

    http://www.openafs.org/security/xdr-updates-20020731.delta

    The associated detached PGP signature is at

    http://www.openafs.org/security/xdr-updates-20020731.delta.asc

    It was generated against OpenAFS 1.2.5, but should apply to earlier
    releases, possibly with some offset.

    This announcement and code patches related to it may be found on the
    OpenAFS security advisory page at:

    http://www.openafs.org/security/

    The main OpenAFS web page is at:

    http://www.openafs.org/

    ACKNOWLEDGMENTS
    ===============

    Thanks to ISS for discovery of the vulnerability.

    Thanks to Nickolai Zeldovich for assistance in discovering the
    particulars of this bug and developing a fix.

    Thanks also to Tom Yu and the MIT Kerberos Development Team for their
    advisory MITKRB5-SA-2002-001, the form and much of the text of which
    was shamelessly stolen to produce this alert.

    DETAIL
    ======

    The xdr_array() decoder computes the value of the NODESIZE variable in
    a way that can lead to integer overflow. An attacker can construct an
    XDR encoding that will take advantage of this integer overflow in
    order to overflow the allocated heap buffer, depending on the
    specifics of the caller of the xdr_array() function.

    Several uses of xdr_array() in various AFS protocols are unsafe in an
    environment where this bug exists. In particular, any use of a
    counted array with unbounded size (represented in the Rx protocol
    description with an empty pair of angle brackets '<>') is unsafe. Such
    uses appear in input arguments to procedures in the PTS, VLDB, volserver,
    and backup database protocols, and output arguments from procedures in all
    of these protocols and in the Rx statistics interface implemented by most
    OpenAFS servers.

    A remote user may be able to use the buffer overflow to execute arbitrary
    code on the server under attack, possibly leading to unauthorized root
    access. Similarly a rogue server may be able to use the buffer overflow
    to attack a client which makes one of the RPCs with unsafe output
    arguments.


    If you have feedback, comments, or additional information about this vulnerability, please send us email.
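
The sizing error described in the OpenAFS advisory's DETAIL section, as an added example (not OpenAFS or Sun code): it contrasts a 32-bit element-count multiplication that wraps with a bounded version in the spirit of the patch above. The function names, the status enum, the sample byte streams and the wire-length check are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum size_status { SIZE_OK, SIZE_BAD_INPUT, SIZE_OVER_LIMIT, SIZE_TRUNCATED };

/* Constructed sample streams: a 4-byte big-endian count, then the elements. */
static const unsigned char hostile_stream[] = {
    0x40, 0x00, 0x00, 0x01,     /* claimed count = 0x40000001 */
    0x00, 0x00, 0x00, 0x2a      /* only one element is really present */
};
static const unsigned char benign_stream[] = {
    0x00, 0x00, 0x00, 0x03,     /* count = 3 */
    0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x03
};

/* Read the XDR element count (unsigned, big-endian, 4 bytes). */
static int read_count(const unsigned char *buf, size_t len, uint32_t *count)
{
    if (len < 4)
        return 0;
    *count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
             ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return 1;
}

/* Pre-fix sizing: the byte count is a 32-bit product that silently wraps. */
uint32_t unchecked_nodesize(uint32_t count, uint32_t elsize)
{
    return (uint32_t)(count * elsize);
}

/*
 * Hardened sizing. maxsize is the caller's bound on the element count
 * (UINT32_MAX stands in for an unbounded '<>' array). On SIZE_OK, *nodesize
 * holds the number of bytes to allocate for the decoded elements.
 */
enum size_status checked_nodesize(const unsigned char *buf, size_t len,
                                  uint32_t maxsize, uint32_t elsize,
                                  uint32_t *nodesize)
{
    uint32_t count, limit;

    if (elsize == 0 || !read_count(buf, len, &count))
        return SIZE_BAD_INPUT;

    /* Largest count whose byte size still fits in a positive 32-bit int. */
    limit = (UINT32_MAX >> 1) / elsize;
    if (maxsize > limit)
        maxsize = limit;
    if (count > maxsize)
        return SIZE_OVER_LIMIT;

    /* Extra check (assumption: each element is at least one 4-byte XDR unit
     * on the wire): the stream must be long enough to hold count elements. */
    if (count > (len - 4) / 4)
        return SIZE_TRUNCATED;

    *nodesize = count * elsize;     /* cannot wrap: count <= limit */
    return SIZE_OK;
}

int main(void)
{
    uint32_t count = 0, n = 0;
    enum size_status st;

    read_count(hostile_stream, sizeof hostile_stream, &count);
    printf("claimed count=%lu, elsize=4, unchecked nodesize=%lu bytes\n",
           (unsigned long)count, (unsigned long)unchecked_nodesize(count, 4));

    st = checked_nodesize(hostile_stream, sizeof hostile_stream,
                          UINT32_MAX, 4, &n);
    printf("hostile stream: status=%d\n", (int)st);

    st = checked_nodesize(benign_stream, sizeof benign_stream,
                          UINT32_MAX, 4, &n);
    printf("benign stream: status=%d nodesize=%lu\n", (int)st,
           (unsigned long)n);
    return 0;
}
```

With the unchecked product, a claimed count of 0x40000001 four-byte elements sizes the buffer at 4 bytes while the decode loop would still be driven by the full count; the bounded version rejects the stream before any allocation.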

    OpenBSD

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Vulnerable

    Vendor Statement

    Please see http://www.openbsd.org/errata.html#xdr

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Common patches are available here: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/012_xdr.patch


    Openwall GNU/*/Linux

    Updated:  August 06, 2002

    Status

      Vulnerable

    Vendor Statement

    The xdr_array(3) integer overflow was present in the glibc package on
    Openwall GNU/*/Linux until 2002/08/01 when it was corrected for
    Owl-current and documented as a security fix in the system-wide change
    log available at:

    http://www.openwall.com/Owl/CHANGES.shtml

    The same glibc package update also fixes a very similar but different
    calloc(3) integer overflow possibility that is currently not known to
    allow for an attack on a particular application, but has been patched
    as a proactive measure.  The Sun RPC xdr_array(3) overflow may allow
    for passive attacks on mount(8) by malicious or spoofed NFSv3 servers
    as well as for both passive and active attacks on RPC clients or
    services that one might install on Owl.  (There're no RPC services
    included with Owl.)

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Red Hat, Inc.

    Notified:  July 29, 2002 Updated:  August 05, 2002

    Status

      Vulnerable

    Vendor Statement

    Red Hat distributes affected packages glibc and Kerberos in all Red Hat Linux distributions. We are currently working on producing errata packages; when complete, these will be available along with our advisory at the URLs below. At the same time, users of the Red Hat Network will be able to update their systems using the 'up2date' tool.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    SGI

    Notified:  July 29, 2002 Updated:  August 19, 2002

    Status

      Vulnerable

    Vendor Statement

    Patches available per SGI Security Advisory 20020801-01-P.

    -----BEGIN PGP SIGNED MESSAGE-----

    ______________________________________________________________________________
                              SGI Security Advisory

             Title:  Sun RPC xdr_array vulnerability
           Number:  20020801-01-P
             Date:  August 16, 2002
        Reference:  CERT® CA-2002-25
        Reference:  SGI Security Advisory 20020801-01-A
        Reference:  CAN-2002-0391

    ______________________________________________________________________________

    - -----------------------
    - --- Issue Specifics ---
    - -----------------------


    This is a followup to SGI Security Bulletin 20020801-01-A.

    It's been reported that there is a buffer overflow vulnerability in the Sun
    RPC functions supplied with the IRIX 6.5 operating system.

    The portmapper, NFS and NIS RPC services do NOT use the relevant RPC XDR
    functions in libc in a manner that makes them vulnerable.  But other RPC
    services from IRIX, third-parties, freeware, etc. might use XDR functions.

    See http://www.cert.org/advisories/CA-2002-25.html and
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
    for additional details.

    SGI has investigated the issue and recommends the following steps for
    neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
    implemented on ALL vulnerable SGI systems.

    These issues have been corrected in future releases of IRIX and with a
    series of patches.


    - --------------
    - --- Impact ---
    - --------------


    The vulnerabilities exist within libc, which is installed by default on
    IRIX 6.5 systems as part of eoe.sw.base.

    To determine the version of IRIX you are running, execute the following
    command:

      # uname -R

    That will return a result similar to the following:

      # 6.5 6.5.16f

    The first number ("6.5") is the release name, the second ("6.5.16f" in
    this case) is the extended release name.  The extended release name is
    the "version" we refer to throughout this document.

    This vulnerability was assigned the following CVE:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391

    This vulnerability was assigned the following VU:
    http://www.kb.cert.org/vuls/id/192995


    - ----------------------------
    - --- Temporary Workaround ---
    - ----------------------------


    There is no effective workaround available for these problems.  SGI
    recommends either upgrading to a minimum of IRIX 6.5.18, or installing the
    appropriate patch from the listing below.


    - ----------------
    - --- Solution ---
    - ----------------


    SGI has provided a series of patches for these vulnerabilities. Our
    recommendation is to upgrade to IRIX 6.5.18 when available, or install the
    appropriate patch.

      OS Version     Vulnerable?     Patch #      Other Actions
      ----------     -----------     -------      -------------
      IRIX 3.x        unknown                     Note 1
      IRIX 4.x        unknown                     Note 1
      IRIX 5.x        unknown                     Note 1
      IRIX 6.0.x      unknown                     Note 1
      IRIX 6.1        unknown                     Note 1
      IRIX 6.2        unknown                     Note 1
      IRIX 6.3        unknown                     Note 1
      IRIX 6.4        unknown                     Note 1
      IRIX 6.5          yes                       Notes 2 & 3
      IRIX 6.5.1        yes                       Notes 2 & 3
      IRIX 6.5.2        yes                       Notes 2 & 3
      IRIX 6.5.3        yes                       Notes 2 & 3
      IRIX 6.5.4        yes                       Notes 2 & 3
      IRIX 6.5.5        yes                       Notes 2 & 3
      IRIX 6.5.6        yes                       Notes 2 & 3
      IRIX 6.5.7        yes                       Notes 2 & 3
      IRIX 6.5.8        yes                       Notes 2 & 3
      IRIX 6.5.9        yes                       Notes 2 & 3
      IRIX 6.5.10       yes                       Notes 2 & 3
      IRIX 6.5.11       yes                       Notes 2 & 3
      IRIX 6.5.12       yes                       Notes 2 & 3
      IRIX 6.5.13m      yes            4740       Note 2
      IRIX 6.5.13f      yes            4739       Note 2
      IRIX 6.5.14m      yes            4742       Note 2
      IRIX 6.5.14f      yes            4741       Note 2
      IRIX 6.5.15m      yes            4744       Note 2
      IRIX 6.5.15f      yes            4743       Note 2
      IRIX 6.5.16m      yes            4746       Note 2
      IRIX 6.5.16f      yes            4745       Note 2
      IRIX 6.5.17m      yes            4748       Note 2
      IRIX 6.5.17f      yes            4747       Note 2
      IRIX 6.5.18       no

      NOTES

         1) This version of the IRIX operating system has been retired. Upgrade to an
            actively supported IRIX operating system.  See
            http://support.sgi.com/irix/news/index.html#policy for more
            information.

         2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
            SGI Support Provider or URL:
            http://support.sgi.com/irix/swupdates/

         3) Upgrade to IRIX 6.5.18m or 6.5.18f.

                    ##### Patch File Checksums ####

    The actual patch will be a tar file containing the following files:



    - ------------------------
    - --- Acknowledgments ----
    - ------------------------


    SGI wishes to thank CERT, ISS, FIRST and the users of the Internet Community
    at large for their assistance in this matter.


    - -------------
    - --- Links ---
    - -------------


    SGI Security Advisories can be found at:
    http://www.sgi.com/support/security/ and
    ftp://patches.sgi.com/support/free/security/advisories/

    SGI Security Patches can be found at:
    http://www.sgi.com/support/security/ and
    ftp://patches.sgi.com/support/free/security/patches/

    SGI patches for IRIX can be found at the following patch servers:
    http://support.sgi.com/irix/ and ftp://patches.sgi.com/

    SGI freeware updates for IRIX can be found at:
    http://freeware.sgi.com/

    SGI fixes for SGI open sourced code can be found on:
    http://oss.sgi.com/projects/

    SGI patches and RPMs for Linux can be found at:
    http://support.sgi.com/linux/ or
    http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

    SGI patches for Windows NT or 2000 can be found at:
    http://support.sgi.com/nt/

    IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
    http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

    IRIX 6.5 Maintenance Release Streams can be found at:
    http://support.sgi.com/colls/patches/tools/relstream/index.html

    IRIX 6.5 Software Update CDs can be obtained from:
    http://support.sgi.com/irix/swupdates/

    The primary SGI anonymous FTP site for security advisories and patches is
    patches.sgi.com (216.32.174.211).  Security advisories and patches are
    located under the URL
    ftp://patches.sgi.com/support/free/security/

    For security and patch management reasons, ftp.sgi.com (mirrors
    patches.sgi.com security FTP repository) lags behind and does not do a
    real-time update.


    - -----------------------------------------
    - --- SGI Security Information/Contacts ---
    - -----------------------------------------


    If there are questions about this document, email can be sent to
    security-info@sgi.com.

                          ------oOo------

    SGI provides security information and patches for use by the entire SGI
    community.  This information is freely available to any person needing the
    information and is available via anonymous FTP and the Web.

    The primary SGI anonymous FTP site for security advisories and patches is
    patches.sgi.com (216.32.174.211).  Security advisories and patches are
    located under the URL
    ftp://patches.sgi.com/support/free/security/

    The SGI Security Headquarters Web page is accessible at the URL:
    http://www.sgi.com/support/security/

    For issues with the patches on the FTP sites, email can be sent to
    security-info@sgi.com.

    For assistance obtaining or working with security patches, please
    contact your SGI support provider.

                          ------oOo------

    SGI provides a free security mailing list service called wiretap and
    encourages interested parties to self-subscribe to receive (via email) all
    SGI Security Advisories when they are released. Subscribing to the mailing
    list can be done via the Web
    (http://www.sgi.com/support/security/wiretap.html) or by sending email to
    SGI as outlined below.

    % mail wiretap-request@sgi.com
    subscribe wiretap < YourEmailAddress such as aaanalyst@sgi.com >
    end
    ^d

    In the example above, <YourEmailAddress> is the email address that you wish
    the mailing list information sent to.  The word end must be on a separate
    line to indicate the end of the body of the message. The control-d (^d) is
    used to indicate to the mail program that you are finished composing the
    mail message.


                          ------oOo------

    SGI provides a comprehensive customer World Wide Web site. This site is
    located at http://www.sgi.com/support/security/ .

                          ------oOo------

    If there are general security questions on SGI systems, email can be sent to
    security-info@sgi.com.

    For reporting *NEW* SGI security issues, email can be sent to
    security-alert@sgi.com or contact your SGI support provider.  A support
    contract is not required for submitting a security report.

    ______________________________________________________________________________
         This information is provided freely to all interested parties
         and may be redistributed provided that it is not altered in any
         way, SGI is appropriately credited and the document retains and
         includes its valid PGP signature.


    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    SGI was previously looking into the matter on August 1, 2002, per:

    ftp://patches.sgi.com/support/free/security/advisories/20020801-01-A

    -----BEGIN PGP SIGNED MESSAGE-----

    ______________________________________________________________________________
                               SGI Security Advisory

             Title:  Sun RPC xdr_array vulnerability
            Number:  20020801-01-A
              Date:  August 1, 2002
    ______________________________________________________________________________

    SGI provides this information freely to the SGI user community for its
    consideration, interpretation, implementation and use.   SGI recommends
    that this information be acted upon as soon as possible.

    SGI provides the information in this Security Advisory on an "AS-IS" basis
    only, and disclaims all warranties with respect thereto, express, implied
    or otherwise, including, without limitation, any warranty of merchantability
    or fitness for a particular purpose.  In no event shall SGI be liable for
    any loss of profits, loss of business, loss of data or for any indirect,
    special, exemplary, incidental or consequential damages of any kind arising
    from your use of, failure to use or improper use of any of the instructions
    or information in this Security Advisory.
    ______________________________________________________________________________


    SGI acknowledges the Sun RPC vulnerability reported by ISS X-Force Advisory:
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823
    and is currently investigating.

    No further information is available at this time.  As further information
    becomes available, additional advisories will be issued.

    For the protection of all our customers, SGI does not disclose, discuss
    or confirm vulnerabilities until a full investigation has occurred and
    any necessary patch(es) or release streams are available for all vulnerable
    and supported Linux and IRIX operating systems.

    Until SGI has more definitive information to provide, customers are encouraged
    to assume all security vulnerabilities as exploitable and take appropriate
    steps according to local site security policies and requirements.

    As further information becomes available, additional advisories will be
    issued via the normal SGI security information distribution methods
    including the wiretap mailing list.


    - -----------------------------------------
    - --- SGI Security Information/Contacts ---
    - -----------------------------------------

    If there are questions about this document, email can be sent to
    security-info@sgi.com.

                          ------oOo------

    SGI provides security information and patches for use by the entire
    SGI community.  This information is freely available to any person
    needing the information and is available via anonymous FTP and the Web.

    The primary SGI anonymous FTP site for security advisories and patches
    is patches.sgi.com (216.32.174.211).  Security advisories and patches
    are located under the URL ftp://patches.sgi.com/support/free/security/

    The SGI Security Headquarters Web page is accessible at the URL
    http://www.sgi.com/support/security/

    For issues with the patches on the FTP sites, email can be sent to
    security-info@sgi.com.

    For assistance obtaining or working with security patches, please
    contact your SGI support provider.

                          ------oOo------

    SGI provides a free security mailing list service called wiretap and
    encourages interested parties to self-subscribe to receive (via email) all
    SGI Security Advisories when they are released. Subscribing to the mailing
    list can be done via the Web (http://www.sgi.com/support/security/wiretap.html)
    or by sending email to SGI as outlined below.

    % mail wiretap-request@sgi.com
    subscribe wiretap <YourEmailAddress>
    end
    ^d

    In the example above, <YourEmailAddress> is the email address that you
    wish the mailing list information sent to.  The word end must be on a
    separate line to indicate the end of the body of the message. The
    control-d (^d) is used to indicate to the mail program that you are
    finished composing the mail message.


                          ------oOo------

    SGI provides a comprehensive customer World Wide Web site. This site is
    located at http://www.sgi.com/support/security/ .

                          ------oOo------

    For reporting *NEW* SGI security issues, email can be sent to
    security-alert@sgi.com or contact your SGI support provider.  A
    support contract is not required for submitting a security report.

    ______________________________________________________________________________
        This information is provided freely to all interested parties and
        may be redistributed provided that it is not altered in any way,
        SGI is appropriately credited and the document retains and includes
        its valid PGP signature.


    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Sun Microsystems, Inc.

    Notified:  July 29, 2002 Updated:  August 05, 2002

    Status

      Vulnerable

    Vendor Statement

    Sun can confirm that there is a type overflow vulnerability in the xdr_array(3NSL) function which is part of the network services library, libnsl(3LIB), on Solaris 2.5.1 through 9. Sun has published Sun Alert 46122 which describes the issue, applications affected, and workaround information. The Sun Alert will be updated as more information or patches become available and is located here:


    Sun will be publishing a Sun Security Bulletin for this issue once all of the patches are available which will be located at:

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    [text downloaded at Thu Aug 1 2002 11:30:51 (-0400)]

    Xerox Corporation

    Notified:  July 30, 2002 Updated:  May 29, 2003

    Status

      Vulnerable

    Vendor Statement

    A response to this advisory is available from our web site: http://www.xerox.com/security.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    [Begin cached statement: 05/29/2003 20:08:48 UTC]

    CERT_VU192995.pdf

    [End cached statement]


    Juniper Networks, Inc.

    Notified:  July 30, 2002 Updated:  August 01, 2002

    Status

      Not Vulnerable

    Vendor Statement

    The Juniper Networks SDX-300 Service Deployment System (SSC) does use XDR for communication with an ERX edge router, but does not make use of the Sun RPC libraries. The SDX-300 product is not vulnerable to the Sun RPC XDR buffer overflow as outlined in this CERT advisory.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    KTH Kerberos

    Notified:  August 02, 2002 Updated:  August 05, 2002

    Status

      Not Vulnerable

    Vendor Statement

    kth-krb and heimdal are not vulnerable to this problem since they do not use any Sun RPC at all.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Network Appliance

    Notified:  July 30, 2002 Updated:  August 02, 2002

    Status

      Not Vulnerable

    Vendor Statement

    NetApp systems are not vulnerable to this problem.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    e-Security Inc.

    Updated:  August 06, 2002

    Status

      Not Vulnerable

    Vendor Statement

    Not Vulnerable

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    AT&T

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Alcatel

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Cisco Systems, Inc.

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Computer Associates

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Cray Inc.

    Notified:  July 29, 2002 Updated:  August 01, 2002

    Status

      Unknown

    Vendor Statement

    Cray Inc. is still investigating this issue. Concerned customers can refer to Cray SPR 722876 for details.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Data General

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    F5 Networks, Inc.

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Fujitsu

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Guardian Digital Inc.

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Intel

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Lucent Technologies

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Mandriva, Inc.

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NEC Corporation

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NeXT

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Nortel Networks, Inc.

    Notified:  July 30, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    SUSE Linux

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Sequent Computer Systems, Inc.

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Sony Corporation

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The Open Group

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The SCO Group (SCO Linux)

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The SCO Group (SCO Unix)

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Unisphere Networks

    Notified:  July 30, 2002 Updated:  August 01, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Unisys

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Wind River Systems, Inc.

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Xi Graphics

    Notified:  July 29, 2002 Updated:  July 31, 2002

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.



    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A

    References

    Credit

    Thanks to Sun Microsystems for working with the CERT/CC to make this document possible. The initial vulnerability research and demonstration was performed by Internet Security Systems (ISS).

    This document was written by Jeffrey S. Havrilla.

    Other Information

    CVE IDs: CVE-2002-0391
    CERT Advisory: CA-2002-25
    Severity Metric: 27.29
    Date Public: 2002-07-31
    Date First Published: 2002-08-01
    Date Last Updated: 2006-05-15 15:47 UTC
    Document Revision: 45

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.