Debian Linux Information for VU#192995

Integer overflow in xdr_array() function when deserializing the XDR stream



Vendor Statement

The Debian GNU/Linux distribution was vulnerable with regard to the XDR problem as stated above with the following vulnerability matrix:

                           OpenAFS                  Kerberos5                GNU libc
    Debian 2.2 (potato)    not included             not included             vulnerable
    Debian 3.0 (woody)     vulnerable (DSA 142-1)   vulnerable (DSA 143-1)   vulnerable
    Debian unstable (sid)  vulnerable (DSA 142-1)   vulnerable (DSA 143-1)   vulnerable

However, the following advisories were raised recently which contain and announced fixes:

DSA 142-1 OpenAFS (safe versions are: 1.2.3final2-6 (woody) and 1.2.6-1 (sid))
DSA 143-1 Kerberos5 (safe versions are: 1.2.4-5woody1 (woody) and 1.2.5-2 (sid))

The advisory for the GNU libc is pending; it is currently being recompiled. The fixed versions will probably be:
    Debian 2.2 (potato)    glibc 2.1.3-23 or later
    Debian 3.0 (woody)     glibc 2.2.5-11.1 or later
    Debian unstable (sid)  glibc 2.2.5-12 or later

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The CERT/CC has no additional comments at this time.
