Notified:  April 22, 2002 Updated: June 07, 2002

Status

Affected

Vendor Statement

"We discovered an apparent buffer overflow in "rcp" as used in AIX 4.3.x. We tracked the problem down to a corruption of malloc'ed memory in the file_comp() function within rcp.c; this occurred as a result from calling "glob". We determined that the problem of a core dump was happening in glob.c, in the pname() function. Some calls to "strcpy" and "strcat" did not allow for proper bounds checking, resulting in a buffer overflow. "We think this would be a difficult exploit to pull off, but there have been examples in the past of malloc-related exploits, so we fixed the problems in glob.c by using "strncpy" and "strncat" to force bounds checking. "We are not aware of any exploits that are in existence. "The possible security vulnerability was fixed earlier this year. "If customers are running AIX 4.3.x, they need to apply APAR #IY28698 to their systems. If they are running AIX 5.1, they need to apply APAR #IY26503. The APARs can be obtained by going first to this URL: http://techsupport.services.ibm.com/server/nav?fetch=pm and following the relevant links from there."

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.