OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug

security_at_sco.com
Date: 11/17/03

    To: announce@lists.caldera.com, bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com
    Date: Mon, 17 Nov 2003 14:42:45 -0800 (PST)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: OpenLinux: Linux NFS utils package contains remotely exploitable off-by-one bug
    Advisory number: CSSA-2003-037.0
    Issue date: 2003 November 17
    Cross reference: sr882699 fz528148 erg712382
    ______________________________________________________________________________

    1. Problem Description

            Janusz Niewiadomski has discovered an off-by-one overflow in
            xlog() in the nfs-utils package. It is rumoured that this bug is
            exploitable; however, as it writes only a single zero byte to
            memory, an exploit may be difficult to write.

            CAN-2003-0252 Off-by-one error in the xlog function of mountd
            in the Linux NFS utils package (nfs-utils) before 1.0.4 allows
            remote attackers to cause a denial of service and possibly execute
            arbitrary code via certain RPC requests to mountd that do not
            contain newlines.
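            The pattern behind this class of bug, shown here as an added
            illustration written for this page and not the nfs-utils xlog()
            source: a log routine caps a message so that a NUL terminator
            fits, but then appends a newline first when the message lacks one,
            which pushes the terminator one byte past the buffer. The trigger
            (a message of exactly buffer length minus one, with no trailing
            newline) is modelled on the CVE description above; the buffer
            size, function names and messages are constructed. The
            vulnerable variant reports where the terminator would land
            instead of performing the out-of-bounds write, beside a bounded
            version that reserves room for both bytes before copying.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration for this advisory, not the nfs-utils xlog() code.
 * LOGBUF is deliberately tiny so the edge case is easy to reach. */
#define LOGBUF 16

/* Models the off-by-one: the message is capped at LOGBUF-1 bytes so a NUL
 * would fit, but when it has no trailing newline a '\n' is appended first,
 * pushing the NUL to index LOGBUF, one byte past the end of the buffer.
 * To stay runnable without undefined behaviour, this function does not
 * perform the write; it returns the index the NUL would land on. */
size_t vulnerable_nul_index(const char *msg) {
    size_t len = strlen(msg);
    if (len > LOGBUF - 1)
        len = LOGBUF - 1;            /* room for the NUL only, not '\n' + NUL */
    if (len == 0 || msg[len - 1] != '\n')
        len++;                       /* '\n' written at buf[len-1] ... */
    return len;                      /* ... and NUL at buf[len]: may be LOGBUF */
}

/* True when the modelled terminator write would fall outside a LOGBUF-byte
 * buffer, i.e. the input that reaches the off-by-one. */
int vulnerable_overflows(const char *msg) {
    return vulnerable_nul_index(msg) >= LOGBUF;
}

/* Hardened version: reserve room for both the newline and the terminator
 * before deciding how much of the message to copy. Returns the number of
 * bytes stored in dst excluding the NUL; every write stays within dstsz. */
size_t safe_format_line(char *dst, size_t dstsz, const char *msg) {
    if (dstsz < 2) {                 /* cannot hold even "\n" + NUL */
        if (dstsz)
            dst[0] = '\0';
        return 0;
    }
    size_t len = strlen(msg);
    int needs_nl = (len == 0 || msg[len - 1] != '\n');
    size_t max_msg = dstsz - 1 - (needs_nl ? 1 : 0);
    if (len > max_msg)
        len = max_msg;               /* truncate rather than overrun */
    memcpy(dst, msg, len);
    if (needs_nl)
        dst[len++] = '\n';
    dst[len] = '\0';
    return len;
}

int main(void) {
    const char *no_nl = "AAAAAAAAAAAAAAA";   /* constructed: 15 bytes, no newline */
    char buf[LOGBUF];
    printf("vulnerable NUL index: %zu (buffer size %d) -> %s\n",
           vulnerable_nul_index(no_nl), LOGBUF,
           vulnerable_overflows(no_nl) ? "OUT OF BOUNDS" : "ok");
    size_t n = safe_format_line(buf, sizeof buf, no_nl);
    printf("safe: stored %zu bytes, NUL at index %zu\n", n, n);
    return 0;
}
```

            The defensive point is the order of operations: compute every
            byte the routine will append (newline and terminator) before
            capping the copy length, and truncate the message rather than
            trusting the caller to leave slack. The same check applies to
            any fixed-buffer logger fed with data from the network.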

    2. Vulnerable Supported Versions

            System                         Package
            ----------------------------------------------------------------------
            OpenLinux 3.1.1 Server         prior to nfs-0.2.1-12.i386.rpm
                                           prior to nfs-lockd-0.2.1-12.i386.rpm
                                           prior to nfs-server-0.2.1-12.i386.rpm

            OpenLinux 3.1.1 Workstation    prior to nfs-0.2.1-12.i386.rpm
                                           prior to nfs-lockd-0.2.1-12.i386.rpm
                                           prior to nfs-server-0.2.1-12.i386.rpm

    3. Solution

            The proper solution is to install the latest packages. Many
            customers find it easier to use the Caldera System Updater, called
            cupdate (or kcupdate under the KDE environment), to update these
            packages rather than downloading and installing them by hand.

    4. OpenLinux 3.1.1 Server

            4.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/RPMS

            4.2 Packages

            30ea43154970596e70e4fe28d975384e nfs-0.2.1-12.i386.rpm
            680b5214c57a02e1265229458ae881d3 nfs-lockd-0.2.1-12.i386.rpm
            32ee130750f4502fc5bfb51ed46bbbd9 nfs-server-0.2.1-12.i386.rpm

            4.3 Installation

            rpm -Fvh nfs-0.2.1-12.i386.rpm
            rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
            rpm -Fvh nfs-server-0.2.1-12.i386.rpm

            4.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-037.0/SRPMS

            4.5 Source Packages

            da4e028d9ffe374c7be7e24ffad2b360 nfs-0.2.1-12.src.rpm

    5. OpenLinux 3.1.1 Workstation

            5.1 Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/RPMS

            5.2 Packages

            40c11bad18969b6587a9d94b79c2e41c nfs-0.2.1-12.i386.rpm
            f98629ebc8412a30a1ab6fe16ea55f77 nfs-lockd-0.2.1-12.i386.rpm
            6407294bbb284c9e42f2769ef9941e8a nfs-server-0.2.1-12.i386.rpm

            5.3 Installation

            rpm -Fvh nfs-0.2.1-12.i386.rpm
            rpm -Fvh nfs-lockd-0.2.1-12.i386.rpm
            rpm -Fvh nfs-server-0.2.1-12.i386.rpm

            5.4 Source Package Location

            ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-037.0/SRPMS

            5.5 Source Packages

            f47fea29ce99c7979c50ffb3e91ddf99 nfs-0.2.1-12.src.rpm

    6. References

            Specific references for this advisory:
                    http://marc.theaimsgroup.com/?l=bugtraq&m=105839032403325&w=2
                    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0252

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr882699 fz528148
            erg712382.

    7. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers intended
            to promote secure installation and use of SCO products.

    8. Acknowledgements

            SCO would like to thank Janusz Niewiadomski for reporting this issue.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (SCO/UNIX_SVR5)

    iD8DBQE/uU5lbluZssSXDTERAjKTAKCwv9o4wj3AnK++/g6/MObc4WFUFgCgqdA8
    xmjzczTc7zXZECQEkCsW3M4=
    =Kq/p
    -----END PGP SIGNATURE-----

