Bug 93652 (CVE-2005-2500)

Summary: VUL-0: CVE-2005-2500: kernel: Overflow in xdr input validation
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Gruenbacher <agruen>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2500: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Proposed fix

Description Andreas Gruenbacher 2005-06-23 10:40:52 UTC
The bounds check in xdr_xcode_array2 can overflow. Reported by  
Florian Weimer <fw@deneb.enyo.de>. This affects the nfsacl protocol.
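The following is an added illustration and is not the attached patch or the kernel's own xdr_xcode_array2: a simplified decoder-side length check for an XDR variable-length array, with the 32-bit multiplication that can wrap shown beside a form that caps the element count before doing any arithmetic and computes the byte total in 64 bits. The struct, function and buffer names, the element size and the maximum-count values are assumptions chosen for the demonstration, and the two input buffers are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed names for this example; not the kernel's xdr_array2_desc. */
struct xdr_array_desc {
    uint32_t elem_size;     /* encoded size of one element, in bytes */
    uint32_t array_maxlen;  /* protocol-level cap on the element count */
};

/* Read one big-endian XDR unsigned int. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable form: len * elem_size is computed in 32 bits, so a large
 * count wraps to a small byte total and the comparison against the
 * remaining buffer passes although the elements are not there.
 * Returns 0 if the array header is accepted, -1 if rejected. */
int xdr_array_check_vulnerable(const unsigned char *buf, uint32_t buflen,
                               uint32_t base, const struct xdr_array_desc *d,
                               uint32_t *array_len)
{
    uint32_t len, todo;

    if (base > buflen || buflen - base < 4)
        return -1;
    len = xdr_u32(buf + base);
    todo = len * d->elem_size;              /* wraps modulo 2^32 */
    if (todo > buflen - base - 4)
        return -1;
    *array_len = len;
    return 0;
}

/* Hardened form: reject counts above the protocol maximum before any
 * arithmetic, then multiply in a width that cannot wrap. */
int xdr_array_check_hardened(const unsigned char *buf, uint32_t buflen,
                             uint32_t base, const struct xdr_array_desc *d,
                             uint32_t *array_len)
{
    uint32_t len;
    uint64_t todo;

    if (base > buflen || buflen - base < 4)
        return -1;
    len = xdr_u32(buf + base);
    if (len > d->array_maxlen)
        return -1;
    todo = (uint64_t)len * d->elem_size;    /* cannot wrap in 64 bits */
    if (todo > (uint64_t)(buflen - base - 4))
        return -1;
    *array_len = len;
    return 0;
}

/* Constructed inputs: a 4-byte count followed by one 4-byte element. */
static const unsigned char xdr_benign[8]  = { 0, 0, 0, 1, 0, 0, 0, 0 };
/* Count 0x40000001: 0x40000001 * 4 == 0x100000004, which wraps to 4. */
static const unsigned char xdr_crafted[8] = { 0x40, 0, 0, 1, 0, 0, 0, 0 };

/* Run one check over one buffer of 4-byte elements with the given cap.
 * Returns the accepted element count, or -1 if the header was rejected. */
long long run_check(int hardened, const unsigned char *buf, uint32_t buflen,
                    uint32_t maxlen)
{
    struct xdr_array_desc d = { 4, maxlen };
    uint32_t n = 0;
    int rc = hardened
        ? xdr_array_check_hardened(buf, buflen, 0, &d, &n)
        : xdr_array_check_vulnerable(buf, buflen, 0, &d, &n);
    return rc == 0 ? (long long)n : -1;
}

int main(void)
{
    printf("benign:  vulnerable=%lld hardened=%lld\n",
           run_check(0, xdr_benign, 8, 1024), run_check(1, xdr_benign, 8, 1024));
    printf("crafted: vulnerable=%lld hardened=%lld hardened(no cap)=%lld\n",
           run_check(0, xdr_crafted, 8, 1024), run_check(1, xdr_crafted, 8, 1024),
           run_check(1, xdr_crafted, 8, UINT32_MAX));
    return 0;
}
```

On the crafted 8-byte buffer the vulnerable check accepts a count of 0x40000001 elements, so a decoder loop that trusts the count walks far past the 4 bytes actually present; the hardened check rejects it either on the count cap or, with the cap removed, on the 64-bit byte total.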
Comment 1 Andreas Gruenbacher 2005-06-23 10:42:01 UTC
Created attachment 39735 [details]
Proposed fix

Already in the SP2 CVS, so it will be in RC4.
Comment 2 Marcus Meissner 2005-06-23 10:43:11 UTC
please assign and/or cc security team on such issues generally ;) 
 
ccing the other usual suspects too. 
Comment 3 Marcus Meissner 2005-06-27 08:21:06 UTC
potential remote dos  
Comment 4 Marcus Meissner 2005-06-27 09:13:05 UTC
please apply to all 2.6 based branches. 
 
(SL92, SL93 are missing I think.) 
 
Is 2.4 affected too? 
Comment 5 Marcus Meissner 2005-06-27 09:34:01 UTC
just looked at 2.4.21 ... it has way less xdr stuff and is not affected by 
this problem 
 
assign to agruen for apply 
Comment 6 Andreas Gruenbacher 2005-06-27 09:47:58 UTC
It's on the SL91, SL92, SL93, and SLES9_SP1 branches as well now. 2.4 is not  
affected. Back to security team. 
Comment 7 Marcus Meissner 2005-06-30 15:32:21 UTC
thanks! 
 
Comment 8 Ludwig Nussel 2005-07-25 09:44:30 UTC
Did this come from upstream or directly to us? Does it have a CAN#? 
Comment 9 Andreas Gruenbacher 2005-07-25 09:55:39 UTC
It came via the LKML. I don't think it has a CAN #. 
Comment 10 Ludwig Nussel 2005-08-04 07:12:39 UTC
updates released 
Comment 11 Marcus Meissner 2005-08-09 07:49:12 UTC
====================================================== 
Candidate: CAN-2005-2500 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2500 
Reference: MISC:http://lkml.org/lkml/2005/6/23/19 
Reference: CONFIRM:http://lkml.org/lkml/2005/6/23/126 
Reference: SUSE:SUSE-SA:2005:044 
Reference: URL:http://www.novell.com/linux/security/advisories/2005_44_kernel.html 
 
Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux 
kernel 2.6.5 and earlier might allow remote attackers to cause a 
denial of service and possibly execute arbitrary code via crafted XDR 
data for the nfsacl protocol. 
 
Comment 12 Olaf Hering 2005-08-17 15:12:46 UTC
I have disabled the patch, it conflicts with this commit from 2.6.13-rc6-git9:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=58fcb8df0bf663bb6b8f46cd3010bfe8d13d97cf
Comment 13 Andreas Gruenbacher 2005-08-17 15:23:23 UTC
This has resurfaced today.  
Comment 14 Andreas Gruenbacher 2005-08-17 15:23:39 UTC

*** This bug has been marked as a duplicate of 105101 ***
Comment 15 Thomas Biege 2009-10-13 21:29:22 UTC
CVE-2005-2500: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)