Bugzilla – Bug 42744
VUL-0: CVE-2003-0252: nfs-utils: xlog() off-by-one bug
Last modified: 2022-02-17 08:41:14 UTC
Date: Sun, 6 Jul 2003 15:32:55 +0200 (CEST)
From: Janusz Niewiadomski <funkysh@isec.pl>
To: vendor-sec@lst.de
Subject: [vendor-sec] Linux nfs-utils xlog() off-by-one bug

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Some of you may already be informed about the nfs-utils vulnerability that we are going to disclose in the near future. For the rest, a copy of the advisory is attached below.

Since a fix is already available, we (isec and nfs-utils vendors) decided to release the advisory and the new (1.4.0) version of the package on July 14th, 12.00 EST. The question is, is that date acceptable for you? Suggestions would be appreciated.

Also please contact Neil Brown <neilb@cse.unsw.edu.au> for any information regarding the fix / new version of nfs-utils.

Regards,

- --8<--

Synopsis:  Linux nfs-utils xlog() off-by-one bug
Product:   nfs-utils
Version:   <= 1.0.3
Vendor:    http://sourceforge.net/projects/nfs/
URL:       http://isec.pl/vulnerabilities/
CVE:       CAN-2003-0252
Author:    Janusz Niewiadomski <funkysh@isec.pl>
Date:      July 14, 2003

Issue:
======

The Linux nfs-utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon.

Details:
========

An off-by-one bug exists in the xlog() function, which handles logging of requests. An overflow occurs when the function tries to add a missing trailing newline character to the logged string. Due to a miscalculation, if a string passed to the function is equal to or longer than 1023 bytes, the '\0' byte will be written beyond the buffer:

- ------8<------cut-here------8<------
char buff[1024];
...
va_start(args, fmt);
vsnprintf(buff, sizeof (buff), fmt, args);
va_end(args);
buff[sizeof (buff) - 1] = 0;
if ((n = strlen(buff)) > 0 && buff[n-1] != '\n') {
    buff[n++] = '\n';
    buff[n++] = '\0';
}
- ------8<------cut-here------8<------

Impact:
=======

A local or remote attacker who is capable of sending RPC requests to a vulnerable mountd daemon could execute arbitrary code or cause a denial of service.

Vendor Status:
==============

June 10, 2003  Vendor has been contacted

- --
Janusz Niewiadomski
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/CCUVzGsegB5eZ9IRAnKFAJ9xpByOopFUOXf6S1i5hdq0+cfBxACglG78
le515PamUwSTLvcADtOnycQ=
=iP4z
-----END PGP SIGNATURE-----

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
http://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
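The following is an added worked example written for this page; it is not code from the advisory, from nfs-utils, or from the SUSE patch attached to this bug. It lifts the newline-appending logic quoted in the advisory out of xlog() so it can be driven against a caller-supplied buffer, reports where the terminating NUL lands, and sets a hardened variant beside it that formats into one byte less so the appended '\n' and the NUL always stay inside the buffer. The hardening shown is this editor's own, not necessarily the upstream fix. Function names (`xlog_format_vulnerable`, `xlog_format_hardened`, `terminator_index`, `hardened_output_ok`) and the all-'A' test messages are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 1024   /* size of xlog()'s buff[] in nfs-utils <= 1.0.3 */

/* The logic quoted in the advisory, applied to a caller-supplied buffer of
 * `size` bytes. Returns the index at which the terminating NUL was written;
 * an index >= size means the NUL landed outside the buffer. */
static size_t xlog_format_vulnerable(char *buff, size_t size, const char *fmt, ...)
{
    va_list args;
    size_t n;

    va_start(args, fmt);
    vsnprintf(buff, size, fmt, args);
    va_end(args);
    buff[size - 1] = 0;
    n = strlen(buff);
    if (n > 0 && buff[n - 1] != '\n') {
        /* n may be size-1 here: buff[n] is the last byte of the buffer and
         * buff[n+1] is one past its end. Same two writes as the original. */
        buff[n++] = '\n';
        buff[n] = '\0';
    }
    return n;
}

/* Hardened form (editor's version, assumption: not the upstream patch):
 * format into size-1 bytes so even the longest message leaves room for
 * both the appended '\n' and the NUL inside the buffer. The trade-off is
 * that one more byte of an over-long message is truncated. */
static size_t xlog_format_hardened(char *buff, size_t size, const char *fmt, ...)
{
    va_list args;
    size_t n;

    if (size < 2) {
        if (size)
            buff[0] = '\0';
        return 0;
    }
    va_start(args, fmt);
    vsnprintf(buff, size - 1, fmt, args);   /* at most size-2 chars + NUL */
    va_end(args);
    buff[size - 2] = '\0';
    n = strlen(buff);                       /* n <= size-2 */
    if (n > 0 && buff[n - 1] != '\n') {
        buff[n++] = '\n';                   /* index <= size-2 */
        buff[n] = '\0';                     /* index <= size-1: in bounds */
    }
    return n;
}

/* Drives one of the two routines with a constructed message of `len` 'A's
 * and returns the NUL's index. The backing store has two spare bytes after
 * the 1024-byte log buffer so the vulnerable routine's out-of-bounds write
 * is absorbed and the demonstration itself stays within defined behaviour. */
static size_t terminator_index(size_t len, int hardened)
{
    char store[LOGBUF + 2];
    char msg[LOGBUF + 1];

    if (len > LOGBUF)
        len = LOGBUF;
    memset(msg, 'A', len);
    msg[len] = '\0';
    memset(store, 0, sizeof store);
    return hardened ? xlog_format_hardened(store, LOGBUF, "%s", msg)
                    : xlog_format_vulnerable(store, LOGBUF, "%s", msg);
}

/* 1 if the hardened routine leaves a newline-terminated string whose NUL
 * is inside the buffer for a message of `len` bytes, else 0. */
static int hardened_output_ok(size_t len)
{
    char store[LOGBUF];
    char msg[LOGBUF + 1];
    size_t idx;

    if (len > LOGBUF)
        len = LOGBUF;
    memset(msg, 'A', len);
    msg[len] = '\0';
    idx = xlog_format_hardened(store, LOGBUF, "%s", msg);
    return idx > 0 && idx < LOGBUF && store[idx] == '\0' && store[idx - 1] == '\n';
}

int main(void)
{
    size_t lens[] = { 5, 1022, 1023, 1024 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t v = terminator_index(lens[i], 0);
        size_t h = terminator_index(lens[i], 1);
        printf("len %4zu: original NUL at %zu (%s), hardened NUL at %zu\n",
               lens[i], v, v >= LOGBUF ? "OUT OF BOUNDS" : "ok", h);
    }
    return 0;
}
```

A message of 1022 bytes is the longest the original logic handles safely (NUL at index 1023); at 1023 bytes or more the '\n' takes index 1023 and the NUL goes to index 1024, one past `buff`. The hardened variant caps the NUL at index 1023 for any input length.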
I have prepared fixed packages and putonftp files; waiting for autobuild to come back to life.
Created attachment 13032: Proposed patch
Packages, putonftp and patchinfo submitted.
Available on MaintWeb http://thor.suse.de/en/psdb/html/8ad601c1bd93ee96c906254272c31fc0.html

Product(s): SuSE eMail Server 3.1, SuSE eMail Server III, SuSE Firewall Adminhost VPN, SuSE Linux Admin-CD for Firewall, SuSE Firewall on CD 2 - VPN, SuSE Firewall on CD 2, SuSE Linux Connectivity Server, SuSE Linux Enterprise Server 7 for IA32, SuSE Linux Enterprise Server 7 for IA64, SuSE Linux Enterprise Server 7 for PowerPC, SuSE Linux Enterprise Server 7 for S/390 and zSeries, SuSE Linux Enterprise Server 7 for IBM zSeries, SuSE Linux Enterprise Server 8 for x86, SLES 8 for IBM iSeries and IBM pSeries, SuSE Linux Enterprise Server 8 for IBM S/390 and IBM zSeries, SuSE Linux Enterprise Server 8 for IBM zSeries, SuSE Linux Office Server, SuSE Linux Openexchange Server 4, UnitedLinux 1.0, SuSE Linux Enterprise Server 8 for IA64, SuSE Linux Enterprise Server 8 for AMD64, SuSE Linux Desktop 1.0

Setting to closed.