(NetBSD Issues Fix) libc strfmon() Integer Overflows May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1019912
SecurityTracker URL: http://securitytracker.com/id?1019912
CVE Reference: CVE-2008-1391
Date: Apr 22 2008
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: NetBSD Security Advisory

Description: A vulnerability was reported in libc. A user can cause arbitrary code to be executed on the target system.

A remote user can send a specially crafted value that, when processed by the target application that uses libc, will trigger an integer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target application.

Applications that use the strfmon() function are affected.

Maksymilian Arciemowicz (cxib) of SecurityReason.com reported this vulnerability.

The original advisory is available at:
http://securityreason.com/achievement_securityalert/53

Impact: A user can cause arbitrary code to be executed on the target system. The specific impact depends on the application using libc.

Solution: NetBSD has released a fix.

The NetBSD advisory is available at:
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Cause: Boundary error
Underlying OS: UNIX (NetBSD)
Underlying OS Comments: 4.0
Reported By: NetBSD Security-Officer <security-officer@NetBSD.org>

Message History: This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Mon, 21 Apr 2008 23:28:05 +0100
From: NetBSD Security-Officer <security-officer@NetBSD.org>
Subject: NetBSD Security Advisory 2008-006: Integer overflow in strfmon(3)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2008-006
                 =================================

Topic:          Integer overflow in strfmon(3) function

Version:        NetBSD-current: affected
                NetBSD 4.0:     affected
                NetBSD 3.1.*:   unaffected
                NetBSD 3.1:     unaffected
                NetBSD 3.0:     unaffected
                NetBSD 3.0.*:   unaffected

Severity:       Local user may be able to execute arbitrary code

Fixed:          NetBSD-current:    March 18, 2008
                NetBSD-4 branch:   March 19, 2008
                                   (4.1 will include the fix)
                NetBSD-4-0 branch: March 19, 2008
                                   (4.0.1 will include the fix)

Abstract
========

The strfmon() function contains multiple integer overflows which can be
exploited by a local attacker to cause a crash or potentially execute
arbitrary code.

Technical Details
=================

The vulnerability exists in strfmon() because of the use of the GET_NUMBER()
macro. This macro does not check for integer overflow, and its value is
passed as an argument to the memmove() and memset() functions, which can
result in a crash or possibly the execution of arbitrary code.

This issue has been assigned CVE reference CVE-2008-1391.

Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libc binaries
by updating your source tree and rebuilding and installing a new version
of libc.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-03-18
        should be upgraded to NetBSD-current dated 2008-03-19 or later.

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:
                # cd src
                # cvs update lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-03-19 should be upgraded from NetBSD 4.* source dated
        2008-03-20 or later.

        The following files need to be updated from the
        netbsd-4 or netbsd-4-0 CVS branches:
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:
                # cd src
                # cvs update -r <branch_name> lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Maksymilian Arciemowicz for reporting this problem and Christos Zoulas
for providing a fix.

Revision History
================

        2008-04-21      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-006.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
-----END PGP SIGNATURE-----
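
Added example (not code from the NetBSD advisory or from libc): the unchecked digit accumulation that the Technical Details section attributes to GET_NUMBER(), next to a bounds-checked form that rejects the value before it can reach memset(). The function names, the 16-byte buffer and the digit strings are constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked accumulation as the advisory describes; uint32_t keeps the wrap defined. */
static uint32_t parse_width_unchecked(const char *fmt)
{
    uint32_t v = 0;
    for (; isdigit((unsigned char)*fmt); fmt++)
        v = v * 10 + (uint32_t)(*fmt - '0');
    return v;
}

/* Checked accumulation: fails instead of wrapping past INT_MAX. */
static int parse_width_checked(const char *fmt, int *out)
{
    int v = 0;
    for (; isdigit((unsigned char)*fmt); fmt++) {
        int d = *fmt - '0';
        if (v > (INT_MAX - d) / 10)
            return -1;              /* v * 10 + d would exceed INT_MAX */
        v = v * 10 + d;
    }
    *out = v;
    return 0;
}

/* Hypothetical caller: pad dst with `width` spaces, rejecting widths that
 * overflowed or do not fit, before the value reaches memset(). */
static int pad_field(char *dst, size_t dstlen, const char *fmt)
{
    int width;
    if (parse_width_checked(fmt, &width) != 0 || (size_t)width >= dstlen)
        return -1;
    memset(dst, ' ', (size_t)width);
    dst[width] = '\0';
    return width;
}

int main(void)
{
    char buf[16];   /* inputs below are constructed digit strings */
    printf("unchecked: %u\n", (unsigned)parse_width_unchecked("4294967297"));
    printf("checked:   %d\n", pad_field(buf, sizeof buf, "4294967297"));
    printf("in range:  %d\n", pad_field(buf, sizeof buf, "8"));
    return 0;
}
```

The unchecked parser silently turns a ten-digit width into a small, plausible-looking number, which is why a later length check on the parsed value alone is not enough; the overflow has to be caught during accumulation.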