(Apple Issues Fix) 'libc' Off-by-One Overflow in realpath() May Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1007503 |
|
SecurityTracker URL: http://securitytracker.com/id/1007503
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 15 2003
|
Impact:
Denial of service via local system, Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network, User access via local system, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2.3.2
|
Description:
A buffer overflow vulnerability was reported in libc. A remote or local user may be able to crash an application, execute arbitrary code, or gain elevated privileges on the target system. The specific impact depends on the applications that use the vulnerable realpath() function in libc.
It is reported that a user can supply a specially crafted pathname that is 1024 characters in length to the realpath() function. If the pathname string contains two or more directory separators, a buffer can be overwritten with a single byte (NULL).
The impact depends on the application that uses the vulnerable function, the underlying operating system, and other factors.
This vulnerability was originally reported in Alert ID #1007353 on July 31, 2003 (CVE: CAN-2003-0466) as a flaw in wu-ftpd. However, according to FreeBSD, the vulnerability resides in the underlying 'libc' realpath() function.
Janusz Niewiadomski <funkysh@isec.pl> and Wojciech Purczynski <cliph@isec.pl> are credited with reporting this flaw.
|
Impact:
A remote or local user may be able to cause the system to crash or arbitrary code to be executed. The specific impact depends on the application that uses the affected function.
|
Solution:
Apple has released Security Update 2003-08-14. According to Apple, the vulnerable code is used by the FTPServer and Libc projects.
Two separate versions of the update are available: one for Mac OS X Server 10.2.6 and one for Mac OS X Client 10.2.6.
Security Update 2003-08-14 for Mac OS X Server 10.2.6 is available at:
* Software Update pane in System Preferences
- OR -
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120238
The download file is named: "SecUpdSrvr2003-08-14.dmg"
Its SHA-1 digest is: 1b27363f080378c085d04436b0ded0507f0bf23e
Security Update 2003-08-14 for Mac OS X 10.2.6 (Client) is available at:
* Software Update pane in System Preferences
- OR -
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120239
The download file is named: "SecurityUpd2003-08-14.dmg"
Its SHA-1 digest is: 6b3779275007b84bcc0273b60c9ed8b8ae153435
Additional information is available at:
http://docs.info.apple.com/article.html?artnum=61798
|
Vendor URL: www.info.apple.com/kbnum/n120238 (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (OS X)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 14 Aug 2003 17:53:39 -0700
Subject: APPLE-SA-2003-08-14 realpath
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Update 2003-08-14 is now available APPLE-SA-2003-08-14 realpath.
It addresses CAN-2003-0466, a potential vulnerability in the
fb_realpath() function, used by the FTPServer and Libc projects, which
could allow a local or remote user to gain unauthorized root privileges
to a system.
Security Update 2003-08-14 is available as two separate packages: one
for Mac OS X Server 10.2.6, and the other for Mac OS X 10.2.6 (Client).
Security Update 2003-08-14 for Mac OS X Server 10.2.6 may be obtained
from:
* Software Update pane in System Preferences
- OR -
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120238
The download file is named: "SecUpdSrvr2003-08-14.dmg"
Its SHA-1 digest is: 1b27363f080378c085d04436b0ded0507f0bf23e
Security Update 2003-08-14 for Mac OS X 10.2.6 (Client) may be obtained
from:
* Software Update pane in System Preferences
- OR -
* Apple's Software Downloads web site:
http://www.info.apple.com/kbnum/n120239
The download file is named: "SecurityUpd2003-08-14.dmg"
Its SHA-1 digest is: 6b3779275007b84bcc0273b60c9ed8b8ae153435
Information will also be posted to the Apple Support web site:
http://docs.info.apple.com/article.html?artnum=61798
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBPzwufHeI0z6bzFr0AQKouwf8DoDrU2UfFKAFKdt8qbzBOyKaFI/TGvAT
Dt8GY9OfV/MWPieok85lo5zD4175WuhxTXjmaTvONO0wMo5WfcJsredYx6l0Egt6
AQrcTEvSN6n6AFlic2SbiZEjF7XEjjnvXDhs2kMXydwB5TntKKOqNOXB2s7aof3Z
1Yi0otnddEKrwyuryNWpMZNJbtuqjmR3JE+EmNbaDnw8vrgd0LqjK/9mN+b0lniO
C5D6g/brli/pOzUcbO7ES5v+BQg6rSywL6HCnUB83jdGr1PPEOEjbopMXLmAn4+t
bbG2fohH8ZJrjrFn3fpdWMc2FT90BLRLFHZlTBleL790sWAnUrW3Bg==
=ibVT
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
|
|
