Home » Mailing list archives » netbsd-announce » 2008 » April » 21

NetBSD Security Advisory 2008-006: Integer overflow in strfmon(3) function

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: NetBSD Security-Officer <security-officer@...>
To: <netbsd-announce@...>
Subject: NetBSD Security Advisory 2008-006: Integer overflow in strfmon(3) function
Date: Monday, April 21, 2008 - 6:28 pm

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1


		 NetBSD Security Advisory 2008-006

		 =================================


Topic:		Integer overflow in strfmon(3) function


Version:	NetBSD-current:		affected

		NetBSD 4.0:		affected

		NetBSD 3.1.*:		unaffected

		NetBSD 3.1:		unaffected

		NetBSD 3.0:		unaffected

		NetBSD 3.0.*:		unaffected


Severity:	Local user may be able to execute arbitrary code


Fixed:		NetBSD-current:		March 18, 2008

		NetBSD-4 branch:	March 19, 2008

			(4.1 will include the fix)

		NetBSD-4-0 branch:	March 19, 2008

			(4.0.1 will include the fix)


Abstract

========


The strfmon() function contains multiple integer overflows which can be

exploited by a local attacker to cause a crash or potentially execute

arbitrary code.


Technical Details

=================


The vulnerability exists in strfmon() because of the use of the GET_NUMBER()

macro.  This macro does not check for integer overflow, and its value is

passed as an argument to the memmove() and memset() functions, which can

result in a crash or possibly the execution of arbitrary code.


This issue has been assigned CVE reference CVE-2008-1391.


Solutions and Workarounds

=========================


The following instructions describe how to upgrade your libc binaries

by updating your source tree and rebuilding and installing a new version

of libc.


* NetBSD-current:


	Systems running NetBSD-current dated from before 2008-03-18

	should be upgraded to NetBSD-current dated 2008-03-19 or later.


	The following files need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		lib/libc/stdlib/strfmon.c


	To update from CVS, re-build, and re-install libc:


		# cd src

		# cvs update lib/libc/stdlib/strfmon.c

		# cd lib/libc

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install


* NetBSD 4.*:


	Systems running NetBSD 4.* sources dated from before

	2008-03-19 should be upgraded from NetBSD 4.* source dated

	2008-03-20 or later.


	The following files need to be updated from the

	netbsd-4 or netbsd-4-0 CVS branches:

		lib/libc/stdlib/strfmon.c


	To update from CVS, re-build, and re-install libc:


		# cd src

		# cvs update -r  lib/libc/stdlib/strfmon.c

		# cd lib/libc

		# make USETOOLS=no cleandir dependall

		# make USETOOLS=no install


Thanks To

=========


Maksymilian Arciemowicz for reporting this problem and Christos Zoulas

for providing a fix.


Revision History

================


	2008-04-21	Initial release


More Information

================


Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at

  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.tx...


Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.


$NetBSD: NetBSD-SA2008-006.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $


-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (NetBSD)


iQCVAwUBSAUSOD5Ru2/4N2IFAQLzCAQAp1P1sXgdVdcBYZ792JaU+ojWGMW3PqR1

tjSnp8rbkENkfGdtGKlkT2rLHshKiM0DzZL6SyiEDleSZtAv4cuzVQZf2ia+5WWR

SI9TOo/WkPivXnwuKxW1XVefH00wv/KK5wsZAXNxWFY/oIs1pNWQ6QUi4umGmj8L

C7he0Od/rdk=

=2ESK

-----END PGP SIGNATURE-----
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
NetBSD Security Advisory 2003-001: Encryption weakness in Op..., NetBSD Security Officer, (Tue Mar 4, 2:31 am)
Summary of Changes to the NetBSD Packages Collection in July..., Alistair Crooks, (Mon Sep 1, 2:51 am)
NetBSD Security Advisory 2004-003: OpenSSL 0.9.6 ASN.1 parse..., NetBSD Security-Officer, (Thu Feb 19, 9:36 am)
NetBSD Security Advisory 2008-014: Cross-site request forger..., NetBSD Security-Officer, (Mon Oct 27, 6:46 pm)
Planned network outage for netbsd.org servers Sat Aug 8th 16..., S.P.Zeidler, (Thu Aug 6, 3:21 am)
End of life for the NetBSD 1.5 branch, James Chacon, (Thu Jan 27, 12:04 am)
NetBSD Security Advisory 2005-006: Multiple vulnerabilities ..., NetBSD Security-Officer, (Mon Nov 7, 6:57 pm)
NetBSD Security Advisory 2009-002: tcpdump multiple denial o..., NetBSD Security Officer, (Tue Jun 23, 4:59 pm)
NetBSD Security Advisory 2008-006: Integer overflow in strfm..., NetBSD Security-Officer, (Mon Apr 21, 6:28 pm)
NetBSD 4.0 Release Candidate 3 available for download, Pavel Cahyna, (Fri Oct 19, 2:51 am)
Announcing NetBSD and the Google "Summer of Code" Projects 2..., Hubert Feyrer, (Thu May 25, 6:28 pm)
OpenBSD moderation removal, Christos Zoulas, (Tue Jul 30, 10:54 am)
NetBSD Bugathon: Not quite dead, Elad Efrat, (Sun Sep 24, 7:45 pm)