Re: 20020820: XDR library buffer overflow vulnerability
- Subject: Re: 20020820: XDR library buffer overflow vulnerability
- Date: Tue, 20 Aug 2002 10:10:51 -0600
>To: address@hidden
>From: "hanscom-2k\\winick\\address@hidden" <address@hidden>
>Subject: XDR library buffer overflow vulnerability
>Organization: AFRL
>Keywords: 200208201446.g7KEk5K11946 netCDF XDR security
Hi Jeremy,
> I have updated my glibc on Linux for the vulnerability in the
> XDR call (SUN provided function) and was wondering whether that
> vulnerability was present in the netcdf-3.4-9 pre-built binary rpm package?
> I see that there is version netcdf-3.5.0-2 for i686 available for download,
> but the change log didn't suggest any changes. Since it does require glibc,
> are all the references to the offending function call fixed by updating that
> package?
NetCDF versions 2.4.3 (November 1996) and prior used xdr_array() from
the Sun library, so might be vulnerable. None of the versions of
netCDF since that time call xdr_array() or any XDR library functions,
but instead use our own simpler (and presumably more secure)
substitutes. See src/libsrc/ncx.x for our implementation of the XDR
functionality we needed for netCDF.
--Russ
_____________________________________________________________________
Russ Rew UCAR Unidata Program
address@hidden http://www.unidata.ucar.edu