This archive contains answers to questions sent to Unidata support through mid-2025. Note that the archive is no longer being updated. We provide the archive for reference; many of the answers presented here remain technically correct, even if somewhat outdated. For the most up-to-date information on the use of NSF Unidata software and data services, please consult the Software Documentation first.
>To: address@hidden
>From: "hanscom-2k\\winick\\address@hidden" <address@hidden>
>Subject: XDR library buffer overflow vulnerability
>Organization: AFRL
>Keywords: 200208201446.g7KEk5K11946 netCDF XDR security

Hi Jeremy,

> I have updated my glibc on Linux for the vulnerability in the
> XDR call (SUN provided function) and was wondering whether that
> vulnerability was present in the netcdf-3.4-9 pre-built binary rpm package?
> I see that there is version netcdf-3.5.0-2 for i686 available for download,
> but the change log didn't suggest any changes. Since it does require glibc,
> are all the references to the offending function call fixed by updating that
> package?

NetCDF versions 2.4.3 (November 1996) and prior used xdr_array() from
the Sun library, so might be vulnerable. None of the versions of
netCDF since that time call xdr_array() or any XDR library functions,
but instead use our own simpler (and presumably more secure)
substitutes. See src/libsrc/ncx.x for our implementation of the XDR
functionality we needed for netCDF.

--Russ

_____________________________________________________________________
Russ Rew                                         UCAR Unidata Program
address@hidden                          http://www.unidata.ucar.edu
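As an added illustration of the topic in the exchange above (not part of the original message, and not netCDF's ncx code or glibc's xdr_array()), the following sketch shows the checks a decoder for an XDR counted array needs when the element count comes from untrusted input. The names decode_uint_array and decode_sum, the 1024-element limit and the sample byte strings are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed sample inputs, not captured data. */
static const unsigned char SAMPLE_OK[]    = {0,0,0,2, 0,0,0,7, 0,0,1,0};
static const unsigned char SAMPLE_WRAP[]  = {0x40,0,0,1, 0,0,0,7}; /* count*4 wraps in 32 bits */
static const unsigned char SAMPLE_SHORT[] = {0,0,0,3, 0,0,0,7};    /* claims 3, carries 1 */

/* One XDR unsigned int: 4 bytes, big-endian. */
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode [count][count x 4-byte elements]. Returns 0 and sets *out (caller
 * frees) and *n on success, -1 if the count is over the limit or truncated. */
int decode_uint_array(const unsigned char *buf, size_t len, uint32_t max_elems,
                      uint32_t **out, uint32_t *n)
{
    uint32_t count, i, *v;
    *out = NULL; *n = 0;
    if (len < 4)
        return -1;
    count = get_be32(buf);
    if (count > max_elems)         /* bound the untrusted count before using it */
        return -1;
    if (count > (len - 4) / 4)     /* compare by division, never an unchecked multiply */
        return -1;
    /* The size cannot overflow here: count * 4 <= len - 4. */
    v = malloc(count ? (size_t)count * sizeof *v : 1);
    if (v == NULL)
        return -1;
    for (i = 0; i < count; i++)
        v[i] = get_be32(buf + 4 + 4 * (size_t)i);
    *out = v;
    *n = count;
    return 0;
}

/* Sum of the decoded elements, or -1 if the input is rejected (limit: 1024). */
long long decode_sum(const unsigned char *buf, size_t len)
{
    uint32_t *v, n, i;
    long long sum = 0;
    if (decode_uint_array(buf, len, 1024, &v, &n) != 0)
        return -1;
    for (i = 0; i < n; i++)
        sum += v[i];
    free(v);
    return sum;
}
```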