[VIM] vuldb confusion between OpenPegasus issues

Mark J Cox mjc at redhat.com
Tue Jan 15 09:39:06 UTC 2008


It seems that some vulndbs have got a bit confused by the OpenPegasus 
issues that were reported a couple of weeks ago.  That misinformation is 
working its way up into public reports.  So, for the record:

In December 2007, VMware contacted the vendor-sec mailing list to let us 
know they'd found a pre-authentication buffer overflow in OpenPegasus 
versions prior to 2.7.  This issue was credited as being discovered by 
Alexander Sotirov of VMware and allocated CVE-2007-5360.

This overflow only affected OpenPegasus builds that had been compiled to 
use PAM and with the (optional) PEGASUS_USE_PAM_STANDALONE_PROC define. 
This issue affected the VMware OpenPegasus builds, but not the Red Hat 
OpenPegasus builds.

http://marc.info/?l=full-disclosure&m=119975801904357&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360

However, whilst investigating this issue, the Red Hat Security Response 
Team discovered that there was a similar pre-authentication buffer 
overflow affecting OpenPegasus versions prior to 2.7, but this time it 
affected servers that had been compiled with PAM but without the 
PEGASUS_USE_PAM_STANDALONE_PROC define, and was in a different piece of 
code to the CVE-2007-5360 flaw.  This issue did affect the Red Hat 
OpenPegasus builds.  We allocated CVE-2008-0003 to this issue.

https://rhn.redhat.com/errata/RHSA-2008-0002.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0003

Both of the issues were corrected upstream by a single patch, attached to 
OpenPegasus bug 7220; the patch was written by Roger Kumpf.  Versions 2.7
were already not vulnerable as both bits of affected code had been 
refactored for that release.
http://cvs.opengroup.org/bugzilla/show_bug.cgi?id=7220

Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team

