From bugzilla@redhat.com Tue Aug 13 19:10:33 2002
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com, redhat-announce-list@redhat.com
Date: Tue, 13 Aug 2002 01:11 -0400
Subject: [RHSA-2002:166-07] Updated glibc packages fix vulnerabilities in RPC XDR decoder

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated glibc packages fix vulnerabilities in RPC XDR decoder
Advisory ID:       RHSA-2002:166-07
Issue date:        2002-08-01
Updated on:        2002-08-12
Product:           Red Hat Linux
Keywords:          sun RPC XDR buffer overflow
Cross references:
Obsoletes:         RHSA-2002:139
CVE Names:         CAN-2002-0391
---------------------------------------------------------------------

1. Topic:

Updated glibc packages are available to fix a buffer overflow in the
XDR decoder.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9
Red Hat Linux 7.0 - alpha, alphaev6, i386, i686
Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64
Red Hat Linux 7.2 - i386, i686, ia64
Red Hat Linux 7.3 - i386, i686

3. Problem description:

The glibc package contains standard libraries which are used by multiple
programs on the system. Sun RPC is a remote procedure call framework which
allows clients to invoke procedures in a server process over a network.
XDR is a mechanism for encoding data structures for use with RPC. NFS,
NIS, and many other network services are built upon Sun RPC.

glibc contains an XDR encoder/decoder derived from Sun's RPC implementation
which was recently demonstrated to be vulnerable to a heap overflow. An
error in the calculation of memory needed for unpacking arrays in the XDR
decoder in glibc 2.2.5 and earlier can result in a heap buffer overflow.
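The size miscalculation described above, shown as an added C illustration that is not glibc's sunrpc code and not the patch shipped in these errata: an element count read from the wire is multiplied by the element size in 32-bit arithmetic, so a large count wraps to a small allocation that the element loop then overruns. The checked variant beside it rejects any count whose product with the element size would not fit in 32 bits, as well as any count above a caller-supplied ceiling, and the decoder additionally refuses a message that does not carry the bytes it claims. The function names, the in-memory byte-array decoder and both sample messages are constructed for the illustration.

```c
/* Added illustration (not glibc's sunrpc code and not the errata patch):
 * the defect class behind this advisory, an array element count from the
 * network multiplied by the element size without an overflow check, beside
 * the check a decoder needs. Names and the sample messages are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Weak form: the product of a 32-bit wire count and the element size is
 * computed in 32-bit arithmetic and silently wraps, so a huge count can
 * yield a tiny allocation that the element loop then overruns. */
uint32_t array_bytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;           /* wraps modulo 2^32 */
}

/* Corrected form: reject counts above the caller's ceiling and counts whose
 * product with elsize cannot fit in 32 bits. Returns false on rejection. */
bool array_bytes_checked(uint32_t count, uint32_t elsize,
                         uint32_t maxcount, uint32_t *nbytes)
{
    if (elsize == 0 || count > maxcount)
        return false;
    if (count > UINT32_MAX / elsize)  /* count * elsize would overflow */
        return false;
    *nbytes = count * elsize;
    return true;
}

/* Read a big-endian 32-bit integer, the XDR wire encoding of an int. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode a length-prefixed array of 32-bit integers from an in-memory
 * message (a constructed stand-in for an XDR stream). Returns the element
 * count and stores a malloc'd array in *out, or returns -1 and stores
 * nothing. */
long decode_u32_array(const uint8_t *msg, size_t msglen,
                      uint32_t maxcount, uint32_t **out)
{
    uint32_t count, nbytes;
    if (msglen < 4)
        return -1;
    count = be32(msg);
    if (!array_bytes_checked(count, sizeof(uint32_t), maxcount, &nbytes))
        return -1;
    if (msglen - 4 < nbytes)         /* message must carry every element */
        return -1;
    uint32_t *arr = malloc(nbytes ? nbytes : 1);
    if (arr == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = be32(msg + 4 + 4 * i);
    *out = arr;
    return (long)count;
}

/* Constructed sample messages, not captured traffic. */
static const uint8_t SAMPLE_OK[]   = { 0,0,0,2,  0,0,0,1,  0,0,0,5 }; /* count 2: 1, 5 */
static const uint8_t SAMPLE_WRAP[] = { 0x40,0,0,1,  0,0,0,0 };       /* count 0x40000001 */

/* Sum of the elements of SAMPLE_OK, or -1 if decoding fails. */
long sample_ok_sum(void)
{
    uint32_t *a = NULL;
    long n = decode_u32_array(SAMPLE_OK, sizeof SAMPLE_OK, 64, &a);
    if (n < 0)
        return -1;
    long sum = 0;
    for (long i = 0; i < n; i++)
        sum += a[i];
    free(a);
    return sum;
}

/* 1 if the checked decoder refuses SAMPLE_WRAP, whose count wraps the size. */
int sample_wrap_rejected(void)
{
    uint32_t *a = NULL;
    return decode_u32_array(SAMPLE_WRAP, sizeof SAMPLE_WRAP, UINT32_MAX, &a) == -1;
}

int main(void)
{
    printf("unchecked size for count 0x40000001 x 4: %u bytes\n",
           array_bytes_unchecked(0x40000001u, 4));
    printf("sum of valid sample: %ld\n", sample_ok_sum());
    printf("wrapping sample rejected: %d\n", sample_wrap_rejected());
    return 0;
}
```

The unchecked product for a count of 0x40000001 four-byte elements comes out as 4 bytes, which is the whole problem in one number; the checked version refuses that count before any allocation happens, and the bound on the remaining message length means a well-formed count still cannot read past the data actually received.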
Depending upon the application, this vulnerability may be exploitable and
lead to arbitrary code execution.

All users should upgrade to these errata packages which contain patches to
the glibc libraries and therefore are not vulnerable to these issues.

Thanks to Solar Designer for providing patches for this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/glibc-2.1.3-26.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-devel-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/glibc-profile-2.1.3-26.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/nscd-2.1.3-26.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/glibc-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-devel-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/glibc-profile-2.1.3-26.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/nscd-2.1.3-26.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/glibc-2.1.3-26.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/glibc-devel-2.1.3-26.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/glibc-profile-2.1.3-26.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/nscd-2.1.3-26.sparc.rpm

sparcv9:
ftp://updates.redhat.com/6.2/en/os/sparcv9/glibc-2.1.3-26.sparcv9.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.6.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/glibc-2.2.4-18.7.0.6.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/glibc-common-2.2.4-18.7.0.6.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/glibc-devel-2.2.4-18.7.0.6.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/glibc-profile-2.2.4-18.7.0.6.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/nscd-2.2.4-18.7.0.6.alpha.rpm

alphaev6:
ftp://updates.redhat.com/7.0/en/os/alphaev6/glibc-2.2.4-18.7.0.6.alphaev6.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/glibc-2.2.4-18.7.0.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-common-2.2.4-18.7.0.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.6.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/nscd-2.2.4-18.7.0.6.i386.rpm

i686:
ftp://updates.redhat.com/7.0/en/os/i686/glibc-2.2.4-18.7.0.6.i686.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/glibc-2.2.4-29.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/glibc-2.2.4-29.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/glibc-common-2.2.4-29.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/glibc-devel-2.2.4-29.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/glibc-profile-2.2.4-29.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/nscd-2.2.4-29.alpha.rpm

alphaev6:
ftp://updates.redhat.com/7.1/en/os/alphaev6/glibc-2.2.4-29.alphaev6.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/glibc-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-common-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-devel-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/glibc-profile-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/nscd-2.2.4-29.i386.rpm

i686:
ftp://updates.redhat.com/7.1/en/os/i686/glibc-2.2.4-29.i686.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/glibc-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/glibc-common-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/glibc-devel-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/glibc-profile-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/nscd-2.2.4-29.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/glibc-2.2.4-29.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/glibc-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-common-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-devel-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/glibc-profile-2.2.4-29.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/nscd-2.2.4-29.i386.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/glibc-2.2.4-29.i686.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-common-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-devel-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/glibc-profile-2.2.4-29.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/nscd-2.2.4-29.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/glibc-2.2.5-39.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/glibc-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-common-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-debug-static-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-devel-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-profile-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/glibc-utils-2.2.5-39.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/nscd-2.2.5-39.i386.rpm

i686:
ftp://updates.redhat.com/7.3/en/os/i686/glibc-2.2.5-39.i686.rpm
ftp://updates.redhat.com/7.3/en/os/i686/glibc-debug-2.2.5-39.i686.rpm

6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
902fde40eb756d84154ab7e20627278d 6.2/en/os/SRPMS/glibc-2.1.3-26.src.rpm
4c1a1334bb64e0b8ff8ee98ef437f3fb 6.2/en/os/alpha/glibc-2.1.3-26.alpha.rpm
27a6555f8ea06873f93ffef4cc38078d 6.2/en/os/alpha/glibc-devel-2.1.3-26.alpha.rpm
50230bbda0951a6f221e08a4107fd69c 6.2/en/os/alpha/glibc-profile-2.1.3-26.alpha.rpm
85dc4eddd46e8325901d3f971051184b 6.2/en/os/alpha/nscd-2.1.3-26.alpha.rpm
99c1a729ffb9ce3b317754efa6534cf2 6.2/en/os/i386/glibc-2.1.3-26.i386.rpm
f10040cfae13b8c484353953a6fbd3d4 6.2/en/os/i386/glibc-devel-2.1.3-26.i386.rpm
47b9d894586152080d4cb4ca235ac59b 6.2/en/os/i386/glibc-profile-2.1.3-26.i386.rpm
b4e147b72613425bb3913ab500804ffb 6.2/en/os/i386/nscd-2.1.3-26.i386.rpm
ae42b1cdb4eec6c9b06e1cd9126c3d6c 6.2/en/os/sparc/glibc-2.1.3-26.sparc.rpm
589d5f111617b191d18313c16d8b2476 6.2/en/os/sparc/glibc-devel-2.1.3-26.sparc.rpm
198367455fcc4e60ee01267e8804c66f 6.2/en/os/sparc/glibc-profile-2.1.3-26.sparc.rpm
a4fb24a2479c8359a589f81cd69977c8 6.2/en/os/sparc/nscd-2.1.3-26.sparc.rpm
15164392fd5206f9d431757e56952949 6.2/en/os/sparcv9/glibc-2.1.3-26.sparcv9.rpm
dda9b8c1513a0d8c028145d4807cf060 7.0/en/os/SRPMS/glibc-2.2.4-18.7.0.6.src.rpm
ea0970bfb37241810aa67aaf67619f65 7.0/en/os/alpha/glibc-2.2.4-18.7.0.6.alpha.rpm
ebbfecb12072364cec91e3f2a5f40eab 7.0/en/os/alpha/glibc-common-2.2.4-18.7.0.6.alpha.rpm
dcec7d9ecfc495b10df9cec032b8cd00 7.0/en/os/alpha/glibc-devel-2.2.4-18.7.0.6.alpha.rpm
9d859fff6feb3647bd7646c0830ae889 7.0/en/os/alpha/glibc-profile-2.2.4-18.7.0.6.alpha.rpm
15c5c4d3e673e85348a1dc888f3ed51d 7.0/en/os/alpha/nscd-2.2.4-18.7.0.6.alpha.rpm
5461890fabd2da122193c270a8ac4d59 7.0/en/os/alphaev6/glibc-2.2.4-18.7.0.6.alphaev6.rpm
05699af0cc5f2b22ae9047b9cab3162a 7.0/en/os/i386/glibc-2.2.4-18.7.0.6.i386.rpm
34d43767ba3af94e3fbd1c54b04e7cbc 7.0/en/os/i386/glibc-common-2.2.4-18.7.0.6.i386.rpm
9f446d3c5f901da653b20db9535b6629 7.0/en/os/i386/glibc-devel-2.2.4-18.7.0.6.i386.rpm
f73d5c9afe51df1c2bb16073b4894d93 7.0/en/os/i386/glibc-profile-2.2.4-18.7.0.6.i386.rpm
7a729f073702e0b7f09177b6883f2153 7.0/en/os/i386/nscd-2.2.4-18.7.0.6.i386.rpm
f34fc0d1eda45d6eeaa4f4ef4a473b62 7.0/en/os/i686/glibc-2.2.4-18.7.0.6.i686.rpm
54a0f0ab5858fc4a2c3aa8ede75cfd2b 7.1/en/os/SRPMS/glibc-2.2.4-29.src.rpm
78f97e6419fa24beeecd0d035c951c8c 7.1/en/os/alpha/glibc-2.2.4-29.alpha.rpm
157ff2a64d725590bb0f489227cb59e0 7.1/en/os/alpha/glibc-common-2.2.4-29.alpha.rpm
9306da2d1bf0fa9387b253f9bed84f55 7.1/en/os/alpha/glibc-devel-2.2.4-29.alpha.rpm
c9a97967eb783ded680e93c9e5481cef 7.1/en/os/alpha/glibc-profile-2.2.4-29.alpha.rpm
bb589a903f6660094f869d68d4cb8e84 7.1/en/os/alpha/nscd-2.2.4-29.alpha.rpm
9265cf46c9c5ac1245e8c89530dcb943 7.1/en/os/alphaev6/glibc-2.2.4-29.alphaev6.rpm
f3d389a4ca38cb96d4a3f7e37c405741 7.1/en/os/i386/glibc-2.2.4-29.i386.rpm
76d59b340658260e4e1a8d1ce057b8b7 7.1/en/os/i386/glibc-common-2.2.4-29.i386.rpm
27ac76715305a224aff00b828f514048 7.1/en/os/i386/glibc-devel-2.2.4-29.i386.rpm
36f4838eb0b0e604207d72b931e6d704 7.1/en/os/i386/glibc-profile-2.2.4-29.i386.rpm
eb564de42736b1c9f67e51616e57371f 7.1/en/os/i386/nscd-2.2.4-29.i386.rpm
5b8d21ae3fb3d46c8f90a2db557c2e52 7.1/en/os/i686/glibc-2.2.4-29.i686.rpm
08ea8d99e1ac9dc564b43f97796f7aba 7.1/en/os/ia64/glibc-2.2.4-29.ia64.rpm
fbb8f1131f892fbb25b173a19237698c 7.1/en/os/ia64/glibc-common-2.2.4-29.ia64.rpm
9b682a108f0cde4c20fe41b90a82f122 7.1/en/os/ia64/glibc-devel-2.2.4-29.ia64.rpm
471b7a20e567eec15bd46c058a637e98 7.1/en/os/ia64/glibc-profile-2.2.4-29.ia64.rpm
db4bb2ce6b3d210b66b2899b9807d7ec 7.1/en/os/ia64/nscd-2.2.4-29.ia64.rpm
54a0f0ab5858fc4a2c3aa8ede75cfd2b 7.2/en/os/SRPMS/glibc-2.2.4-29.src.rpm
f3d389a4ca38cb96d4a3f7e37c405741 7.2/en/os/i386/glibc-2.2.4-29.i386.rpm
76d59b340658260e4e1a8d1ce057b8b7 7.2/en/os/i386/glibc-common-2.2.4-29.i386.rpm
27ac76715305a224aff00b828f514048 7.2/en/os/i386/glibc-devel-2.2.4-29.i386.rpm
36f4838eb0b0e604207d72b931e6d704 7.2/en/os/i386/glibc-profile-2.2.4-29.i386.rpm
eb564de42736b1c9f67e51616e57371f 7.2/en/os/i386/nscd-2.2.4-29.i386.rpm
5b8d21ae3fb3d46c8f90a2db557c2e52 7.2/en/os/i686/glibc-2.2.4-29.i686.rpm
08ea8d99e1ac9dc564b43f97796f7aba 7.2/en/os/ia64/glibc-2.2.4-29.ia64.rpm
fbb8f1131f892fbb25b173a19237698c 7.2/en/os/ia64/glibc-common-2.2.4-29.ia64.rpm
9b682a108f0cde4c20fe41b90a82f122 7.2/en/os/ia64/glibc-devel-2.2.4-29.ia64.rpm
471b7a20e567eec15bd46c058a637e98 7.2/en/os/ia64/glibc-profile-2.2.4-29.ia64.rpm
db4bb2ce6b3d210b66b2899b9807d7ec 7.2/en/os/ia64/nscd-2.2.4-29.ia64.rpm
b6a08de99a9a584962cb49efe831df02 7.3/en/os/SRPMS/glibc-2.2.5-39.src.rpm
2025431dfbb109c0b0c50d825f7fee27 7.3/en/os/i386/glibc-2.2.5-39.i386.rpm
a8c38b4ee8b84964a636d3989f9e10bb 7.3/en/os/i386/glibc-common-2.2.5-39.i386.rpm
bad388217f5aa3528892f7690a9655b9 7.3/en/os/i386/glibc-debug-2.2.5-39.i386.rpm
68ebf1bb3a7993e92aedfea151ef14be 7.3/en/os/i386/glibc-debug-static-2.2.5-39.i386.rpm
d2721bfd9582422283671a10c13f3bd6 7.3/en/os/i386/glibc-devel-2.2.5-39.i386.rpm
e5416c72ed687a9c96d6115c7543477f 7.3/en/os/i386/glibc-profile-2.2.5-39.i386.rpm
f53f1577950d5a9571f63af65f2b0ee9 7.3/en/os/i386/glibc-utils-2.2.5-39.i386.rpm
19b9bb5182518d3bcf9ba8d2a8ee6421 7.3/en/os/i386/nscd-2.2.5-39.i386.rpm
04475ca3f7e3d715bbadba4be684adae 7.3/en/os/i686/glibc-2.2.5-39.i686.rpm
de47bae77ce5763fe0a40d63957abc27 7.3/en/os/i686/glibc-debug-2.2.5-39.i686.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg <filename>

7. References:

http://online.securityfocus.com/archive/1/285308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.