diff options
Diffstat (limited to 'patches/glibc-2.2.5/generic/generic-xdr_array.diff')
-rw-r--r-- | patches/glibc-2.2.5/generic/generic-xdr_array.diff | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/patches/glibc-2.2.5/generic/generic-xdr_array.diff b/patches/glibc-2.2.5/generic/generic-xdr_array.diff new file mode 100644 index 000000000..06c49c519 --- /dev/null +++ b/patches/glibc-2.2.5/generic/generic-xdr_array.diff @@ -0,0 +1,40 @@ +# +# glibc-2.2.5 "xdr_array" fix +# (Category - Essential security fix) +# (Source - glibc cvs glibc-2-2-branch) +# +# There is an integer overflow present in the xdr_array() function +# distributed as part of the Sun Microsystems XDR library. This +# overflow has been shown to lead to remotely exploitable buffer +# overflows in multiple applications, leading to the execution of +# arbitrary code. Although the library was originally distributed by +# Sun Microsystems, multiple vendors have included the vulnerable code +# in their own implementations. +# +# http://www.cert.org/advisories/CA-2002-25.html +# http://www.zipworld.com.au/%7Egschafer/patches/glibc-2.2.5.xdr_array.patch.gz +# +diff -uNr glibc-2.2.5.orig/sunrpc/xdr_array.c glibc-2.2.5/sunrpc/xdr_array.c +--- glibc-2.2.5.orig/sunrpc/xdr_array.c 2001-08-17 14:48:31.000000000 +1000 ++++ glibc-2.2.5/sunrpc/xdr_array.c 2002-08-06 14:14:59.000000000 +1000 +@@ -45,6 +45,7 @@ + #include <rpc/types.h> + #include <rpc/xdr.h> + #include <libintl.h> ++#include <limits.h> + + #ifdef USE_IN_LIBIO + # include <wchar.h> +@@ -81,7 +82,11 @@ + return FALSE; + } + c = *sizep; +- if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) ++ /* ++ * XXX: Let the overflow possibly happen with XDR_FREE because mem_free() ++ * doesn't actually use its second argument anyway. ++ */ ++ if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE)) + { + return FALSE; + } |