
Slackware SSA:2003-141-03: Glibc XDR integer overflow

by Nikola Strahija on May 22nd, 2003

An integer overflow vulnerability has been found in GNU libc which, if exploited, could lead to buffer overflow attacks and arbitrary code execution.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] glibc XDR overflow fix (SSA:2003-141-03)

An integer overflow in the xdrmem_getbytes() function found in the glibc
library has been fixed. This could allow a remote attacker to execute
arbitrary code by exploiting RPC services that use xdrmem_getbytes(). None of
the default RPC services provided by Slackware appear to use this function,
but third-party applications may make use of it.

We recommend upgrading to these new glibc packages.


Here are the details from the Slackware 9.0 ChangeLog:
+--------------------------+
Tue May 20 20:13:09 PDT 2003
patches/packages/glibc-2.3.1-i386-4.tgz: Patched, recompiled.
(* Security fix *)
patches/packages/glibc-debug-2.3.1-i386-4.tgz: Patched, recompiled.
(* Security fix *)
patches/packages/glibc-i18n-2.3.1-noarch-4.tgz: Rebuilt.
patches/packages/glibc-profile-2.3.1-i386-4.tgz: Patched, recompiled.
(* Security fix *)
patches/packages/glibc-solibs-2.3.1-i386-4.tgz: Patched a buffer overflow in
some dead code (xdrmem_getbytes(), which we couldn't find used by anything,
but it doesn't hurt to patch it anyway)
(* Security fix *)
patches/packages/glibc-zoneinfo-2.3.1-noarch-4.tgz: Rebuilt.
+--------------------------+



WHERE TO FIND THE NEW PACKAGES:
+-----------------------------+

Updated packages for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-2.2.5-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/glibc-solibs-2.2.5-i386-4.tgz

Updated packages for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-debug-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-i18n-2.3.1-noarch-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-profile-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-solibs-2.3.1-i386-4.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/glibc-zoneinfo-2.3.1-noarch-4.tgz



MD5 SIGNATURES:
+-------------+

Slackware 8.1 packages:
ae235701abcccdc726789c9af5a0eb7b glibc-2.2.5-i386-4.tgz
83714476158d8f93a1f597bfdc6945e7 glibc-solibs-2.2.5-i386-4.tgz

Slackware 9.0 packages:
98fb90ce972b42bf5731bc71a722832a glibc-2.3.1-i386-4.tgz
9f2c944389f25dfe1c1dcb13210d9dc4 glibc-debug-2.3.1-i386-4.tgz
fa9fe934fe1dde4c134021e39aadaf7e glibc-i18n-2.3.1-noarch-4.tgz
1b264af8e047fa9378169bb4f8a9836f glibc-profile-2.3.1-i386-4.tgz
7c31f7602c54262c1e3ae16e59f8e0d6 glibc-solibs-2.3.1-i386-4.tgz
35b89aa808f4e7c8424f50eab73d824a glibc-zoneinfo-2.3.1-noarch-4.tgz



INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade using upgradepkg (as root):

upgradepkg glibc-*.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
[email protected]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+zBCIakRjwEAQIjMRAoYYAJ9eWHfu86BNEDwGoEAUuxpOW2sNlgCfTPZZ
Vt978iIVk+LmvFMcA8j9Foc=
=tSij
-----END PGP SIGNATURE-----
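
The advisory does not show the flawed check itself. As an added illustration (not glibc's source and not part of the Slackware advisory), the C below models how a length check in a memory-backed stream reader can be defeated by integer wraparound, next to a hardened form that compares before subtracting. The struct, the function names and the subtract-then-test form of the flawed check are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory-backed decode stream; not glibc's XDR structure. */
struct mem_stream {
    const uint8_t *pos;  /* next unread byte */
    int32_t handy;       /* bytes remaining, held as a signed count */
};

/* Flawed pattern (assumed form): subtract first, then test the sign.
 * The subtraction is modulo 2^32, so a huge len wraps to a small
 * non-negative value and the request is accepted. */
bool check_subtract_then_sign(int32_t handy, uint32_t len)
{
    uint32_t diff = (uint32_t)handy - len;
    return (diff & 0x80000000u) == 0;  /* sign bit clear: "bytes left" */
}

/* Hardened pattern: compare before subtracting, in unsigned arithmetic. */
bool check_compare_first(int32_t handy, uint32_t len)
{
    return handy >= 0 && len <= (uint32_t)handy;
}

/* Reader built on the hardened check; only validated lengths are copied. */
bool mem_getbytes(struct mem_stream *s, uint8_t *dst, uint32_t len)
{
    if (!check_compare_first(s->handy, len))
        return false;
    memcpy(dst, s->pos, len);
    s->pos += len;
    s->handy -= (int32_t)len;
    return true;
}

int main(void)
{
    /* Constructed lengths: in range, slightly over, and near 2^32. */
    const uint32_t lens[] = { 8u, 17u, 0xFFFFFFF0u };
    for (size_t i = 0; i < 3; i++)
        printf("handy=16 len=%10lu  subtract-then-sign=%d  compare-first=%d\n",
               (unsigned long)lens[i],
               check_subtract_then_sign(16, lens[i]),
               check_compare_first(16, lens[i]));
    return 0;
}
```

A length just past the limit, such as 17 against 16 remaining bytes, is rejected by both checks; only lengths near 2^32 slip past the subtract-then-test form.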

