-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2008-006
                 =================================

Topic:          Integer overflow in strfmon(3) function

Version:        NetBSD-current:         affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           unaffected
                NetBSD 3.1:             unaffected
                NetBSD 3.0:             unaffected
                NetBSD 3.0.*:           unaffected

Severity:       Local user may be able to execute arbitrary code

Fixed:          NetBSD-current:         March 18, 2008
                NetBSD-4 branch:        March 19, 2008
                                        (4.1 will include the fix)
                NetBSD-4-0 branch:      March 19, 2008
                                        (4.0.1 will include the fix)

Abstract
========

The strfmon() function contains multiple integer overflows which can be
exploited by a local attacker to cause a crash or potentially execute
arbitrary code.

Technical Details
=================

The vulnerability exists in strfmon() because of the use of the
GET_NUMBER() macro. This macro does not check for integer overflow, and
its value is passed as an argument to the memmove() and memset()
functions, which can result in a crash or possibly the execution of
arbitrary code.

This issue has been assigned CVE reference CVE-2008-1391.

Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libc binaries
by updating your source tree and rebuilding and installing a new
version of libc.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-03-18
        should be upgraded to NetBSD-current dated 2008-03-19 or later.

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:
                # cd src
                # cvs update lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-03-19 should be upgraded from NetBSD 4.* source dated
        2008-03-20 or later.

        The following files need to be updated from the
        netbsd-4 or netbsd-4-0 CVS branches:
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:
                # cd src
                # cvs update -r lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Maksymilian Arciemowicz for reporting this problem and Christos Zoulas
for providing a fix.

Revision History
================

        2008-04-21      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-006.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSAUSOD5Ru2/4N2IFAQLzCAQAp1P1sXgdVdcBYZ792JaU+ojWGMW3PqR1
tjSnp8rbkENkfGdtGKlkT2rLHshKiM0DzZL6SyiEDleSZtAv4cuzVQZf2ia+5WWR
SI9TOo/WkPivXnwuKxW1XVefH00wv/KK5wsZAXNxWFY/oIs1pNWQ6QUi4umGmj8L
C7he0Od/rdk=
=2ESK
-----END PGP SIGNATURE-----
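
Added example, not part of the NetBSD advisory and not the code from strfmon.c: the kind of defect described under Technical Details, a decimal field width accumulated with no overflow check, shown beside a checked variant that refuses to wrap. The function names, the avail parameter and the sample inputs are constructed for illustration, and a 32-bit unsigned int is assumed.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: accumulates digits with no bound, the pattern the
 * advisory attributes to GET_NUMBER(). Unsigned arithmetic keeps the
 * wrap-around well defined here (signed overflow is undefined in C). */
static int parse_width_unchecked(const char *fmt)
{
    unsigned int v = 0;
    while (isdigit((unsigned char)*fmt))
        v = v * 10u + (unsigned int)(*fmt++ - '0');
    return (int)v;      /* can be far smaller than written, or negative */
}

/* Hypothetical helper: fails instead of wrapping, and rejects a width
 * larger than the space left in the destination (avail). */
static int parse_width_checked(const char *fmt, size_t avail, int *out)
{
    int v = 0;
    while (isdigit((unsigned char)*fmt)) {
        int d = *fmt++ - '0';
        if (v > (INT_MAX - d) / 10)
            return -1;  /* next step would overflow int */
        v = v * 10 + d;
    }
    if ((size_t)v > avail)
        return -1;      /* wider than the output buffer */
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: 2^32 + 10 wraps to 10 in 32-bit arithmetic. */
    const char *samples[] = { "12", "4294967306", "2147483648" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = 0;
        int rc = parse_width_checked(samples[i], 64, &w);
        printf("%-12s unchecked=%d checked=%s\n", samples[i],
               parse_width_unchecked(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

A width that wraps to a small or negative value passes later size comparisons and then reaches memmove() or memset() as a length, which is why the check belongs in the digit loop itself.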