[TECH] rpc.cmsd - one bug or two?
All:

Mike Prosser made the following observation about CAN-1999-0696 (the recent rpc.cmsd). Is this the same problem as CVE-1999-0320? Any ideas?

=================================
Candidate: CAN-1999-0696
Phase: Proposed (19991208)
Category: SF
Reference: CIAC:J-051
Reference: SUN:00188
Reference: CERT:CA-99-08
Reference: HP:00102
Reference: COMPAQ:SSRT0614U_RPC_CMSD

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)

>Correct me if I am wrong as I don't have the facilities to test this, but
>Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
>The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
>1999 is an exact dupe of the 98 bulletin with the exception of some
>additional patches for CDE on later versions of SunOS/Solaris. The CERT and
>other vendor alerts are additional information on this BO for other vendor's
>systems (why it took over a year?), but we already have a CVE number
>outstanding for this vulnerability. Are these separate vulnerabilities? Or
>the same one just found to affect more than originally thought? If so,
>recommend merging this CAN into the existing CVE, and just adjust the
>description in the existing CVE to reflect the additional vulnerable vendor
>systems.

>Additional reference: BID 486 and 524

I think the two problems might be different. First of all, CAN-1999-0696 explicitly describes a buffer overflow in the Sun and CERT advisories. CVE-1999-0320 doesn't mention a buffer overflow, and describes an attack scenario where someone can overwrite files, which usually makes me think of following symbolic links or using a .. attack or whatever, but not a buffer overflow.

It is weird that the patches are the same, though, except for the patches for later CDE versions. Perhaps they didn't preserve the patch in later versions?

- Steve