NetBSD Security Advisory 2008-006: Integer overflow in strfmon(3) function

[NetBSD Security-Officer <security-officer%netbsd.org@localhost>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                 NetBSD Security Advisory 2008-006
                 =================================

Topic:          Integer overflow in strfmon(3) function

Version:        NetBSD-current:         affected
                NetBSD 4.0:             affected
                NetBSD 3.1.*:           unaffected
                NetBSD 3.1:             unaffected
                NetBSD 3.0:             unaffected
                NetBSD 3.0.*:           unaffected

Severity:       Local user may be able to execute arbitrary code

Fixed:          NetBSD-current:         March 18, 2008
                NetBSD-4 branch:        March 19, 2008
                        (4.1 will include the fix)
                NetBSD-4-0 branch:      March 19, 2008
                        (4.0.1 will include the fix)


Abstract
========

The strfmon() function contains multiple integer overflows which can be
exploited by a local attacker to cause a crash or potentially execute
arbitrary code.


Technical Details
=================

The vulnerability exists in strfmon() because of the use of the GET_NUMBER()
macro.  This macro does not check for integer overflow, and its value is
passed as an argument to the memmove() and memset() functions, which can
result in a crash or possibly the execution of arbitrary code.

This issue has been assigned CVE reference CVE-2008-1391.


Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libc binaries
by updating your source tree and rebuilding and installing a new version
of libc.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-03-18
        should be upgraded to NetBSD-current dated 2008-03-19 or later.

        The following files need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:

                # cd src
                # cvs update lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-03-19 should be upgraded from NetBSD 4.* source dated
        2008-03-20 or later.

        The following files need to be updated from the
        netbsd-4 or netbsd-4-0 CVS branches:
                lib/libc/stdlib/strfmon.c

        To update from CVS, re-build, and re-install libc:

                # cd src
                # cvs update -r <branch_name> lib/libc/stdlib/strfmon.c
                # cd lib/libc
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Thanks To
=========

Maksymilian Arciemowicz for reporting this problem and Christos Zoulas
for providing a fix.

Revision History
================

        2008-04-21      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-006.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-006.txt,v 1.1 2008/04/15 20:19:56 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iQCVAwUBSAUSOD5Ru2/4N2IFAQLzCAQAp1P1sXgdVdcBYZ792JaU+ojWGMW3PqR1
tjSnp8rbkENkfGdtGKlkT2rLHshKiM0DzZL6SyiEDleSZtAv4cuzVQZf2ia+5WWR
SI9TOo/WkPivXnwuKxW1XVefH00wv/KK5wsZAXNxWFY/oIs1pNWQ6QUi4umGmj8L
C7he0Od/rdk=
=2ESK
-----END PGP SIGNATURE-----