NetBSD Security Officer <security-officer@netbsd.org> wrote:
>
>		 NetBSD Security Advisory 2002-011
>		 =================================
>
>Topic:		Sun RPC XDR decoder contains buffer overflow
>
>* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
>
>	The advisory will be updated to include instructions to remedy
>	this problem for systems running the NetBSD-1.4 branch.

Is there a reason that the same fix that was applied to the NetBSD-1.5
and NetBSD-1.6 branches (namely, a pullup of revisions 1.13 and 1.14
of lib/libc/rpc/xdr_array.c) can't be applied to the NetBSD-1.4 branch
(other than "nobody's asked for it or tested it yet")?

I've successfully updated a 1.4.3A/i386 machine with said fix and,
though I don't have an exploit available to test it with, the system
runs just fine with the new libc.  I intend to update the compat14
package with new distfiles with this fix and the fix for SA-2002-006,
but it would be preferable if this fix was "officially" on the branch
first.

jdarrow

-- 
John Darrow - Senior Technical Specialist               Office: 630/752-5201
Computing Services, Wheaton College, Wheaton, IL 60187  Fax:    630/752-5968
Pager via email: 6303160707@alphapage.airtouch.com      Pager:  630/316-0707
Email: John.P.Darrow@wheaton.edu (plain text please, no HTML or proprietary)