Subject: Re: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library
To: None <>
From: Christos Zoulas <>
List: tech-security
Date: 03/24/2003 21:08:07
In article <>,
Jeremy C. Reed <> wrote:
>On Wed, 19 Mar 2003, CERT Advisory wrote:
>> NetBSD
>>    The  length  types  of  the  various xdr*_getbytes functions were made
>>    consistent somewhere back in 1997 (all u_int), so we're not vulnerable
>>    in that area.
>Does this mean NetBSD is not vulernable at all to this CERT Advisory
>CA-2003-10 Integer overflow in Sun RPC XDR library routines?

We were vulnerable, but in a slightly different attack. All fixes have
been applied to current, and pulled up to 1.6.x and 1.5.x.