Subject: Re: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library
To: None <firstname.lastname@example.org>
From: Christos Zoulas <email@example.com>
Date: 03/24/2003 21:08:07
In article <Pine.LNX.firstname.lastname@example.org>,
Jeremy C. Reed <email@example.com> wrote:
>On Wed, 19 Mar 2003, CERT Advisory wrote:
>> The length types of the various xdr*_getbytes functions were made
>> consistent somewhere back in 1997 (all u_int), so we're not vulnerable
>> in that area.
>Does this mean NetBSD is not vulernable at all to this CERT Advisory
>CA-2003-10 Integer overflow in Sun RPC XDR library routines?
We were vulnerable, but in a slightly different attack. All fixes have
been applied to current, and pulled up to 1.6.x and 1.5.x.