[TECH] rpc.cmsd - one bug or two?

["Steven M. Christey" <coley@linus.mitre.org>]

All:

Mike Prosser made the following observation about CAN-1999-0696 (the
recent rpc.cmsd).  Is this the same problem as CVE-1999-0320?  Any
ideas?


=================================
Candidate: CAN-1999-0696
Phase: Proposed (19991208)
Category: SF
Reference: CIAC:J-051
Reference: SUN:00188
Reference: CERT:CA-99-08
Reference: HP:00102
Reference: COMPAQ:SSRT0614U_RPC_CMSD

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)


>Correct me if I am wrong as I don't have the facilities to test this, but
>Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
>The CVE Board accepted it as CVE-1999-0320.  The 00188 Sun Bulletin in July
>1999 is an exact dupe of the 98 bulletin with the exception of some
>additional patches for CDE on later versions of SunOS/Solaris. The CERT and
>other vendor alerts are additional information on this BO for other vendor's
>systems(why it took over a year?), but we already have a CVE number
>outstanding for this vulnerability.  Are these seperate vulnerabilities?  Or
>the same one just found to affect more than originally thought?  If so,
>recommend merging this CAN into the existing CVE, and just adjust the
>description in the existing CVE to reflect the additional vulnerable vendor
>systems.
>Additional reference:  BID 486 and 524

I think the two problems might be different.

First of all, CAN-1999-0696 explicitly describes a buffer overflow in
the Sun and CERT advisories.  CVE-1999-0320 doesn't mention a buffer
overflow, and describes an attack scenario where someone can overwrite
files, which usually makes me think of following symbolic links or
using a .. attack or whatever, but not a buffer overflow.

It is weird that the patches are the same, though, except for the
patches for later CDE versions.  Perhaps they didn't preserve the
patch in later versions?

- Steve