CVE-1999-0389

• BID:324
• URL:http://www.securityfocus.com/bid/324
• BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
• DEBIAN:19990104

 Christey> Is CVE-1999-0389 a duplicate of CVE-1999-0798?  CVE-1999-0389
   has January 1999 dates associated with it, while CVE-1999-0798
   was reported in late December.
   
   Also, is this the same line of code as CVE-1999-0914?  Both are in
   the netstd package, it could look like a library problem.
   
   However, deep in the changelog in the
   netstd_3.07-7slink.3.diff on Debian, Herbert Xu includes
   the following entry:
   
   +netstd (3.07-7slink.1) frozen; urgency=high
   +
   +  * bootpd:     Applied patch from Redhat as well as a fix for the overflow in
   +                report() (fixes #30675).
   +  * netkit-ftp: Applied patch from RedHat that fixes some obscure overflow
   +                bugs.
   +
   + -- Herbert Xu <herbert@debian.org>  Sat, 19 Dec 1998 14:36:48 +1100
   
   This tells me that two separate bugs are involved.
   
   Note that Red Hat posted *some* fix for *some* bootp problem
   in June 1998.  See:
   http://www.redhat.com/support/errata/rh42-errata-general.html#bootp
 Frech> XF:debian-netstd-bo
 Christey> Further analysis indicates that this is a duplicate of CVE-1999-0799
 CHANGE> [Christey changed vote from REJECT to REVIEWING]
 Christey> The fix information for BID:324 suggests that there are two
   overflows, one of which is in handle_request (bootpd.c) and is
   likely related to a file name; but there is another issue in
   report (report.c) which also looks like a straightforward
   overflow, which would suggest that this is not a duplicate of
   CVE-1999-0798 or CVE-1999-0799.
   
   Note: see comments for CVE-1999-0798 which explain how that
   candidate is not related to CVE-1999-0799.