[TECH] rpc.cmsd - one bug or two?
Mike Prosser made the following observation about CAN-1999-0696 (the
recent rpc.cmsd). Is this the same problem as CVE-1999-0320? Any
Phase: Proposed (19991208)
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)
>Correct me if I am wrong as I don't have the facilities to test this, but
>Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
>The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
>1999 is an exact dupe of the 98 bulletin with the exception of some
>additional patches for CDE on later versions of SunOS/Solaris. The CERT and
>other vendor alerts are additional information on this BO for other vendors'
>systems (why it took over a year?), but we already have a CVE number
>outstanding for this vulnerability. Are these separate vulnerabilities? Or
>the same one just found to affect more than originally thought? If so,
>recommend merging this CAN into the existing CVE, and just adjust the
>description in the existing CVE to reflect the additional vulnerable vendor
>Additional reference: BID 486 and 524
I think the two problems might be different.
First of all, CAN-1999-0696 explicitly describes a buffer overflow in
the Sun and CERT advisories. CVE-1999-0320 doesn't mention a buffer
overflow, and describes an attack scenario where someone can overwrite
files, which usually makes me think of following symbolic links or
using a .. attack or whatever, but not a buffer overflow.
It is weird that the patches are the same, though, except for the
patches for later CDE versions. Perhaps they didn't preserve the
patch in later versions?