[VIM] vuldb confusion between OpenPegasus issues
Mark J Cox
mjc at redhat.com
Tue Jan 15 09:39:06 UTC 2008
It seems that some vulndbs have got a bit confused by the OpenPegasus
issues that were reported a couple of weeks ago. That misinformation is
working its way up into public reports. So, for the record:
In December 2007, VMware contacted the vendor-sec mailing list to let us
know they'd found a pre-authentication buffer overflow in OpenPegasus
versions prior to 2.7. This issue was credited as being discovered by
Alexander Sotirov of VMware and allocated CVE-2007-5360.
This overflow only affected OpenPegasus builds that had been compiled to
use PAM and with the (optional) PEGASUS_USE_PAM_STANDALONE_PROC define.
This issue affected the VMware OpenPegasus builds, but not the Red Hat
OpenPegasus builds.
http://marc.info/?l=full-disclosure&m=119975801904357&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-5360
However, whilst investigating this issue, the Red Hat Security Response
Team discovered that there was a similar pre-authentication buffer
overflow affecting OpenPegasus versions prior to 2.7, but this time it
affected servers that had been compiled with PAM but without the
PEGASUS_USE_PAM_STANDALONE_PROC define, and was in a different piece of
code to the CVE-2007-5360 flaw. This issue did affect the Red Hat
OpenPegasus builds. We allocated CVE-2008-0003 to this issue.
https://rhn.redhat.com/errata/RHSA-2008-0002.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0003
Both of the issues were corrected upstream by a single patch, attached to
OpenPegasus bug 7220; the patch was written by Roger Kumpf. Versions 2.7
were already not vulnerable as both bits of affected code had been
refactored for that release.
http://cvs.opengroup.org/bugzilla/show_bug.cgi?id=7220
Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team