Debian Security Advisory

DSA-142-1 openafs -- integer overflow

Date Reported:
05 Aug 2002
Affected Packages:
openafs
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 5356.
In Mitre's CVE dictionary: CVE-2002-0391.
CERT's vulnerabilities, advisories and incident notes: VU#192995.
More information:

An integer overflow bug has been discovered in the RPC library used by the OpenAFS database server, which is derived from the SunRPC library. This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. No exploits are known to exist yet.
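The bug class the advisory describes, as an added illustration that is not from the advisory, from Debian or from the OpenAFS sources: in SunRPC-derived XDR decoding, an attacker-supplied element count is multiplied by the element size in 32-bit unsigned arithmetic (the xdr_array() computation behind CVE-2002-0391), so the product can wrap and a small buffer is allocated for a huge count. `decode_array`, `checked_bytes`, `unchecked_bytes` and the sample messages below are hypothetical names and constructed data, not the library's own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* XDR integers are 4-byte big-endian; this reads the wire element count. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable-style 32-bit computation (classic SunRPC): 0x40000001 * 4 wraps to 4. */
uint32_t unchecked_bytes(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* Hardened form: reject a count above maxcount or whose product overflows 32 bits.
 * Returns 1 and sets *out on success, 0 on rejection. */
int checked_bytes(uint32_t count, uint32_t elsize, uint32_t maxcount, uint32_t *out) {
    if (elsize == 0 || count > maxcount || count > UINT32_MAX / elsize) return 0;
    *out = count * elsize;
    return 1;
}

/* Hypothetical decoder (not the library's own): validates the count against the
 * bytes actually received before allocating. Returns a malloc'd copy or NULL. */
unsigned char *decode_array(const unsigned char *buf, size_t buflen, uint32_t elsize,
                            uint32_t maxcount, uint32_t *count_out) {
    uint32_t count, nbytes; unsigned char *arr;
    if (buflen < 4) return NULL;
    count = read_be32(buf);
    if (!checked_bytes(count, elsize, maxcount, &nbytes)) return NULL;
    if (nbytes > buflen - 4) return NULL;     /* claims more data than was sent */
    arr = malloc(nbytes ? nbytes : 1);
    if (arr == NULL) return NULL;
    memcpy(arr, buf + 4, nbytes);
    *count_out = count;
    return arr;
}

/* Constructed samples: a valid two-element message, and one whose count * 4 wraps to 4. */
static const unsigned char SAMPLE_OK[]  = {0,0,0,2, 1,2,3,4, 5,6,7,8};
static const unsigned char SAMPLE_BAD[] = {0x40,0,0,1, 0xAA,0xBB,0xCC,0xDD};

/* Returns the decoded element count, or -1 when the decoder rejects the message. */
int decode_count(const unsigned char *msg, size_t len) {
    uint32_t count = 0;
    unsigned char *arr = decode_array(msg, len, 4, 1024, &count);
    if (arr == NULL) return -1;
    free(arr);
    return (int)count;
}
```

With the wrapped product, the hostile message's 4 claimed bytes would pass a naive "enough data present" test while the decoder later walks 0x40000001 elements; the checked form refuses it before any allocation.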

This problem has been fixed in version 1.2.3final2-6 for the current stable distribution (woody) and in version 1.2.6-1 for the unstable distribution (sid). Debian 2.2 (potato) is not affected since it doesn't contain OpenAFS packages.

OpenAFS is only available for the alpha, i386, powerpc, s390 and sparc architectures; hence fixed packages are provided only for those.

We recommend that you upgrade your openafs packages.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:
Intel IA-32:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.