COMMAND

    DoS

SYSTEMS AFFECTED

    OSF/DCE security server

PROBLEM

    The Open Group found the following.  It has been discovered that
    OSF/DCE has a potential problem in the security server that could
    allow for a denial of service attack.

    If a principal, group, or organization name is greater than 1024
    characters (including the cell name, so the actual name limit is
    less than 1024) when passed to the security daemon (secd), it will
    cause secd to dump core.  The buffer is overrun, causing memory
    corruption.  In certain cases, the lookup attempt (or add or
    whatever) on the client will then rebind to another secd to make
    the request, eventually crashing all security daemons in the cell.

SOLUTION

    This potential denial of service attack has existed in all
    releases of OSF/DCE to date.  The Open Group sent a notification
    to all current DCE support licensees providing the following fix.
    The Open Group is in the process of incorporating a fix for this
    defect into all future DCE maintenance releases.  End users may
    ask their DCE vendors for such a fix.  The quick fix is the
    following:

    In  rsdb_name_util.c,  the  "rsdb_name_util_complete_name" routine
    should perform the following check after the ustrncpy.

    /* Retrieve the name_key record of the given domain directory.  */
    if(!check_domain(domain)) {
        SET_STATUS(st, sec_rgy_bad_domain);
        return false;
    }

    rsdb_util_get_key_of_id(domain, START_OF_LIST,
                             (Pointer)&name_key, &name_key_len);
    ustrncpy(complete_name, name_key.name, name_key.name_len);
    complete_name[name_key.name_len] = '\0';
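    #ifdef FIX
        /* Reject the request when the object name is empty or when the
         * domain name, the "/" separator and the object name together
         * would not fit in a sec_rgy_name_t buffer. */
        if (object_name_len < 1     ||
            object_name_len + name_key.name_len + 1 > sec_rgy_name_t_size - 1)
        {
            return false;
        }
    #endif /* FIX */

    if(object_name_len > 0) {
        ustrcat(complete_name, "/");
        ustrcat(complete_name, object_name);
    }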
    return true;
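
    The same length check as a self-contained C routine. This is an
    added example, not the Open Group's code: it goes slightly beyond
    the quick fix by also validating the prefix before the first copy.
    NAME_BUF_SIZE, complete_name_checked, try_object_len and the
    "principal" prefix are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 1024  /* assumption: stands in for sec_rgy_name_t_size */
/* Hypothetical helper: writes "<prefix>/<object>" to out, or returns false
 * without writing when the result plus its NUL would not fit in out_size. */
bool complete_name_checked(char *out, size_t out_size,
                           const char *prefix, size_t prefix_len,
                           const char *object, size_t object_len)
{
    if (!out || !prefix || (object_len > 0 && !object))
        return false;
    if (out_size == 0 || prefix_len >= out_size)  /* check before any copy */
        return false;

    size_t room = out_size - 1 - prefix_len;      /* left after prefix and NUL */
    /* Compare by subtraction so a huge object_len cannot wrap the sum. */
    if (object_len > 0 && (room < 1 || object_len > room - 1))
        return false;

    memcpy(out, prefix, prefix_len);
    size_t pos = prefix_len;
    if (object_len > 0) {
        out[pos++] = '/';
        memcpy(out + pos, object, object_len);
        pos += object_len;
    }
    out[pos] = '\0';
    return true;
}

/* Constructed input: prefix "principal" plus n 'a' bytes. Returns the completed
 * length, -1 if rejected, -2 if the guard byte past the buffer changed. */
long try_object_len(size_t n)
{
    static char object[4096];
    char buf[NAME_BUF_SIZE + 1];
    if (n > sizeof object)
        return -1;
    memset(object, 'a', n);
    buf[NAME_BUF_SIZE] = 0x5a;                    /* guard byte */
    if (!complete_name_checked(buf, NAME_BUF_SIZE, "principal", 9, object, n))
        return -1;
    return buf[NAME_BUF_SIZE] == 0x5a ? (long)strlen(buf) : -2;
}

int main(void)
{
    printf("%ld %ld %ld\n", try_object_len(5), try_object_len(1013), try_object_len(1014));
}
```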

    The following patches were issued for IRIX:

        OS Version      Patch #
        ----------      -------
        IRIX 5.3        upgrade
        IRIX 6.2        2678 or 2679
        IRIX 6.3        2680 or 2681
        IRIX 6.4        2682 or 2683

    Patches 2679, 2681 and 2683  are for the U.S. domestic  version of
    OSF/DCE &  DFS 1.1C  and are  not available  from the standard SGI
    patch sources because they include strong encryption which  cannot
    be exported outside of the United States without authorization.