COMMAND

    NLS (Natural Language Service)

SYSTEMS AFFECTED

    Cray Research - A Silicon Graphics Company (maybe)
    Data General Corporation (maybe)
    Hewlett-Packard Company (maybe)
    IBM Corporation
    Linux Systems
    The Santa Cruz Operation (SCO) (maybe)

PROBLEM

    The following text is based on a CERT advisory.

    A buffer  overflow condition  affects libraries  using the Natural
    Language Service (NLS). The NLS  is the component of UNIX  systems
    that  provides  facilities  for  customizing  the natural language
    formatting   for   the   system.   Examples   of   the   types  of
    characteristics that  can be  set are  language, monetary  symbols
    and delimiters, numeric delimiters, and time formats.

    Some  libraries  that  use   a  particular  environment   variable
    associated with the NLS contain a vulnerability in which a  buffer
    overflow condition  can be  triggered. The  particular environment
    variable involved is NLSPATH on some systems and PATH_LOCALE on
    others (see the exploit for NLSPATH for Linux in the Linux section
    of Security Bugware).

    It  is   possible  to   exploit  this   vulnerability  to   attain
    unauthorized access  by supplying  carefully crafted  arguments to
    programs that  are owned  by a  privileged user-id  and that  have
    setuid or setgid bits set.

    Local users (users  with access to  an account on  the system) are
    able to execute  arbitrary programs as  a privileged user  without
    authorization.  There is  a possibility (with some  old libraries)
    that the vulnerability can be exploited by a remote user.

SOLUTION

    Install  a  patch  for  this  problem  when one becomes available.
    Currently, there is no workaround  to use in the meantime.   Below
    is a  list of  vendors who  have provided  information about  this
    problem.  Vendors not mentioned are not vulnerable.

    The following vendors are investigating the problem:

        Cray Research - A Silicon Graphics Company
        Data General Corporation
        Hewlett-Packard Company
        The Santa Cruz Operation (SCO)

    All AIX releases are vulnerable to a variation of this.
    Apply the following fix for AIX 3.2.5 systems:

        PTFs - U447656 U447671 U447676 U447682 U447705 U447723  (APAR IX67405)

    Apply the following fix for AIX 4.1 systems:

        APAR - IX67407

    Apply the following fix for AIX 4.2 systems:

        APAR - IX67377 IX65693

    Linux  systems  running  older  C  libraries  are  vulnerable.   C
    libraries older  than 5.3.12  (that is, libc5.2.18, libc5.0.9, etc.)
    are vulnerable to this bug  and you should upgrade the  C library.
    The release versions of libc 5.4.x are immune to this attack.   If
    you  have  libc5.3.12  it  is  insecure  unless it is the modified
    libc5.3.12 shipped with Red Hat 4.1,  or as an upgrade on Red  Hat
    4.0. libc-5.3.12-17 indicates you have version 17 of the  package.
    This is the safe one.
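
    The version rules above can be applied to an inventory of libc
    package names with a small classifier. This is an added example,
    not part of the CERT text; the function name, the status labels and
    the sample inventory are assumptions made for illustration.

```python
import re

# Rules taken from the advisory text above:
#   older than 5.3.12                 -> vulnerable
#   5.3.12, package release 17        -> safe (the modified Red Hat build)
#   5.3.12, any other or no release   -> insecure
#   5.4.x release versions            -> immune
# Anything else is outside what the advisory states and is reported as such.
PKG_RE = re.compile(r"^libc-?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def classify_libc(pkg):
    """Classify a libc name such as 'libc-5.3.12-17' or 'libc5.2.18'."""
    m = PKG_RE.match(pkg.strip())
    if not m:
        return "unparsed"
    version = tuple(int(m.group(i)) for i in (1, 2, 3))
    release = int(m.group(4)) if m.group(4) else None
    if version < (5, 3, 12):
        return "vulnerable"
    if version == (5, 3, 12):
        if release == 17:
            return "safe"
        if release is not None and release > 17:
            # The advisory names only release 17; later builds are not covered.
            return "not covered"
        return "insecure"
    if version[:2] == (5, 4):
        # Applies to release versions of 5.4.x, as the advisory words it.
        return "immune"
    return "not covered"


def needs_upgrade(inventory):
    """Return the hosts whose libc is vulnerable or insecure, sorted by name."""
    bad = {"vulnerable", "insecure"}
    return sorted(h for h, pkg in inventory.items() if classify_libc(pkg) in bad)


if __name__ == "__main__":
    # Constructed sample inventory (host name -> libc package string).
    sample = {
        "alpha": "libc-5.3.12-17",
        "bravo": "libc5.2.18",
        "charlie": "libc-5.3.12",
        "delta": "libc-5.4.7",
    }
    for host, pkg in sorted(sample.items()):
        print(host, pkg, classify_libc(pkg))
    print("upgrade:", needs_upgrade(sample))
```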

    Red Hat  4.0 users  who have  not already  upgraded their libc can
    obtain this package at:

        ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-4.0/updates/