Re: CERT Advisory CA-2001-34 Buffer Overflow in System V Derived Login

Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE> · 13 Dec 2001 12:04:03 +0100

CERT Advisory <cert-advisory@cert.org> writes:

> IBM
> 
>    IBM's  AIX  operating system, versions 4.3 and 5.1, are susceptible to
>    this  vulnerability.

Previous versions of AIX seem to be affected, too.  At least AIX 4.2
comes with a login implementation which offers the same environment
variable passing functionality found in AIX 4.3, and passing large
numbers of arguments results in strange behavior.  The tested login
implementation seems to be contained in:

  Fileset                      Level  State  Description 
  ---------------------------------------------------------------------------- 
  bos.rte.security           4.2.1.0    C    Base Security Function 
                             4.2.1.1    C    Base Security Function 

-- 
Florian Weimer 	                  Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898