neon library ne_rfc1036_parse function buffer overflow

neon-library-nerfc1036parse-bo (16192) The risk level is classified as High Risk

Description:

neon is vulnerable to a heap-based buffer overflow in the date parsing function of the neon library. A remote attacker can supply a specially-crafted date string to the ne_rfc1036_parse function to overflow a buffer and possibly execute arbitrary code on the system, depending on how the application uses the neon library.

Note: OpenOffice and Subversion do not use the ne_rfc1036_parse function and are not vulnerable.


Consequences:

Gain Access

Remedy:

Upgrade to the latest version of neon (0.24.6 or later), available from the WebDAV Web page. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest cadaver package (0.18.0-1woody3 or later), as listed in DSA-507-1. See References.

For Conectiva Linux:
Upgrade to the libneon package, as listed below. Refer to Conectiva Linux Security Announcement CLA-2004:841 for more information. See References.

Conectiva Linux 9: 0.23.5-21884U90_2cl or later

For Gentoo Linux systems containing the cadaver package:
Upgrade to the latest version of cadaver (0.22.2 or later), as listed in GLSA 200405-15. See References.

For Gentoo Linux systems containing the neon package:
Upgrade to the latest version of neon (0.24.6 or later), as listed in GLSA 200405-13. See References.

For Mandrake Linux:
Upgrade to the latest apache package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:078: OpenOffice.org for more information. See References.

Mandrake Linux 10.0: 1.1.2-3.1.100mdk or later

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.024 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

Platforms Affected:

  • Conectiva Linux 9.0
  • Debian Debian Linux 3.0
  • Gentoo Linux
  • Joe Orton neon 0.24.5 and prior
  • MandrakeSoft Mandrake Linux 10.0
  • MandrakeSoft Mandrake Linux 10.0 AMD64
  • MandrakeSoft Mandrake Linux 9.2 AMD64
  • MandrakeSoft Mandrake Linux 9.2
  • Novell SuSE Linux Enterprise Server 7.0
  • Novell UnitedLinux 1.0
  • OpenPKG OpenPKG 1.3
  • OpenPKG OpenPKG 2.0
  • OpenPKG OpenPKG CURRENT
  • RedHat Enterprise Linux 2.1 WS
  • RedHat Enterprise Linux 2.1 AS
  • RedHat Enterprise Linux 2.1 ES
  • RedHat Linux Advanced Workstation 2.1 Itanium
  • SuSE Linux Enterprise Server 8
  • SuSE SuSE eMail Server III
  • SUSE SuSE Linux 8.0
  • SUSE SuSE Linux 8.1
  • SUSE SuSE Linux 8.2
  • SUSE SuSE Linux 9.0
  • SUSE SuSE Linux 9.1
  • SuSE SuSE Linux Connectivity Server
  • SuSE SuSE Linux Database Server
  • SuSE SuSE Linux Office Server

Reported:

May 19, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
