Hewlett-Packard Co. is recommending that users patch HP-UX to fix a pair of vulnerabilities that could allow remote denial-of-service attacks, local privilege escalation and local denial of service.
The first vulnerability involves the calloc function, which allocates zero-filled memory for an array of a given number of elements of a given size. A known problem with the function is that the element count multiplied by the element size can overflow the integer used to hold the product, so calloc returns a buffer far smaller than the application asked for. When the application later writes the amount of data it expected to fit, it overruns the too-small buffer. This can crash the application, causing a denial of service. In this particular case, the affected code can be reached remotely, so the crash can be triggered over the network.
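The arithmetic behind the flaw, as an added illustration that is not HP's or any libc's code: an unchecked count-times-size product wraps modulo the size of size_t, and the fix is to test for overflow before allocating. Function names and the sample request are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical helper names, not HP-UX code).
 * Shows how an unchecked nmemb * size product in calloc wraps to a tiny
 * value, and how a checked allocator refuses such requests instead. */

/* The size an overflow-unaware calloc would actually allocate:
 * unsigned multiplication wraps silently, it never traps. */
size_t wrapped_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Return 1 if nmemb * size does not fit in size_t, else 0 and (optionally)
 * store the product. The division form never computes the overflowing
 * product itself. */
int mul_overflows(size_t nmemb, size_t size, size_t *product)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 1;
    if (product)
        *product = nmemb * size;
    return 0;
}

/* calloc replacement that fails cleanly (NULL, errno = ENOMEM) on overflow
 * rather than handing back a too-small zero-filled buffer. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    void *p;

    if (mul_overflows(nmemb, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    p = malloc(total ? total : 1);   /* keep malloc(0) portable */
    if (p)
        memset(p, 0, total);
    return p;
}

/* Check helper: allocate through checked_calloc, verify zero fill, free.
 * Returns 1 if the buffer was allocated and fully zeroed. */
int checked_calloc_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = checked_calloc(nmemb, size);
    size_t i, total = nmemb * size;
    int ok = 1;

    if (!p)
        return 0;
    for (i = 0; i < total; i++)
        if (p[i])
            ok = 0;
    free(p);
    return ok;
}

int main(void)
{
    /* Constructed request: SIZE_MAX/4 + 2 elements of 4 bytes each.
     * For a w-bit size_t the true product is 2^w + 4, which wraps to 4. */
    size_t nmemb = SIZE_MAX / 4 + 2;
    size_t size = 4;
    size_t total = 0;

    printf("naive product       : %zu bytes\n", wrapped_size(nmemb, size));
    printf("overflow detected   : %d\n", mul_overflows(nmemb, size, &total));
    printf("checked_calloc      : %s\n",
           checked_calloc(nmemb, size) ? "returned a buffer" : "NULL (refused)");
    return 0;
}
```

A patched libc performs this check inside calloc itself; the same test belongs in any application code that computes `malloc(n * size)` by hand, since that pattern has the identical overflow.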
This vulnerability occurs in HP-UX version 11.x -- specifically on HP9000 servers running versions B.11.00, B.11.04 and B.11.11. This same calloc problem has affected many other libraries and applications, including GNU libc 2.2.5, GNU C++ Compiler, GNU Ada Compiler and Microsoft Visual C++.
A less-critical vulnerability could allow a local user to gain unauthorized privileges or cause a denial of service. HP's SharedX software for HP-UX accesses files in an insecure manner, HP says. This vulnerability occurs in HP-UX versions B.11.00, B.11.11 and B.11.22.
The patch can be downloaded from HP's Web site.