libnis vuls, Sun 5.5.1

extract_secret() | D | 85 | publickey.c | overflows buffer with *raw.. at very top.. probability is high
getkeys_nis() | D | 140 | publickey.c | overflows the key with a value too big.. yp_match() must return no errors for this to succeed.. so I think if they are on a legit server, the probability is high, otherwise.. we'll say average/moderate
getpublickey() | D | 421 | publickey.c | calls getkeys_nis() (see above).. __nsw_getconfig() succeeding is probably for the better.. but it might not need to succeed.. it doesn't return or anything.. just uses a default list. probability is probably moderate/average to high
getsecretkey() | U | 481 | publickey.c | calls getkeys_nis() (see above).. same probability as getpublickey() (see above)
__nis_init_callback()
getkeys_nis() | D | 140 | key/publickey.c | overflows the key with a value too big.. yp_match() must return no errors for this to succeed.. so I think if they are on a legit server, the probability is high, otherwise.. we'll say average/moderate [note: this is actually in the key/ directory.. but it relates to nis so I included it here]
__callback_stub() | D | 370 | nis_callback.c | overflows in *argp passed to it.. at top.. probability is high
__nis_core_lookup() | D | 40 | nis_lookup.c | overflows when copying parameters into local buffer.. probability is high
nis_make_rpchandle() | U/D | 1269 | nis_subr.c | U = calls host2netname().. which can be overflowed by spoofing.. D = overflow copying server name.. probability is high as long as a few conditions are met: (ZMH_AUTH != 0, srv->key_type == NIS_PK_DH... has to also have either: ZMH_VC or ZMH_DG), and nis_find_sockaddr succeeds
nis_dump_r() | U | 200 | nis_misc.c | calls nis_make_rpchandle (see above).. probability is the same as nis_make_rpchandle()
nis_dump() | U | 254 | nis_misc.c | calls nis_dump_r().. at bottom so probability is average
add_cred_item() | D | 47 | nis_misc_proc.c | overflows malloc'd memory. only useful for DoS. probability is high.
find_cred_item() | D | 64 | nis_misc_proc.c | same situation and probability as above
__nis_auth2princ | D | 78 | nis_misc_proc.c | overflows from the machine name.. probability is high as long as certain conditions (using AUTH_SYS and auid 0)
parse_path() | D | 192 | nis_names.c | overflows in the local and name buffers.. probability is high
nis_getnames() | U | 250 | nis_names.c | calls parse_path().. probability is high as long as it doesn't end with a "."

overflowed with $NIS_* environmental variables

__nis_host2nis_server()
__nis_get_server()
nis_name_of_r()
__nis_principal()
__bind_rpc()
nis_old_data_r()
nis_data_r()
nis_data()
__nis_tag_proc()
nis_list()
nis_nameops()
nis_add()
nis_remove()
nis_modify()
nis_ibops()
nis_add_entry()
nis_remove_entry()
nis_modify_request()
nis_first_entry()
nis_next_entry()
nis_mkdir()
nis_rmdir()