 			libnis vuls, Sun 5.5.1


extract_secret() | D | 85 | publickey.c |
                   overflows buffer with *raw.. at very top.. 
                   probability is high

getkeys_nis() | D | 140 | publickey.c |
                overflows the key with a value too big.. yp_match()
                must return no errors for this to succeed.. so I 
                think if they are on a legit server, the probability
                is high, otherwise.. we'll say average/moderate

getpublickey() | D | 421 | publickey.c |
                 calls getkeys_nis() (see above).. __nsw_getconfig()
                 succeeding is probably for the better.. but it might
                 not need to succeed.. it doesn't return or anything..
                 just uses a default list. probability is probably
                 moderate/average to high

getsecretkey() | U | 481 | publickey.c |
		 calls getkeys_nis() (see above).. same probability as
                 getpublickey() (see above)


__nis_init_callback()
getkeys_nis() | D | 140 | key/publickey.c |
                overflows the key with a value too big.. yp_match()
                must return no errors for this to succeed.. so I 
                think if they are on a legit server, the probability
                is high, otherwise.. we'll say average/moderate
                [note: this is actually in the key/ directory.. but
                 it relates to nis so I included it here]

__callback_stub() | D | 370 | nis_callback.c |
                    overflows in *argp passed to it.. at top.. probability
                    is high

__nis_core_lookup() | D | 40 | nis_lookup.c |
		      overflows when copying parameters into local buffer..
                      probability is high
 
nis_make_rpchandle() | U/D | 1269 | nis_subr.c |
                      U = calls host2netname().. which can be overflowed
                          by spoofing..
                      D = overflow copying server name
                      probability is high as long as a few conditions are
                      met: (ZMH_AUTH != 0, srv->key_type == NIS_PK_DH...
                      has to also have either: ZMH_VC or ZMH_DG), and
                      nis_find_sockaddr succeeds
		      
nis_dump_r() | U | 200 | nis_misc.c |
               calls nis_make_rpchandle (see above).. 
               probability is the same as nis_make_rpchandle()
 
nis_dump() | U | 254 | nis_misc.c |
	     calls nis_dump_r().. at bottom so probability is average

add_cred_item() | D | 47 | nis_misc_proc.c |
	     overflows malloc'd memory. only useful for DoS.
             probability is high.

find_cred_item() | D | 64 | nis_misc_proc.c |
                   same situation and probability as above

__nis_auth2princ | D | 78 | nis_misc_proc.c |
		   overflows from the machine name.. probability is
		   high as long as certain conditions are met (using
                   AUTH_SYS and auid 0)
 
parse_path() | D | 192 | nis_names.c |
	       overflows in the local and name buffers.. probability 
               is high

nis_getnames() | U | 250 | nis_names.c |
		 calls parse_path().. probability is high as long as
                 it doesn't end with a ".".. overflowed with the
                 $NIS_* environment variables

__nis_host2nis_server() 
__nis_get_server()
nis_name_of_r() 
__nis_principal() 
__bind_rpc() 
nis_old_data_r() 
nis_data_r() 
nis_data() 
__nis_tag_proc() 
nis_list() 
nis_nameops() 
nis_add() 
nis_remove() 
nis_modify() 
nis_ibops()
nis_add_entry() 
nis_remove_entry()
nis_modify_request()
nis_first_entry()
nis_next_entry()
nis_mkdir()
nis_rmdir() 

