[an error occurred while processing this directive]

Common Data Format (CDF) Version 3.2 and earlier Buffer Overflow Vulnerability

The libraries for the scientific data file format, Common Data Format (CDF) version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.

The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).

CDF 3.2.1 addresses this vulnerability and introduces further usability fixes. Updates for Perl, IDL, Matlab and Java WebStart are also available. Java WebStart applications that refer to http://sscweb.gsfc.nasa.gov/skteditor/cdf/cdf-latest.jnlp, will automatically be updated to include this fix the next time the application is started while connected to the Internet.

Older versions of CDF have not been updated and have been moved to the obsolete section of the CDF FTP site. The latest versions of CDF have added support for very large files, optional pico-second time variables (Epoch16), detection of file corruption by internal checksum comparison, internal file compression, and performance improvements. For compatibility with older libraries, the CDF 3.2 library can create CDF 2.7 files by calling the CDFsetFileBackward function or setting the CDF_FILEBACKWARD environment variable (see section 4.18 of the CDF C or Fortran Reference Manuals). Please contact the CDF team if you still need older versions updated.

CDF 3.2.1 supports the following operating systems: OpenVMS, Windows 2000/XP/Vista, Linux, Solaris, and Mac OS X. If you need to run CDF 3.2 on other platforms, such as HP-UX or IBM AIX, please contact the CDF team.

The CDF team greatly appreciates the efforts of Alfredo Ortega, from CORE IMPACT's Exploit Writing Team (EWT), at Core Security Technologies for discovering, researching and reporting this vulnerability. Their advisory (Advisory ID: CORE-2008-0326, published 2008 May 5) is available at http://www.coresecurity.com/?action=item&id=2260.

As always, but particularly due to the urgency in getting this update out, please report any problems, issues or questions to gsfc-cdf-support@lists.nasa.gov or call Robert Candey at 1-301-286-6707.