CamlImages GIF and JPEG image parsing integer overflow vulnerability
Published: 2009-07-25
Updated: 2009-10-27
Affected systems:
CamlImages CamlImages 2.2
Description:
BUGTRAQ ID: 35999
CVE(CAN) ID: CVE-2009-2660
CamlImages is an open-source image processing library.
The files gifread.c and jpegread.c in CamlImages contain multiple integer overflow vulnerabilities that can lead to heap overflows. An attacker can trigger the overflow by tricking a user into opening a GIF or JPEG image with oversized width and height values, resulting in arbitrary code execution.
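As an added illustration (not code from CamlImages or from the advisory), here is the unchecked pixel-buffer size calculation the advisory describes beside a checked version that rejects dimensions whose product would wrap; the function names and the 256 MiB cap are assumptions, not values from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical unchecked decoder pattern: width * height * bytes-per-pixel
 * in 32-bit arithmetic. Header values chosen by the file can wrap the
 * product, so malloc() receives a small size while the decoder later
 * writes width * height pixels into it (heap overflow). */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;        /* silently wraps modulo 2^32 */
}

/* Hardened version: each multiplication is checked against max_bytes
 * before it is performed, so the result can never wrap and absurd
 * dimensions are rejected. Returns 1 and sets *out on success, 0 otherwise. */
int checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                        uint64_t max_bytes, uint64_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((uint64_t)width > max_bytes / height)   /* width * height > max? */
        return 0;
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > max_bytes / bpp)               /* pixels * bpp > max? */
        return 0;
    *out = pixels * bpp;
    return 1;
}

/* Allocates the pixel buffer only if the checked size is acceptable. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    const uint64_t max_bytes = 256ULL * 1024 * 1024;  /* assumed decoder cap */
    uint64_t size;
    if (!checked_buffer_size(width, height, bpp, max_bytes, &size))
        return NULL;
    return malloc((size_t)size);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 x 1 wraps to 0 unchecked. */
    printf("naive:   %u bytes\n", naive_buffer_size(65536, 65536, 1));
    unsigned char *p = alloc_pixels(65536, 65536, 1);
    printf("checked: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```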
<*Source: Tielei Wang (wangtielei@icst.pku.edu.cn)
Links: http://www.openwall.com/lists/oss-security/2009/07/25/2
https://bugs.gentoo.org/show_bug.cgi?format=multiple&id=276235
http://www.debian.org/security/2009/dsa-1912
http://www.gentoo.org/security/en/glsa/glsa-201006-02.xml
*>
Recommendations:
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-1912-2) and corresponding patches for this issue:
DSA-1912-2: New advi packages fix arbitrary code execution
Link: http://www.debian.org/security/2009/dsa-1912
Patch download: the per-architecture package list is available from the DSA link above.
Patch installation:
1. Install the patch package manually:
First, download the patch with the following command:
# wget url (url is the patch download link)
Then, install the patch with the following command:
# dpkg -i file.deb (file is the name of the corresponding patch package)
2. Install the patch package automatically with apt-get:
First, update the local package database with the following command:
# apt-get update
Then, install the updated packages with the following command:
# apt-get upgrade
Gentoo
------
Gentoo has released a security advisory (GLSA 201006-02) and corresponding patches for this issue:
GLSA 201006-02: CamlImages: User-assisted execution of arbitrary code
Link: http://www.gentoo.org/security/en/glsa/glsa-201006-02.xml
CamlImages
----------
The vendor has released an upgrade patch to fix this security issue; download it from the vendor's page:
https://bugs.gentoo.org/attachment.cgi?id=199108