绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

CUPS gif_read_lzw()函数GIF文件处理缓冲区溢出漏洞

发布日期：2008-04-01
更新日期：2008-04-02

受影响系统：

Easy Software Products CUPS 1.3.6

描述：

BUGTRAQ  ID: 28544
CVE(CAN) ID: CVE-2008-1373

Common Unix Printing System (CUPS)是一款通用Unix打印系统，是Unix环境下的跨平台打印解决方案，基于Internet打印协议，提供大多数PostScript和raster打印机服务。

CUPS处理畸形格式的GIF文件时存在漏洞，远程攻击者可能利用此漏洞控制服务器。

CUPS打印系统所使用的GIF解析代码直接从GIF图形中读取了code_size值，且没有经过验证便用于初始化gif_read_lzw()中的表格数组，这可能导致静态溢出。由于在for循环中用作上边界的clear_code为short型，因此溢出仅限于大约4k到16k的short int值。此外，攻击者仅能部分控制写过缓冲区的值。

<*来源：Tomas Hoger （thoger@redhat.com）

  链接：https://bugzilla.redhat.com/long_list.cgi?buglist=438303
        http://marc.info/?l=bugtraq&m=120110205511630&w=4
        https://www.redhat.com/support/errata/RHSA-2008-0206.html
        https://www.redhat.com/support/errata/RHSA-2008-0192.html
        http://security.gentoo.org/glsa/glsa-200804-01.xml
        http://www.debian.org/security/2008/dsa-1625
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

http://vexillium.org/dl.php?sdlgifdos

建议：

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-1625-1）以及相应补丁:
DSA-1625-1：New cupsys packages fix arbitrary code execution
链接：http://www.debian.org/security/2008/dsa-1625

补丁下载：
Source archives:

http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.diff.gz
Size/MD5 checksum:   107641 b1ae0953050580975ef0c6ff495e912d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.dsc
Size/MD5 checksum:     1376 4f8938f4dac4a9732efd621f4aabb63a

Architecture independent packages:

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch4_all.deb
Size/MD5 checksum:    45758 fbb5c3eaf74a1207d887e12bb75f6182
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch4_all.deb
Size/MD5 checksum:   924012 43e775475535e31f2f6963947c03525d

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:  1087542 cb6a29323e4cd1069b669c89963a1fac
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:    53024 090d638da135798424a129257b51b157
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:   142544 0d446b8acb588ec2b1c8c22067aa2364
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:  1574904 cdd7afb0953a56cf8d213778cbe1773e
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:    80706 687de2f8bf779ca898863fb94a07a12b
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:    85968 8d69f2ac63f2d4fbd923c2caa33c604d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:    36352 02c24a715c2f06dd8bc62a851591948e
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:   162230 0e2325c67bf23841038be68557ba8758

arm architecture (ARM)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_arm.deb
Size/MD5 checksum:    48718 28a8ac4acad82bd582358e38c0c23013
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_arm.deb
Size/MD5 checksum:    78910 6566d320a557b02cf94f379b84f0dba9
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_arm.deb
Size/MD5 checksum:    35936 6ae06d35d6c40084adfd8bfd65866174
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_arm.deb
Size/MD5 checksum:  1025732 5c3e851e94f3a41216d7a7149839c8d4
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_arm.deb
Size/MD5 checksum:   132040 3eb0b900c59ea118d768b1459898ea90
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_arm.deb
Size/MD5 checksum:   154878 02d749b77969111a813a4cba408bd74d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_arm.deb
Size/MD5 checksum:  1568968 5c60803b01b551503017f750bea5526e
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_arm.deb
Size/MD5 checksum:    85168 5b2a0162f00efdcc8cd1d93e0bc7486b

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:   172120 3b9de8875c9be02866143463b0c919f0
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:    91152 ab272c582600f995706b46709c510f32
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:  1022644 b587ee12458f80bd76a1d7b84869b741
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:    57192 4e117dab53e958404f958b99b08da4c1
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:   154086 2a27882b763ce10df0fd172cfa8d22bb
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:    86898 aebbadb4ddb70dde9a524fd56b7bfb46
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:  1624440 67216c81ae5f4d2f1d8b571f7099492e
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_hppa.deb
Size/MD5 checksum:    39270 1bbd6351cb6cd5f686faaddbeb731c4f

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_i386.deb
Size/MD5 checksum:    86844 5dd05c3c3f08b1e2a60405bcaef83146
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_i386.deb
Size/MD5 checksum:    79334 2002dc686f12bb5250d9fafb9b63a268
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_i386.deb
Size/MD5 checksum:    53272 1723eb6d5f00ce02702b52b60610c586
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_i386.deb
Size/MD5 checksum:    36230 cda0348c0c9b6dbd145e3c02e0c44fd2
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_i386.deb
Size/MD5 checksum:  1004104 10a43e1b53f782d065362e92ff0998f9
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_i386.deb
Size/MD5 checksum:   137972 203602cf657f98ee38a372c3922b7ae1
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_i386.deb
Size/MD5 checksum:   160382 2fa7444168c9f43a22eb776bd9638827
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_i386.deb
Size/MD5 checksum:  1559230 dfca65e3edd6f0fb4bdc18973efef89a

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:   203930 b457e7ae7fb11f876225150e559a4272
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:    46330 922f2bd1d98fcbb40badcebd7c0cc07c
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:   106642 b61d48e93e413245d3fd5ebe47c31243
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:  1107892 65945b9397a13a31fb8646cb71ef7794
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:   192372 eea62b30397305acdf6f98a6df50cf8e
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:  1770682 398872427b493f8206c38a3504fc1904
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:    74158 e1f00e7e8be7549ac2b58adaeba0f5b2
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_ia64.deb
Size/MD5 checksum:   106226 fb838547edf473df7efaa8fe41cf42f1

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mips.deb
Size/MD5 checksum:    86546 02bd3a3bb274f21179f65edfb28c1f7e
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mips.deb
Size/MD5 checksum:    76158 53a90a54e6cf7418b81e0b40db39566b
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mips.deb
Size/MD5 checksum:    36116 8d78c13d605160ee0caa835961667913
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mips.deb
Size/MD5 checksum:   150982 b48a8bcf9dbff3e842f83f4ca05e0421
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mips.deb
Size/MD5 checksum:  1097820 db2ff50e5555b022b54252f07b442992
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mips.deb
Size/MD5 checksum:   157742 94a7c2d49b7234c0a54291446c5ba06d
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mips.deb
Size/MD5 checksum:  1567460 dffd05c006a78e53bc8c03dc8beaa4ea
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mips.deb
Size/MD5 checksum:    57688 cbce6e984252bef94c0bd7ace9afdcdf

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:    86688 7c91af84b2fab2419fa4939bb8080097
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:  1552918 7d7af09023892fdd9e862ddcbb590fb3
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:   150896 ba6b2f7c16957759b63e20d66d5964f2
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:    36064 702ec7fbc7b2716e10a97f7b7c11e75a
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:   158270 0354f63d7126c3775cc74a95426052d4
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:    57846 2ee768d4dc5f9c8cbd046a801f154ef8
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:  1084676 bb31572c9939fe22762ceef59550b25e
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_mipsel.deb
Size/MD5 checksum:    77456 5884939dabb325cda97351bafdb62cfe

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:   162918 05df3db670b3f2a4dbb9d8a2d666eaca
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:    88204 4546a01b202669d3ffa97dca5b93bf03
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:  1576028 67c38bd81585274c0844efeedca40153
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:    51894 321b1c0c9d59643294a87b00f81f7895
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:    41310 45f55f0797900433a145028d63f6a6ef
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:    90004 61698739b3b436e6d1651dc388a89575
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:  1142660 10680b3b7efdeb10e9d834e869944206
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_powerpc.deb
Size/MD5 checksum:   136880 e5c2d81190a9233eb291b519c3b83de6

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_s390.deb
Size/MD5 checksum:   166424 a2a07e7c586a10000b519c6f6c2ec4e2
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_s390.deb
Size/MD5 checksum:  1586828 1e581be3892b978e7284de896c3121de
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_s390.deb
Size/MD5 checksum:    87588 b3d0d3e7dbb84414f606b4670c6e2692
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_s390.deb
Size/MD5 checksum:  1036620 bd1b35bd24260dfb340e0a3173a811a2
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_s390.deb
Size/MD5 checksum:    37430 622787f6d8b910f3657f98e0f5bf97bc
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_s390.deb
Size/MD5 checksum:    82342 40a55f0afa5b2fa03285fd4d4cd8666c
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_s390.deb
Size/MD5 checksum:    52468 470a81c78c7ececae0569e75bfab9ca7
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_s390.deb
Size/MD5 checksum:   144932 9ab43b87566469af9e4a79c9c1fae493

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:   139570 5f5faa6504275ed43f4a55787519fdfe
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:    78516 7066d103f739cd570fd141aa4fa780f6
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:    36032 c4e4289091dc19e5fbf7a6937ffb36f7
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:   158816 f33bda24ec7774227b3bdb3dddcf1c46
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:    51754 47ce5271662e6b980e34badfc9689009
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:    84956 96aa28ac50548723754274f30db15379
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:   991408 13a41c49f94085ca6a7f74a030506d3c
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_sparc.deb
Size/MD5 checksum:  1562092 2bfd90bca7dbac40df73303f8e1e4b6f

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update

   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

Easy Software Products
----------------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.cups.org/str.php?L2765

RedHat
------
RedHat已经为此发布了安全公告（RHSA-2008:0206-01/RHSA-2008:0192-01）以及相应补丁:
RHSA-2008:0206-01：Moderate: cups security update
链接：https://www.redhat.com/support/errata/RHSA-2008-0206.html

RHSA-2008:0192-01：Moderate: cups security update
链接：https://www.redhat.com/support/errata/RHSA-2008-0192.html

Gentoo
------
Gentoo已经为此发布了一个安全公告（GLSA-200804-01）以及相应补丁:
GLSA-200804-01：CUPS: Multiple vulnerabilities
链接：http://security.gentoo.org/glsa/glsa-200804-01.xml

所有CUPS用户都应升级到最新版本：

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-print/cups-1.2.12-r7"

浏览次数：2711
严重程度：0（网友投票）

本安全漏洞由绿盟科技翻译整理，版权所有，未经许可，不得转载
绿盟科技给您安全的保障

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客