安全研究
安全漏洞
GNU TAR和CPIO safer_name_suffix远程拒绝服务漏洞
发布日期:2007-11-14
更新日期:2010-03-17
受影响系统:
GNU cpio 2.6描述:
GNU cpio 2.5
GNU cpio 2.4
GNU cpio 1.x
GNU tar 1.16
GNU tar 1.15
GNU tar 1.14
GNU tar 1.13
BUGTRAQ ID: 26445
CVE(CAN) ID: CVE-2007-4476
GNU Tar和GNU Cpio都是流行的用于管理档案文件的程序。
tar和cpio使用的safer_name_suffix()函数使用alloca()报告所要剥离的前缀字符串,而这个字符串的长度(也就是传送给alloca的大小)是受tarball所有者控制的。因此,只要字符串超长就可以触发栈溢出。由于alloca()之后的memcpy()调用,这个溢出只能导致崩溃。
<*来源:Dmitry V. Levin
链接:http://lists.gnu.org/archive/html/bug-cpio/2007-08/msg00002.html
http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=196978
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=280961
https://www.redhat.com/support/errata/RHSA-2010-0144.html
https://www.redhat.com/support/errata/RHSA-2010-0141.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273551-1
http://www.debian.org/security/2007/dsa-1438
http://www.debian.org/security/2008/dsa-1566
http://security.gentoo.org/glsa/glsa-200711-18.xml
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1566-1)以及相应补丁:
DSA-1566-1:New cpio packages fix denial of service
链接:http://www.debian.org/security/2008/dsa-1566
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6.orig.tar.gz
Size/MD5 checksum: 556018 76b4145f33df088a5bade3bf4373d17d
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1.dsc
Size/MD5 checksum: 556 fdcfe9fa17130663f3fcb21aebb52924
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1.diff.gz
Size/MD5 checksum: 92775 78d1098c15d92c0d5bfe6c5dcc4e5652
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_alpha.deb
Size/MD5 checksum: 146740 167eeae5237940f15b9eea7b1f754b65
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_amd64.deb
Size/MD5 checksum: 136734 f827f70099b66a518fbd3e6782e7909b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_arm.deb
Size/MD5 checksum: 132108 b4ecfb2b81f84d1f82c268c0ccb0081d
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_hppa.deb
Size/MD5 checksum: 143166 b7ca87731e442f3eaaf117113bfc941a
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_i386.deb
Size/MD5 checksum: 132096 c490f550663e524725544d389546e56f
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_ia64.deb
Size/MD5 checksum: 171990 be7ca34414f4bfa4129379c9eea3473f
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_mips.deb
Size/MD5 checksum: 146084 f57b7e09e1705692427220cd1932ea1a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_mipsel.deb
Size/MD5 checksum: 145348 2010baf76d3039417c6b6bca1eba1246
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_powerpc.deb
Size/MD5 checksum: 138322 229edae58b3b4387dcfdcf8717932cb4
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_s390.deb
Size/MD5 checksum: 143878 60c6e036d5df8c67e74f301fa14b4e9f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/c/cpio/cpio_2.6-18.1+etch1_sparc.deb
Size/MD5 checksum: 131248 63a51ec9ac633327f21d27c616d604ba
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2010:0141-01)以及相应补丁:
RHSA-2010:0141-01:Moderate: tar security update
链接:https://www.redhat.com/support/errata/RHSA-2010-0141.html
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-6616278)以及相应补丁:
Sun-Alert-6616278:Two Security Vulnerabilities in GNU tar (see gtar(1)) May Lead to Files Being Overwritten, Execution of Arbitrary Code, or a Denial of Service (DoS)
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-66-273551-1
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200711-18)以及相应补丁:
GLSA-200711-18:Cpio: Buffer overflow
链接:http://security.gentoo.org/glsa/glsa-200711-18.xml
浏览次数:2469
严重程度:0(网友投票)
绿盟科技给您安全的保障