绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

Python-cjson Unicode字符编码缓冲区溢出漏洞

发布日期：2010-05-25
更新日期：2010-07-06

受影响系统：

Dan Pascu python-cjson 1.0.5

描述：

BUGTRAQ  ID: 41279
CVE ID: CVE-2010-1666

python-cjson是Python使用的快速JSON编码/解码器模块。

在启用了UCS-4编码的情况下，远程攻击者可以通过向python-cjson模块的cjson.encode函数提交超长的Unicode输入触发缓冲区溢出，导致拒绝服务或完全入侵使用该模块的应用所在系统。

<*来源：Matt Giuca

  链接：http://secunia.com/advisories/40335
        https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274
        http://www.debian.org/security/2010/dsa-2068
*>

建议：

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-2068-1）以及相应补丁:
DSA-2068-1：New python-cjson packages fix denial of service
链接：http://www.debian.org/security/2010/dsa-2068

补丁下载：
Source archives:

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5.orig.tar.gz
Size/MD5 checksum:    10978 4d55b66ecdf0300313af9d030d9644a3
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1.diff.gz
Size/MD5 checksum:     3892 106f2da130d255e076a7bf8f5c58a593
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1.dsc
Size/MD5 checksum:     1222 64a01e8f53b2ede46a66bca6ac19b693

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_alpha.deb
Size/MD5 checksum:    73356 543d592991961edf70ba9b1dcd8e581c
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_alpha.deb
Size/MD5 checksum:    16624 c3e3a1e12ca21be520f4695938b7e6df

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_amd64.deb
Size/MD5 checksum:    73264 058c96847871f8a1850c2e6b785b38d5
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_amd64.deb
Size/MD5 checksum:    16882 7fca836c1f1ddaf1a3cb689ab18e9ed7

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_arm.deb
Size/MD5 checksum:    64148 eddbd4ab8ed83a0c71407b64b85c939d
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_arm.deb
Size/MD5 checksum:    14316 321156989fc68dccd2b2fd636fca9f47

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_armel.deb
Size/MD5 checksum:    65278 25fa488695e376a0b09c56817466c584
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_armel.deb
Size/MD5 checksum:    14914 bf0c565b9145ac5d461064d834e463b1

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_hppa.deb
Size/MD5 checksum:    65442 6f296a2884b0a7851d3f8f665fd9a2b5
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_hppa.deb
Size/MD5 checksum:    15522 09617cae5456886281fe98861e908c05

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_i386.deb
Size/MD5 checksum:    14446 ee7ebf4760e7332d810cbc75899f077f
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_i386.deb
Size/MD5 checksum:    61442 6e0b7db1b436d7cf95d9b2c160fabefa

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_ia64.deb
Size/MD5 checksum:    81688 b41279a42693faf74bcaec4db6e3e4bd
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_ia64.deb
Size/MD5 checksum:    26956 820381374705502062ead4a26b0867e1

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_mips.deb
Size/MD5 checksum:    66044 b6425d327583fcd7d259683f0256800c
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_mips.deb
Size/MD5 checksum:    14618 d5ca589e8f259bd13592e61a7a80ec22

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_mipsel.deb
Size/MD5 checksum:    65290 74f63444c91ecd17056f5dfda603496f
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_mipsel.deb
Size/MD5 checksum:    14592 715e866822dc71ccca1791ad0c7709c3

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_powerpc.deb
Size/MD5 checksum:    18926 8711a13d0f5b309598b3e6e408d3cd5d
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_powerpc.deb
Size/MD5 checksum:    81490 f9b9489b6fbb66d90fe63e566874a7a0

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_s390.deb
Size/MD5 checksum:    63572 43ef034d108fc60a394fa48622706f10
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_s390.deb
Size/MD5 checksum:    14494 c1ab81a9d467d56f137439717cae2fde

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson_1.0.5-1+lenny1_sparc.deb
Size/MD5 checksum:    14158 26d07f1edd3caa21ac055ad9d6c98bcf
http://security.debian.org/pool/updates/main/p/python-cjson/python-cjson-dbg_1.0.5-1+lenny1_sparc.deb
Size/MD5 checksum:    60610 260ee7d6e76937dca05b40aba15bd1c5

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update

   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

浏览次数：3656
严重程度：0（网友投票）

本安全漏洞由绿盟科技翻译整理，版权所有，未经许可，不得转载
绿盟科技给您安全的保障

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客