发布日期：2010-08-04
更新日期：2010-08-05

受影响系统：

Stuart Caie cabextract 1.2

描述：

---

BUGTRAQ  ID: 42173
CVE ID: CVE-2010-2801

cabextract是用于解压.CAB文件的开源解压软件。

在Quantum解码器中，如果到达了窗口换行，所有当前未写入的数据都会被flush到磁盘。有时flush的数据过多，导致out_bytes变量为负值。

当主解码循环完成时，如果out_bytes非0就会最终调用write()。在这种情况下，会使用负数的字节计数来调用mspack_system->write()。在cabextract的-t（测试档案）模式中，负值会被转换为无符整形并传送给md5_process_bytes()，导致读过有效进程空间的末尾，触发分段错误。

<*来源：Jan iankko Lieskovsky
  
  链接：http://permalink.gmane.org/gmane.comp.security.oss.general/3252
        http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=329891
        http://www.debian.org/security/2010/dsa-2087
*>

建议：

---

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-2087-1）以及相应补丁:
DSA-2087-1：New cabextract packages fix arbitrary code execution
链接：http://www.debian.org/security/2010/dsa-2087

补丁下载：

Source archives:

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1.diff.gz
Size/MD5 checksum:    12789 59cdfd8b274110f63d1beb1270c52e34
http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2.orig.tar.gz
Size/MD5 checksum:   194006 dc421a690648b503265c82ade84e143e
http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1.dsc
Size/MD5 checksum:      998 f2c2dc4b8af289ec37195023ad189869

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_alpha.deb
Size/MD5 checksum:    59536 243aa2fa601416f5acd638c6a17a9ad2

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_amd64.deb
Size/MD5 checksum:    55546 a5624b197fe5bdf751d1f921b7644a82

arm architecture (ARM)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_arm.deb
Size/MD5 checksum:    55500 6788e3148a1802bf7dd028c4aa338b9c

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_armel.deb
Size/MD5 checksum:    55674 6fe60d3d8cc54202c93b9876529aec39

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_i386.deb
Size/MD5 checksum:    55246 7bfc1b77c7e0eafccf57ba15183b714f

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_ia64.deb
Size/MD5 checksum:    73968 418f4acb6fd4c76212fe8b8f035a9ef1

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_mips.deb
Size/MD5 checksum:    56558 ec0192d5a6a4bf58e8635a4bce1d91df

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_mipsel.deb
Size/MD5 checksum:    56266 9ed34aa46e5f892814c899ce47ba194d

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_powerpc.deb
Size/MD5 checksum:    57348 1f9a74ca9c84eb6bbf1229669e54eca1

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_s390.deb
Size/MD5 checksum:    56782 f23310e7a6e249c6c1d27a3db1fcf553

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/c/cabextract/cabextract_1.2-3+lenny1_sparc.deb
Size/MD5 checksum:    54192 b2c7a8a5e74ae9432f79329736002038

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update
  
   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

Stuart Caie
-----------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://libmspack.svn.sourceforge.net/viewvc/libmspack/libmspack/trunk/mspack/qtmd.c?r1=114&r2=113
http://libmspack.svn.sourceforge.net/viewvc/libmspack?view=revision&revision=118

浏览次数：3108
严重程度：0（网友投票）