安全研究
安全漏洞
cURL/libcURL URL解析器缓冲区溢出漏洞
发布日期:2005-12-07
更新日期:2005-12-13
受影响系统:
Daniel Stenberg curl <= 7.15.0不受影响系统:
Daniel Stenberg curl 7.15.1描述:
BUGTRAQ ID: 15756
cURL是命令行传输文件工具,支持FTP、FTPS、HTTP、HTTPS、GOPHER、TELNET、DICT、FILE和LDAP。
libcurl在解析URL时存在溢出漏洞,攻击者可以利用这个漏洞绕过PHP的safe_mode/open_basedir限制,或从apache内存窃取本地SSL证书。
libcurl在解析URL时首先会为主机名和路径部分分配特定的缓冲区。如果URL较短的话,会为每个缓冲区至少分配256个字节;如果输入URL超过了256字节限制的话,libcurl就会分配2个缓冲区,大小为输入URL的长度。然后一些sscanf调用会解析URL。畸形的URL会导致sscanf将完整的输入URL拷贝到主机或路径缓冲区。由于最初的分配没有为0字节分配额外的空间,这可能导致大小差一(off-by-one)的情况。
尽管这种溢出已经可以控制某些malloc()/free()的实现,攻击者还可以通过有“?”的主机名导致两个字节的溢出。如果libcurl发现主机名中存在“?”的话,就会认定为畸形URL,并未经任何大小检查便在其前面添加路径分隔符“/”。
<*来源:Stefan Esser (s.esser@ematters.de)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113398095610122&w=2
http://www.debian.org/security/2005/dsa-919
*>
建议:
厂商补丁:
Daniel Stenberg
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://curl.haxx.se/download/curl-7.15.1.tar.gz
Debian
------
Debian已经为此发布了一个安全公告(DSA-919-1)以及相应补丁:
DSA-919-1:New curl packages fix potential security problem
链接:http://www.debian.org/security/2005/dsa-919
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.dsc
Size/MD5 checksum: 603 c7980d3b9589f2ef20390a70e0b4de74
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1.diff.gz
Size/MD5 checksum: 16631 e35ec4ff7161fa158c04c8cbf716d159
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5.orig.tar.gz
Size/MD5 checksum: 682397 a4df6bb5aa8962c204e73c8f98077928
Alpha architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 118498 584184fdc57b0b302b1c16b293222492
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 195922 6a58bcdea99e866fdfbad573b3d6ef8d
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_alpha.deb
Size/MD5 checksum: 116574 799b6ccd5c223cd8580c8e4fc610fef8
ARM architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 114452 028489639e478d66a6223c7a2175cac9
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 172978 ad531498826aaa48ec0e2eb5c2df7207
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_arm.deb
Size/MD5 checksum: 101852 c7df9a970ef2f5a1ac11f6aae2c539be
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 112954 55c016b60375a465dd139b25a9860e3b
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 163696 c88d95d412ef529c8eebc9d21a5d6006
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_i386.deb
Size/MD5 checksum: 100482 ca2e1ea6b2508888814e75101a9936bf
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 122062 7476d36d7530caab9aa08c8c24bc7b17
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 210310 5ef9167039cdf11ba26f5380265e9f0e
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_ia64.deb
Size/MD5 checksum: 139432 6c924348404f96a9d534485d231da013
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 116424 a94545e972184368284431251dc81bc0
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 186366 a9ef087b21652930a452f9aa61e17040
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_hppa.deb
Size/MD5 checksum: 112976 9f67b8e55d8578f97913aef8135251cc
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 112776 246260a28117b2c1fc01d9754e4dc4fe
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 159130 3e9ce9d21bbdce3688ddbaf4f260ac2f
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_m68k.deb
Size/MD5 checksum: 97160 01ce2ddf9d7a91373bc02086a0718225
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 115468 6e64a1534418bb425a1ad1dc2be0e1f9
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 183938 5978db39fe8acd2a4042c6f184129211
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mips.deb
Size/MD5 checksum: 105234 2e48fba8ba1392918aa0c0ad95b0d237
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 115494 0c3bdfc2517c81dda03e999505711af5
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 183856 aef61efcb299d750e575eb1e8cc0a500
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_mipsel.deb
Size/MD5 checksum: 105328 830278f24a115bf4dfa2a57517507faa
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 115064 36a580ccb525717018023223252a2dad
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 181490 7af33b2711cea9edd18a1e0bf76b7908
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_powerpc.deb
Size/MD5 checksum: 106400 362227268352e1b6345d665e46cad9f4
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 114380 e67536f6369452d7eb9c68a526b50acc
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 167516 6a47b2681d358a72dd2da46cd282cde3
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_s390.deb
Size/MD5 checksum: 104362 f48b9e5257fb2d933676f1bdedf65700
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 114212 dcc862dfac0b145a85dd41ee26b8f68a
http://security.debian.org/pool/updates/main/c/curl/libcurl-dev_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 173280 9d4005552173802f517f84c7b7ff6e7c
http://security.debian.org/pool/updates/main/c/curl/libcurl2_7.9.5-1woody1_sparc.deb
Size/MD5 checksum: 107954 1bcfdf01ff3c281aca72220de9c36285
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.dsc
Size/MD5 checksum: 810 da7861471f869f9a9ec5134d5fd38d19
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4.diff.gz
Size/MD5 checksum: 171255 d385dd607b786b7f850a9f24babcc65a
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2.orig.tar.gz
Size/MD5 checksum: 2201086 b3bd4a303f35f9a2a3ed3671cedf8329
Alpha architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 150884 bd55a60b515ee8c2465fd17f7de29d50
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 251276 2f8cc5197eb54c78b18f25f63207d286
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 1010862 797c1b435ae57f09704840682615fed9
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 1279412 1d9b9bcaeb4f55b4e1029ab24b74cb7f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_alpha.deb
Size/MD5 checksum: 132164 b81c4278c3cbdf9c78266ca451110745
AMD64 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 148002 b56233f49b100362e368b03e66218720
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 239260 d13d8eaecec3d63810e1ed73a6268ee2
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 1004100 712cffdd8bb0678bbd5372f8038bf743
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 1237918 5b7ab2089d6c421223ab1d5bca45ccc8
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_amd64.deb
Size/MD5 checksum: 119332 a29338d6eebb002f76b64eb8db25669d
ARM architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 147036 4d7dd6a1e18101e9f82ca47bd71adee6
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 232254 7e7aa0f0d63d809380c5cf16a7bd9998
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 1006512 1b6bba8334374b9a0973834db013deec
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 1236324 d6e759826948dfc0b85100aa0721acbd
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_arm.deb
Size/MD5 checksum: 112850 6a4bb805155911126e0da34c9a69caba
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 146622 b5c28b5df70be2f14ccc38ba76445184
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 237394 deeefb82e0e50917d334cd58e941c703
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 1003560 5a072f044f577601edf276a80eee1a16
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 1223642 101c390bd001489d4338f18b64c7564f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_i386.deb
Size/MD5 checksum: 118476 0b34194348da0cf2e73833791321f8be
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 156700 c40c8b873384b31606d0f86f62f87d62
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 279198 15bb908f6a841d8ffab2051484691d6d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 1014686 c515f26ae840693a7af303b939e533de
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 1293752 a96384202ca09ebb218eb7ab0872da4d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_ia64.deb
Size/MD5 checksum: 160754 e197fcb10908f1201b12105d6a4fe988
HP Precision architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 150516 e80d05b29994e4a4aa921a060f1aaa4a
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 251178 95c1f4a011dd7509e631326175c6f4ac
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 1002034 069328e53c666557d876adc4c7df762a
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 1253588 66b90d2a50a329df1a6d2deb5db11caf
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_hppa.deb
Size/MD5 checksum: 132258 345e3389c3d58356d4324b6cb09b4ce1
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 144622 dcd9d447dc466637937f1390df4efe8c
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 227834 d354dcd599d04d9c592b8fdbbe833775
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 998522 83c7e2d7474f2bc623d3fa19db556c94
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 1211958 a3e925c82c058b01971a781462d56fe9
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_m68k.deb
Size/MD5 checksum: 108658 c59d11114a8209e7fec2b5fd608e3864
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 149912 722a66107541a6d2ae823f46b1459743
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 237422 08c3c48899e33babbc9bc8f3d8b8d97d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 1007542 26b4bee9ab3ece84e1a2ef5bc0cfa815
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 1246952 ab4a46b14f124baad25a1c15e5f84f5d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mips.deb
Size/MD5 checksum: 118446 76a1ed48d045c6eec4ac3a9246adf369
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 150000 68e58cb1e4a76411d44f0cc28bed3dac
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 237988 53b75c49f88e29ea3b0615a33d1d179f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 1010926 a31f246e13a31e422d6abd4637e7d79f
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 1247194 ae4a7ceb8e33c0f6d6e0ea017c1fd5a7
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_mipsel.deb
Size/MD5 checksum: 118908 499638c1e407f837d438eb3ee25b71c5
PowerPC architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 150630 9d498e220cf3f1ea0bed9eba37895994
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 243434 e115acf14a63f9c2a19d42b1963ca7a0
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 1640952 fa15696dc540f1615672417c997761b3
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 1245276 db89abb638e975cdbcc0381b4123ea10
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_powerpc.deb
Size/MD5 checksum: 124126 78380f53d3d3656f87ea7d407e0ecd37
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 148600 4660101e4a8bd44eb68ef9ea80d95502
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 246602 de14f2625c352dc0f96981759b7ae94d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 1025394 ea2821337cbbefffa7833cc8f2f73aae
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 1240726 1942bd69e7d06c8fa4f0aefda94a2b54
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_s390.deb
Size/MD5 checksum: 127424 a7412a250bd42c0cfe74d054a76e4352
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/c/curl/curl_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 147624 92c2113d31613a17dad62bf4585bb96d
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 236962 defcd15ad18e2110105685aa592c36cb
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 996594 515599851d6c7bc75edd4bd2a85e1b22
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 1232322 4680ad497ca64e90d3a8cfc10f134ca7
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gssapi_7.13.2-2sarge4_sparc.deb
Size/MD5 checksum: 117968 8b50fcf2af77f3f5b075797c3f5db265
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
浏览次数:5053
严重程度:0(网友投票)
绿盟科技给您安全的保障