首页 -> 安全研究
安全研究
安全漏洞
NewsX NNTP SysLog本地格式串溢出漏洞
发布日期:2002-07-15
更新日期:2002-07-22
受影响系统:
newsx newsx 1.4 pl6描述:
- FreeBSD 4.6
BUGTRAQ ID: 5240
CVE(CAN) ID: CVE-2002-1789
NewsX NNTP客户端是一款用于访问Internet News服务器的程序。
NewsX NNTP客户端对用户提交的输入缺少正确的检查,本地攻击者可以利用这个漏洞进行格式串溢出攻击。
NewsX NNTP客户端中的syslog函数对用户提交数据缺少正确的检查,本地攻击者可以提交恶意格式字符串导致写内存任意位置,当NNTP客户端如果以setuid/setgid属性安装时,精心构建格式串数据可能导致攻击者以NNTP进程的权限在系统上执行任意指令。
目前还不清楚是否可以远程利用这个漏洞。
<*来源:zillion (zillion@snosoft.com)
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时没有合适的临时解决方法。
厂商补丁:
newsx
-----
diff -urN /usr/ports/news/newsx.orig/Makefile /usr/ports/news/newsx/Makefile
--- /usr/ports/news/newsx.orig/Makefile Sun Jul 7 22:00:46 2002
+++ /usr/ports/news/newsx/Makefile Mon Jul 15 21:51:29 2002
@@ -6,10 +6,10 @@
#
PORTNAME= newsx
-PORTVERSION= 1.4.6
+PORTVERSION= 1.4.8
CATEGORIES= news
MASTER_SITES= ftp://ftp.kvaleberg.com/pub/
-DISTNAME= ${PORTNAME}-${PORTVERSION:S/.6/pl6/}
+DISTNAME= ${PORTNAME}-${PORTVERSION:S/.8/pl6/}
MAINTAINER= thierry@pompo.net
diff -urN /usr/ports/news/newsx.orig/files/patch-configure.in /usr/ports/news/newsx/files/patch-configure.in
--- /usr/ports/news/newsx.orig/files/patch-configure.in Thu Jan 31 21:55:12 2002
+++ /usr/ports/news/newsx/files/patch-configure.in Mon Jul 15 21:47:42 2002
@@ -1,5 +1,14 @@
--- configure.in.orig Tue Jan 29 20:15:19 2002
-+++ configure.in Thu Jan 31 01:05:04 2002
++++ configure.in Mon Jul 15 21:46:55 2002
+@@ -167,7 +167,7 @@
+ dnl
+ AC_INIT(FAQ)
+
+-AM_INIT_AUTOMAKE(newsx, 1.4pl6)
++AM_INIT_AUTOMAKE(newsx, 1.4pl8)
+ AM_CONFIG_HEADER(config.h)
+ dnl Only most recent year required:
+ COPYRIGHT="Copyright 2002 Egil Kvaleberg <egil@kvaleberg.no>"
@@ -189,7 +189,7 @@
dnl Default list of locations to visit in search of the
dnl news configuration file
diff -urN /usr/ports/news/newsx.orig/files/patch-src_logmsg.c /usr/ports/news/newsx/files/patch-src_logmsg.c
--- /usr/ports/news/newsx.orig/files/patch-src_logmsg.c Thu Jan 1 01:00:00 1970
+++ /usr/ports/news/newsx/files/patch-src_logmsg.c Mon Jul 15 21:40:27 2002
@@ -0,0 +1,74 @@
+--- src/logmsg.c.orig Wed Feb 14 07:55:40 2001
++++ src/logmsg.c Mon Jul 15 21:38:30 2002
+@@ -1,4 +1,4 @@
+-/* VER 079 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
++/* VER 080 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $
+ *
+ * handle error messages and such...
+ *
+@@ -60,9 +60,9 @@
+ /*
+ * try to make a surrogate
+ * we assume that on those architectures where this trick
+- * doesn't work there we will surely have stdarg.h or varargs.h
++ * doesn't work there we will surely be stdarg.h or varargs.h
+ */
+-#define vsprintf(buf, fmt, ap) sprintf(buf, fmt, arg1, arg2, arg3, arg4)
++#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4)
+ #define vfprintf(file, fmt, ap) fprintf(file, fmt, arg1, arg2, arg3, arg4)
+ #endif
+
+@@ -156,7 +156,7 @@
+ #endif
+ {
+ int e;
+- char buf[BUFSIZ]; /* BUG: do we risk overwriting it? */
++ char buf[BUFSIZ];
+
+ #if HAVE_VPRINTF
+ va_list ap;
+@@ -176,34 +176,33 @@
+ case L_ERRno:
+ case L_ERR:
+ e = errno;
+- vsprintf(buf, fmt, ap);
+- if (type == L_ERRno) {
+- sprintf(buf + strlen (buf), ": %s", str_error(e));
+- }
+- strcat(buf, "\n");
++ vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ if (!debug_opt) {
+- syslog(LOG_ERR, buf);
++ syslog(LOG_ERR, "%s%s%s\n", buf,
++ ((type==L_ERRno) ? ": ":""),
++ ((type==L_ERRno) ? str_error(e):""));
+ } else
+ #endif
+ {
+ clean_line();
+- fprintf(stderr, "%s: %s", pname, buf);
++ fprintf(stderr, "%s: %s%s%s\n", pname, buf,
++ ((type==L_ERRno) ? ": ":""),
++ ((type==L_ERRno) ? str_error(e):""));
+ fflush(stderr);
+ }
+ break;
+
+ case L_INFO:
+- vsprintf(buf, fmt, ap);
+- strcat(buf, "\n");
++ vsnprintf(buf, sizeof(buf), fmt, ap);
+ #if HAVE_SYSLOG_H
+ if (!debug_opt) {
+- syslog(LOG_INFO, buf);
++ syslog(LOG_INFO, "%s\n", buf);
+ } else
+ #endif
+ {
+ clean_line();
+- fprintf(stderr, "%s", buf);
++ fprintf(stderr, "%s\n", buf);
+ fflush(stderr);
+ fflush(stderr);
+ }
+ break;
浏览次数:3135
严重程度:0(网友投票)
绿盟科技给您安全的保障