Pine rfc2231_get_param() Remote Integer Overflow Vulnerability

Published: 2003-09-10
Updated: 2003-09-18

Affected systems:
University of Washington Pine 4.56
University of Washington Pine 4.53
University of Washington Pine 4.52
University of Washington Pine 4.44
University of Washington Pine 4.30
University of Washington Pine 4.21
University of Washington Pine 4.20
University of Washington Pine 4.10
University of Washington Pine 4.0.4
University of Washington Pine 4.0.2
University of Washington Pine 3.98
University of Washington Pine 4.33
    - Conectiva Linux 7.0
    - Conectiva Linux 6.0
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - FreeBSD 4.4
    - FreeBSD 4.3
    - FreeBSD 4.2
    - RedHat Linux 7.1
    - Slackware Linux 7.1
    - Slackware Linux 7.0
    - SuSE Linux 7.3
    - SuSE Linux 7.2
    - SuSE Linux 7.1
Unaffected systems:
University of Washington Pine 4.58
Description:
BUGTRAQ  ID: 8589
CVE(CAN) ID: CVE-2003-0721

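Pine is an open-source email client.

The rfc2231_get_param() function in Pine contains an integer overflow. A remote attacker can exploit it by crafting a malicious email and luring the user into viewing it, which allows arbitrary commands to be executed on the system with the privileges of the user's process.

The problem is in the rfc2231_get_param() function in strings.c, which declares a character array 64 bytes in size: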

#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];

and indexed by the signed integer variable 'n':

if(n < RFC2231_MAX){
    pieces[n] = parms->value;

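The variable 'n' can be controlled by the attacker and can be set to a negative value to bypass the safety check. By storing assembly code in the parms->value structure and overwriting the 64-byte array, it may be possible to overwrite the instruction pointer on the stack and execute arbitrary commands on the system with the user's privileges.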
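The one-sided check quoted above, next to a two-sided check and an index parser that cannot wrap (an added example, not code from Pine or from the advisory). It assumes the index is the numeric suffix of an RFC 2231 parameter continuation such as `filename*3`; `weak_index_ok`, `strict_index_ok`, `parse_section` and `store_piece` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>

#define RFC2231_MAX 64

/* The check quoted in the advisory: upper bound only, on a signed int. */
static int weak_index_ok(int n) { return n < RFC2231_MAX; }
/* Hardened check: both bounds, so a negative index is refused. */
static int strict_index_ok(int n) { return n >= 0 && n < RFC2231_MAX; }

/* Parse the section number after '*' in a continuation name such as
 * "filename*3" (hypothetical helper, not Pine's parser). Returns the index,
 * or -1 if it is missing, malformed, or not below RFC2231_MAX. The bound is
 * tested after every digit, so the accumulator stays small and cannot wrap. */
static int parse_section(const char *name)
{
    const char *p = name;
    int n = 0;
    while (*p && *p != '*')
        p++;
    if (*p != '*' || !isdigit((unsigned char)p[1]))
        return -1;
    for (p++; isdigit((unsigned char)*p); p++) {
        n = n * 10 + (*p - '0');
        if (n >= RFC2231_MAX)
            return -1;
    }
    return (*p == '\0' || *p == '*') ? n : -1;  /* "*N*" marks an encoded piece */
}

/* Store a piece only when the slot index is valid; returns 1 if stored. */
static int store_piece(char *pieces[], int n, char *value)
{
    if (!strict_index_ok(n))
        return 0;
    pieces[n] = value;
    return 1;
}

int main(void)
{
    /* Constructed parameter names, not taken from a real message. */
    const char *names[] = { "filename*3", "filename*64", "filename*99999999999" };
    char *pieces[RFC2231_MAX] = { 0 };
    char value[] = "part";
    for (int i = 0; i < 3; i++)
        printf("%s -> %d\n", names[i], parse_section(names[i]));
    printf("weak(-5)=%d stored(-5)=%d\n", weak_index_ok(-5), store_piece(pieces, -5, value));
    return 0;
}
```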

<*Source: iDEFENSE Security Advisory (labs@idefense.com)

  Links: http://www.idefense.com/advisory/09.10.03.txt
         https://www.redhat.com/support/errata/RHSA-2003-273.html
         http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738
*>

Recommendations:
Vendor patches:

Conectiva
---------
Conectiva has released a security advisory (CLA-2003:738) and corresponding patches for this issue:
CLA-2003:738:pine
Link: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738

Patch downloads:

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/pine-4.50L-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/pine-4.50L-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/pine-4.50L-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/pine-4.50L-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/pine-4.53L-22751U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/pine-4.53L-22751U90_1cl.src.rpm

RedHat
------
RedHat has released a security advisory (RHSA-2003:273-01) and corresponding patches for this issue:
RHSA-2003:273-01:Updated pine packages fix vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2003-273.html

Patch downloads:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pine-4.44-19.71.0.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/pine-4.44-19.71.0.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pine-4.44-19.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/pine-4.44-19.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pine-4.44-19.72.0.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pine-4.44-19.73.0.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/pine-4.44-19.73.0.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pine-4.44-19.80.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/pine-4.44-19.80.0.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/pine-4.44-19.90.0.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/pine-4.44-19.90.0.i386.rpm

S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2003:037) and corresponding patches for this issue:
SuSE-SA:2003:037:pine
Link:

Patch downloads:

Intel i386 Platform:

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.rpm
      c3d94808af56ac9fcc77bec85733bc47
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.patch.rpm
      fff680da5c283d2d50a44419976881a8
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/pine-4.53-109.src.rpm
      327935d468b4cd7794dde00168a901c3

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.rpm
      63bc3f723537b18a274404c9b30ea784
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.patch.rpm
      1d4711753488a274c8cf168b24c91acf
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/pine-4.44-283.src.rpm
      9617c79c854c2b800df476aa515ae351

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.rpm
      edea9fbbf85a9f922d2b2aa8bf4a14e8
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.patch.rpm
      18c95a919fb8767f3cff10218ce6c08c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pine-4.44-281.src.rpm
      6bf6b39feed23892faceaa78fd13b751

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/pine-4.33-280.i386.rpm
      65d24983aa99d276e75ccd557eee557b
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/pine-4.33-280.src.rpm
      b0ecee1170d1fdec3b22e98d0941071a

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/pine-4.33-279.i386.rpm
      574ae6efcf81a53a26d5d19b763f96ab
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/pine-4.33-279.src.rpm
      14fbade46db5dbc9c9893cf507d57e4a




Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/pine-4.33-101.sparc.rpm
      4e90502bfc4ca5b49c20f8a10cb9d473
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/pine-4.33-101.src.rpm
      c600432ad453999aa329b836490842df




PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/pine-4.33-153.ppc.rpm
      0c4323f70d9cc8b95d35f4356351990c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/pine-4.33-153.src.rpm
      6f6987ad3110ff3bf0bd5edb08ee935a

University of Washington
------------------------
The vendor has released an upgrade that fixes this security issue. Download and use PINE version 4.58 from the vendor's home page:

http://www.washington.edu/pine/getpine/

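This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.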