Pine Message/External-Body Type Attribute Buffer Overflow Vulnerability
Published: 2003-09-10
Updated: 2003-09-18
Affected systems:
University of Washington Pine 4.56
University of Washington Pine 4.53
University of Washington Pine 4.52
University of Washington Pine 4.44
University of Washington Pine 4.30
University of Washington Pine 4.21
University of Washington Pine 4.20
University of Washington Pine 4.10
University of Washington Pine 4.0.4
University of Washington Pine 4.0.2
University of Washington Pine 3.98
University of Washington Pine 4.33
    - Conectiva Linux 7.0
    - Conectiva Linux 6.0
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - FreeBSD 4.4
    - FreeBSD 4.3
    - FreeBSD 4.2
    - RedHat Linux 7.1
    - Slackware Linux 7.1
    - Slackware Linux 7.0
    - SuSE Linux 7.3
    - SuSE Linux 7.2
    - SuSE Linux 7.1
Unaffected systems:
University of Washington Pine 4.58
Description:
BUGTRAQ ID: 8588
CVE(CAN) ID: CVE-2003-0720
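Pine is an open-source e-mail client.
Pine has a buffer overflow in its handling of "message/external-body" type attributes. A remote attacker can exploit it by building a malicious e-mail and enticing the user to view it, executing arbitrary commands on the system with the privileges of the user's process.
When Pine parses the name/value pairs of "message/external-body" type attributes, it does not correctly check the maximum length of an attribute, which allows an attacker to build a malformed e-mail that overwrites control structures and leads to arbitrary command execution.
The problem is in the following code: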
headers.h:
    #define SIZEOF_20KBUF (20480)
The above is used to declare a 20 KB character array:
pine.c:
    char tmp_20k_buf[SIZEOF_20KBUF];
The tmp_20k_buf[] array is stored in the .bss segment and is referenced through the character pointer 'd'. The vulnerability is in the display_parameters() function in mailview.c:
    d = tmp_20k_buf;
    if(parmlist = rfc2231_newparmlist(params)){
        /* 'd' is checked only before each write; the length of attrib is not limited */
        while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
            sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                    parmlist->value ? strsquish(tmp_20k_buf + 11000,
                                                parmlist->value, 100)
                                    : "");
            d += strlen(d);
        }
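Starting at 'd', the code pads the attribute name with spaces to the width 'longest' and then writes the attribute name/value pair, for example:
Access-Type: ftp
URL: ftp://localhost/pub/interesting.ps
If an attacker builds an e-mail that supplies any attribute name longer than 20 KB, the buffer overflows; carefully constructed data may allow arbitrary commands to be executed on the system with the user's privileges.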
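A bounded form of the loop above, as an added example (it is not Pine's code and not the vendor patch): each write is limited to the space still free in the buffer instead of testing 'd' only before the write. The names struct param, format_params, MAX_ATTR and MAX_VAL and the sample input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTR 64   /* assumed display cap for an attribute name */
#define MAX_VAL  100  /* the page's code squishes values to 100 characters */

/* Hypothetical stand-in for one parsed name/value pair (not Pine's own type). */
struct param { const char *attrib; const char *value; };

/* Format "name: value" lines into out[outsz]. Each write is limited to the
 * space still free, and name and value are clipped by printf precisions.
 * Returns the number of pairs written in full; *used receives the byte count. */
size_t format_params(char *out, size_t outsz, const struct param *p,
                     size_t n, int longest, size_t *used)
{
    size_t i, off = 0;

    if (used)
        *used = 0;
    if (outsz == 0)
        return 0;
    out[0] = '\0';
    if (longest < 0 || longest > MAX_ATTR)
        longest = MAX_ATTR;       /* the pad width comes from the message too */
    for (i = 0; i < n; i++) {
        int w = snprintf(out + off, outsz - off, "%-*.*s: %.*s\n",
                         longest, MAX_ATTR, p[i].attrib,
                         MAX_VAL, p[i].value ? p[i].value : "");
        if (w < 0 || (size_t)w >= outsz - off) {
            out[off] = '\0';      /* drop the partial line and stop */
            break;
        }
        off += (size_t)w;
    }
    if (used)
        *used = off;
    return i;
}

int main(void)
{
    /* Constructed sample input, taken from the example output on this page. */
    struct param ok[] = { { "Access-Type", "ftp" },
                          { "URL", "ftp://localhost/pub/interesting.ps" } };
    char buf[128];
    size_t used;
    size_t n = format_params(buf, sizeof buf, ok, 2, 11, &used);

    printf("%zu pairs, %zu bytes\n%s", n, used, buf);
    return 0;
}
```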
<*Source: iDEFENSE Security Advisory (labs@idefense.com)
Links: http://www.idefense.com/advisory/09.10.03.txt
https://www.redhat.com/support/errata/RHSA-2003-273.html
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738
*>
Recommendations:
Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2003:738) and corresponding patches for this issue:
CLA-2003:738: pine
Link: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738
Patch downloads:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/pine-4.50L-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/pine-4.50L-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/pine-4.50L-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/pine-4.50L-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/pine-4.53L-22751U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/pine-4.53L-22751U90_1cl.src.rpm
RedHat
------
RedHat has released a security advisory (RHSA-2003:273-01) and corresponding patches for this issue:
RHSA-2003:273-01: Updated pine packages fix vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2003-273.html
Patch downloads:
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pine-4.44-19.71.0.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/pine-4.44-19.71.0.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pine-4.44-19.72.0.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/pine-4.44-19.72.0.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pine-4.44-19.72.0.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pine-4.44-19.73.0.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/pine-4.44-19.73.0.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pine-4.44-19.80.0.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/pine-4.44-19.80.0.i386.rpm
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/pine-4.44-19.90.0.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/pine-4.44-19.90.0.i386.rpm
S.u.S.E.
--------
S.u.S.E. has released a security advisory (SuSE-SA:2003:037) and corresponding patches for this issue:
SuSE-SA:2003:037: pine
Link:
Patch downloads:
Intel i386 Platform:
SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.rpm
c3d94808af56ac9fcc77bec85733bc47
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.patch.rpm
fff680da5c283d2d50a44419976881a8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/pine-4.53-109.src.rpm
327935d468b4cd7794dde00168a901c3
SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.rpm
63bc3f723537b18a274404c9b30ea784
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.patch.rpm
1d4711753488a274c8cf168b24c91acf
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/pine-4.44-283.src.rpm
9617c79c854c2b800df476aa515ae351
SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.rpm
edea9fbbf85a9f922d2b2aa8bf4a14e8
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.patch.rpm
18c95a919fb8767f3cff10218ce6c08c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pine-4.44-281.src.rpm
6bf6b39feed23892faceaa78fd13b751
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/pine-4.33-280.i386.rpm
65d24983aa99d276e75ccd557eee557b
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/pine-4.33-280.src.rpm
b0ecee1170d1fdec3b22e98d0941071a
SuSE-7.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/pine-4.33-279.i386.rpm
574ae6efcf81a53a26d5d19b763f96ab
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/pine-4.33-279.src.rpm
14fbade46db5dbc9c9893cf507d57e4a
Sparc Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/pine-4.33-101.sparc.rpm
4e90502bfc4ca5b49c20f8a10cb9d473
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/pine-4.33-101.src.rpm
c600432ad453999aa329b836490842df
PPC Power PC Platform:
SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/pine-4.33-153.ppc.rpm
0c4323f70d9cc8b95d35f4356351990c
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/pine-4.33-153.src.rpm
6f6987ad3110ff3bf0bd5edb08ee935a
University of Washington
------------------------
The vendor has released an upgrade that fixes this security issue; download and use PINE 4.58 from the vendor's home page:
http://www.washington.edu/pine/getpine/