
Security Research

Security Vulnerabilities
Libextractor Local Heap Overflow Vulnerability

Published: 2006-05-17
Updated: 2006-06-02

Affected systems:
libextractor libextractor 0.5.13
Unaffected systems:
libextractor libextractor 0.5.14
Description:
BUGTRAQ ID: 18021
CVE(CAN) ID: CVE-2006-2458

libextractor is a library for extracting metadata from files in many different formats.

libextractor contains two heap overflow vulnerabilities; a local attacker may exploit them to execute arbitrary code on the machine.

Details:

--------------------------------
A] Heap overflow in asfextractor
--------------------------------

When the plugin starts, a demux_asf_t structure is allocated and asf_read_header is called, which reads all of the input file headers needed to handle GUID_ASF_STREAM_PROPERTIES and CODEC_TYPE_AUDIO. There, an arbitrary amount of data, given by a 32-bit value named total_size, is copied from the ASF file into the 1024*2-byte wavex buffer. total_size is itself read from the same file and is never checked against the buffer size, so the copy can overflow the heap.

src/plugins/asfextractor.c:

static int asf_read_header(demux_asf_t *this) {
          ...
          total_size = get_le32(this);        /* length taken straight from the file */
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            /* total_size is never compared to the 1024*2-byte wavex buffer */
            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...


-------------------------------
B] Heap overflow in qtextractor
-------------------------------

The plugin also contains a heap overflow when handling QT/MOV files. In parse_trak_atom, a buffer is allocated with an attacker-supplied byte count, and memcpy is then called with a different length taken from the same input file.

src/plugins/qtextractor.c:

static qt_error parse_trak_atom (qt_trak *trak,
                 unsigned char *trak_atom) {
      ...
      /* buffer sized from the atom's own size field */
      trak->stsd_size = current_atom_size;
      trak->stsd = realloc (trak->stsd, current_atom_size);
      memset (trak->stsd, 0, trak->stsd_size);

      /* awful, awful hack to support a certain type of stsd atom that
       * contains more than 1 video description atom */
      if (BE_32(&trak_atom[i + 8]) == 1) {
        /* normal case */
        memcpy (trak->stsd, &trak_atom[i], current_atom_size);
        hack_adjust = 0;
      } else {
        /* pathological case; take this route until a more definite
         * solution is found: jump over the first atom video
         * description atom */

        /* copy the first 12 bytes since those remain the same */
        memcpy (trak->stsd, &trak_atom[i], 12);

        /* skip to the second atom and copy it; the copy length is a second
         * file-supplied value that is never checked against stsd_size */
        hack_adjust = BE_32(&trak_atom[i + 0x0C]);
        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
          BE_32(&trak_atom[i + 0x0C + hack_adjust]));
      ...
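As an added example (not libextractor's code), the two copies above with the missing bounds checks in place. It assumes a constructed layout: for case A the LE32 total_size immediately precedes the payload, and for case B the stsd atom carries its BE32 size at offset 0; the helper names asf_copy_wavex and qt_copy_stsd are hypothetical.

```c
/* Added example, not libextractor's code: the two copies from this page with
 * the missing checks. Both bugs share a root cause: a 32-bit length read from
 * the file is used as a copy length without comparing it to the destination
 * capacity or to the bytes actually available in the input. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WAVEX_CAP (1024 * 2)   /* the fixed wavex buffer size from case A */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Case A, hardened. Assumed (constructed) layout: total_size as LE32, then the
 * stream-properties payload. Returns bytes copied, or -1 on a bad length. */
int asf_copy_wavex(const uint8_t *in, size_t in_len, uint8_t *wavex) {
    if (in_len < 4) return -1;
    uint32_t total_size = le32(in);
    if (total_size > WAVEX_CAP) return -1;   /* would overflow wavex */
    if (total_size > in_len - 4) return -1;  /* would read past the input */
    memcpy(wavex, in + 4, total_size);
    return (int)total_size;
}

/* Case B, hardened. `atom` is an stsd atom with its BE32 size at offset 0; the
 * buffer is sized from that outer size, but the "pathological" path copies a
 * second, inner length, so both lengths are checked. Returns 0 or -1. */
int qt_copy_stsd(const uint8_t *atom, size_t atom_len, uint8_t **out, size_t *out_size) {
    if (atom_len < 16) return -1;
    uint32_t outer = be32(atom);
    if (outer < 16 || outer > atom_len) return -1;  /* size field must fit the data */
    uint8_t *stsd = calloc(1, outer);
    if (!stsd) return -1;
    if (be32(atom + 8) == 1) {                      /* normal case: copy whole atom */
        memcpy(stsd, atom, outer);
    } else {                                        /* skip the first description */
        uint32_t adj = be32(atom + 0x0C);
        if (adj > outer - 16) { free(stsd); return -1; }        /* inner header in range */
        uint32_t inner = be32(atom + 0x0C + adj);
        if (inner > outer - 0x0C - adj || inner > outer - 12) { /* fits source and dest */
            free(stsd); return -1;
        }
        memcpy(stsd, atom, 12);
        memcpy(stsd + 12, atom + 0x0C + adj, inner);
    }
    *out = stsd; *out_size = outer;
    return 0;
}
```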

<*Source: Luigi Auriemma (aluigi@pivx.com)

  Links: http://marc.theaimsgroup.com/?l=bugtraq&m=114790153314065&w=2
         http://www.debian.org/security/2006/dsa-1081
         http://security.gentoo.org/glsa/glsa-200605-14.xml
*>

Recommendations:
Vendor patches:

Debian
------
Debian has released security advisory DSA-1081-1 and the corresponding patches:
DSA-1081-1: New libextractor packages fix arbitrary code execution
Link: http://www.debian.org/security/2006/dsa-1081

Patch downloads: the per-architecture source and binary packages are listed in the DSA-1081-1 advisory linked above.
Patch installation:

1. Manual installation of the patch package:

   First, download the patch with the following command:
   # wget url  (url is the patch download link)

   Then install the patch with the following command:
   # dpkg -i file.deb  (file is the name of the corresponding patch package)

2. Automatic installation with apt-get:

   First, update the local package database:
   # apt-get update

   Then install the updated packages:
   # apt-get upgrade

Gentoo
------
Gentoo has released security advisory GLSA-200605-14 and the corresponding fix:
GLSA-200605-14: libextractor: Two heap-based buffer overflows
Link: http://security.gentoo.org/glsa/glsa-200605-14.xml

All libextractor users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/libextractor-0.5.14"

libextractor
------------
http://www.debian.org/security/2006/dsa-1081

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.