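Vulnerability Details
LPRng remote format string overflow vulnerability on Linux systems
- CNNVD ID: CNNVD-200012-136
- Severity: Critical
- CVE ID: CVE-2000-0917
- Vulnerability type: Unknown
- Published: 2000-09-25
- Threat type: Remote
- Updated: 2006-09-05
- Vendor: trustix
- Source: Chris Evans※ chris...
Vulnerability Summary
LPRng is an implementation of the Berkeley lpr printing tool. The LPRng program shipped with some Linux systems contains a format string overflow vulnerability. A remote attacker can exploit it to execute arbitrary commands on the host with root privileges.

The LPRng implementation contains a function, use_syslog(), that passes user input to syslog() as the format string without any checking. By supplying a malicious format string, a remote attacker can corrupt the program's execution flow. In testing, an attacker could exploit this vulnerability to remotely execute arbitrary commands on the host with root privileges.

The affected code is in /LPRng-3.6.22/src/common/errormsg.c, use_syslog():

```c
static void use_syslog(int kind, char *msg)
...
# ifdef HAVE_OPENLOG
    /* use the openlog facility */
    openlog(Name, LOG_PID | LOG_NOWAIT, SYSLOG_FACILITY );
    syslog(kind, msg);
    closelog();
# else
    (void) syslog(SYSLOG_FACILITY | kind, msg);
# endif /* HAVE_OPENLOG */
...
```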
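The call shape described above next to the constant-format form, as an added example that is not LPRng's code. The names `log_sink`, `log_untrusted` and `count_directives` are hypothetical; `log_sink` stands in for `syslog()` and writes to a buffer so the result can be checked, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(): formats into a buffer instead of the
 * system log. The format attribute makes GCC/Clang check every caller, so
 * -Wformat-security flags a call whose format argument is not a literal. */
static int log_sink(char *out, size_t cap, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int log_sink(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe shape, as in use_syslog(): the message itself is the format.
 *     log_sink(out, cap, msg);
 * Hardened shape: the format is a constant and msg is only ever data. */
static int log_untrusted(char *out, size_t cap, const char *msg)
{
    return log_sink(out, cap, "%s", msg);
}

/* Audit helper: count conversion directives in text that should be plain
 * data. "%%" is a literal percent sign and is not counted. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char out[64];
    const char *msg = "job %x %s 100%% done"; /* constructed sample input */
    log_untrusted(out, sizeof out, msg);
    printf("%s (directives in input: %d)\n", out, count_directives(msg));
    return 0;
}
```

With the constant format, the directives in the message are logged as literal text and never interpreted.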
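Vulnerability Advisory
Temporary workaround: If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
* Modify the source code to add a "%s" format argument, as shown below:

  ```
  syslog(kind, msg);
  ---> syslog(kind, "%s", msg);
  (void) syslog(SYSLOG_FACILITY | kind, msg);
  ---> (void) syslog(SYSLOG_FACILITY | kind, "%s", msg);
  ```

  Then recompile.
* You can also stop this service or filter the print service port at the firewall.

Vendor patches:

Caldera
-------
Caldera has released a security advisory (CSSA-2000-033.0) and corresponding patches for this issue: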
CSSA-2000-033.0:format bug in LPRng
Link: http://www.caldera.com/support/security/advisories/CSSA-2000-033.0.txt
Patch download:
OpenLinux Desktop 2.3
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
OpenLinux eDesktop 2.4
Location of Fixed Packages:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
Caldera eServer 2.3:
Caldera RPM eDesktop 2.4 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm
Caldera RPM eServer 2.3/ eBuilder 3.0 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm
Caldera OpenLinux Desktop 2.3:
Caldera eDesktop 2.4:
Caldera OpenLinux eBuilder 3.0:
Caldera RPM eDesktop 2.4 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm
Caldera RPM eServer 2.3/ eBuilder 3.0 current LPRng-3.5.3-3.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/LPRng-3.5.3-3.i386.rpm

RedHat
------
RedHat has released a security advisory (RHSA-2000:065-04) and corresponding patches for this issue:
RHSA-2000:065-04:LPRng contains a critical string format bug
Link: https://www.redhat.com/support/errata/RHSA-2000-065.HTML
Patch download:
Red Hat Linux 7.0:
i386:
ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm
sources:
ftp://updates.redhat.com/7.0/SRPMS/LPRng-3.6.24-2.src.rpm
The patch can be installed with the following command:
rpm -Fvh [filename]
References
- Source: CERT/CC Advisory: CA-2000-22; Name: CA-2000-22; Link: http://www.cert.org/advisories/CA-2000-22.HTML
- Source: XF; Name: lprng-format-string; Link: http://xforce.iss.net/static/5287.php
- Source: BID; Name: 1712; Link: http://www.securityfocus.com/bid/1712
- Source: REDHAT; Name: RHSA-2000:065; Link: http://www.redhat.com/support/errata/RHSA-2000-065.HTML
- Source: CALDERA; Name: CSSA-2000-033.0; Link: http://www.calderasystems.com/support/security/advisories/CSSA-2000-033.0.txt
- Source: BUGTRAQ; Name: 20000925 Format strings: bug #2: LPRng; Link: http://archives.neohapsis.com/archives/bugtraq/2000-09/0293.HTML
- Source: FREEBSD; Name: FreeBSD-SA-00:56; Link: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:56.lprng.asc
Affected Entities
- Trustix Secure_linux:1.0
- Trustix Secure_linux:1.1
Patches
None available