漏洞信息详情
XLoadImage压缩图像命令执行漏洞
- CNNVD编号:CNNVD-200503-042
- 危害等级: 高危
- CVE编号: CVE-2005-0638
- 漏洞类型: 输入验证
- 发布时间: 2005-03-02
- 威胁类型: 远程
- 更新时间: 2005-10-20
- 厂 商: suse
- 漏洞来源: Tavis Ormandy is c...
漏洞简介
远程攻击者可以借助xloadimage 4.1-r2之前版本和xli 1.17之前版本,通过压缩图像文件名中的shell元字符执行任意命令,而这些元字符在调用gunzip指令时没有正确引用。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接: xli xli 1.17 Debian xli_1.17.0-11woody1_alpha.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _alpha.deb Debian xli_1.17.0-11woody1_arm.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _arm.deb Debian xli_1.17.0-11woody1_hppa.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _hppa.deb Debian xli_1.17.0-11woody1_i386.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _i386.deb Debian xli_1.17.0-11woody1_ia64.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _ia64.deb Debian xli_1.17.0-11woody1_m68k.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _m68k.deb Debian xli_1.17.0-11woody1_mips.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _mips.deb Debian xli_1.17.0-11woody1_mipsel.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _mipsel.deb Debian xli_1.17.0-11woody1_powerpc.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _powerpc.deb Debian xli_1.17.0-11woody1_s390.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _s390.deb Debian xli_1.17.0-11woody1_sparc.deb Debian GNU/Linux 3.0 alias woody http://security.debian.org/pool/updates/main/x/xli/xli_1.17.0-11woody1 _sparc.deb Mandriva xli-1.17.0-4.1.C21mdk.i586.rpm Mandrake Corporate Server 2.1 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-4.1.C21mdk.x86_64.rpm Mandrake Corporate Server 2.1/x86_64 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.1.101mdk.i586.rpm Mandrake Linux 10.1 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.1.101mdk.x86_64.rpm Mandrake Linux 10.1/x86_64 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.1.102mdk.i586.rpm Mandrake Linux 10.2 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.1.102mdk.x86_64.rpm Mandrake Linux 10.2/x86_64 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.2.C30mdk.i586.rpm Mandrake Corporate Server 3.0 http://www1.mandrivalinux.com/en/ftp.php3 Mandriva xli-1.17.0-8.2.C30mdk.x86_64.rpm Mandrake Corporate Server 3.0/x86_64 http://www1.mandrivalinux.com/en/ftp.php3 xloadimage xloadimage 4.1 Fedora xloadimage-4.1-34.FC2.i386.rpm RedHat Fedora Core 2 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Fedora xloadimage-4.1-34.FC2.x86_64.rpm RedHat Fedora Core 2 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Fedora xloadimage-4.1-34.FC3.i386.rpm RedHat Fedora Core 3 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Fedora xloadimage-4.1-34.FC3.x86_64.rpm RedHat Fedora Core 3 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Fedora xloadimage-debuginfo-4.1-34.FC2.i386.rpm RedHat Fedora Core 2 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Fedora xloadimage-debuginfo-4.1-34.FC2.x86_64.rpm RedHat Fedora Core 2 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Fedora xloadimage-debuginfo-4.1-34.FC3.i386.rpm RedHat Fedora Core 3 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ Fedora xloadimage-debuginfo-4.1-34.FC3.x86_64.rpm RedHat Fedora Core 3 http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ RedHat xloadimage-4.1-21.2.legacy.i386.rpm Red Hat Linux 7.3: http://download.fedoralegacy.org/redhat/7.3/updates/i386/xloadimage-4. 1-21.2.legacy.i386.rpm RedHat xloadimage-4.1-27.2.legacy.i386.rpm Red Hat Linux 9: http://download.fedoralegacy.org/redhat/9/updates/i386/xloadimage-4.1- 27.2.legacy.i386.rpm RedHat xloadimage-4.1-29.2.legacy.i386.rpm Fedora Core 1: http://download.fedoralegacy.org/fedora/1/updates/i386/xloadimage-4.1- 29.2.legacy.i386.rpm RedHat xloadimage-4.1-34.FC2.2.legacy.i386.rpm Fedora Core 2: http://download.fedoralegacy.org/fedora/2/updates/i386/xloadimage-4.1- 34.FC2.2.legacy.i386.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/u pdates/RPMS/xloadimage-4.1-22.i586.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/up dates/RPMS/xloadimage-4.1-22.i586.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/upd ates/RPMS/xloadimage-4.1-22.i586.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/upd ates/RPMS/xloadimage-4.1-22.i586.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/ 7/updates/RPMS/xloadimage-4.1-22.i586.rpm TurboLinux xloadimage-4.1-22.i586.rpm ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/ 8/updates/RPMS/xloadimage-4.1-22.i586.rpm
参考网址
来源: SECUNIA 名称: 14459 链接:http://secunia.com/advisories/14459 来源: DEBIAN 名称: DSA-695 链接:http://www.debian.org/security/2005/dsa-695 来源: GENTOO 名称: GLSA-200503-05 链接:http://security.gentoo.org/glsa/glsa-200503-05.xml 来源: SECUNIA 名称: 14462 链接:http://secunia.com/advisories/14462 来源: bugs.gentoo.org 链接:http://bugs.gentoo.org/show_bug.cgi?id=79762 来源: BID 名称: 12712 链接:http://www.securityfocus.com/bid/12712 来源: FEDORA 名称: FLSA-2006:152923 链接:http://www.securityfocus.com/archive/1/archive/1/433935/30/5010/threaded 来源: REDHAT 名称: RHSA-2005:332 链接:http://www.redhat.com/support/errata/RHSA-2005-332.HTML 来源: OSVDB 名称: 14365 链接:http://www.osvdb.org/14365 来源: support.avaya.com 链接:http://support.avaya.com/elmodocs2/security/ASA-2005-134_RHSA-2005-332.pdf
受影响实体
- Suse Suse_linux:6.1:Alpha
- Suse Suse_linux:6.2
- Suse Suse_linux:6.3
- Suse Suse_linux:6.3:Ppc
- Suse Suse_linux:6.3:Alpha
补丁
暂无
评论