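Vulnerability details
Linux eCryptfs utility parse_tag_3_packet() function heap overflow vulnerability
- CNNVD ID: CNNVD-200907-458
- Severity: High
- CVE ID: CVE-2009-2407
- Vulnerability type: Buffer overflow
- Published: 2009-07-31
- Threat type: Local
- Updated: 2009-11-18
- Vendor: linux
- Vulnerability source: Ramon de Carvalho ...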
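Vulnerability summary
eCryptfs is an enterprise-class encrypted file system for the Linux platform.
The parse_tag_3_packet function in the eCryptfs key management code copies the encrypted key carried in a tag 3 packet into the new_auth_tok structure without first checking whether the key size is greater than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES, which may trigger a heap overflow.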
fs/ecryptfs/keystore.c
--
static int
parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat,
		   unsigned char *data, struct list_head *auth_tok_list,
		   struct ecryptfs_auth_tok **new_auth_tok,
		   size_t *packet_size, size_t max_packet_size)
{
	size_t body_size;
	struct ecryptfs_auth_tok_list_item *auth_tok_list_item;
	size_t length_size;
	int rc = 0;
...
	/* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or
	 * at end of function upon failure */
	auth_tok_list_item =
	    kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL);
	if (!auth_tok_list_item) {
		printk(KERN_ERR "Unable to allocate memory\n");
		rc = -ENOMEM;
		goto out;
	}
	(*new_auth_tok) = &auth_tok_list_item->auth_tok;
	rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size,
					  &length_size);
	if (rc) {
		printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n",
		       rc);
		goto out_free;
	}
...
	(*new_auth_tok)->session_key.encrypted_key_size =
		(body_size - (ECRYPTFS_SALT_SIZE + 5));
	if (unlikely(data[(*packet_size)++] != 0x04)) {
		printk(KERN_WARNING "Unknown version number [%d]\n",
		       data[(*packet_size) - 1]);
		rc = -EINVAL;
		goto out_free;
	}
...
	/* Friendly reminder:
	 * (*new_auth_tok)->session_key.encrypted_key_size =
	 *         (body_size - (ECRYPTFS_SALT_SIZE + 5)); */
	/* encrypted_key_size is never compared with
	 * ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES before this copy */
	memcpy((*new_auth_tok)->session_key.encrypted_key,
	       &data[(*packet_size)],
	       (*new_auth_tok)->session_key.encrypted_key_size);
	(*packet_size) +=
		(*new_auth_tok)->session_key.encrypted_key_size;
...
--
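A user-space model of the bounds check that the excerpt above lacks, given as an added example (it is not the kernel's code or the upstream patch). The struct, the function names, `TAG3_FIXED_BYTES` and the two constant values are assumptions made for illustration, and the input is constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this model; the page names the constants, not their values. */
#define ECRYPTFS_SALT_SIZE 8
#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
#define TAG3_FIXED_BYTES (ECRYPTFS_SALT_SIZE + 5) /* hypothetical name */

/* Hypothetical stand-in for the session_key member of ecryptfs_auth_tok. */
struct session_key_model {
	size_t encrypted_key_size;
	unsigned char encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
	unsigned long canary; /* sits after the buffer, like a heap neighbour */
};

/* body_size is the length decoded from the packet, so it is untrusted. */
int tag3_copy_encrypted_key(struct session_key_model *sk,
			    const unsigned char *body, size_t body_size)
{
	size_t key_size;

	/* Guard the subtraction: a short body would wrap size_t. */
	if (body_size < TAG3_FIXED_BYTES)
		return -EINVAL;
	key_size = body_size - TAG3_FIXED_BYTES;
	/* The missing check: bound the copy by the destination buffer. */
	if (key_size > ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)
		return -EINVAL;
	sk->encrypted_key_size = key_size;
	memcpy(sk->encrypted_key, body + TAG3_FIXED_BYTES, key_size);
	return 0;
}

/* Constructed input: a body of body_size bytes filled with 0x41. */
int tag3_try(size_t body_size)
{
	static unsigned char body[4096];
	struct session_key_model sk = { .canary = 0xC0FFEEUL };
	int rc;

	if (body_size > sizeof(body))
		return -E2BIG;
	memset(body, 0x41, sizeof(body));
	rc = tag3_copy_encrypted_key(&sk, body, body_size);
	return sk.canary == 0xC0FFEEUL ? rc : -EFAULT;
}

int main(void) { printf("%d %d\n", tag3_try(525), tag3_try(526)); return 0; }
```
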
Vulnerability advisory
The vendor has released upgrade patches that fix this security issue. Patch download links:
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu linux-doc-2.6.27_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.37_all.deb
Ubuntu linux-headers-2.6.27-14_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.37_all.deb
Ubuntu linux-source-2.6.27_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.27_2.6.27-14.37_all.deb
Debian Linux 5.0 alpha
Debian linux-doc-2.6.26_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6.26_2.6.26-17lenny1_all.deb
Debian linux-headers-2.6.26-2-all-alpha_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all-alpha_2.6.26-17lenny1_alpha.deb
Debian linux-headers-2.6.26-2-all_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-all_2.6.26-17lenny1_alpha.deb
Debian linux-headers-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb
Debian linux-headers-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb
Debian linux-headers-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb
Debian linux-headers-2.6.26-2-common_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers-2.6.26-2-common_2.6.26-17lenny1_alpha.deb
Debian linux-image-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb
Debian linux-image-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb
Debian linux-image-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb
Debian linux-libc-dev_2.6.26-17lenny1_alpha.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-dev_2.6.26-17lenny1_alpha.deb
Debian linux-manual-2.6.26_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual-2.6.26_2.6.26-17lenny1_all.deb
Debian linux-patch-debian-2.6.26_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-debian-2.6.26_2.6.26-17lenny1_all.deb
Debian linux-source-2.6.26_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-source-2.6.26_2.6.26-17lenny1_all.deb
Debian linux-support-2.6.26-2_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support-2.6.26-2_2.6.26-17lenny1_all.deb
Debian linux-tree-2.6.26_2.6.26-17lenny1_all.deb
http://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2.6.26_2.6.26-17lenny1_all.deb
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu linux-doc-2.6.28_2.6.28-14.47_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.28_2.6.28-14.47_all.deb
Ubuntu linux-headers-2.6.28-14_2.6.28-14.47_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.28-14_2.6.28-14.47_all.deb
Ubuntu linux-source-2.6.28_2.6.28-14.47_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.28_2.6.28-14.47_all.deb
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu linux-doc-2.6.27_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2.6.27-14.37_all.deb
Ubuntu linux-headers-2.6.27-14_2.6.27-14.37_all.deb
http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6.27-14_2.6.27-14.37_all.deb
Ubuntu linux-source-2.6.27_2
References
Source: VUPEN
Name: ADV-2009-2041
Link: http://www.vupen.com/english/advisories/2009/2041
Source: BID
Name: 35850
Link: http://www.securityfocus.com/bid/35850
Source: DEBIAN
Name: DSA-1844
Link: http://www.debian.org/security/2009/dsa-1844
Source: SECUNIA
Name: 36051
Link: http://secunia.com/advisories/36051
Source: SECUNIA
Name: 36045
Link: http://secunia.com/advisories/36045
Source: SECUNIA
Name: 35985
Link: http://secunia.com/advisories/35985
Source: FEDORA
Name: FEDORA-2009-8144
Link: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00223.HTML
Source: FEDORA
Name: FEDORA-2009-8264
Link: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00166.HTML
Source: UBUNTU
Name: USN-807-1
Link: http://www.ubuntu.com/usn/usn-807-1
Source: BUGTRAQ
Name: 20090728 [RISE-2009003] Linux eCryptfs parse_tag_3_packet Encrypted Key Buffer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/505337/100/0/threaded
Source: REDHAT
Name: RHSA-2009:1193
Link: http://www.redhat.com/support/errata/RHSA-2009-1193.HTML
Source: www.kernel.org
Link: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.4
Source: DEBIAN
Name: DSA-1845
Link: http://www.debian.org/security/2009/dsa-1845
Source: SECUNIA
Name: 36131
Link: http://secunia.com/advisories/36131
Source: SECUNIA
Name: 36116
Link: http://secunia.com/advisories/36116
Source: SECUNIA
Name: 36054
Link: http://secunia.com/advisories/36054
Source: MISC
Link: http://risesecurity.org/advisories/RISE-2009003.txt
Source: SUSE
Name: SUSE-SR:2009:015
Link: http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.HTML
Source: git.kernel.org
Link: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f151cd2c54ddc7714e2f740681350476cda03a28
Affected entities
- Linux Linux_kernel:2.6.23
- Linux Linux_kernel:2.6.23.1
- Linux Linux_kernel:2.6.23.2
- Linux Linux_kernel:2.6.23.3
- Linux Linux_kernel:2.6.23.4
Patches
None available