漏洞信息详情
jhead 'DoCommand()' 任意文件删除漏洞
- CNNVD编号:CNNVD-200810-341
- 危害等级: 低危
- CVE编号: CVE-2008-4640
- 漏洞类型: 输入验证
- 发布时间: 2008-10-21
- 威胁类型: 本地
- 更新时间: 2008-10-21
- 厂 商: sentex
- 漏洞来源: John Dong
漏洞简介
Matthias Wandel jhead中的jhead.c存在的DoCommand函数,本地用户可以借助涉及一个修改过的输入文件名的变量来删除任意文件。在该修改过的输入文件名中,最后的\"z\"字符被\"t\"字符所取代或者是最后的\"t\"字符被\"z\"字符所取代。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
Matthias Wandel jhead 2.83
Matthias Wandel jhead-latest.tar.gz
http://www.sentex.net/~mwandel/jhead/jhead-latest.tar.gz
MandrakeSoft Linux Mandrake 2009.0 x86_64
Mandriva jhead-2.86-0.1mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.1 x86_64
Mandriva jhead-2.86-0.1mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.0 x86_64
Mandriva jhead-2.86-0.1mdv2008.0.x86_64.rpm
http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2008.1
Mandriva jhead-2.86-0.1mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/
Matthias Wandel jhead 2.84
Matthias Wandel jhead-latest.tar.gz
http://www.sentex.net/~mwandel/jhead/jhead-latest.tar.gz
MandrakeSoft Linux Mandrake 2008.0
Mandriva jhead-2.86-0.1mdv2008.0.i586.rpm
http://www.mandriva.com/en/download/
MandrakeSoft Linux Mandrake 2009.0
Mandriva jhead-2.86-0.1mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/
参考网址
来源: bugs.launchpad.net
链接:https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/271020
来源: BID
名称: 32506
链接:http://www.securityfocus.com/bid/32506
来源: MLIST
名称: [oss-security] 20081127 Re: CVE request: jhead
链接:http://www.openwall.com/lists/oss-security/2008/11/26/4
来源: MLIST
名称: [oss-security] 20081016 Re: CVE request: jhead
链接:http://www.openwall.com/lists/oss-security/2008/10/16/3
受影响实体
- Sentex Jhead:1.3
- Sentex Jhead:1.2
- Sentex Jhead:1.5
- Sentex Jhead:1.4
- Sentex Jhead:2.1
补丁
暂无
评论