漏洞信息详情
QEMU VNC 'monitor.c' 安全密码漏洞
- CNNVD编号:CNNVD-200812-436
- 危害等级: 低危
- CVE编号: CVE-2008-5714
- 漏洞类型: 数字错误
- 发布时间: 2008-12-24
- 威胁类型: 远程
- 更新时间: 2009-05-16
- 厂 商: qemu
- 漏洞来源: Chris Webb
漏洞简介
QEMU是一套由Fabrice Bellard所编写的模拟处理器的自由软件。 Qemu 0.9.1版本的monitor.c中的Off-by-one错误,可能会使远程攻击者易于猜出VNC密码,这原本是设置为8位字符的但是最后被限制为7位。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接: Debian Linux 5.0 ia-64 Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu kvm-source_62+dfsg-0ubuntu8.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.1_all.deb Ubuntu kvm-source_62+dfsg-0ubuntu8.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.2_all.deb Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu kvm-source_72+dfsg-1ubuntu6.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_72+df sg-1ubuntu6.1_all.deb Ubuntu Ubuntu Linux 8.10 i386 Ubuntu kvm-source_72+dfsg-1ubuntu6.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_72+df sg-1ubuntu6.1_all.deb Ubuntu kvm_72+dfsg-1ubuntu6.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_72+dfsg-1ubuntu6 .1_i386.deb Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu kvm-source_62+dfsg-0ubuntu8.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.1_all.deb Ubuntu kvm-source_62+dfsg-0ubuntu8.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.2_all.deb Debian Linux 5.0 alpha Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian Linux 5.0 ia-32 Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian kvm_72+dfsg-5~lenny3_i386.deb http://security.debian.org/pool/updates/main/k/kvm/kvm_72+dfsg-5~lenny 3_i386.deb Ubuntu Ubuntu Linux 8.04 LTS amd64 Ubuntu kvm-source_62+dfsg-0ubuntu8.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.1_all.deb Ubuntu kvm-source_62+dfsg-0ubuntu8.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.2_all.deb Ubuntu kvm_62+dfsg-0ubuntu8.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_62+dfsg-0ubuntu8 .1_amd64.deb Ubuntu kvm_62+dfsg-0ubuntu8.2_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_62+dfsg-0ubuntu8 .2_amd64.deb Debian Linux 5.0 s/390 Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian Linux 5.0 mipsel Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu kvm-source_62+dfsg-0ubuntu8.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.1_all.deb Ubuntu kvm-source_62+dfsg-0ubuntu8.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.2_all.deb Ubuntu Ubuntu Linux 8.10 lpia Ubuntu kvm-source_72+dfsg-1ubuntu6.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_72+df sg-1ubuntu6.1_all.deb Debian Linux 5.0 hppa Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Ubuntu Ubuntu Linux 8.10 sparc Ubuntu kvm-source_72+dfsg-1ubuntu6.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_72+df sg-1ubuntu6.1_all.deb Debian Linux 5.0 m68k Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb MandrakeSoft Linux Mandrake 2009.0 Mandriva dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/ Mandriva kvm-74-3.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/ Mandriva qemu-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/ Mandriva qemu-img-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm http://www.mandriva.com/en/download/ Debian Linux 5.0 arm Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian Linux 5.0 armel Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian Linux 5.0 Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu kvm-source_62+dfsg-0ubuntu8.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.1_all.deb Ubuntu kvm-source_62+dfsg-0ubuntu8.2_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_62+df sg-0ubuntu8.2_all.deb Ubuntu kvm_62+dfsg-0ubuntu8.1_i386.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_62+dfsg-0ubuntu8 .1_i386.deb Ubuntu kvm_62+dfsg-0ubuntu8.2_i386.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_62+dfsg-0ubuntu8 .2_i386.deb MandrakeSoft Linux Mandrake 2009.0 x86_64 Mandriva dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/ Mandriva kvm-74-3.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/ Mandriva qemu-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/ Mandriva qemu-img-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm http://www.mandriva.com/en/download/ Debian Linux 5.0 amd64 Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian kvm_72+dfsg-5~lenny3_amd64.deb http://security.debian.org/pool/updates/main/k/kvm/kvm_72+dfsg-5~lenny 3_amd64.deb Debian Linux 5.0 mips Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu kvm-source_72+dfsg-1ubuntu6.1_all.deb http://security.ubuntu.com/ubuntu/pool/universe/k/kvm/kvm-source_72+df sg-1ubuntu6.1_all.deb Ubuntu kvm_72+dfsg-1ubuntu6.1_amd64.deb http://security.ubuntu.com/ubuntu/pool/main/k/kvm/kvm_72+dfsg-1ubuntu6 .1_amd64.deb Debian Linux 5.0 powerpc Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb Debian Linux 5.0 sparc Debian kvm-source_72+dfsg-5~lenny3_all.deb http://security.debian.org/pool/updates/main/k/kvm/kvm-source_72+dfsg- 5~lenny3_all.deb
参考网址
来源: XF 名称: qemu-monitor-weak-security(47683) 链接:http://xforce.iss.net/xforce/xfdb/47683 来源: UBUNTU 名称: USN-776-1 链接:http://www.ubuntu.com/usn/usn-776-1 来源: BID 名称: 33020 链接:http://www.securityfocus.com/bid/33020 来源: svn.savannah.gnu.org 链接:http://svn.savannah.gnu.org/viewvc/trunk/monitor.c?root=qemu&r1=5966&r2=5965&pathrev=5966 来源: svn.savannah.gnu.org 链接:http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=5966 来源: SECUNIA 名称: 35062 链接:http://secunia.com/advisories/35062 来源: SECUNIA 名称: 34642 链接:http://secunia.com/advisories/34642 来源: SECUNIA 名称: 33568 链接:http://secunia.com/advisories/33568 来源: SUSE 名称: SUSE-SR:2009:008 链接:http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.HTML 来源: SUSE 名称: SUSE-SR:2009:002 链接:http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00004.HTML 来源: MLIST 名称: [qemu-devel] 20081210 Re: [RESEND] [PATCH v2] Fix off-by-one bug limiting VNC passwords to 7 chars 链接:http://lists.gnu.org/archive/HTML/qemu-devel/2008-12/msg00498.HTML 来源: MLIST 名称: [qemu-devel] 20081123 [PATCH] Fix off-by-one bug limiting VNC passwords to 7 chars 链接:http://lists.gnu.org/archive/HTML/qemu-devel/2008-11/msg01224.HTML
受影响实体
- Qemu Qemu:0.9.1
补丁
暂无
评论