漏洞信息详情

Linux eCryptfs工具parse_tag_11_packet函数栈溢出漏洞

• CNNVD编号：CNNVD-200907-457
• 危害等级： 中危
  
• CVE编号： CVE-2009-2406
• 漏洞类型： 缓冲区溢出
• 发布时间： 2009-07-31
• 威胁类型： 本地
• 更新时间： 2009-09-19
• 厂        商： linux
• 漏洞来源： Ramon de Carvalho ...

漏洞简介

eCryptfs是Linux平台下的企业级加密文件系统 。

eCryptfs的密钥管理代码中的parse_tag_11_packet函数没有检查tag 11报文所包含的文字数据大小(tag11_contents_size)是否大于max_contents_bytes就作为内存参数将其拷贝到了大小为ECRYPTFS_SIG_SIZE的栈缓冲区中，这可能触发栈溢出漏洞 。

fs/ecryptfs/keystore.c -- static int parse_tag_11_packet(unsigned char *data， unsigned char *contents， size_t max_contents_bytes， size_t *tag_11_contents_size， size_t *packet_size， size_t max_packet_size) { size_t body_size; size_t length_size; int rc = 0; ... rc = ecryptfs_parse_packet_length(＆data[(*packet_size)]， ＆body_size， ＆length_size); if (rc) { printk(KERN_WARNING Invalid tag 11 packet format＼n); goto out; } if (body_size ＜ 14) { printk(KERN_WARNING Invalid body size ([\\%td])＼n， body_size); rc = -EINVAL; goto out; } (*packet_size) += length_size; (*tag_11_contents_size) = (body_size - 14); if (unlikely((*packet_size) + body_size + 1 ＞ max_packet_size)) { printk(KERN_ERR Packet size exceeds max＼n); rc = -EINVAL; goto out; } if (data[(*packet_size)++] != 0x62) { printk(KERN_WARNING Unrecognizable packet＼n); rc = -EINVAL; goto out; } ... (*packet_size) += 12; /* Ignore filename and modification date */ memcpy(contents， ＆data[(*packet_size)]， (*tag_11_contents_size)); (*packet_size) += (*tag_11_contents_size); ... --

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Ubuntu Ubuntu Linux 8.10 powerpc

Ubuntu linux-doc-2.6.27_2.6.27-14.35_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2 .6.27-14.35_all.deb

Ubuntu linux-doc-2.6.27_2.6.27-14.37_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-doc-2.6.27_2 .6.27-14.37_all.deb

Ubuntu linux-headers-2.6.27-14_2.6.27-14.35_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6. 27-14_2.6.27-14.35_all.deb

Ubuntu linux-headers-2.6.27-14_2.6.27-14.37_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-headers-2.6. 27-14_2.6.27-14.37_all.deb

Ubuntu linux-source-2.6.27_2.6.27-14.35_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.2 7_2.6.27-14.35_all.deb

Ubuntu linux-source-2.6.27_2.6.27-14.37_all.deb

http://security.ubuntu.com/ubuntu/pool/main/l/linux/linux-source-2.6.2 7_2.6.27-14.37_all.deb

Debian Linux 5.0 alpha

Debian linux-doc-2.6.26_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-doc-2.6 .26_2.6.26-17lenny1_all.deb

Debian linux-headers-2.6.26-2-all-alpha_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all-alpha_2.6.26-17lenny1_alpha.deb

Debian linux-headers-2.6.26-2-all_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-all_2.6.26-17lenny1_alpha.deb

Debian linux-headers-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb

Debian linux-headers-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb

Debian linux-headers-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb

Debian linux-headers-2.6.26-2-common_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-headers -2.6.26-2-common_2.6.26-17lenny1_alpha.deb

Debian linux-image-2.6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-generic_2.6.26-17lenny1_alpha.deb

Debian linux-image-2.6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-legacy_2.6.26-17lenny1_alpha.deb

Debian linux-image-2.6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-image-2 .6.26-2-alpha-smp_2.6.26-17lenny1_alpha.deb

Debian linux-libc-dev_2.6.26-17lenny1_alpha.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-libc-de v_2.6.26-17lenny1_alpha.deb

Debian linux-manual-2.6.26_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-manual- 2.6.26_2.6.26-17lenny1_all.deb

Debian linux-patch-debian-2.6.26_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-patch-d ebian-2.6.26_2.6.26-17lenny1_all.deb

Debian linux-source-2.6.26_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-source- 2.6.26_2.6.26-17lenny1_all.deb

Debian linux-support-2.6.26-2_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-support -2.6.26-2_2.6.26-17lenny1_all.deb

Debian linux-tree-2.6.26_2.6.26-17lenny1_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6/linux-tree-2. 6.26_2.6.26-17lenny1_all.deb

Debian Linux 4.0 amd64

Debian linux-doc-2.6.24_2.6.24-6~etchnhalf.8etch2_all.deb

http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-doc- 2.6.24_2.6.24-6~etchnhalf.8etch2_all.deb

Debian linux-headers-2.6.24-etchnhalf.1-all-amd64_2.6.24-6~etchnhalf.8etch2_amd64.deb

http://security.debian.org/pool/updates/main/l/linux-2.6.24/linux-head ers-2.6.24-etchnhalf.1-all-amd

参考网址

来源: VUPEN

名称: ADV-2009-2041

链接:http://www.vupen.com/english/advisories/2009/2041

来源: BID

名称: 35851

链接:http://www.securityfocus.com/bid/35851

来源: DEBIAN

名称: DSA-1845

链接:http://www.debian.org/security/2009/dsa-1845

来源: DEBIAN

名称: DSA-1844

链接:http://www.debian.org/security/2009/dsa-1844

来源: FEDORA

名称: FEDORA-2009-8144

链接:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00223.HTML

来源: FEDORA

名称: FEDORA-2009-8264

链接:https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00166.HTML

来源: UBUNTU

名称: USN-807-1

链接:http://www.ubuntu.com/usn/usn-807-1

来源: SECTRACK

名称: 1022663

链接:http://www.securitytracker.com/id?1022663

来源: BUGTRAQ

名称: 20090728 [RISE-2009002] Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow Vulnerability

链接:http://www.securityfocus.com/archive/1/archive/1/505334/100/0/threaded

来源: REDHAT

名称: RHSA-2009:1193

链接:http://www.redhat.com/support/errata/RHSA-2009-1193.HTML

来源: www.kernel.org

链接:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.4

来源: SECUNIA

名称: 36131

链接:http://secunia.com/advisories/36131

来源: SECUNIA

名称: 36116

链接:http://secunia.com/advisories/36116

来源: SECUNIA

名称: 36054

链接:http://secunia.com/advisories/36054

来源: SECUNIA

名称: 36051

链接:http://secunia.com/advisories/36051

来源: SECUNIA

名称: 36045

链接:http://secunia.com/advisories/36045

来源: SECUNIA

名称: 35985

链接:http://secunia.com/advisories/35985

来源: MISC

链接:http://risesecurity.org/advisories/RISE-2009002.txt

来源: SUSE

名称: SUSE-SR:2009:015

链接:http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.HTML

来源: git.kernel.org

链接:http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6352a29305373ae6196491e6d4669f301e26492e

受影响实体

• Linux Linux_kernel:2.6.11.11  
• Linux Linux_kernel:2.6.11.10  
• Linux Linux_kernel:2.6.11.1  
• Linux Linux_kernel:2.6.11  
• Linux Linux_kernel:2.6.10  

补丁

暂无