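Vulnerability Details
FreeBSD strfmon() Function Multiple Integer Overflow Vulnerabilities
- CNNVD ID: CNNVD-200803-450
- Severity: High
- CVE ID: CVE-2008-1391
- Vulnerability type: Numeric error
- Published: 2008-03-27
- Threat type: Remote
- Updated: 2009-01-06
- Vendor: netbsd
- Vulnerability source: Maksymilian Arciem...
Vulnerability Summary
FreeBSD is a freely usable, open-source Unix-like system that runs on Intel platforms.
FreeBSD's strfmon() function uses the GET_NUMBER() macro, which does not check for integer overflow before its value is passed as an argument to memmove() and memset().
In the source code of strfmon():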
---strfmon()-start---
ssize_t
strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
    ...)
{
	va_list ap;
	char *dst; /* output destination pointer */
	const char *fmt; /* current format position pointer */
	struct lconv *lc; /* pointer to lconv structure */
	char *asciivalue; /* formatted double pointer */
	int flags; /* formatting options */
	int pad_char; /* padding character */
	int pad_size; /* pad size */
	int width; /* field width */
	int left_prec; /* left precision */
	int right_prec; /* right precision */
	double value; /* just value */
	char space_char = ' '; /* space after currency */
	char cs_precedes, /* values gathered from struct lconv */
	    sep_by_space,
	    sign_posn,
	    *signstr,
	    *currency_symbol;
	char *tmpptr; /* temporary vars */
	int sverrno;

	va_start(ap, format);
	lc = localeconv();
	dst = s;
	fmt = format;
	asciivalue = NULL;
	currency_symbol = NULL;
	pad_size = 0;

	while (*fmt) {
		/* pass nonformating characters AS IS */
		if (*fmt != '%')
			goto literal;
		/* '%' found ! */
		/* "%%" mean just '%' */
		if (*(fmt+1) == '%') {
			fmt++;
	literal:
			PRINT(*fmt++);
			continue;
		}
		/* set up initial values */
		flags = (NEED_GROUPING|LOCALE_POSN);
		pad_char = ' '; /* padding character is "space" */
		left_prec = -1; /* no left precision specified */
		right_prec = -1; /* no right precision specified */
		width = -1; /* no width specified */
		value = 0; /* we have no value to print now */
		/* Flags */
		while (1) {
			switch (*++fmt) {
			case '=': /* fill character */
				pad_char = *++fmt;
				if (pad_char == '\0')
					goto format_error;
				continue;
			case '^': /* not group currency */
				flags &= ~(NEED_GROUPING);
				continue;
			case '+': /* use locale defined signs */
				if (flags & SIGN_POSN_USED)
					goto format_error;
				flags |= (SIGN_POSN_USED|LOCALE_POSN);
				continue;
			case '(': /* enclose negatives with () */
				if (flags & SIGN_POSN_USED)
					goto format_error;
				flags |= (SIGN_POSN_USED|PARENTH_POSN);
				continue;
			case '!': /* suppress currency symbol */
				flags |= SUPRESS_CURR_SYMBOL;
				continue;
			case '-': /* alignment (left) */
				flags |= LEFT_JUSTIFY;
				continue;
			default:
				break;
			}
			break;
		}
		/* field Width */
		if (isdigit((unsigned char)*fmt)) {
			GET_NUMBER(width);
			/* Do we have enough space to put number with
			 * required width ?
			 */
			if (dst + width >= s + maxsize)
				goto e2big_error;
		}
		/* Left precision */
		if (*fmt == '#') {
			if (!isdigit((unsigned char)*++fmt))
				goto format_error;
			GET_NUMBER(left_prec);
		}
		/* Right precision */
		if (*fmt == '.') {
			if (!isdigit((unsigned char)*++fmt))
				goto format_error;
			GET_NUMBER(right_prec);
		}
		/* Conversion Charact
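
The missing check can be made concrete with a small stand-alone parser. This is an added example, not code from FreeBSD, NetBSD or the original advisory: `get_number_checked` and `width_fits` are hypothetical names, and the sample format string is constructed. It accumulates the digits of a width or precision field but rejects any value that would exceed INT_MAX, then compares sizes instead of pointers where the excerpt tests `dst + width >= s + maxsize`.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/*
 * Hypothetical helper, not the libc macro: read the decimal digits at *pp
 * into *out and advance *pp past them. Returns 0 on success, or -1 with
 * errno = E2BIG when the value would not fit in an int.
 */
static int get_number_checked(const char **pp, int *out)
{
	int val = 0;

	for (; isdigit((unsigned char)**pp); (*pp)++) {
		int digit = **pp - '0';
		/* Test val * 10 + digit > INT_MAX without computing it. */
		if (val > (INT_MAX - digit) / 10) {
			errno = E2BIG;
			return (-1);
		}
		val = val * 10 + digit;
	}
	*out = val;
	return (0);
}

/*
 * Hypothetical size check: does a field of `width` bytes fit after `used`
 * bytes of a `maxsize`-byte buffer? Sizes are compared, not pointers.
 */
static int width_fits(size_t maxsize, size_t used, int width)
{
	return (width >= 0 && used <= maxsize &&
	    (size_t)width < maxsize - used);
}

int main(void)
{
	const char *fmt = "99999999999n";	/* constructed field width */
	int width = 0;

	if (get_number_checked(&fmt, &width) != 0)
		puts("width rejected: E2BIG");
	else
		printf("fits=%d\n", width_fits(64, 0, width));
	return (0);
}
```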
Vulnerability Advisory
The vendor has released an upgrade patch that fixes this security issue. Patch download link:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/strfmon.c
References
Source: US-CERT : TA08-350A
Name: TA08-350A
Link: http://www.us-cert.gov/cas/techalerts/TA08-350A.HTML
Source: VUPEN
Name: ADV-2008-3444
Link: http://www.frsirt.com/english/advisories/2008/3444
Source: support.Apple.com
Link: http://support.Apple.com/kb/HT3338
Source: SREASON
Name: 3770
Link: http://securityreason.com/securityalert/3770
Source: SREASONRES
Name: 20080325 *BSD libc (strfmon) Multiple vulnerabilities
Link: http://securityreason.com/achievement_securityalert/53
Source: SECUNIA
Name: 33179
Link: http://secunia.com/advisories/33179
Source: Apple
Name: Apple-SA-2008-12-15
Link: http://lists.Apple.com/archives/security-announce//2008//Dec/msg00000.HTML
Source: XF
Name: bsd-strfmon-overflow(41504)
Link: http://xforce.iss.net/xforce/xfdb/41504
Source: SECTRACK
Name: 1019722
Link: http://www.securitytracker.com/id?1019722
Source: BID
Name: 28479
Link: http://www.securityfocus.com/bid/28479
Source: BUGTRAQ
Name: 20080327 [securityreason] *BSD libc (strfmon) Multiple vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/490158/100/0/threaded
Source: SECUNIA
Name: 29574
Link: http://secunia.com/advisories/29574
Affected Entities
- Netbsd Netbsd:4.0
Patches
- libnss-files-udeb_2.7-18lenny4_alpha.udeb
- libc6.1-prof_2.7-18lenny4_alpha.deb
- libc6.1-udeb_2.7-18lenny4_alpha.udeb
- libc6-dbg_2.7-18lenny4_amd64.deb
- nscd_2.7-18lenny4_amd64.deb