Published: 2000-07-25 00:00:00
Revised: 2008-09-10 15:05:32

[Original] Netscape Communicator 4.73 and earlier allows remote attackers to cause a denial of service or execute arbitrary commands via a JPEG image containing a comment with an illegal field length of 1.

[CNNVD] Netscape Communicator JPEG Comment Heap Overwrite Vulnerability (CNNVD-200007-067)

Netscape Communicator 4.73 and earlier versions contain a vulnerability. A remote attacker can cause a denial of service or execute arbitrary commands by means of a JPEG image whose comment carries an illegal field length of 1.

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:netscape:communicator:4.6  Netscape Communicator 4.6
cpe:/a:netscape:communicator:4.08  Netscape Communicator 4.08
cpe:/a:netscape:communicator:4.5  Netscape Communicator 4.5
cpe:/a:netscape:communicator:4.73  Netscape Communicator 4.73
cpe:/a:netscape:communicator:4.07  Netscape Communicator 4.07
cpe:/a:netscape:communicator:4.06  Netscape Communicator 4.06
cpe:/a:netscape:communicator:4.05  Netscape Communicator 4.05
cpe:/a:netscape:communicator:4.72  Netscape Communicator 4.72
cpe:/a:netscape:communicator:4.51  Netscape Communicator 4.51
cpe:/a:netscape:communicator:4.0  Netscape Communicator 4.0
cpe:/a:netscape:communicator:4.61  Netscape Communicator 4.61
cpe:/a:netscape:communicator:4.5_beta  Netscape Communicator 4.5 BETA
cpe:/a:netscape:communicator:4.7  Netscape Communicator 4.7

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20000724 JPEG COM Marker Processing Vulnerability in Netscape Browsers
(UNKNOWN)  BID  1503
(UNKNOWN)  SUSE  20000823 Security Hole in Netscape, Versions 4.x, possibly others
(UNKNOWN)  BUGTRAQ  20000810 Conectiva Linux Security Announcement - netscape
(UNKNOWN)  BUGTRAQ  20000801 MDKSA-2000:027-1 netscape update

- Vulnerability information

Netscape Communicator JPEG Comment Heap Overwrite Vulnerability
Medium severity  Input validation
2000-07-25 00:00:00 2005-05-16 00:00:00
Netscape Communicator 4.73 and earlier versions contain a vulnerability. A remote attacker can cause a denial of service or execute arbitrary commands by means of a JPEG image whose comment carries an illegal field length of 1.

- Advisories and patches

        Netscape Communicator 4.74 and Mozilla M16 are not vulnerable to this issue.
        NetBSD: See the advisory in the "Credit" section for upgrade instructions.
        If upgrading is not preferable, several patches are available (included in the following archives):
        7. Verification:
        These packages are GPG signed by Red Hat, Inc. for security. Our key is available at:
        You can verify each package with the following command: rpm --checksig
        If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg
        Debian has provided the following upgrades:
        Mozilla Browser M15
        Netscape Communicator 4.07

- Vulnerability information (20098)

Netscape Communicator 4.x JPEG-Comment Heap Overwrite Vulnerability (EDBID:20098)
multiple dos
2000-07-25 Verified
0 Solar Designer
N/A

Netscape browsers use the Independent JPEG Group's decoder library to process JPEG-encoded images. The library functions skip JPEG comments; however, the browser uses a custom function to process these comments and store them in memory. The comment includes a 2-byte "length" field which indicates how long the comment is; this value includes the 2 bytes of the "length" field itself. To determine the length of the comment string alone (for memory allocation), the function reads the value in the "length" field and subtracts two. The function then allocates the length of the comment plus one byte for NUL termination. There is no error checking to ensure the "length" value is valid. This makes it possible to cause an overflow by creating an image with a comment "length" field containing the value 1. The memory allocation call of 0 bytes (1 minus 2 (length field) plus 1 (NUL termination)) will succeed. The calculated comment size variable is declared unsigned, so 1 minus 2 yields a large positive value. The comment handling function goes into a loop to read the comment into memory, but since the calculated comment size is enormous, the function reads the entire JPEG stream, overwriting the heap. It is theoretically possible to exploit this to execute arbitrary code. The browser, mail and news readers are all vulnerable to this.
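The two pieces of arithmetic described above, shown side by side as an added illustration (this is not code from the advisory, from Netscape or from the IJG library): `naive_comment_size` reproduces the unchecked `length - 2` in an unsigned variable, and `read_jpeg_comment` is a bounds-checked reader that rejects a length below 2 or a comment running past the end of the segment. The two COM segments are constructed sample input.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample segments (not taken from the advisory). A COM segment is
 * FF FE, a 2-byte big-endian length that counts itself, then the comment text. */
static const uint8_t GOOD_COM[] = { 0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t BAD_COM[]  = { 0xFF, 0xFE, 0x00, 0x01, 'x', 'y' }; /* illegal length 1 */

/* The arithmetic the advisory describes: comment size = length - 2, held in an
 * unsigned variable, so a length field of 1 wraps to UINT_MAX while the
 * allocation size (size + 1) wraps back to 0. No memory is touched here. */
unsigned int naive_comment_size(unsigned int length_field) {
    return length_field - 2;
}

/* Hardened reader: validates the length field before any arithmetic or copy,
 * then allocates size + 1 and NUL-terminates. Returns a malloc'ed string the
 * caller frees, or NULL for any malformed segment. */
char *read_jpeg_comment(const uint8_t *seg, size_t seg_len, size_t *out_len) {
    if (seg_len < 4 || seg[0] != 0xFF || seg[1] != 0xFE) return NULL;
    unsigned int length_field = ((unsigned int)seg[2] << 8) | seg[3];
    if (length_field < 2) return NULL;        /* the check the browser lacked */
    size_t size = length_field - 2;           /* cannot underflow now */
    if (size > seg_len - 4) return NULL;      /* comment runs past the stream */
    char *comment = malloc(size + 1);
    if (comment == NULL) return NULL;
    memcpy(comment, seg + 4, size);
    comment[size] = '\0';
    if (out_len) *out_len = size;
    return comment;
}

int main(void) {
    size_t n = 0;
    char *c = read_jpeg_comment(GOOD_COM, sizeof GOOD_COM, &n);
    printf("good segment: %s (%zu bytes)\n", c ? c : "(rejected)", n);
    free(c);
    printf("length-1 segment: %s\n",
           read_jpeg_comment(BAD_COM, sizeof BAD_COM, &n) ? "accepted" : "rejected");
    printf("unchecked size for length 1: %u\n", naive_comment_size(1));
    return 0;
}
```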

- Vulnerability information

Netscape Communicator JPG Comment Overflow
Context Dependent Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified, Third-party Verified

- Vulnerability description

- Timeline

2000-07-25 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.74 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete