CVE-2002-0912
CVSS 5.0
Published: 2002-10-04 00:00:00
Last revised: 2008-09-05 16:29:17

[Original text] in.uucpd UUCP server in Debian GNU/Linux 2.2, and possibly other operating systems, does not properly terminate long strings, which allows remote attackers to cause a denial of service, possibly due to a buffer overflow.


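[CNNVD] Debian in.uucpd Remote Buffer Overflow Vulnerability (CNNVD-200210-182)

        in.uucpd is an authentication agent designed to implement the Unix-to-Unix Copy Protocol (UUCP).
        in.uucpd does not correctly handle user-submitted data, which allows a remote attacker to carry out a denial-of-service attack.
        in.uucpd does not correctly truncate overly long strings supplied by the user, which allows a user to carry out a denial-of-service attack against the daemon. After the daemon crashes, the service must be started manually to restore normal functionality.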

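- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]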

- CPE (affected platforms and products)

cpe:/o:debian:debian_linux:2.2::powerpc
cpe:/o:debian:debian_linux:2.2::arm
cpe:/o:debian:debian_linux:2.2::ia-32
cpe:/o:debian:debian_linux:2.2::68k
cpe:/o:debian:debian_linux:2.2::sparc
cpe:/o:debian:debian_linux:2.2::alpha

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0912
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0912
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-182
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/4910
(VENDOR_ADVISORY)  BID  4910
http://www.iss.net/security_center/static/9230.php
(VENDOR_ADVISORY)  XF  debian-in-uucpd-dos(9230)
http://www.debian.org/security/2002/dsa-129
(VENDOR_ADVISORY)  DEBIAN  DSA-129

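- Vulnerability information

Debian in.uucpd Remote Buffer Overflow Vulnerability
Medium severity  Boundary condition error
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote

        in.uucpd is an authentication agent designed to implement the Unix-to-Unix Copy Protocol (UUCP).
        in.uucpd does not correctly handle user-submitted data, which allows a remote attacker to carry out a denial-of-service attack.
        in.uucpd does not correctly truncate overly long strings supplied by the user, which allows a user to carry out a denial-of-service attack against the daemon. After the daemon crashes, the service must be started manually to restore normal functionality.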

- Advisories and patches

        Vendor patches:
        Debian
        ------
        Debian has released a security advisory (DSA-129-1) and corresponding patches for this issue:
        DSA-129-1: in.uucpd string truncation problem
        Link:
        http://www.debian.org/security/2002/dsa-129

        Patch downloads:
        Source archives:
        
        http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato3.diff.gz

        
        http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1-11potato3.dsc

        
        http://security.debian.org/dists/stable/updates/main/source/uucp_1.06.1.orig.tar.gz

        Alpha architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-alpha/uucp_1.06.1-11potato3_alpha.deb

        ARM architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-arm/uucp_1.06.1-11potato3_arm.deb

        Intel IA-32 architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-i386/uucp_1.06.1-11potato3_i386.deb

        Motorola 680x0 architecture:
        
        http://security.debian.org/dists/stable/updates/main/binary-m68k/uucp_1.06.1-11potato3_m68k.deb

        PowerPC architecture:
        
        http://security.debia

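        Patch installation:
        1. Install the patch package manually:
         First, download the patch package with the following command:
         # wget url (url is the patch download link)
         Then, install the patch with the following command:
         # dpkg -i file.deb (file is the name of the corresponding patch)
        2. Install the patch package automatically with apt-get:
         First, update the internal database with the following command:
         # apt-get update

         Then, install the updated packages with the following command:
         # apt-get upgrade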

- Vulnerability information

14455
Debian Linux in.uucpd Long String DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-05-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Debian IN.UUCP Remote Buffer Overflow Vulnerability
Boundary Condition Error 4910
Yes No
2002-06-01 12:00:00 2009-07-11 01:56:00
Vulnerability discovery credited to Matthew Grant <grantma@anathoth.gen.nz>.

- Affected software versions

Debian Linux 2.2 sparc
Debian Linux 2.2 powerpc
Debian Linux 2.2 IA-32
Debian Linux 2.2 arm
Debian Linux 2.2 alpha
Debian Linux 2.2 68k

- Discussion

in.uucpd is an authentication agent designed to work with the Unix-to-Unix Copy Protocol (UUCP).

It has been reported that in.uucpd does not properly truncate strings under some circumstances. This problem could result in a buffer overflow that could allow a user to deny service to the daemon. Following the crash of the daemon, a manual restart of the service would be required to resume service.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Vendor fixes available:


Debian Linux 2.2 alpha

Debian Linux 2.2 IA-32

Debian Linux 2.2 sparc

Debian Linux 2.2 arm

Debian Linux 2.2 68k

Debian Linux 2.2 powerpc

- Related references
