CVE-2003-0774
CVSS 7.5
Published: 2003-09-22 00:00:00
Revised: 2008-09-10 15:20:25

[Original] saned in sane-backends 1.0.7 and earlier does not quickly handle connection drops, which allows remote attackers to cause a denial of service (segmentation fault) when invalid memory is accessed.


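[CNNVD] SANE Internal Wire Memory Disclosure Vulnerability (CNNVD-200309-027)

saned in sane-backends 1.0.7 and earlier does not quickly handle connection drops. A remote attacker can cause a denial of service (segmentation fault) when invalid memory is accessed.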

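- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [Information disclosure is likely]
Integrity impact: PARTIAL [System files may be modified]
Availability impact: PARTIAL [May cause degraded performance or interrupted access to resources]
Attack complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]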

- CPE (affected platforms and products)

cpe:/a:sane:sane:1.0.8
cpe:/a:sane:sane-backend:1.0.10
cpe:/a:sane:sane:1.0.7_beta2
cpe:/a:sane:sane:1.0.7
cpe:/a:sane:sane:1.0.6
cpe:/a:sane:sane:1.0.9
cpe:/a:sane:sane:1.0.5
cpe:/a:sane:sane:1.0.2
cpe:/a:sane:sane:1.0.3
cpe:/a:sane:sane:1.0.1
cpe:/a:sane:sane:1.0.4
cpe:/a:sane:sane:1.0.7_beta1
cpe:/a:sane:sane:1.0.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0774
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0774
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200309-027
(Official data source) CNNVD

- Other links and resources

http://www.redhat.com/support/errata/RHSA-2003-278.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:278
http://www.debian.org/security/2003/dsa-379
(VENDOR_ADVISORY)  DEBIAN  DSA-379
http://www.redhat.com/support/errata/RHSA-2003-285.html
(UNKNOWN)  REDHAT  RHSA-2003:285
http://www.novell.com/linux/security/advisories/2003_046_sane.html
(UNKNOWN)  SUSE  SuSE-SA:2003:046
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-005.0/CSSA-2004-005.0.txt
(UNKNOWN)  SCO  CSSA-2004-005.0
http://www.securityfocus.com/bid/8593
(UNKNOWN)  BID  8593
http://www.mandriva.com/security/advisories?name=MDKSA-2003:099
(UNKNOWN)  MANDRAKE  MDKSA-2003:099

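- Vulnerability information

SANE Internal Wire Memory Disclosure Vulnerability
High risk  Boundary condition error
2003-09-22 00:00:00 2005-10-20 00:00:00
Remote
saned in sane-backends 1.0.7 and earlier does not quickly handle connection drops. A remote attacker can cause a denial of service (segmentation fault) when invalid memory is accessed.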

- Announcements and patches

The Sane project has released a new version to address this issue.

SuSE Linux has released a security advisory (SuSE-SA:2003:046) and fixes to address this issue. Users who are potentially affected by this vulnerability are advised to apply appropriate fixes as soon as possible. Please see the referenced advisory for additional details regarding the application of applicable fixes. Fixes are linked below.

Red Hat has released an advisory (RHSA-2003:278-01) to address this issue. Affected users are advised to apply the fixes as soon as possible. Further details regarding obtaining and applying relevant fixes are available in the referenced advisory.

Debian has released security advisory DSA 379-1 to address these issues. See referenced advisory for additional details.

Red Hat has released advisory RHSA-2003:285-03 to address this issue.

Mandrake has released an advisory (MDKSA-2003:099) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva Linux has released an advisory (CLA-2003:769) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDS.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

SCO has released an advisory (CSSA-2004-005.0) and fixes to address this issue for OpenLinux. See the referenced advisory for links to fixes.

SANE SANE 1.0.0
SANE SANE 1.0.1
SANE sane-backend 1.0.10
SANE SANE 1.0.2
SANE SANE 1.0.3
SANE SANE 1.0.4
SANE SANE 1.0.5
SANE SANE 1.0.6
SANE SANE 1.0.7 -beta2
SANE SANE 1.0.7

  • Debian libsane-dev_1.0.7-4_alpha.

- Vulnerability information (F31627)

dsa-379.txt (PacketStormID:F31627)
2003-09-13 00:00:00
Debian,Alexander Hvostov,Julien Blache,Aurelien Jarno  debian.org
advisory,remote,denial of service
linux,debian
CVE-2003-0773,CVE-2003-0774

Debian Security Advisory DSA 379-1 - Several security related problems have been discovered in the sane-backends package that allows a remote attacker to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 379-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 11th, 2003                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : sane-backends
Vulnerability  : several vulnerabilities
Problem-Type   : remote
Debian-specific: no
CVE references : CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778

Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited.  These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory.  The attack is successful, even if the attacker's
computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or
inetd.  If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned.  If you
get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CAN-2003-0773:

   saned checks the identity (IP address) of the remote host only
   after the first communication took place (SANE_NET_INIT).  So
   everyone can send that RPC, even if the remote host is not allowed
   to scan (not listed in saned.conf).

CAN-2003-0774:

   saned lacks error checking nearly everywhere in the code. So
   connection drops are detected very late. If the drop of the
   connection isn't detected, the access to the internal wire buffer
   leaves the limits of the allocated memory. So random memory "after"
   the wire buffer is read which will be followed by a segmentation
   fault.

CAN-2003-0775:

   If saned expects strings, it mallocs the memory necessary to store
   the complete string after it receives the size of the string. If
   the connection was dropped before transmitting the size, malloc
   will reserve an arbitrary size of memory. Depending on that size
   and the amount of memory available either malloc fails (->saned
   quits nicely) or a huge amount of memory is allocated. Swapping and
   OOM measures may occur depending on the kernel.

CAN-2003-0776:

   saned doesn't check the validity of the RPC numbers it gets before
   getting the parameters.

CAN-2003-0777:

   If debug messages are enabled and a connection is dropped,
   non-null-terminated strings may be printed and segmentation faults
   may occur.

CAN-2003-0778:

   It's possible to allocate an arbitrary amount of memory on the
   server running saned even if the connection isn't dropped.  At the
   moment this can not easily be fixed according to the author.
   Better limit the total amount of memory saned may use (ulimit).

For the stable distribution (woody) this problem has been
fixed in version 1.0.7-4.

For the unstable distribution (sid) this problem has been fixed in
version 1.0.11-1 and later.

We recommend that you upgrade your libsane packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/YDdGW5ql+IAeqTIRAnkkAJ9STIHOorHmz0sE7KFg4HPxJaTxbwCePcOL
1yIdA3J/3/B6AOPjaUJTjL4=
=A4Bj
-----END PGP SIGNATURE-----
    

- Vulnerability information

11776
sane-backends saned Connection Mishandling DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-09-11 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

SANE Internal Wire Memory Disclosure Vulnerability
Boundary Condition Error 8594
Yes No
2003-02-09 12:00:00 2009-07-11 11:56:00
Discovery is credited to Alexander Hvostov, Julien Blache, and Aurelien Jarno.

- Affected program versions

SGI ProPack 2.3
SGI ProPack 2.2.1
SANE sane-backend 1.0.10
SANE SANE 1.0.9
SANE SANE 1.0.8
+ S.u.S.E. Linux 8.1
SANE SANE 1.0.7 -beta2
SANE SANE 1.0.7 -beta1
SANE SANE 1.0.7
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ S.u.S.E. Linux 8.0
SANE SANE 1.0.6
SANE SANE 1.0.5
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3
SANE SANE 1.0.4
SANE SANE 1.0.3
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
SANE SANE 1.0.2
SANE SANE 1.0.1
SANE SANE 1.0.0
RedHat sane-devel-1.0.3-10.pseries.rpm
+ RedHat Linux 7.1 pseries
RedHat sane-devel-1.0.3-10.iseries.rpm
+ RedHat Linux 7.1 iseries
RedHat sane-devel-1.0.3-10.i386.rpm
+ RedHat Linux 7.1 i386
RedHat sane-backends-devel-1.0.8-5.i386.rpm
+ RedHat Linux 8.0 i386
RedHat sane-backends-devel-1.0.7-6.i386.rpm
+ RedHat Linux 7.3 i386
RedHat sane-backends-devel-1.0.5-4.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat sane-backends-devel-1.0.5-4.i386.rpm
+ RedHat Linux 7.2 i386
RedHat sane-backends-1.0.8-5.i386.rpm
+ RedHat Linux 8.0 i386
RedHat sane-backends-1.0.7-6.i386.rpm
+ RedHat Linux 7.3 i386
RedHat sane-backends-1.0.5-4.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat sane-backends-1.0.5-4.i386.rpm
+ RedHat Linux 7.2 i386
RedHat sane-1.0.3-10.pseries.rpm
+ RedHat Linux 7.1 pseries
RedHat sane-1.0.3-10.iseries.rpm
+ RedHat Linux 7.1 iseries
RedHat sane-1.0.3-10.i386.rpm
+ RedHat Linux 7.1 i386
SANE sane-backend 1.0.11

- Unaffected program versions

SANE sane-backend 1.0.11

- Vulnerability discussion

SANE is prone to a vulnerability that could expose sensitive information. This could be an issue if saned is running as a service, through a super-server such as inetd or xinetd.

When a connection drop is undetected, access to an internal buffer will escape the bounds of the memory allocated for the buffer. Prior to a segmentation fault, random memory adjacent to the allocated buffer will be read, potentially exposing sensitive memory. saned will also crash as a side-effect, but will be restarted by the super-server.

This issue could potentially be exploited to execute arbitrary code if memory can be corrupted with user-supplied input, though this has not been confirmed.
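
The failure described above (a dropped connection goes unnoticed, so later reads run past the end of the wire buffer) is avoided by a reader that checks every read against the bytes actually received and keeps a sticky error status. The following C sketch is an added example, not saned's code: wire_t, wire_get_u32, wire_get_string, decode_request, the 4096-byte cap and the big-endian, length-prefixed layout are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define WIRE_MAX_STRING 4096u /* assumed cap on a peer-supplied length */
/* Hypothetical wire reader (not SANE's API). status is sticky: once a
 * read fails, every later read is refused instead of walking past len. */
typedef struct { const uint8_t *buf; size_t len, pos; int status; } wire_t;

/* Big-endian 32-bit word; a short read means the peer went away. */
static int wire_get_u32(wire_t *w, uint32_t *out) {
    if (w->status) return w->status;
    if (w->len - w->pos < 4) return w->status = ECONNRESET;
    const uint8_t *p = w->buf + w->pos;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    w->pos += 4;
    return 0;
}

/* Length-prefixed string: validate the length against the cap and the
 * bytes actually received before allocating or copying anything. */
static int wire_get_string(wire_t *w, char **out) {
    uint32_t n = 0;
    *out = NULL;
    if (wire_get_u32(w, &n)) return w->status;
    if (n > WIRE_MAX_STRING) return w->status = EMSGSIZE;
    if (w->len - w->pos < n) return w->status = ECONNRESET;
    char *s = malloc((size_t)n + 1);
    if (!s) return w->status = ENOMEM;
    memcpy(s, w->buf + w->pos, n);
    s[n] = '\0';
    w->pos += n;
    *out = s;
    return 0;
}

/* Decode one request: procedure number, then one string argument. */
static int decode_request(const uint8_t *buf, size_t len,
                          uint32_t *proc, char **arg) {
    wire_t w = { buf, len, 0, 0 };
    wire_get_u32(&w, proc);
    wire_get_string(&w, arg); /* refused if the first read failed */
    return w.status;
}

/* Constructed sample: procedure 1, then the 3-byte string "net". */
static const uint8_t SAMPLE[] = { 0,0,0,1, 0,0,0,3, 'n','e','t' };
int main(void) {
    const size_t cuts[] = { sizeof SAMPLE, 6, 9 }; /* full, cut in length, cut in string */
    for (size_t i = 0; i < 3; i++) {
        uint32_t proc = 0; char *arg = NULL;
        int rc = decode_request(SAMPLE, cuts[i], &proc, &arg);
        printf("%zu bytes -> rc=%d arg=%s\n", cuts[i], rc, arg ? arg : "(none)");
        free(arg);
    }
    return 0;
}
```

The length cap also covers the case where a peer-supplied size is used for allocation before the data has arrived.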

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The Sane project has released a new version to address this issue.

SuSE Linux has released a security advisory (SuSE-SA:2003:046) and fixes to address this issue. Users who are potentially affected by this vulnerability are advised to apply appropriate fixes as soon as possible. Please see the referenced advisory for additional details regarding the application of applicable fixes. Fixes are linked below.

Red Hat has released an advisory (RHSA-2003:278-01) to address this issue. Affected users are advised to apply the fixes as soon as possible. Further details regarding obtaining and applying relevant fixes are available in the referenced advisory.

Debian has released security advisory DSA 379-1 to address these issues. See referenced advisory for additional details.

Red Hat has released advisory RHSA-2003:285-03 to address this issue.

Mandrake has released an advisory (MDKSA-2003:099) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva Linux has released an advisory (CLA-2003:769) to address this issue. Please see the attached advisory for details on obtaining and applying fixes.

SGI has released an advisory (20031002-01-U) pertaining to their ProPack Linux distribution. The advisory has been released in response to a number of RHSA advisories, and includes a patch (Patch 10027) containing updated RPM packages relating to 22 different BIDS.

Patch 10027 can be obtained via the following link:
http://support.sgi.com/

For information regarding how to obtain individual RPM packages included in Patch 10027, please see the attached advisory.

SCO has released an advisory (CSSA-2004-005.0) and fixes to address this issue for OpenLinux. See the referenced advisory for links to fixes.


SANE SANE 1.0.0

SANE SANE 1.0.1

SANE sane-backend 1.0.10

SANE SANE 1.0.2

SANE SANE 1.0.3

SANE SANE 1.0.4

SANE SANE 1.0.5

SANE SANE 1.0.6

SANE SANE 1.0.7 -beta2

SANE SANE 1.0.7

SANE SANE 1.0.7 -beta1

SANE SANE 1.0.8

SANE SANE 1.0.9

- References

 

 
