CVE-2004-0080
CVSS5.0
发布时间 :2004-03-03 00:00:00
修订时间 :2016-10-17 22:40:45
NMCOS    

[原文]The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.


[CNNVD]Util-Linux Login程序信息泄露漏洞(CNNVD-200403-027)

        
        util-linux包包含各种低层系统工具实现Linux基本功能。
        util-linux包含的login程序存在安全问题,远程攻击者可以利用这个漏洞获得部分敏感数据信息。
        在部分条件下,login程序会使用释放的和重分配的指针,这可导致泄露敏感信息,目前没有详细漏洞细节提供。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0080
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0080
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-027
(官方数据源) CNNVD

- 其它链接及资源

ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U.asc
(UNKNOWN)  SGI  20040201-01-U
ftp://patches.sgi.com/support/free/security/advisories/20040406-01-U
(UNKNOWN)  SGI  20040406-01-U
http://marc.info/?l=bugtraq&m=108077689801698&w=2
(UNKNOWN)  BUGTRAQ  20040331 OpenLinux: util-linux could leak sensitive data
http://marc.info/?l=bugtraq&m=108144719532385&w=2
(UNKNOWN)  BUGTRAQ  20040408 LNSA-#2004-0010: login may leak sensitive data
http://security.gentoo.org/glsa/glsa-200404-06.xml
(UNKNOWN)  GENTOO  GLSA-200404-06
http://www.kb.cert.org/vuls/id/801526
(UNKNOWN)  CERT-VN  VU#801526
http://www.redhat.com/support/errata/RHSA-2004-056.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:056
http://www.securityfocus.com/bid/9558
(VENDOR_ADVISORY)  BID  9558
http://xforce.iss.net/xforce/xfdb/15016
(UNKNOWN)  XF  utillinux-information-leak(15016)

- 漏洞信息

Util-Linux Login程序信息泄露漏洞
中危 设计错误
2004-03-03 00:00:00 2005-05-13 00:00:00
远程  
        
        util-linux包包含各种低层系统工具实现Linux基本功能。
        util-linux包含的login程序存在安全问题,远程攻击者可以利用这个漏洞获得部分敏感数据信息。
        在部分条件下,login程序会使用释放的和重分配的指针,这可导致泄露敏感信息,目前没有详细漏洞细节提供。
        

- 公告与补丁

        厂商补丁:
        RedHat
        ------
        RedHat已经为此发布了一个安全公告(RHSA-2004:056-05)以及相应补丁:
        RHSA-2004:056-05:Updated util-linux packages fix information leak
        链接:https://www.redhat.com/support/errata/RHSA-2004-056.html
        Red Hat Enterprise Linux AS (v. 2.1)
        --------------------------------------------------------------------------------
        
        SRPMS:
        util-linux-2.11f-20.4.src.rpm 00bd8ff344c54363b75ce441b0a19495
        
        i386:
        util-linux-2.11f-20.4.i386.rpm 6ce893d86080bbb506116766cbf4348a
        
        ia64:
        util-linux-2.11f-20.4.ia64.rpm e6cde0a5bd6d89dd8660a3fe83da5a9b
        
        Red Hat Enterprise Linux ES (v. 2.1)
        --------------------------------------------------------------------------------
        
        SRPMS:
        util-linux-2.11f-20.4.src.rpm 00bd8ff344c54363b75ce441b0a19495
        
        i386:
        util-linux-2.11f-20.4.i386.rpm 6ce893d86080bbb506116766cbf4348a
        
        Red Hat Enterprise Linux WS (v. 2.1)
        --------------------------------------------------------------------------------
        
        SRPMS:
        util-linux-2.11f-20.4.src.rpm 00bd8ff344c54363b75ce441b0a19495
        
        i386:
        util-linux-2.11f-20.4.i386.rpm 6ce893d86080bbb506116766cbf4348a
        
        Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
        --------------------------------------------------------------------------------
        
        SRPMS:
        util-linux-2.11f-20.4.src.rpm 00bd8ff344c54363b75ce441b0a19495
        
        ia64:
        util-linux-2.11f-20.4.ia64.rpm e6cde0a5bd6d89dd8660a3fe83da5a9b
        用户可以使用up2date命令进行升级。
        SGI
        ---
        SGI已经为此发布了一个安全公告(20040201-01-U)以及相应补丁:
        20040201-01-U:SGI Advanced Linux Environment security update #10
        链接:ftp://patches.sgi.com/support/free/security/advisories/20040201-01-U
        SGI ProPack 2.3:
        SGI Patch patch10050.tar.gz
        ftp://patches.sgi.com/support/free/security/patches/ProPack/2.3/patch10050.tar.gz

- 漏洞信息

3796
Red Hat Linux util-linux Login Program Information Leakage
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Unknown

- 漏洞描述

Red Hat Linux contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when by a flaw in the login program, which can disclose information in freed memory resulting in a loss of confidentiality.

- 时间线

2004-02-03 2004-01-19
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Util-Linux Login Program Information Leakage Vulnerability
Design Error 9558
Yes No
2004-02-03 12:00:00 2009-07-12 02:06:00
Discovery credited to Matthew Lee.

- 受影响的程序版本

SGI ProPack 2.4
SGI ProPack 2.3
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
RedHat Linux 7.2 i386
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Netwosix Netwosix Linux 1.1
Netwosix Netwosix Linux 1.0

- 漏洞讨论

A problem has been identified in the handling of information by the login component of the util-linux package. Because of this, an attacker may be able to gain access to sensitive information.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

Netwosix has released an advisory (NLSA-#2004-0010) to address this issue in Netwosix version 1.0 and 1.1. Please see the referenced advisory for more information. Fix is available below.

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information. Fixes are available below.

Red Hat has made fixes for this issue available. See referenced advisory RHSA-2004:056-05 for additional details.

SGI has released an advisory 20040201-01-U with a patch to address this and other issues. Please see the referenced advisory for more information.

Fedora Legacy Update Advisory FLSA:1256 has been released to address this issue in Red Hat Linux.

SCO OpenLinux advisory CSSA-2004-016.0 and fixes have been released dealing with this issue.

Gentoo Linux has released GLSA 200404-06 advisory as well as fix information dealing with this issue. It has been recommended that the following action be taken to upgrade the vulnerable application:

All util-linux users should upgrade to version 2.12 or later:

# emerge sync

# emerge -pv ">=sys-apps/util-linux-2.12"
# emerge ">=sys-apps/util-linux-2.12"

Please see the referenced Gentoo advisory for more information.

Silicon Graphics has released advisory 20040406-01-U for Service Pack 2.4 dealing with this issue as well as others. Please see the referenced advisory for more information and details on obtaining fixes.


Netwosix Netwosix Linux 1.0

Netwosix Netwosix Linux 1.1

SGI ProPack 2.3

SGI ProPack 2.4

SCO OpenLinux Workstation 3.1.1

SCO OpenLinux Server 3.1.1

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站