CVE-2004-0687
CVSS 7.5
Published: 2004-10-20 00:00:00
Revised: 2016-10-17 22:47:52

[Original] Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file.


[CNNVD] libXpm Image Decoding Multiple Buffer Overflow Vulnerabilities (CNNVD-200410-068)

        libXpm is a library for decoding XPM images.
        libXpm fails to check buffer bounds correctly in several places; a remote attacker can exploit this to execute arbitrary instructions with the privileges of the user process.
        The first issue is a stack buffer overflow in xpmParseColors (parse.c): unsafe use of strcat() in the XPMv1 and XPMv2/3 parsing code can overflow a fixed-size buffer.
        The second issue is an integer overflow when xpmParseColors (parse.c) allocates colorTable, in the following statement:
        colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
        where ncolors can come from an untrusted XPM file.
        The third issue is a stack buffer overflow in ParseAndPutPixels (create.c) while reading pixels.
        By constructing a malicious XPM file and luring a user into opening it, an attacker can execute arbitrary instructions with the privileges of the user process.
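As an added illustration of the two parse.c defects described above (this is example code written for this page, not libXpm's own code): a checked replacement for the unchecked `ncolors * sizeof(XpmColor)` allocation, and a bounded append in place of the unchecked strcat(). `XpmColorStandIn`, `NCOLORS_MAX` and the helper names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libXpm's XpmColor; the field layout is assumed for this example only. */
typedef struct {
    char *string, *symbolic, *m_color, *g4_color, *g_color, *c_color;
} XpmColorStandIn;

/* Upper bound on colours we are willing to allocate for (assumed policy value). */
#define NCOLORS_MAX (1u << 20)

/* Returns 1 if n * sz would wrap size_t, otherwise stores the product in *out and returns 0. */
int mul_overflows(size_t n, size_t sz, size_t *out)
{
    if (n != 0 && sz > SIZE_MAX / n)
        return 1;
    *out = n * sz;
    return 0;
}

/* Checked form of: colorTable = XpmCalloc(ncolors, sizeof(XpmColor));
 * ncolors comes from the untrusted XPM header, so it is validated before any
 * arithmetic is done on it. Returns NULL for ncolors == 0, for values above
 * the policy cap, or when the byte count would wrap. */
XpmColorStandIn *alloc_color_table(unsigned long ncolors)
{
    size_t bytes;
    if (ncolors == 0 || ncolors > NCOLORS_MAX)
        return NULL;
    if (mul_overflows((size_t)ncolors, sizeof(XpmColorStandIn), &bytes))
        return NULL;
    return (XpmColorStandIn *)calloc((size_t)ncolors, sizeof(XpmColorStandIn));
}

/* Bounded replacement for strcat() when a colour line is assembled from file
 * tokens: appends src to the NUL-terminated dst (capacity cap bytes) and returns
 * 0, or returns -1 and leaves dst unchanged if the result plus its terminator
 * would not fit. */
int bounded_append(char *dst, size_t cap, const char *src)
{
    size_t dl = strlen(dst);
    size_t sl = strlen(src);
    if (dl >= cap || sl >= cap - dl)   /* need sl bytes plus the NUL */
        return -1;
    memcpy(dst + dl, src, sl + 1);
    return 0;
}
```

Modern calloc() implementations reject a wrapping product themselves, but the explicit check keeps the rejection visible and lets the parser fail the file cleanly rather than relying on allocator behaviour.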

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:x.org:x11r6:6.7.0
cpe:/a:xfree86_project:x11r6:4.1.12
cpe:/o:openbsd:openbsd:3.4  (OpenBSD 3.4)
cpe:/a:xfree86_project:x11r6:4.1.11
cpe:/a:xfree86_project:x11r6:4.0.3
cpe:/a:xfree86_project:x11r6:4.2.0
cpe:/o:suse:suse_linux:9.0::x86_64
cpe:/a:xfree86_project:x11r6:4.2.1
cpe:/a:xfree86_project:x11r6:4.3.0
cpe:/a:x.org:x11r6:6.8
cpe:/a:xfree86_project:x11r6:4.0.1
cpe:/a:xfree86_project:x11r6:4.1.0
cpe:/o:openbsd:openbsd:3.5  (OpenBSD 3.5)
cpe:/a:xfree86_project:x11r6:4.2.1::errata
cpe:/o:suse:suse_linux:8.1  (SuSE Linux 8.1)
cpe:/o:suse:suse_linux:9.0  (SuSE Linux 9.0)
cpe:/a:xfree86_project:x11r6:4.0.2.11
cpe:/a:xfree86_project:x11r6:3.3.6
cpe:/a:xfree86_project:x11r6:4.0
cpe:/o:suse:suse_linux:8::enterprise_server
cpe:/o:suse:suse_linux:9.0::enterprise_server
cpe:/o:suse:suse_linux:8.2  (SuSE Linux 8.2)
cpe:/o:suse:suse_linux:9.1  (SuSE Linux 9.1)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9187  Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c fo...
*OVAL describes in detail how to detect this vulnerability; more technical detail on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0687
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0687
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-068
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000924
(UNKNOWN)  CONECTIVA  CLA-2005:924
http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch
(UNKNOWN)  CONFIRM  http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch
http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2005-05-03
http://marc.info/?l=bugtraq&m=109530851323415&w=2
(UNKNOWN)  BUGTRAQ  20040915 CESA-2004-004: libXpm
http://scary.beasts.org/security/CESA-2004-003.txt
(UNKNOWN)  MISC  http://scary.beasts.org/security/CESA-2004-003.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57653-1
(UNKNOWN)  SUNALERT  57653
http://www.debian.org/security/2004/dsa-560
(UNKNOWN)  DEBIAN  DSA-560
http://www.gentoo.org/security/en/glsa/glsa-200409-34.xml
(UNKNOWN)  GENTOO  GLSA-200409-34
http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml
(UNKNOWN)  GENTOO  GLSA-200502-07
http://www.kb.cert.org/vuls/id/882750
(UNKNOWN)  CERT-VN  VU#882750
http://www.mandriva.com/security/advisories?name=MDKSA-2004:098
(UNKNOWN)  MANDRAKE  MDKSA-2004:098
http://www.novell.com/linux/security/advisories/2004_34_xfree86_libs_xshared.html
(UNKNOWN)  SUSE  SUSE-SA:2004:034
http://www.redhat.com/archives/fedora-legacy-announce/2006-January/msg00001.html
(UNKNOWN)  FEDORA  FLSA-2006:152803
http://www.redhat.com/support/errata/RHSA-2004-537.html
(UNKNOWN)  REDHAT  RHSA-2004:537
http://www.redhat.com/support/errata/RHSA-2005-004.html
(UNKNOWN)  REDHAT  RHSA-2005:004
http://www.securityfocus.com/archive/1/archive/1/434715/100/0/threaded
(UNKNOWN)  HP  SSRT4848
http://www.securityfocus.com/bid/11196
(VENDOR_ADVISORY)  BID  11196
http://www.ubuntulinux.org/support/documentation/usn/usn-27-1
(UNKNOWN)  UBUNTU  USN-27-1
http://www.us-cert.gov/cas/techalerts/TA05-136A.html
(UNKNOWN)  CERT  TA05-136A
http://www.vupen.com/english/advisories/2006/1914
(UNKNOWN)  VUPEN  ADV-2006-1914
http://xforce.iss.net/xforce/xfdb/17414
(VENDOR_ADVISORY)  XF  libxpm-multiple-stack-bo(17414)

- Vulnerability information

libXpm Image Decoding Multiple Buffer Overflow Vulnerabilities
High severity  Boundary condition error
2004-10-20 00:00:00 2009-08-30 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2004/dsa-548

        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2004:099) and corresponding patches for this issue:
        MDKSA-2004:099: Updated XFree86 packages fix libXpm overflow vulnerabilities
        Link:
        http://www.linux-mandrake.com/en/security/2004/2004-099.php

        Patch downloads:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libxfree86-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libxfree86-devel-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/libxfree86-static-devel-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-100dpi-fonts-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-75dpi-fonts-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-cyrillic-fonts-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-doc-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-glide-module-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-server-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-xfs-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-Xnest-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/XFree86-Xvfb-4.3-32.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/XFree86-4.3-32.2.100mdk.src.rpm
        Mandrakelinux 10.0/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/SRPMS/XFree86-4.3-32.2.100mdk.src.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64xfree86-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64xfree86-devel-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/lib64xfree86-static-devel-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-100dpi-fonts-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-75dpi-fonts-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-cyrillic-fonts-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-doc-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-server-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-xfs-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-Xnest-4.3-32.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/XFree86-Xvfb-4.3-32.2.100mdk.amd64.rpm
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/XFree86-100dpi-fonts-4.2.1-6.10.C21mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/XFree86-4.2.1-6.10.C21mdk.i586.rpm
        

- Vulnerability information

10027
libXpm ParsePixels Function Stack Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Unknown

- Vulnerability description

A local overflow exists in libXpm. The ParsePixels function fails to validate user-supplied input resulting in a stack overflow. With a specially crafted request, a malicious user can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2004-09-15 Unknown
Unknown Unknown

- Solution

Upgrade to version 6.8.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

libXpm Image Decoding Multiple Remote Buffer Overflow Vulnerabilities
Boundary Condition Error 11196
Yes No
2004-09-15 12:00:00 2008-07-02 07:00:00
Discovery is credited to Chris Evans <chris@scary.beasts.org>.

- Affected program versions

XFree86 X11R6 4.3 .0
XFree86 X11R6 4.2.1 Errata
XFree86 X11R6 4.2.1
+ Immunix Immunix OS 7.3
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ RedHat Linux 7.3
+ Slackware Linux 8.1
XFree86 X11R6 4.2 .0
+ Conectiva Linux Enterprise Edition 1.0
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Workstation 8.0
XFree86 X11R6 4.1 .0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
XFree86 X11R6 4.1 -12
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Server 3.1.1
- Caldera OpenLinux Workstation 3.1.1
XFree86 X11R6 4.1 -11
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
XFree86 X11R6 4.0.3
+ RedHat Linux 7.1
XFree86 X11R6 4.0.2 -11
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
XFree86 X11R6 4.0.1
XFree86 X11R6 4.0
XFree86 X11R6 3.3.6
+ Debian Linux 2.2
+ Red Hat Linux 6.2
X.org X11R6 6.8
X.org X11R6 6.7 .0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ SCO Unixware 7.1.4
+ SCO Unixware 7.1.3 up
+ SCO Unixware 7.1.3
+ SCO Unixware 7.1.1
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Java Desktop System (JDS) 2.0
Sun Java Desktop System (JDS) 2003
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
RedHat Network Satellite (for RHEL 4) 4.2
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Red Hat Network Satellite Server 4.2
Red Hat Network Satellite (for RHEL 3) 4.2
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD -current
Open Group Open Motif 2.2.2 -205
Open Group Open Motif 1.2
Lesstif Lesstif 0.93.94
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Lesstif Lesstif 0.93.91
Lesstif Lesstif 0.93.40
Lesstif Lesstif 0.93.36
Lesstif Lesstif 0.93.34
Lesstif Lesstif 0.93.18
Lesstif Lesstif 0.93.12
Lesstif Lesstif 0.93
IBM AIX 5.3 L
IBM AIX 5.2.2
IBM AIX 5.2 L
IBM AIX 5.1 L
IBM AIX 5.2
IBM AIX 5.1
HP Tru64 5.1 B-2 PK4 (BL25)
HP Tru64 5.1 B-2 PK4
HP Tru64 5.1 B PK3 (BL24)
HP Tru64 5.1 B PK3
HP Tru64 5.1 A PK6 (BL24)
HP Tru64 5.1 A PK6
HP Tru64 4.0 G PK4 (BL22)
HP Tru64 4.0 G PK4
HP Tru64 4.0 F PK8 (BL22)
HP Tru64 4.0 F PK8
HP HP-UX 11.23
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux
Conectiva Linux 10.0
Conectiva Linux 9.0
Avaya Network Routing
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Integrated Management
Avaya CVLAN
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 8.0
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3

- Unaffected program versions

X.org X11R6 6.8.1
Open Group Open Motif 2.2.4 -0.1
Open Group Open Motif 2.2.3
+ Gentoo Linux
Lesstif Lesstif 0.93.96

- Vulnerability discussion

Multiple vulnerabilities are reported to exist in the libXpm. These issues may be triggered when the library handles malformed XPM images. The vulnerabilities occur because the software fails to perform sufficient boundary checks. A successful attack may allow for unauthorized access to a vulnerable computer.

An attacker can exploit these issues by crafting a malicious XPM file and having unsuspecting users view the file through an application that uses the affected library.

libXpm shipped with X.org X11R6 6.8.0 is reported vulnerable.

This BID will be divided and updated as more information becomes available.

- Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

This issue is reported fixed in X.org X11R6 6.8.1. A patch has also been made available for X.org X11R6 6.8.0.

Please see the referenced advisories for more information.


OpenBSD OpenBSD 3.5

Sun Solaris 8_sparc

OpenBSD OpenBSD 3.4

IBM AIX 5.1

IBM AIX 5.2

Red Hat Fedora Core2

Sun Java Desktop System (JDS) 2003
  • Sun patch-9367

  • Sun patch-9400
    To install, select: Launch -> Applications -> System Tools -> Online Update


Lesstif Lesstif 0.93

Lesstif Lesstif 0.93.12

Lesstif Lesstif 0.93.18

Lesstif Lesstif 0.93.34

Lesstif Lesstif 0.93.36

Lesstif Lesstif 0.93.91

Lesstif Lesstif 0.93.94

Apple Mac OS X Server 10.3.9

Sun Java Desktop System (JDS) 2.0
  • Sun patch-9367

  • Sun patch-9400
    To install, select: Launch -> Applications -> System Tools -> Online Update


XFree86 X11R6 4.1 .0

XFree86 X11R6 4.2 .0

XFree86 X11R6 4.2.1

IBM AIX 5.2 L

IBM AIX 5.2.2

IBM AIX 5.3 L

X.org X11R6 6.7 .0

X.org X11R6 6.8

- References
