CVE-2004-2395
CVSS2.1
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:44:00
NMCO    

[原文]Memory leak in passwd 0.68 allows local users to cause a denial of service (memory consumption) via a large number of failed read attempts from the password buffer.


[CNNVD]Mandrake Linux passwd未明安全漏洞(CNNVD-200412-383)

        
        Mandrake Linux是一款开放源代码操作系统。
        Mandrake Linux的passwd实现存在问题,可能导致安全级别降低,用户不能登录等问题。
        根据报告,Mandrake Linux通过stdin提供给passwd的密码比预想的要少一字符,目前还不清楚是否会在交互提示状况下发生。这可导致用户密码存储不正确或用户不能登录。
        另外PAM不正确初始化和"safe and proper""操作存在一定问题。
        

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:mandrakesoft:mandrake_linux:9.2::amd64
cpe:/o:mandrakesoft:mandrake_linux:9.2MandrakeSoft Mandrake Linux 9.2
cpe:/o:mandrakesoft:mandrake_linux:9.0MandrakeSoft Mandrake Linux 9.0
cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2MandrakeSoft Mandrake Multi Network Firewall 8.2
cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc
cpe:/o:mandrakesoft:mandrake_linux:10.0MandrakeSoft Mandrake Linux 10.0
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1::x86_64
cpe:/o:mandrakesoft:mandrake_linux:8.2::ppc
cpe:/o:mandrakesoft:mandrake_linux:8.2MandrakeSoft Mandrake Linux 8.2
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1MandrakeSoft Mandrake Linux Corporate Server 2.1
cpe:/o:mandrakesoft:mandrake_linux:9.1MandrakeSoft Mandrake Linux 9.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2395
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2395
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-383
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/16180
(PATCH)  XF  passwd-memory-leak(16180)
http://www.securityfocus.com/bid/10370
(PATCH)  BID  10370
http://www.mandriva.com/security/advisories?name=MDKSA-2004:045
(VENDOR_ADVISORY)  MANDRAKE  MDKSA-2004:045
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060
(VENDOR_ADVISORY)  MISC  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060

- 漏洞信息

Mandrake Linux passwd未明安全漏洞
低危 未知
2004-12-31 00:00:00 2005-10-20 00:00:00
本地  
        
        Mandrake Linux是一款开放源代码操作系统。
        Mandrake Linux的passwd实现存在问题,可能导致安全级别降低,用户不能登录等问题。
        根据报告,Mandrake Linux通过stdin提供给passwd的密码比预想的要少一字符,目前还不清楚是否会在交互提示状况下发生。这可导致用户密码存储不正确或用户不能登录。
        另外PAM不正确初始化和"safe and proper""操作存在一定问题。
        

- 公告与补丁

        厂商补丁:
        MandrakeSoft
        ------------
        MandrakeSoft已经为此发布了一个安全公告(MDKSA-2004:045)以及相应补丁:
        MDKSA-2004:045:Updated passwd packages fix vulnerabilities
        链接:
        http://www.linux-mandrake.com/en/security/2004/2004-045.php

        补丁下载:
        Updated Packages:
        Mandrakelinux 10.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/RPMS/passwd-0.68-2.2.100mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/10.0/SRPMS/passwd-0.68-2.2.100mdk.src.rpm
        Mandrakelinux 10.0/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/RPMS/passwd-0.68-2.2.100mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/10.0/SRPMS/passwd-0.68-2.2.100mdk.src.rpm
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/passwd-0.67-5.2.C21mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/passwd-0.67-5.2.C21mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/passwd-0.67-5.2.C21mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/passwd-0.67-5.2.C21mdk.src.rpm
        Mandrakelinux 9.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/passwd-0.68-2.2.91mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/passwd-0.68-2.2.91mdk.src.rpm
        Mandrakelinux 9.1/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/passwd-0.68-2.2.91mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/passwd-0.68-2.2.91mdk.src.rpm
        Mandrakelinux 9.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/passwd-0.68-2.2.92mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/passwd-0.68-2.2.92mdk.src.rpm
        Mandrakelinux 9.2/AMD64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/passwd-0.68-2.2.92mdk.amd64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/passwd-0.68-2.2.92mdk.src.rpm
        Multi Network Firewall 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/passwd-0.64.1-9.2.M82mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/passwd-0.64.1-9.2.M82mdk.src.rpm
        _______________________________________________________________________
        To upgrade automatically use MandrakeUpdate or urpmi. The verification
        of md5 checksums and GPG signatures is performed automatically for you.
        A list of FTP mirrors can be obtained from:
        
        http://www.mandrakesecure.net/en/ftp.php

        上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载:
        
        http://www.mandrakesecure.net/en/ftp.php

- 漏洞信息

19790
Linux passwd Failed Read Attempt Local DoS
Denial of Service
Loss of Availability
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-05-17 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站