CVE-2005-0100
CVSS 7.5
Published: 2005-02-07 00:00:00
Last revised: 2016-10-17 23:07:48

[Original] Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets.


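[CNNVD] Emacs Movemail POP3 Remote Format String Vulnerability (CNNVD-200502-007)

        Emacs, short for Editor MACroS, is a plain-text editor.
        A format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier allows remote malicious POP3 servers to execute arbitrary code via crafted packets.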

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gnu:emacs:20.0 GNU Emacs 20.0
cpe:/a:gnu:xemacs:21.4 GNU XEmacs 21.4
cpe:/a:gnu:emacs:21.3 GNU Emacs 21.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9408 Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, a...
*OVAL describes in detail how to detect this vulnerability; more technical details for detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0100
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0100
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-007
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110780416112719&w=2
(UNKNOWN)  BUGTRAQ  20050207 [USN-76-1] Emacs vulnerability
http://www.debian.org/security/2005/dsa-670
(VENDOR_ADVISORY)  DEBIAN  DSA-670
http://www.debian.org/security/2005/dsa-671
(VENDOR_ADVISORY)  DEBIAN  DSA-671
http://www.debian.org/security/2005/dsa-685
(VENDOR_ADVISORY)  DEBIAN  DSA-685
http://www.mandriva.com/security/advisories?name=MDKSA-2005:038
(UNKNOWN)  MANDRAKE  MDKSA-2005:038
http://www.redhat.com/support/errata/RHSA-2005-110.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:110
http://www.redhat.com/support/errata/RHSA-2005-112.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:112
http://www.redhat.com/support/errata/RHSA-2005-133.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:133
http://www.securityfocus.com/archive/1/archive/1/433928/30/5010/threaded
(UNKNOWN)  FEDORA  FLSA-2006:152898
http://www.securityfocus.com/bid/12462
(UNKNOWN)  BID  12462
http://xforce.iss.net/xforce/xfdb/19246
(VENDOR_ADVISORY)  XF  xemacs-movemail-format-string(19246)

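- Vulnerability information

Emacs Movemail POP3 Remote Format String Vulnerability
High risk  Format string
2005-02-07 00:00:00 2005-10-20 00:00:00
Remote
        Emacs, short for Editor MACroS, is a plain-text editor.
        A format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier allows remote malicious POP3 servers to execute arbitrary code via crafted packets.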

- Advisories and patches

        The vendors have released upgrade patches to fix this security issue. Patch download links:
        GNU Emacs 20.0
        Debian emacs20-el_20.7-13.3_all.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20-el_20.7-13.3_all.deb
        Debian emacs20_20.7-13.3_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_alpha.deb
        Debian emacs20_20.7-13.3_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_arm.deb
        Debian emacs20_20.7-13.3_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_hppa.deb
        Debian emacs20_20.7-13.3_i386.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_i386.deb
        Debian emacs20_20.7-13.3_ia64.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_ia64.deb
        Debian emacs20_20.7-13.3_m68k.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_m68k.deb
        Debian emacs20_20.7-13.3_mips.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_mips.deb
        Debian emacs20_20.7-13.3_mipsel.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_mipsel.deb
        Debian emacs20_20.7-13.3_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_powerpc.deb
        Debian emacs20_20.7-13.3_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_s390.deb
        Debian emacs20_20.7-13.3_sparc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/e/emacs20/emacs20_20.7-13.3_sparc.deb
        GNU Emacs 21.3
        Mandrake emacs-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-21.3-9.1.100mdk.amd64.rpm
        Mandrake Linux 10.0/AMD64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-21.3-9.1.100mdk.i586.rpm
        Mandrake Linux 10.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-21.3-9.1.C30mdk.i586.rpm
        Mandrake Corporate Server 3.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-21.3-9.1.C30mdk.x86_64.rpm
        Mandrake Corporate Server 3.0/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-doc-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-doc-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-9.1.100mdk.amd64.rpm
        Mandrake Linux 10.0/AMD64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-9.1.100mdk.i586.rpm
        Mandrake Linux 10.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-9.1.C30mdk.i586.rpm
        Mandrake Corporate Server 3.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-el-21.3-9.1.C30mdk.x86_64.rpm
        Mandrake Corporate Server 3.0/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-9.1.100mdk.amd64.rpm
        Mandrake Linux 10.0/AMD64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-9.1.100mdk.i586.rpm
        Mandrake Linux 10.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-9.1.C30mdk.i586.rpm
        Mandrake Corporate Server 3.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-leim-21.3-9.1.C30mdk.x86_64.rpm
        Mandrake Corporate Server 3.0/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-9.1.100mdk.amd64.rpm
        Mandrake Linux 10.0/AMD64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-9.1.100mdk.i586.rpm
        Mandrake Linux 10.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-9.1.C30mdk.i586.rpm
        Mandrake Corporate Server 3.0
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-nox-21.3-9.1.C30mdk.x86_64.rpm
        Mandrake Corporate Server 3.0/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-X11-21.3-15.1.101mdk.i586.rpm
        Mandrake Linux 10.1
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-X11-21.3-15.1.101mdk.x86_64.rpm
        Mandrake Linux 10.1/x86_64
        http://www.mandrakesecure.net/en/ftp.php
        Mandrake emacs-X11-21.3-9.1.100mdk.amd64.rpm
        Mandrake Linux 10.0/AMD64
        http://www.mandrakesecure.net/en/ftp.php
        

- Vulnerability information (F36084)

Ubuntu Security Notice 76-1 (PacketStormID:F36084)
2005-02-22 00:00:00
Ubuntu  ubuntu.com
advisory,overflow,arbitrary
linux,ubuntu
CVE-2005-0100

Ubuntu Security Notice USN-76-1 - Max Vozeler discovered a format string vulnerability in the movemail utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the mail group.

===========================================================
Ubuntu Security Notice USN-76-1		  February 07, 2005
emacs21 vulnerability
CAN-2005-0100
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

emacs21-bin-common

The problem can be corrected by upgrading the affected package to
version 21.3+1-5ubuntu4.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Max Vozeler discovered a format string vulnerability in the "movemail"
utility of Emacs. By sending specially crafted packets, a malicious
POP3 server could cause a buffer overflow, which could have been
exploited to execute arbitrary code with the privileges of the user
and the "mail" group (since "movemail" is installed as "setgid mail").

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1-5ubuntu4.2.diff.gz
      Size/MD5:   220180 bc57787061b02474dfd803ddbc08e771
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1-5ubuntu4.2.dsc
      Size/MD5:      801 f9c6262e8114deeba4430fee03cb7847
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1.orig.tar.gz
      Size/MD5: 18112871 83259d856459b473bf7fb6b6cfead0d2

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21-common_21.3+1-5ubuntu4.2_all.deb
      Size/MD5: 10984378 550a747169ae12ba65f568379137dccb
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21-el_21.3+1-5ubuntu4.2_all.deb
      Size/MD5:  7149862 b01a5203171f92f03b55c67fcf52dc67

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21-bin-common_21.3+1-5ubuntu4.2_amd64.deb
      Size/MD5:   148576 4c04484d1dead472dff48afa013bd749
    http://security.ubuntu.com/ubuntu/pool/universe/e/emacs21/emacs21-nox_21.3+1-5ubuntu4.2_amd64.deb
      Size/MD5:  1940154 e05b39ee168bb8480b178cf9e953bdb2
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1-5ubuntu4.2_amd64.deb
      Size/MD5:  2158448 c166427b672d77108eb951019b7e3d72

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21-bin-common_21.3+1-5ubuntu4.2_i386.deb
      Size/MD5:   131160 07d9fe77aa1807cf6fe0d4eeb1fe8838
    http://security.ubuntu.com/ubuntu/pool/universe/e/emacs21/emacs21-nox_21.3+1-5ubuntu4.2_i386.deb
      Size/MD5:  1794792 c2795d591670c1c7db8fc57088840935
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1-5ubuntu4.2_i386.deb
      Size/MD5:  1978432 f5085f2d945c08dc5230cecde8236946

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21-bin-common_21.3+1-5ubuntu4.2_powerpc.deb
      Size/MD5:   144576 16a77927200e2ae8eb01b7c78062a38e
    http://security.ubuntu.com/ubuntu/pool/universe/e/emacs21/emacs21-nox_21.3+1-5ubuntu4.2_powerpc.deb
      Size/MD5:  1881976 c48d5ce477a7092e7518a446f77caab5
    http://security.ubuntu.com/ubuntu/pool/main/e/emacs21/emacs21_21.3+1-5ubuntu4.2_powerpc.deb
      Size/MD5:  2087044 8d32d0c234217ac394b89066b0669934
    

- Vulnerability information

13588
GNU Emacs movemail popmail() Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in GNU Emacs. The movemail function fails to adequately check responses from POP3 Servers in popmail() resulting in a format string overflow. With a specially crafted response, an attacker with a malicious POP3 Server can gain remote access with privilege of the logged on user and the effective group ID of the mail group resulting in a loss of integrity.

- Timeline

2005-02-07 Unknown
Unknown Unknown

- Solution

Upgrade to version 21.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as the fix has been applied to the CVS tree rather than as a patch kit.

- Related references

- Vulnerability author

- Vulnerability information

Emacs Movemail POP3 Remote Format String Vulnerability
Input Validation Error 12462
Yes No
2005-02-07 12:00:00 2006-11-30 04:59:00
Discovery is credited to Max Vozeler.

- Affected program versions

XEmacs Development Team XEmacs 21.4.15
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
XEmacs Development Team XEmacs 21.4.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
XEmacs Development Team XEmacs 21.2.42
XEmacs Development Team XEmacs 21.1.10
+ Caldera OpenLinux 2.3
XEmacs Development Team XEmacs 2.1.13
XEmacs Development Team XEmacs 2.1.13
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
SGI ProPack 3.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Mandriva Linux Mandrake 10.0 AMD64
Mandriva Linux Mandrake 10.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
GNU Emacs 21.3
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
GNU Emacs 20.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0

- Vulnerability discussion

The movemail utility of Emacs is reported prone to a remote format-string vulnerability. This issue arises because the application fails to sanitize user-supplied data before passing it as the format specifier to a formatted-printing function.

A remote attacker may leverage this issue to write to arbitrary process memory, facilitating code execution. Any code execution would take place with setgid mail privileges.

- Exploit


Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

Please see the referenced advisories for more information.


GNU Emacs 20.0

GNU Emacs 21.3

XEmacs Development Team XEmacs 21.4.15

XEmacs Development Team XEmacs 21.4.6

SGI ProPack 3.0

- Related references

 

 
