CVE-2005-0757
CVSS2.1
发布时间 :2005-05-18 00:00:00
修订时间 :2010-08-21 00:26:57
NMCOS    

[原文]The xattr file system code, as backported in Red Hat Enterprise Linux 3 on 64-bit systems, does not properly handle certain offsets, which allows local users to cause a denial of service (system crash) via certain actions on an ext3 file system with extended attributes enabled.


[CNNVD]Linux Kernel 64 Bit EXT3文件系统扩展属性拒绝服务漏洞(CNNVD-200505-1107)

        xattr文件系统代码移植到Red Hat Enterprise Linux 3的64-bit系统上时,未正确处理某些偏移量,本地用户可以通过启用了扩展属性的ext3文件系统上的操作来发起拒绝服务攻击(系统崩溃)。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:redhat:enterprise_linux_desktop:3.0Red Hat Desktop 3.0
cpe:/o:redhat:enterprise_linux:3.0::workstation
cpe:/o:redhat:enterprise_linux:3.0::enterprise_server
cpe:/o:redhat:enterprise_linux:3.0::advanced_servers

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:11406The xattr file system code, as backported in Red Hat Enterprise Linux 3 on 64-bit systems, does not properly handle certain offsets, which a...
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0757
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0757
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1107
(官方数据源) CNNVD

- 其它链接及资源

http://www.redhat.com/support/errata/RHSA-2005-294.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:294
http://www.securityfocus.com/bid/13680
(UNKNOWN)  BID  13680
http://www.debian.org/security/2005/dsa-922
(UNKNOWN)  DEBIAN  DSA-922
http://www.debian.org/security/2005/dsa-921
(UNKNOWN)  DEBIAN  DSA-921
http://secunia.com/advisories/18059
(UNKNOWN)  SECUNIA  18059
http://secunia.com/advisories/18056
(UNKNOWN)  SECUNIA  18056

- 漏洞信息

Linux Kernel 64 Bit EXT3文件系统扩展属性拒绝服务漏洞
低危 授权问题
2005-05-18 00:00:00 2005-10-20 00:00:00
本地  
        xattr文件系统代码移植到Red Hat Enterprise Linux 3的64-bit系统上时,未正确处理某些偏移量,本地用户可以通过启用了扩展属性的ext3文件系统上的操作来发起拒绝服务攻击(系统崩溃)。

- 公告与补丁

        暂无数据

- 漏洞信息

16687
Red Hat Linux xattr File System Local DoS
Denial of Service
Loss of Availability

- 漏洞描述

- 时间线

2005-05-18 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Linux Kernel 64 Bit EXT3 Filesystem Extended Attribute Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 13680
No Yes
2005-05-19 12:00:00 2009-07-12 02:56:00
This issue was announced in a vendor advisory.

- 受影响的程序版本

RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 3
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 3
Linux kernel 2.6.12 -rc4
Linux kernel 2.6.11 .8
Linux kernel 2.6.11 .7
Linux kernel 2.6.11 .6
Linux kernel 2.6.11 .5
Linux kernel 2.6.11 -rc4
Linux kernel 2.6.11 -rc3
Linux kernel 2.6.11 -rc2
Linux kernel 2.6.11
+ Red Hat Fedora Core4
Linux kernel 2.6.10 rc2
Linux kernel 2.6.10
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Trustix Secure Linux 3.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Linux kernel 2.6.9
Linux kernel 2.6.8 rc3
Linux kernel 2.6.8 rc2
Linux kernel 2.6.8 rc1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.7 rc1
Linux kernel 2.6.7
Linux kernel 2.6.6 rc1
Linux kernel 2.6.6
Linux kernel 2.6.5
+ S.u.S.E. Linux Enterprise Server 9
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.1
Linux kernel 2.6.4
Linux kernel 2.6.3
Linux kernel 2.6.2
Linux kernel 2.6.1 -rc2
Linux kernel 2.6.1 -rc1
Linux kernel 2.6.1
Linux kernel 2.6 .10
Linux kernel 2.6 -test9-CVS
Linux kernel 2.6 -test9
Linux kernel 2.6 -test8
Linux kernel 2.6 -test7
Linux kernel 2.6 -test6
Linux kernel 2.6 -test5
Linux kernel 2.6 -test4
Linux kernel 2.6 -test3
Linux kernel 2.6 -test2
Linux kernel 2.6 -test11
Linux kernel 2.6 -test10
Linux kernel 2.6 -test1
Linux kernel 2.6
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- 漏洞讨论

The Linux Kernel is prone to a local denial of service vulnerability. Reports indicate the issue manifests on 64-bit platforms and is because of a flaw present in offset handling for the extended attribute file system code.

A local attacker may trigger this issue to crash the system kernel.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

Red Hat has released advisory RHSA-2005:294-29 and fixes to address this is sue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Debian advisory DSA 921-1 is available to address various issues affecting the Linux kernel. Please see the referenced advisory for more information.

Debian GNU/Linux has released advisory DSA 922-1, along with fixes to address multiple kernel issues. Please see the referenced advisory for further information.

---
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站