CVE-2005-2801
CVSS 5.0
Published: 2005-09-06 13:03:00
Last revised: 2016-11-07 21:59:17

[Original] xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks, which could prevent default ACLs from being applied.


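[CNNVD] Linux Kernel EXT2/EXT3 File System Access Control Bypass Vulnerability (CNNVD-200509-040)

        The Linux Kernel is the kernel used by the open-source operating system Linux.
        A vulnerability exists in the way the Linux Kernel handles extended attributes on ext2 and ext3 file systems. Under certain circumstances, access control lists may not be applied, leading to information disclosure, unauthorized program execution, or unauthorized modification of data. This vulnerability does not affect standard Unix permissions.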

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10495: xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does not properly compare the name_index fields when sharing xattr blocks...
*OVAL describes in detail how to detect this vulnerability; more technical details for detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2801
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-040
(Official data source) CNNVD

- Other links and resources

http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html
(UNKNOWN)  MLIST  [Acl-Devel] 20050205 [FIX] Long-standing xattr sharing bug
http://lists.debian.org/debian-kernel/2005/08/msg00238.html
(PATCH)  MLIST  [debian-kernel] 20050809 Re: ACL patches in Debian 2.4 series kernel.
http://www.debian.org/security/2005/dsa-921
(UNKNOWN)  DEBIAN  DSA-921
http://www.debian.org/security/2005/dsa-922
(UNKNOWN)  DEBIAN  DSA-922
http://www.novell.com/linux/security/advisories/2005_18_kernel.html
(VENDOR_ADVISORY)  SUSE  SUSE-SA:2005:018
http://www.redhat.com/support/errata/RHSA-2005-514.html
(UNKNOWN)  REDHAT  RHSA-2005:514
http://www.redhat.com/support/errata/RHSA-2006-0144.html
(UNKNOWN)  REDHAT  RHSA-2006:0144
http://www.securityfocus.com/archive/1/archive/1/427980/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:157459-3
http://www.securityfocus.com/bid/14793
(UNKNOWN)  BID  14793

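- Vulnerability information

Linux Kernel EXT2/EXT3 File System Access Control Bypass Vulnerability
Medium risk  Design error
2005-09-06 00:00:00 2005-10-20 00:00:00
Local
        The Linux Kernel is the kernel used by the open-source operating system Linux.
        A vulnerability exists in the way the Linux Kernel handles extended attributes on ext2 and ext3 file systems. Under certain circumstances, access control lists may not be applied, leading to information disclosure, unauthorized program execution, or unauthorized modification of data. This vulnerability does not affect standard Unix permissions.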

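- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:
        http://www.kernel.org/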

- Vulnerability information

19314
Linux Kernel ext2/ext3 xattr.c name_index Error ACL Failure

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-24 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Linux Kernel EXT2/EXT3 File System Access Control Bypass Vulnerability
Design Error 14793
No Yes
2005-09-09 12:00:00 2009-07-12 05:06:00
The discoverer of this issue is currently unknown.

- Affected program versions

RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Linux kernel 2.6.10
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
+ Trustix Secure Linux 3.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
Linux kernel 2.6.8
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
Linux kernel 2.6.3
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Discussion

Linux Kernel is prone to an access-control bypass when using the EXT2/EXT3 filesystems.

If successful, an attacker may modify or corrupt data, access sensitive information, and execute arbitrary code.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution


Please see the references for more information and vendor advisories.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com


Linux kernel 2.6.10
