CVE-2005-4889
CVSS 7.2
Published: 2010-06-08 14:30:09
Last modified: 2010-09-17 00:38:41

[Original] lib/fsm.c in RPM before 4.4.3 does not properly reset the metadata of an executable file during deletion of the file in an RPM package removal, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file, a related issue to CVE-2010-2059.


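[CNNVD] RPM 'lib/fsm.c' Permissions and Access Control Vulnerability (CNNVD-201006-075)

        When an RPM package is deleted during a package upgrade, lib/fsm.c in RPM does not properly reset the metadata of executable files; a local user can gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.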

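- CVSS (Base Score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may take the system down completely]
Access complexity: LOW [there are no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (Weakness Category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected Platforms and Products)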

cpe:/a:rpm:rpm:2.0.11 RPM RPM Package Manager 2.0.11
cpe:/a:rpm:rpm:2.3.8 RPM RPM Package Manager 2.3.9
cpe:/a:rpm:rpm:1.4.2%2Fa RPM RPM Package Manager 1.4.2/a
cpe:/a:rpm:rpm:2.3.9 RPM RPM Package Manager 2.3.9
cpe:/a:rpm:rpm:3.0 RPM RPM Package Manager 3.0
cpe:/a:rpm:rpm:2.0.10 RPM RPM Package Manager 2.0.10
cpe:/a:rpm:rpm:2.1.2 RPM RPM Package Manager 2.1.2
cpe:/a:rpm:rpm:1.4 RPM RPM Package Manager 1.4
cpe:/a:rpm:rpm:2.0.4 RPM RPM Package Manager 2.0.4
cpe:/a:rpm:rpm:4.3.3 RPM RPM Package Manager 4.3
cpe:/a:rpm:rpm:4.1 RPM RPM Package Manager 4.1
cpe:/a:rpm:rpm:2.1.1 RPM RPM Package Manager 2.1.1
cpe:/a:rpm:rpm:3.0.4 RPM RPM Package Manager 3.0.4
cpe:/a:rpm:rpm:3.0.2 RPM RPM Package Manager 3.0.2
cpe:/a:rpm:rpm:1.4.6 RPM RPM Package Manager 1.4.6
cpe:/a:rpm:rpm:2.3.3 RPM RPM Package Manager 2.3.3
cpe:/a:rpm:rpm:3.0.3 RPM RPM Package Manager 3.0.3
cpe:/a:rpm:rpm:2.5.6 RPM RPM Package Manager 2.5.6
cpe:/a:rpm:rpm:2.0.8 RPM RPM Package Manager 2.0.8
cpe:/a:rpm:rpm:2.5.5 RPM RPM Package Manager 2.5.5
cpe:/a:rpm:rpm:2.3.2 RPM RPM Package Manager 2.3.2
cpe:/a:rpm:rpm:3.0.6 RPM RPM Package Manager 3.0.6
cpe:/a:rpm:rpm:2.6.7 RPM RPM Package Manager 2.4.7
cpe:/a:rpm:rpm:1.4.4 RPM RPM Package Manager 1.4.4
cpe:/a:rpm:rpm:4.4.2.1 RPM RPM Package Manager 4.4.2.1
cpe:/a:rpm:rpm:2.4.9 RPM RPM Package Manager 2.4.9
cpe:/a:rpm:rpm:2.4.8 RPM RPM Package Manager 2.4.8
cpe:/a:rpm:rpm:2.2.8 RPM RPM Package Manager 2.2.8
cpe:/a:rpm:rpm:2.2.2 RPM RPM Package Manager 2.2.2
cpe:/a:rpm:rpm:1.3 RPM RPM Package Manager 1.3
cpe:/a:rpm:rpm:2.0.6 RPM RPM Package Manager 2.0.6
cpe:/a:rpm:rpm:2.3 RPM RPM Package Manager 2.3
cpe:/a:rpm:rpm:1.4.3 RPM RPM Package Manager 1.4.3
cpe:/a:rpm:rpm:1.4.5 RPM RPM Package Manager 1.4.5
cpe:/a:rpm:rpm:2.2.10 RPM RPM Package Manager 2.2.10
cpe:/a:rpm:rpm:2.4.12 RPM RPM Package Manager 2.4.12
cpe:/a:rpm:rpm:2.0 RPM RPM Package Manager 2.0
cpe:/a:rpm:rpm:2.2.4 RPM RPM Package Manager 2.2.4
cpe:/a:rpm:rpm:2.3.6 RPM RPM Package Manager 2.3.6
cpe:/a:rpm:rpm:2.5 RPM RPM Package Manager 2.5
cpe:/a:rpm:rpm:2.2.3.10 RPM RPM Package Manager 2.3.10
cpe:/a:rpm:rpm:2.0.2 RPM RPM Package Manager 2.0.2
cpe:/a:rpm:rpm:2.4.6 RPM RPM Package Manager 2.4.6
cpe:/a:rpm:rpm:2.4.1 RPM RPM Package Manager 2.4.1
cpe:/a:rpm:rpm:2.4.4 RPM RPM Package Manager 2.4.4
cpe:/a:rpm:rpm:2.2.1 RPM RPM Package Manager 2.2.1
cpe:/a:rpm:rpm:4.0.2 RPM RPM Package Manager 4.0.2
cpe:/a:rpm:rpm:3.0.5 RPM RPM Package Manager 3.0.5
cpe:/a:rpm:rpm:2.4.2 RPM RPM Package Manager 2.4.2
cpe:/a:rpm:rpm:2.3.4 RPM RPM Package Manager 2.3.4
cpe:/a:rpm:rpm:2.4.3 RPM RPM Package Manager 2.4.3
cpe:/a:rpm:rpm:2.2.3 RPM RPM Package Manager 2.2.3
cpe:/a:rpm:rpm:2.0.9 RPM RPM Package Manager 2.0.9
cpe:/a:rpm:rpm:1.2 RPM RPM Package Manager 1.2
cpe:/a:rpm:rpm:2.2.11 RPM RPM Package Manager 2.2.11
cpe:/a:rpm:rpm:4.0.4 RPM RPM Package Manager 4.0.4
cpe:/a:rpm:rpm:2.4.5 RPM RPM Package Manager 2.4.5
cpe:/a:rpm:rpm:2.2.7 RPM RPM Package Manager 2.2.7
cpe:/a:rpm:rpm:2.3.5 RPM RPM Package Manager 2.3.5
cpe:/a:rpm:rpm:2.1 RPM RPM Package Manager 2.1
cpe:/a:rpm:rpm:2.0.7 RPM RPM Package Manager 2.0.7
cpe:/a:rpm:rpm:2.5.1 RPM RPM Package Manager 2.5.1
cpe:/a:rpm:rpm:2.5.2 RPM RPM Package Manager 2.5.2
cpe:/a:rpm:rpm:2.0.1 RPM RPM Package Manager 2.0.1
cpe:/a:rpm:rpm:2.2.5 RPM RPM Package Manager 2.2.5
cpe:/a:rpm:rpm:2.2.6 RPM RPM Package Manager 2.2.6
cpe:/a:rpm:rpm:2.3.1 RPM RPM Package Manager 2.3.1
cpe:/a:rpm:rpm:4.0.3 RPM RPM Package Manager 4.0.3
cpe:/a:rpm:rpm:1.4.2 RPM RPM Package Manager 1.4.2
cpe:/a:rpm:rpm:1.4.7 RPM RPM Package Manager 1.4.7
cpe:/a:rpm:rpm:1.3.1 RPM RPM Package Manager 1.3.1
cpe:/a:rpm:rpm:2.0.5 RPM RPM Package Manager 2.0.5
cpe:/a:rpm:rpm:4.4.2.2 RPM RPM Package Manager 4.4.2.2
cpe:/a:rpm:rpm:2.3.7 RPM RPM Package Manager 2.3.7
cpe:/a:rpm:rpm:2.2 RPM RPM Package Manager 2.2
cpe:/a:rpm:rpm:3.0.1 RPM RPM Package Manager 3.0.1
cpe:/a:rpm:rpm:2..4.10
cpe:/a:rpm:rpm:4.0.1 RPM RPM Package Manager 4.0.1
cpe:/a:rpm:rpm:2.2.3.11 RPM RPM Package Manager 2.3.11
cpe:/a:rpm:rpm:4.0. RPM RPM Package Manager 4.0
cpe:/a:rpm:rpm:2.5.4 RPM RPM Package Manager 2.5.4
cpe:/a:rpm:rpm:2.2.9 RPM RPM Package Manager 2.2.9
cpe:/a:rpm:rpm:4.4.2.3 RPM RPM Package Manager 4.4.2.3
cpe:/a:rpm:rpm:2.4.11 RPM RPM Package Manager 2..11
cpe:/a:rpm:rpm:4.4.2.
cpe:/a:rpm:rpm:2.5.3 RPM RPM Package Manager 2.5.3
cpe:/a:rpm:rpm:2.0.3 RPM RPM Package Manager 2.0.3

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4889
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201006-075
(Official data source) CNNVD

- Other Links and Resources

http://distrib-coffee.ipsl.jussieu.fr/pub/mirrors/rpm/files/rpm/rpm-4.4/rpm-4.4.3.tar.gz
(PATCH)  CONFIRM  http://distrib-coffee.ipsl.jussieu.fr/pub/mirrors/rpm/files/rpm/rpm-4.4/rpm-4.4.3.tar.gz
https://bugzilla.redhat.com/show_bug.cgi?id=598775
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=598775
https://bugzilla.redhat.com/show_bug.cgi?id=125517
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=125517
http://xforce.iss.net/xforce/xfdb/59426
(UNKNOWN)  XF  rpm-setgid-privilege-escalation(59426)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:180
(UNKNOWN)  MANDRIVA  MDVSA-2010:180

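- Vulnerability Information

RPM 'lib/fsm.c' Permissions and Access Control Vulnerability
High risk  Permissions and access control
2010-06-10 00:00:00 2010-06-17 00:00:00
Local
        When an RPM package is deleted during a package upgrade, lib/fsm.c in RPM does not properly reset the metadata of executable files; a local user can gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://distrib-coffee.ipsl.jussieu.fr/pub/mirrors/rpm/files/rpm/rpm-4.4/rpm-4.4.3.tar.gz
        

- Vulnerability Information (F93811)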

Mandriva Linux Security Advisory 2010-180 (PacketStormID:F93811)
2010-09-14 00:00:00
Mandriva  mandriva.com
advisory,local
linux,mandriva
CVE-2005-4889,CVE-2010-2059

Mandriva Linux Security Advisory 2010-180 - lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable setgid file. The updated packages have been patched to correct this issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:180
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : rpm
 Date    : September 13, 2010
 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in rpm:
 
 lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and
 RPM before 4.4.3, does not properly reset the metadata of an executable
 file during replacement of the file in an RPM package upgrade, which
 might allow local users to gain privileges by creating a hard link
 to a vulnerable (1) setuid or (2) setgid file (CVE-2010-2059).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMjXFDmqjQ0CJFipgRAiQMAKCA/tEwPO/XEgxl5kmGzr+7ggbW8wCgr7eb
7DGZPpGWmV7PfAeWrRymf9I=
=m5rf
-----END PGP SIGNATURE-----
    

- Vulnerability Information

65143
Red Hat Package Manager (RPM) Package Upgrade SetUID/SetGID Weakness
Local Access Required Other
Loss of Integrity Patch / RCS
Exploit Unknown Vendor Verified

- Vulnerability Description

- Timeline

2010-06-02 Unknown
Unknown 2010-06-02

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Red Hat has released a patch to address this vulnerability.

- References

- Vulnerability Author

Unknown or Incomplete
 

 
