CVE-2006-0300
CVSS 5.1
Published: 2006-02-23 19:02:00
Last revised: 2011-03-07 21:29:44
NMCOPS    

[Original] Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers.


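[CNNVD] GNU tar invalid header structure buffer overflow vulnerability (CNNVD-200602-370)

        GNU tar creates and extracts tar archives and performs various archive management tasks.
        The tar utility has a buffer overflow vulnerability when processing invalid header structures, which may allow an attacker to execute arbitrary code.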

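- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]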

- CPE (affected platforms and products)

cpe:/a:gnu:tar:1.15  GNU tar 1.15
cpe:/a:gnu:tar:1.15.1  GNU tar 1.15.1
cpe:/a:gnu:tar:1.14.1  GNU tar 1.14.1
cpe:/a:gnu:tar:1.14  GNU tar 1.14
cpe:/a:gnu:tar:1.15.90  GNU tar 1.15.90

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9295  Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly exe...
oval:org.mitre.oval:def:6094  Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)
oval:org.mitre.oval:def:5993  Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)
oval:org.mitre.oval:def:5978  Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)
oval:org.mitre.oval:def:5252  Security Vulnerability in GNU tar May Lead to Arbitrary Code Execution or Denial of Service (DoS)
*OVAL describes in detail how to detect this vulnerability; further technical details for detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0300
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0300
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-370
(Official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA07-109A.html
(UNKNOWN)  CERT  TA07-109A
http://www.us-cert.gov/cas/techalerts/TA07-072A.html
(UNKNOWN)  CERT  TA07-072A
http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:046
(VENDOR_ADVISORY)  MANDRIVA  MDKSA-2006:046
http://www.osvdb.org/23371
(PATCH)  OSVDB  23371
http://secunia.com/advisories/18999
(VENDOR_ADVISORY)  SECUNIA  18999
http://secunia.com/advisories/18976
(VENDOR_ADVISORY)  SECUNIA  18976
http://xforce.iss.net/xforce/xfdb/24855
(UNKNOWN)  XF  gnu-tar-pax-headers-bo(24855)
http://www.vupen.com/english/advisories/2008/2518
(UNKNOWN)  VUPEN  ADV-2008-2518
http://www.vupen.com/english/advisories/2007/1470
(UNKNOWN)  VUPEN  ADV-2007-1470
http://www.vupen.com/english/advisories/2007/0930
(UNKNOWN)  VUPEN  ADV-2007-0930
http://www.vupen.com/english/advisories/2006/0684
(UNKNOWN)  VUPEN  ADV-2006-0684
http://www.ubuntulinux.org/support/documentation/usn/usn-257-1
(VENDOR_ADVISORY)  UBUNTU  USN-257-1
http://www.trustix.org/errata/2006/0010
(VENDOR_ADVISORY)  TRUSTIX  2006-0010
http://www.securityfocus.com/bid/16764
(UNKNOWN)  BID  16764
http://www.securityfocus.com/archive/1/archive/1/430299/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:183571-2
http://www.redhat.com/support/errata/RHSA-2006-0232.html
(UNKNOWN)  REDHAT  RHSA-2006:0232
http://www.openpkg.org/security/OpenPKG-SA-2006.006-tar.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2006.006
http://www.novell.com/linux/security/advisories/2006_05_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2006:005
http://www.gentoo.org/security/en/glsa/glsa-200603-06.xml
(UNKNOWN)  GENTOO  GLSA-200603-06
http://www.debian.org/security/2006/dsa-987
(UNKNOWN)  DEBIAN  DSA-987
http://sunsolve.sun.com/search/document.do?assetkey=1-26-241646-1
(UNKNOWN)  SUNALERT  241646
http://securitytracker.com/id?1015705
(UNKNOWN)  SECTRACK  1015705
http://secunia.com/advisories/19236
(UNKNOWN)  SECUNIA  19236
http://secunia.com/advisories/19152
(UNKNOWN)  SECUNIA  19152
http://secunia.com/advisories/19130
(UNKNOWN)  SECUNIA  19130
http://secunia.com/advisories/19093
(UNKNOWN)  SECUNIA  19093
http://secunia.com/advisories/19016
(UNKNOWN)  SECUNIA  19016
http://secunia.com/advisories/18973
(VENDOR_ADVISORY)  SECUNIA  18973
http://lists.gnu.org/archive/html/bug-tar/2006-02/msg00051.html
(UNKNOWN)  MLIST  [Bug-tar] 20060220 tar 1.15.90 released
http://securityreason.com/securityalert/543
(UNKNOWN)  SREASON  543
http://securityreason.com/securityalert/480
(UNKNOWN)  SREASON  480
http://secunia.com/advisories/24966
(UNKNOWN)  SECUNIA  24966
http://secunia.com/advisories/24479
(UNKNOWN)  SECUNIA  24479
http://secunia.com/advisories/20042
(UNKNOWN)  SECUNIA  20042
http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
(UNKNOWN)  APPLE  APPLE-SA-2007-03-13
http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
(UNKNOWN)  APPLE  APPLE-SA-2007-04-19
http://docs.info.apple.com/article.html?artnum=305391
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=305391
http://docs.info.apple.com/article.html?artnum=305214
(UNKNOWN)  CONFIRM  http://docs.info.apple.com/article.html?artnum=305214

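- Vulnerability information

GNU tar invalid header structure buffer overflow vulnerability
Medium severity  Buffer overflow
2006-02-23 00:00:00 2006-08-28 00:00:00
Remote
        GNU tar creates and extracts tar archives and performs various archive management tasks.
        The tar utility has a buffer overflow vulnerability when processing invalid header structures, which may allow an attacker to execute arbitrary code.

- Advisories and patches

        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: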
        http://www.gnu.org

- Vulnerability information (F44169)

Ubuntu Security Notice 257-1 (PacketStormID:F44169)
2006-02-26 00:00:00
Ubuntu  security.ubuntu.com
advisory,arbitrary
linux,ubuntu
CVE-2006-0300

Ubuntu Security Notice USN-257-1 - Jim Meyering discovered that tar did not properly verify the validity of certain header fields in a GNU tar archive. By tricking a user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user.

===========================================================
Ubuntu Security Notice USN-257-1	  February 23, 2006
tar vulnerability
CVE-2006-0300
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

tar

The problem can be corrected by upgrading the affected package to
version 1.14-2ubuntu0.1 (for Ubuntu 5.04), or 1.15.1-2ubuntu0.1 (for
Ubuntu 5.10).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Jim Meyering discovered that tar did not properly verify the validity
of certain header fields in a GNU tar archive. By tricking a user
into processing a specially crafted tar archive, this could be
exploited to execute arbitrary code with the privileges of the user.

The tar version in Ubuntu 4.10 is not affected by this vulnerability.


Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.diff.gz
      Size/MD5:    21395 1f8f561b862e0eaa1d3d76ab5b0805cc
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1.dsc
      Size/MD5:      568 1ac96d117355d0c6501bcfc0603d7f35
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14.orig.tar.gz
      Size/MD5:  1485633 3094544702b1affa32d969f0b6459663

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_amd64.deb
      Size/MD5:   374144 92a29882b472aae37c4f241a2b3d70b7

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_i386.deb
      Size/MD5:   366426 bd8a627f95eea1d4dd38da1b8cb755a2

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.14-2ubuntu0.1_powerpc.deb
      Size/MD5:   377108 8d1b6600f06a051dc7236e8e65c2032f

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.diff.gz
      Size/MD5:    28928 e545480fd691241448cd885504e50393
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1.dsc
      Size/MD5:      576 c9d9bf92c8460d314cb3320666b01294
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
      Size/MD5:  2204322 d87021366fe6488e9dc398fcdcb6ed7d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_amd64.deb
      Size/MD5:   531590 9f7a550698b0a138f4d92ec06ecfec96

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_i386.deb
      Size/MD5:   519510 fd362a5872f6924e491e2caf7639162b

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu0.1_powerpc.deb
      Size/MD5:   533538 c8148419548837909a81da6983af2964
    

- Vulnerability information

23371
GNU tar PAX Extended Headers Handling Overflow
Local Access Required, Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability description

A remote overflow exists in GNU Tar. GNU Tar fails to properly handle PAX extended headers resulting in a buffer overflow. With a specially crafted .tar archive, an attacker can cause arbitrary command execution when the victim lists the tar contents or extracts the archive.

- Timeline

2006-02-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.15.90 (alpha) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability credit

- Vulnerability information

GNU Tar Invalid Headers Buffer Overflow Vulnerability
Boundary Condition Error 16764
Yes No
2006-02-22 12:00:00 2009-04-30 03:56:00
Discovered by Jim Meyering.

- Affected versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun OpenSolaris build snv_80
Sun OpenSolaris build snv_68
Sun OpenSolaris build snv_67
Sun OpenSolaris build snv_64
Sun OpenSolaris build snv_59
Sun OpenSolaris build snv_39
Sun OpenSolaris build snv_36
Sun OpenSolaris build snv_22
Sun OpenSolaris build snv_19
Sun OpenSolaris build snv_13
Sun OpenSolaris build snv_02
Sun OpenSolaris build snv_01
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Desktop 4.0
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenPKG OpenPKG Current
GNU tar 1.15.90
GNU tar 1.15.1
GNU tar 1.14.90
GNU tar 1.15
GNU tar 1.14
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Avaya S8710 R2.0.1
Avaya S8710 R2.0.0
Avaya S8700 R2.0.1
Avaya S8700 R2.0.0
Avaya S8500 R2.0.1
Avaya S8500 R2.0.0
Avaya S8300 R2.0.1
Avaya S8300 R2.0.0
Avaya Interactive Response 3.0
Avaya Interactive Response 2.0
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Sun OpenSolaris build snv_81

- Unaffected versions

Sun OpenSolaris build snv_81

- Discussion

GNU Tar is prone to a buffer overflow when handling invalid headers. Successful exploitation could potentially lead to arbitrary code execution, but this has not been confirmed.

Tar 1.14 through 1.15.90 are affected; other versions may also be vulnerable.

- Exploit

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Patches are available from various vendors. Please see the referenced advisories for details.


Sun Solaris 10.0

GNU tar 1.14

Sun Solaris 9

Sun Solaris 9_x86

GNU tar 1.15.1

Apple Mac OS X 10.4

Apple Mac OS X Server 10.4

Apple Mac OS X Server 10.4.1

Apple Mac OS X 10.4.2

Apple Mac OS X Server 10.4.3

Apple Mac OS X 10.4.3

Apple Mac OS X Server 10.4.4

Apple Mac OS X 10.4.4

Apple Mac OS X Server 10.4.5

Apple Mac OS X 10.4.5

Apple Mac OS X Server 10.4.6

Apple Mac OS X Server 10.4.7

Apple Mac OS X 10.4.7

Apple Mac OS X 10.4.8

Apple Mac OS X Server 10.4.8

Apple Mac OS X Server 10.4.9

Apple Mac OS X 10.4.9

- Related references

 

 
