CVE-2006-0459
CVSS 7.5
Published: 2006-03-29 18:02:00
Revised: 2011-03-07 21:30:04

[Original] flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.


[CNNVD] Flex generated-code buffer overflow vulnerability (CNNVD-200603-493)

        flex is a tool used to generate scanner code.
        flex has a problem when handling a certain file option; a local attacker could exploit this vulnerability to escalate privileges.
        At line 930 of the source file "gen.c":
        *YY_G(yy_state_ptr)++ = yy_current_state;
        If the user input contains particular characters, this statement executes in a loop; that is, the amount of memory the loop writes is determined entirely by the user input.
        The buffer that yy_state_ptr points to has a fixed size (16 KB, i.e. room for 4096 pointers). If a token in the user input contains more than 4096 characters, the buffer overflows.
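The following C model is added here to illustrate the defect described above; it is not flex's own code. It assumes a 4096-slot state stack of 4-byte entries (matching the record's 16 KB figure) and shows the bounds check that the unchecked `*yy_state_ptr++ = yy_current_state;` pattern lacks: a push per token character, refused once the fixed buffer is full.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity matching the record: 16 KB of 4-byte slots = 4096 states. */
#define STATE_BUF_SLOTS 4096

typedef struct {
    int32_t  states[STATE_BUF_SLOTS];
    int32_t *state_ptr;   /* next free slot; plays the role of yy_state_ptr */
} state_stack;

/* Bounded push: the capacity check missing from the unchecked
 * "*yy_state_ptr++ = yy_current_state;" pattern. */
static int push_state_checked(state_stack *s, int32_t state)
{
    if (s->state_ptr >= s->states + STATE_BUF_SLOTS)
        return -1;        /* full: report instead of writing past the array */
    *s->state_ptr++ = state;
    return 0;
}

/* One state push per token character, as the record describes.
 * Returns the number of states pushed, or -1 if the stack would overflow. */
static long scan_token(const char *token, size_t len)
{
    state_stack s;
    s.state_ptr = s.states;
    for (size_t i = 0; i < len; i++) {
        int32_t next = (int32_t)(unsigned char)token[i]; /* stand-in for yy_current_state */
        if (push_state_checked(&s, next) != 0)
            return -1;
    }
    return (long)(s.state_ptr - s.states);
}

/* Constructed input: a token of n identical bytes (hypothetical helper). */
static long scan_token_of_length(size_t n)
{
    char *token = malloc(n ? n : 1);
    if (!token) return -1;
    memset(token, 'a', n);
    long pushed = scan_token(token, n);
    free(token);
    return pushed;
}
```

A 4096-character token fills the stack exactly; a 4097-character token is the case that, without the check, writes one slot past the end.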

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:will_estes_and_john_millaway:flex:2.5.32
cpe:/a:will_estes_and_john_millaway:flex:2.5.30

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0459
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0459
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-493
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24995
(PATCH)  XF  flex-bypass-security(24995)
http://www.us.debian.org/security/2006/dsa-1020
(VENDOR_ADVISORY)  DEBIAN  DSA-1020
http://www.securityfocus.com/bid/16896
(PATCH)  BID  16896
http://www.osvdb.org/23440
(PATCH)  OSVDB  23440
http://secunia.com/advisories/19424
(VENDOR_ADVISORY)  SECUNIA  19424
http://secunia.com/advisories/19071
(VENDOR_ADVISORY)  SECUNIA  19071
http://www.vupen.com/english/advisories/2006/0770
(UNKNOWN)  VUPEN  ADV-2006-0770
http://www.ubuntulinux.org/support/documentation/usn/usn-260-1
(UNKNOWN)  UBUNTU  USN-260-1
http://www.gentoo.org/security/en/glsa/glsa-200603-07.xml
(UNKNOWN)  GENTOO  GLSA-200603-07
http://sourceforge.net/mailarchive/forum.php?thread_name=20060223020346.GA11231%40tabitha.home.tldz.org&forum_name=flex-announce
(UNKNOWN)  MLIST  [flex-announce] 20060222 flex 2.5.33 released
http://securityreason.com/securityalert/570
(UNKNOWN)  SREASON  570
http://secunia.com/advisories/19228
(VENDOR_ADVISORY)  SECUNIA  19228
http://secunia.com/advisories/19126
(VENDOR_ADVISORY)  SECUNIA  19126
http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download
(UNKNOWN)  CONFIRM  http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.bz2?download

- Vulnerability information

Flex generated-code buffer overflow vulnerability
High risk, buffer overflow
2006-03-29 00:00:00 2006-03-30 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
        http://prdownloads.sourceforge.net/flex/flex-2.5.33.tar.gz

- Vulnerability information

23440
Fast Lexical Analyzer Generator (Flex) Multiple Lexicographical Scanners Overflow
Location Unknown Input Manipulation, Attack Type Unknown
Loss of Integrity, Impact Unknown
Exploit Unknown

- Vulnerability description

Fast Lexical Analyzer Generator (Flex) contains a flaw that may allow arbitrary code execution. The issue is due to a buffer overflow in a particular class of lexicographical scanners generated by flex. It is unclear if there are additional vulnerabilities.

- Timeline

2006-02-22 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.5.33 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Flex Code Generation Buffer Overflow Vulnerability
Class: Boundary Condition Error
BID: 16896
Remote: Yes
Local: No
Published: 2006-03-01 12:00:00
Updated: 2007-01-02 05:52:00
Chris Moore discovered this issue.

- Affected program versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
GNU Flex 2.5.32
GNU Flex 2.5.31
GNU Flex 2.5.30
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
GNU Flex 2.5.33

- Unaffected program versions

GNU Flex 2.5.33

- Vulnerability discussion

Flex is prone to a buffer-overflow vulnerability. This issue is due to a failure in the application to do proper bounds checking on user-supplied data before using it in finite-sized memory buffers.

An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. This may facilitate a compromise of the underlying computer.

Flex versions 2.5.31 and prior are vulnerable.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released version 2.5.33 to address this issue.

Please see the referenced vendor advisories for further information.

