Debians sikkerhedsbulletin

DSA-098-1 libgtop -- formatstrengssårbarhed og bufferoverløb

Rapporteret den:
9. jan 2002
Berørte pakker:
libgtop
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2001-0927, CVE-2001-0928.
Yderligere oplysninger:

To forskellige problemer er blevet fundet i libgtop-daemon:

  • Laboratoriet intexxia har fundet et formatstrengsproblem i logningskoden i libgtop_daemon. Der var to logningsfunktioner som blev kaldt når en klient skulle autoriseres, hvilket kunne udnyttes af en fjernbruger.
  • Flavio Veloso fandt et bufferoverløb i funktionen som autoriserer klienter

Da libgtop_daemon kører som brugeren nobody kunne begge fejl benyttes til at få adgang som brugeren nobody, til et system som kører libgtop_daemon.

Begge problemer er blevet rettet i version 1.0.6-1.1 og vi anbefaler at du omgående opgraderer din libgtop-daemon-pakke.

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:
http://security.debian.org/dists/stable/updates/main/source/libgtop_1.0.6-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/libgtop_1.0.6-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/libgtop_1.0.6.orig.tar.gz
Alpha:
http://security.debian.org/dists/stable/updates/main/binary-alpha/libgtop-daemon_1.0.6-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libgtop-dev_1.0.6-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/libgtop1_1.0.6-1.1_alpha.deb
ARM:
http://security.debian.org/dists/stable/updates/main/binary-arm/libgtop-daemon_1.0.6-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libgtop-dev_1.0.6-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/libgtop1_1.0.6-1.1_arm.deb
Intel IA-32:
http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop-daemon_1.0.6-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop-dev_1.0.6-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop1_1.0.6-1.1_i386.deb
Motorola 680x0:
http://security.debian.org/dists/stable/updates/main/binary-m68k/libgtop-daemon_1.0.6-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libgtop-dev_1.0.6-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/libgtop1_1.0.6-1.1_m68k.deb
PowerPC:
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libgtop-daemon_1.0.6-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libgtop-dev_1.0.6-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/libgtop1_1.0.6-1.1_powerpc.deb
Sun Sparc:
http://security.debian.org/dists/stable/updates/main/binary-sparc/libgtop-daemon_1.0.6-1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libgtop-dev_1.0.6-1.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/libgtop1_1.0.6-1.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.