Debians sikkerhedsbulletin

DSA-085-1 nvi -- sårbarhed overfor format-streng

Rapporteret den:

20. okt 2001

Berørte pakker:

nvi, nvi-m17n

Sårbar:

Referencer i sikkerhedsdatabaser:

Der er pt. ingen tilgængelige eksterne sikkerhedsreferencer i andre databaser.

Yderligere oplysninger:

Takeshi Uno fandt en meget tåbelig format-streng-sårbarhed i alle versioner af nvi (i begge, den almindelige og den flersprogede version). Når et filnavn gemmes, vises det på skærmen. Rutinen som tager sig af dette, håndterede det ikke korrekt.

Problemet er rettet i version 1.79-16a.1 af nvi og version 1.79+19991117-2.3 af nvi-m17n i den stabile Debian GNU/Linux 2.2.

Selvom vi ikke tror at dette kunne give nogen adgang til en anden brugers konto, med mindre vedkommende er gået fra forstanden, så anbefaler vi at du opgraderer dine nvi-pakker.

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:: http://security.debian.org/dists/stable/updates/main/source/nvi-m17n_1.79+19991117-2.3.diff.gz; http://security.debian.org/dists/stable/updates/main/source/nvi-m17n_1.79+19991117-2.3.dsc; http://security.debian.org/dists/stable/updates/main/source/nvi-m17n_1.79+19991117.orig.tar.gz; http://security.debian.org/dists/stable/updates/main/source/nvi_1.79-16a.1.diff.gz; http://security.debian.org/dists/stable/updates/main/source/nvi_1.79-16a.1.dsc; http://security.debian.org/dists/stable/updates/main/source/nvi_1.79.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/dists/stable/updates/main/binary-all/nvi-m17n-common_1.79+19991117-2.3_all.deb
Alpha:: http://security.debian.org/dists/stable/updates/main/binary-alpha/nvi-m17n-canna_1.79+19991117-2.3_alpha.deb; http://security.debian.org/dists/stable/updates/main/binary-alpha/nvi-m17n_1.79+19991117-2.3_alpha.deb; http://security.debian.org/dists/stable/updates/main/binary-alpha/nvi_1.79-16a.1_alpha.deb
ARM:: http://security.debian.org/dists/stable/updates/main/binary-arm/nvi-m17n-canna_1.79+19991117-2.3_arm.deb; http://security.debian.org/dists/stable/updates/main/binary-arm/nvi-m17n_1.79+19991117-2.3_arm.deb; http://security.debian.org/dists/stable/updates/main/binary-arm/nvi_1.79-16a.1_arm.deb
Intel ia32:: http://security.debian.org/dists/stable/updates/main/binary-i386/nvi-m17n-canna_1.79+19991117-2.3_i386.deb; http://security.debian.org/dists/stable/updates/main/binary-i386/nvi-m17n_1.79+19991117-2.3_i386.deb; http://security.debian.org/dists/stable/updates/main/binary-i386/nvi_1.79-16a.1_i386.deb
Motorola 680x0:: http://security.debian.org/dists/stable/updates/main/binary-m68k/nvi-m17n-canna_1.79+19991117-2.3_m68k.deb; http://security.debian.org/dists/stable/updates/main/binary-m68k/nvi-m17n_1.79+19991117-2.3_m68k.deb; http://security.debian.org/dists/stable/updates/main/binary-m68k/nvi_1.79-16a.1_m68k.deb
PowerPC:: http://security.debian.org/dists/stable/updates/main/binary-powerpc/nvi-m17n-canna_1.79+19991117-2.3_powerpc.deb; http://security.debian.org/dists/stable/updates/main/binary-powerpc/nvi-m17n_1.79+19991117-2.3_powerpc.deb; http://security.debian.org/dists/stable/updates/main/binary-powerpc/nvi_1.79-16a.1_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/stable/updates/main/binary-sparc/nvi-m17n-canna_1.79+19991117-2.3_sparc.deb; http://security.debian.org/dists/stable/updates/main/binary-sparc/nvi-m17n_1.79+19991117-2.3_sparc.deb; http://security.debian.org/dists/stable/updates/main/binary-sparc/nvi_1.79-16a.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.