NewsX NNTP SysLog存在格式字符串攻击漏洞发布时间:2002-07-18 更新时间:2002-07-18 严重程度:中 威胁程度:普通用户访问权限 错误类型:输入验证错误 利用方式:客户机模式 BUGTRAQ ID:5240 受影响系统 newsx newsx 1.4 pl6详细描述 NewsX NNTP客户端存在格式字符串攻击漏洞,远程攻击者可以利用伪造服务器应答进行攻击,成功攻击可以以NNTP客户端权限执行任意代码。 测试代码 无 解决方案 使用如下补丁: diff -urN /usr/ports/news/newsx.orig/Makefile /usr/ports/news/newsx/Makefile --- /usr/ports/news/newsx.orig/Makefile Sun Jul 7 22:00:46 2002 +++ /usr/ports/news/newsx/Makefile Mon Jul 15 21:51:29 2002 @@ -6,10 +6,10 @@ # PORTNAME= newsx -PORTVERSION= 1.4.6 +PORTVERSION= 1.4.8 CATEGORIES= news MASTER_SITES= ftp://ftp.kvaleberg.com/pub/ -DISTNAME= ${PORTNAME}-${PORTVERSION:S/.6/pl6/} +DISTNAME= ${PORTNAME}-${PORTVERSION:S/.8/pl6/} MAINTAINER= thierry@pompo.net diff -urN /usr/ports/news/newsx.orig/files/patch-configure.in /usr/ports/news/newsx/files/patch-configure.in --- /usr/ports/news/newsx.orig/files/patch-configure.in Thu Jan 31 21:55:12 2002 +++ /usr/ports/news/newsx/files/patch-configure.in Mon Jul 15 21:47:42 2002 @@ -1,5 +1,14 @@ --- configure.in.orig Tue Jan 29 20:15:19 2002 -+++ configure.in Thu Jan 31 01:05:04 2002 ++++ configure.in Mon Jul 15 21:46:55 2002 +@@ -167,7 +167,7 @@ + dnl + AC_INIT(FAQ) + +-AM_INIT_AUTOMAKE(newsx, 1.4pl6) ++AM_INIT_AUTOMAKE(newsx, 1.4pl8) + AM_CONFIG_HEADER(config.h) + dnl Only most recent year required: + COPYRIGHT="Copyright 2002 Egil Kvaleberg <egil@kvaleberg.no>" @@ -189,7 +189,7 @@ dnl Default list of locations to visit in search of the dnl news configuration file diff -urN /usr/ports/news/newsx.orig/files/patch-src_logmsg.c /usr/ports/news/newsx/files/patch-src_logmsg.c --- /usr/ports/news/newsx.orig/files/patch-src_logmsg.c Thu Jan 1 01:00:00 1970 +++ /usr/ports/news/newsx/files/patch-src_logmsg.c Mon Jul 15 21:40:27 2002 @@ -0,0 +1,74 @@ +--- src/logmsg.c.orig Wed Feb 14 07:55:40 2001 ++++ src/logmsg.c Mon Jul 15 21:38:30 2002 +@@ -1,4 +1,4 @@ +-/* VER 079 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $ ++/* VER 080 TAB P $Id: logmsg.c,v 1.10.2.1 2001/02/14 06:55:40 egil Exp $ + * + * handle error messages and such... + * +@@ -60,9 +60,9 @@ + /* + * try to make a surrogate + * we assume that on those architectures where this trick +- * doesn't work there we will surely have stdarg.h or varargs.h ++ * doesn't work there we will surely be stdarg.h or varargs.h + */ +-#define vsprintf(buf, fmt, ap) sprintf(buf, fmt, arg1, arg2, arg3, arg4) ++#define vsnprintf(buf,siz,fmt,ap) snprintf(buf,siz,fmt, arg1,arg2,arg3,arg4) + #define vfprintf(file, fmt, ap) fprintf(file, fmt, arg1, arg2, arg3, arg4) + #endif + +@@ -156,7 +156,7 @@ + #endif + { + int e; +- char buf[BUFSIZ]; /* BUG: do we risk overwriting it? */ ++ char buf[BUFSIZ]; + + #if HAVE_VPRINTF + va_list ap; +@@ -176,34 +176,33 @@ + case L_ERRno: + case L_ERR: + e = errno; +- vsprintf(buf, fmt, ap); +- if (type == L_ERRno) { +- sprintf(buf + strlen (buf), ": %s", str_error(e)); +- } +- strcat(buf, "\n"); ++ vsnprintf(buf, sizeof(buf), fmt, ap); + #if HAVE_SYSLOG_H + if (!debug_opt) { +- syslog(LOG_ERR, buf); ++ syslog(LOG_ERR, "%s%s%s\n", buf, ++ ((type==L_ERRno) ? ": ":""), ++ ((type==L_ERRno) ? str_error(e):"")); + } else + #endif + { + clean_line(); +- fprintf(stderr, "%s: %s", pname, buf); ++ fprintf(stderr, "%s: %s%s%s\n", pname, buf, ++ ((type==L_ERRno) ? ": ":""), ++ ((type==L_ERRno) ? str_error(e):"")); + fflush(stderr); + } + break; + + case L_INFO: +- vsprintf(buf, fmt, ap); +- strcat(buf, "\n"); ++ vsnprintf(buf, sizeof(buf), fmt, ap); + #if HAVE_SYSLOG_H + if (!debug_opt) { +- syslog(LOG_INFO, buf); ++ syslog(LOG_INFO, "%s\n", buf); + } else + #endif + { + clean_line(); +- fprintf(stderr, "%s", buf); ++ fprintf(stderr, "%s\n", buf); + fflush(stderr); + fflush(stderr); + } + break; --- 相关信息 <zillion@snosoft.com>. 参考:http://docs.freebsd.org/cgi/getmsg.cgi?fetch=45919+0+current/freebsd-security |
