GNU gzip Dynamic Huffman Decompression Remote Code Execution Vulnerability

Cause of vulnerability
Boundary condition error
Severity level

 
Affected systems
GNU gzip 1.3.12
GNU gzip 1.3.5
GNU gzip 1.3.4
GNU gzip 1.3.3t
GNU gzip 1.3.3
GNU gzip 1.3.2
GNU gzip 1.3
GNU gzip 1.2.4a
GNU gzip 1.2.4
 
Unaffected systems
 
Impact
A remote attacker can exploit this vulnerability to execute arbitrary instructions with the privileges of the application.
 
Conditions required for attack
The attacker must construct a malicious GZIP archive and lure a user into parsing it.
 
Vulnerability details
GNU gzip is a file compression utility.
GNU gzip has a flaw in its handling of malformed compressed files. If a user, or the system automatically, opens a specially crafted gzip file, an attacker can crash gzip or execute arbitrary instructions with the privileges of the application.
 
Test method
 
Vendor solution
Users may refer to the security patches provided by the following vendors:
Ubuntu Linux 9.10 sparc
  Ubuntu gzip_1.3.12-8ubuntu1.1_sparc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_sparc.deb
Debian Linux 5.0 ia-64
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_ia64.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_ia64.deb
Ubuntu Linux 8.04 LTS powerpc
  Ubuntu gzip_1.3.12-3.2ubuntu0.1_powerpc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_powerpc.deb
Ubuntu Linux 8.10 powerpc
  Ubuntu gzip_1.3.12-6ubuntu2.8.10.1_powerpc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_powerpc.deb
Ubuntu Linux 8.04 LTS sparc
  Ubuntu gzip_1.3.12-3.2ubuntu0.1_sparc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_sparc.deb
Ubuntu Linux 9.10 powerpc
  Ubuntu gzip_1.3.12-8ubuntu1.1_powerpc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_powerpc.deb
Ubuntu Linux 6.06 LTS sparc
  Ubuntu gzip_1.3.5-12ubuntu0.3_sparc.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_sparc.deb
Debian Linux 5.0 alpha
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_alpha.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_alpha.deb
MandrakeSoft Linux Mandrake 2008.0 x86_64
  Mandriva gzip-1.3.12-1.1mdv2008.0.x86_64.rpm
  http://www.mandriva.com/en/download/
Ubuntu Linux 8.04 LTS amd64
  Ubuntu gzip_1.3.12-3.2ubuntu0.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_amd64.deb
MandrakeSoft Linux Mandrake 2008.0
  Mandriva gzip-1.3.12-1.1mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
Ubuntu Linux 9.10 lpia
  Ubuntu gzip_1.3.12-8ubuntu1.1_lpia.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_lpia.deb
Debian Linux 5.0 mipsel
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_mipsel.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_mipsel.deb
Ubuntu Linux 9.04 sparc
  Ubuntu gzip_1.3.12-6ubuntu2.9.04.1_sparc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_sparc.deb
MandrakeSoft Linux Mandrake 2010.0
  Mandriva gzip-1.3.12-5.1mdv2010.0.i586.rpm
  http://www.mandriva.com/en/download/
Ubuntu Linux 9.04 powerpc
  Ubuntu gzip_1.3.12-6ubuntu2.9.04.1_powerpc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_powerpc.deb
Debian Linux 4.0 amd64
  Debian gzip_1.3.5-15+etch1_amd64.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_amd64.deb
Debian Linux 4.0 ia-32
  Debian gzip_1.3.5-15+etch1_i386.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_i386.deb
Debian Linux 4.0 hppa
  Debian gzip_1.3.5-15+etch1_hppa.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_hppa.deb
Ubuntu Linux 9.04 i386
  Ubuntu gzip_1.3.12-6ubuntu2.9.04.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_i386.deb
Ubuntu Linux 9.04 lpia
  Ubuntu gzip_1.3.12-6ubuntu2.9.04.1_lpia.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_lpia.deb
Ubuntu Linux 8.10 sparc
  Ubuntu gzip_1.3.12-6ubuntu2.8.10.1_sparc.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_sparc.deb
Ubuntu Linux 9.10 i386
  Ubuntu gzip_1.3.12-8ubuntu1.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_i386.deb
Debian Linux 5.0 armel
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_armel.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_armel.deb
Debian Linux 5.0
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
Ubuntu Linux 9.10 amd64
  Ubuntu gzip_1.3.12-8ubuntu1.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-8ubuntu1.1_amd64.deb
Debian Linux 4.0 mipsel
  Debian gzip_1.3.5-15+etch1_mipsel.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_mipsel.deb
MandrakeSoft Linux Mandrake 2009.0 x86_64
  Mandriva gzip-1.3.12-3.1mdv2009.0.x86_64.rpm
  http://www.mandriva.com/en/download/
Debian Linux 5.0 mips
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
Ubuntu Linux 9.04 amd64
  Ubuntu gzip_1.3.12-6ubuntu2.9.04.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.9.04.1_amd64.deb
MandrakeSoft Linux Mandrake 2009.1
  Mandriva gzip-1.3.12-4.1mdv2009.1.i586.rpm
  http://www.mandriva.com/en/download/
Ubuntu Linux 8.10 amd64
  Ubuntu gzip_1.3.12-6ubuntu2.8.10.1_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_amd64.deb
Debian Linux 4.0 ia-64
  Debian gzip_1.3.5-15+etch1_ia64.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_ia64.deb
Debian Linux 5.0 sparc
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_sparc.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_sparc.deb
Debian Linux 4.0 arm
  Debian gzip_1.3.5-15+etch1_arm.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_arm.deb
MandrakeSoft Linux Mandrake 2009.1 x86_64
  Mandriva gzip-1.3.12-4.1mdv2009.1.x86_64.rpm
  http://www.mandriva.com/en/download/
Debian Linux 4.0 powerpc
  Debian gzip_1.3.5-15+etch1_powerpc.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_powerpc.deb
Ubuntu Linux 8.10 i386
  Ubuntu gzip_1.3.12-6ubuntu2.8.10.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_i386.deb
MandrakeSoft Enterprise Server 5 x86_64
  Mandriva gzip-1.3.12-3.1mdvmes5.x86_64.rpm
  http://www.mandriva.com/en/download/
Debian Linux 5.0 ia-32
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_i386.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_i386.deb
Ubuntu Linux 6.06 LTS powerpc
  Ubuntu gzip_1.3.5-12ubuntu0.3_powerpc.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_powerpc.deb
MandrakeSoft Enterprise Server 5
  Mandriva gzip-1.3.12-3.1mdvmes5.i586.rpm
  http://www.mandriva.com/en/download/
Debian Linux 5.0 s/390
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_s390.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_s390.deb
Ubuntu Linux 8.04 LTS lpia
  Ubuntu gzip_1.3.12-3.2ubuntu0.1_lpia.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_lpia.deb
Ubuntu Linux 6.06 LTS i386
  Ubuntu gzip_1.3.5-12ubuntu0.3_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_i386.deb
Ubuntu Linux 8.10 lpia
  Ubuntu gzip_1.3.12-6ubuntu2.8.10.1_lpia.deb
  http://ports.ubuntu.com/pool/main/g/gzip/gzip_1.3.12-6ubuntu2.8.10.1_lpia.deb
Ubuntu Linux 6.06 LTS amd64
  Ubuntu gzip_1.3.5-12ubuntu0.3_amd64.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.5-12ubuntu0.3_amd64.deb
MandrakeSoft Linux Mandrake 2010.0 x86_64
  Mandriva gzip-1.3.12-5.1mdv2010.0.x86_64.rpm
  http://www.mandriva.com/en/download/
Debian Linux 5.0 hppa
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_hppa.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_hppa.deb
Debian Linux 4.0 sparc
  Debian gzip_1.3.5-15+etch1_sparc.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_sparc.deb
Debian Linux 4.0 s/390
  Debian gzip_1.3.5-15+etch1_s390.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_s390.deb
Debian Linux 5.0 m68k
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
Debian Linux 5.0 arm
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_arm.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_arm.deb
MandrakeSoft Linux Mandrake 2009.0
  Mandriva gzip-1.3.12-3.1mdv2009.0.i586.rpm
  http://www.mandriva.com/en/download/
Debian Linux 4.0 alpha
  Debian gzip_1.3.5-15+etch1_alpha.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.5-15+etch1_alpha.deb
MandrakeSoft Corporate Server 4.0
  Mandriva gzip-1.2.4a-15.4.20060mlcs4.i586.rpm
  http://www.mandriva.com/en/download/
Ubuntu Linux 8.04 LTS i386
  Ubuntu gzip_1.3.12-3.2ubuntu0.1_i386.deb
  http://security.ubuntu.com/ubuntu/pool/main/g/gzip/gzip_1.3.12-3.2ubuntu0.1_i386.deb
Debian Linux 5.0 amd64
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_amd64.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_amd64.deb
Debian Linux 5.0 powerpc
  Debian gzip-win32_1.3.12-6+lenny1_all.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip-win32_1.3.12-6+lenny1_all.deb
  Debian gzip_1.3.12-6+lenny1_powerpc.deb
  http://security.debian.org/pool/updates/main/g/gzip/gzip_1.3.12-6+lenny1_powerpc.deb
MandrakeSoft Corporate Server 4.0 x86_64
  Mandriva gzip-1.2.4a-15.4.20060mlcs4.x86_64.rpm
  http://www.mandriva.com/en/download/
 
Reported by
Thiemo Nagel
