漏洞信息详情
GKrellM Newsticker远程命令执行漏洞
- CNNVD编号:CNNVD-200305-030
- 危害等级: 高危
![图片[1]-GKrellM Newsticker远程命令执行漏洞-一一网](https://www.proyy.com/skycj/data/images/2021-05-16/bbdd3e8868c10d22861b2275d65f4500.png)
- CVE编号:
CVE-2003-0205
- 漏洞类型:
输入验证
- 发布时间:
2003-04-23
- 威胁类型:
远程
- 更新时间:
2005-10-20
- 厂 商:
gkrellm_newsticker - 漏洞来源:
Brian Campbell -
漏洞简介
gkrellm-newsticker是gkrellm系统监视程序的插件。
newsticker在查看\’\’ticker\’\’标题时对SHELL元字符缺少正确过滤,远程攻击者可以利用这个漏洞构建恶意标题,诱使用户访问,可能以用户进程权限在系统上执行任意命令。
当用户使用newsticker点击URI提供的\’\’ticker\’\’标题时,由于软件对特殊SHELL字符缺少充分过滤,攻击者提供恶意的标题,当用户点击时,可在客户端机器上执行任意SHELL命令。
漏洞公告
临时解决方法:
如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
* Brian Campbell提供如下第三方补丁:
diff -ur gkrellm-newsticker-0.3.orig/newsticker.c gkrellm-newsticker-0.3/newsticker.c
— gkrellm-newsticker-0.3.orig/newsticker.c Sun Jan 20 21:02:40 2002
+++ gkrellm-newsticker-0.3/newsticker.c Sat Apr 5 09:37:18 2003
@@ -292,7 +292,12 @@
pt = strchr(pt, ‘>’);
pt++;
pt2 = strstr(buf, “”);
– nt->link = g_strndup(pt, (pt2 – pt));
+ /* Can’t handle multiple lines properly, but at least make some
+ * effort. */
+ if (pt2)
+ nt->link = g_strndup(pt, (pt2 – pt));
+ else
+ nt->link = g_strdup(pt);
flag++;
continue;
}
@@ -306,10 +311,20 @@
pt = strchr(pt, ‘>’);
pt++;
pt2 = strstr(buf, “”);
– if (flag == 2)
– nt->headline = g_strndup(pt, (pt2 – pt));
– else
– nt->headline = g_strconcat(nt->headline, ” — “, g_strndup(pt, (pt2 – pt)), NULL);
+ /* Again, let’s not fail completely when the element spans more
+ * than one line. */
+ if (pt2)
+ {
+ if (flag == 2)
+ nt->headline = g_strndup(pt, (pt2 – pt));
+ else
+ nt->headline = g_strconcat(nt->headline, ” — “, g_strndup(pt, (pt2 – pt)), NULL);
+ } else {
+ if (flag == 2)
+ nt->headline = g_strdup(pt);
+ else
+ nt->headline = g_strconcat(nt->headline, ” — “, g_strdup(pt), NULL);
+ }
flag++;
if (flag > (num_headlines+1))
break;
@@ -474,10 +489,36 @@
return FALSE;
}
+/* Make a URI suitable for use in a shell command. */
+static gchar *escape_uri(gchar *uri)
+{
+ gchar *cur, *result, *resultcur;
+ int count = 1;
+
+ for (cur = uri; *cur; cur++)
+ count += (*cur == ‘\”) ? 3 : 1;
+
+ result = g_malloc(count);
+ for (cur = uri, resultcur = result; *cur; cur++)
+ {
+ if (*cur == ‘\”)
+ {
+ *resultcur++ = ‘%’;
+ *resultcur++ = ‘2’;
+ *resultcur++ = ‘7’;
+ }
+ else
+ *resultcur++ = *cur;
+ }
+ *resultcur = ‘\0’;
+
+ return result;
+}
static gint panel_click_event(GtkWidget *widget, GdkEventButton *ev)
{
gchar *command;
+ gchar *link;
GList *list;
Newsticker *nt;
@@ -490,7 +531,9 @@
{
if ((ev->button == 1) && (strcmp(nt->link, “NULL”)))
{
– command = g_strdup_printf(browser, nt->link);
+ link = escape_uri(nt->link);
+ command = g_strdup_printf(browser, link);
+ g_free(link);
command = g_strconcat(command, ” &”, NULL);
system(command);
g_free(command);
厂商补丁:
Debian
——
Source archives:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.dsc” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.dsc
Size/MD5 checksum: 736 48df0aef0622167773057cd7bf0fd17f
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.diff.gz” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1.diff.gz
Size/MD5 checksum: 2468 bc17c9c128b8a2550f7812dae9f4b163
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3.orig.tar.gz” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3.orig.tar.gz
Size/MD5 checksum: 25849 41a647c4671f6801ed9b3a3de7d414ca
Alpha architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_alpha.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_alpha.deb
Size/MD5 checksum: 43506 47726e8c350b581bbf453f5d5c231dbd
ARM architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_arm.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_arm.deb
Size/MD5 checksum: 37756 addfe4f87f35f0243a83b0e5e9286646
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_i386.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_i386.deb
Size/MD5 checksum: 36030 48cc15c0da005d6b53757dfcee318dd0
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_ia64.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_ia64.deb
Size/MD5 checksum: 47160 f195d6caee4c186ed2ee6921eb454daa
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_hppa.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_hppa.deb
Size/MD5 checksum: 43974 5140d9e63e1647ff314c0c4044ddd4d3
Motorola 680×0 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_m68k.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_m68k.deb
Size/MD5 checksum: 42164 3a2f0b85e3c7d6ee741c121f719c33ad
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mips.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mips.deb
Size/MD5 checksum: 36786 84ba4b61bd0c3c32459829a27ed1b010
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mipsel.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_mipsel.deb
Size/MD5 checksum: 35532 ead6c8290f38890b11188406c990180d
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_powerpc.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_powerpc.deb
Size/MD5 checksum: 41210 cb1ee388ea55ce2d4e5e7d7f2af1cf52
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_s390.deb” target=”_blank”>
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_s390.deb
Size/MD5 checksum: 42644 1c1bc26dcf280c12df5785c6ba6afe24
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/gkrellm-newsticker/gkrellm-newsticker_0.3-3.1_sparc.deb” target=”_b
来源: DEBIAN
名称: DSA-294
链接:http://www.debian.org/security/2003/dsa-294
来源: BUGTRAQ
名称: 20030423 Security problems in gkrellm-newsticker
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105111327000755&w=2
![[桜井宁宁]COS和泉纱雾超可爱写真福利集-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/4d3cf227a85d7e79f5d6b4efb6bde3e8.jpg)
![[桜井宁宁] 爆乳奶牛少女cos写真-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/d40483e126fcf567894e89c65eaca655.jpg)
