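Vulnerability Details
Ncompress Long Filename Buffer Overflow Vulnerability
- CNNVD ID: CNNVD-200412-095
- Severity: High
- CVE ID: CVE-2001-1413
- Vulnerability type: Buffer overflow
- Published: 2004-12-23
- Threat type: Remote
- Updated: 2005-10-20
- Vendor: ncompress
- Vulnerability source: Pavel Kankovsky di…
Vulnerability Summary
A stack-based buffer overflow exists in the comprexx function of ncompress 4.2.4 and earlier. When ncompress is used across a security boundary (for example, by an FTP server), a remote attacker can execute arbitrary code via an overly long filename argument.
Vulnerability Advisory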
Gentoo Linux has released advisory GLSA 200410-08 to address this issue. Users of affected packages are urged to execute the following commands with superuser privileges:
emerge sync
emerge -pv ">=app-arch/ncompress-4.2.4-r1"
emerge ">=app-arch/ncompress-4.2.4-r1"
Please see the referenced advisory for further information.
Red Hat has released advisory RHSA-2004:536-05 to address this issue in Red Hat Enterprise Linux operating systems. Please see the referenced advisory for further information.
Avaya has made an advisory available (ASA-2005-015) dealing with this issue for various products. In all cases Avaya recommends that ncompress be removed from their affected software, as it is not required for execution. All Avaya hardware affected by this issue will have the vulnerable packages removed from future versions. For more information, please see the referenced security advisory.
References
Source: US-CERT Vulnerability Note: VU#176363
Name: VU#176363
Link: http://www.kb.cert.org/vuls/id/176363
Source: REDHAT
Name: RHSA-2004:536
Link: http://www.redhat.com/support/errata/RHSA-2004-536.html
Source: GENTOO
Name: GLSA-200410-08
Link: http://security.gentoo.org/glsa/glsa-200410-08.xml
Source: XF
Name: ncompress-filename-bo(10619)
Link: http://xforce.iss.net/xforce/xfdb/10619
Source: VULN-DEV
Name: 20010621 New bugs, old bugs
Link: http://seclists.org/lists/vuln-dev/2001/Nov/0202.html