Python getaddrinfo Function Remote Buffer Overflow Vulnerability (1)

Affected systems:
Python Software Foundation Python 2.2
Python Software Foundation Python 2.2.1
    - Debian Linux 3.0
    - Mandrake Linux Corporate Server 2.1
    - Mandrake Linux 9.0

Not affected:
Python Software Foundation Python 2.2.2

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9836
CVE(CAN) ID: CAN-2004-0150
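Python is a powerful open-source scripting language.
The 'getaddrinfo' function included in Python lacks sufficient buffer bounds checking. A remote attacker can exploit this vulnerability to execute arbitrary instructions on the system with the privileges of the user running the process.
The 'getaddrinfo' function included in Python allows a remote attacker to supply an IPv6 address via DNS. Because the length of the supplied address is not sufficiently bounds-checked, an overly long IPv6 address can cause a buffer overflow, and carefully crafted data may execute arbitrary instructions on the system with the privileges of the user running the process. No detailed vulnerability information is currently available.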
<*Source: Sebastian Schmidt
Link: http://www.debian.org/security/2002/dsa-458 *>
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Debian
------
Debian has released a security advisory (DSA-458-1) and corresponding patches for this issue:
DSA-458-1: New python2.2 packages fix buffer overflow
Link: http://www.debian.org/security/2002/dsa-458

Patch download:
Source archives:
http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.3.dsc
    Size/MD5 checksum: 1150 026cac287c887609b61eb9fa776d08e7
http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1-4.3.diff.gz
    Size/MD5 checksum: 92168 5490c5305412b26e913ef0c9d3942f92
http://security.debian.org/pool/updates/main/p/python2.2/python2.2_2.2.1.orig.tar.gz
    Size/MD5 checksum: 6536167 88aa07574673ccfaf35904253c78fc7d
Architecture independent components:
http://security.debian.org/pool/updates/main/p/python2.2/idle-python2.2_2.2.1-4.3_all.deb
    Size/MD5 checksum: 112800 2f7bbe87cd65fc46d692549fdc2ae27a
http://security.debian.org/pool/updates/main/p/python2.2/python2.2-doc_2.2.1-4.3_all.deb
    Size/MD5 checksum: 1307068 dda8d059664d4b8ee062ac3e10b844a9
http://security.debian.org/pool/updates/main/p/python2.2/python2.2-elisp_2.2.1-4.3_all.deb