Seebug SSV:4348 (Root)
Oct 27, 2008 - 12:00 a.m.

libspf2 DNS TXT Record Handling Heap Overflow Vulnerability

Source: www.seebug.org

EPSS: 0.911 (High), percentile 98.9%

BUGTRAQ ID: 31881
CVE(CAN) ID: CVE-2008-2469

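libspf2 is a library that implements the Sender Policy Framework (SPF), allowing mail systems to check SPF records and confirm that a message was authorized by the sending domain.

The SPF_dns_resolv_lookup function in the Spf_dns_resolv.c file of libspf2 contains a heap overflow. If a user resolves an overlong DNS TXT record that carries a specially crafted length field, the overflow can be triggered, leading to arbitrary code execution.

A DNS TXT record contains two length fields: first the overall length of the record, and second a sub-length field, ranging from 0 to 255, that describes the length of a particular string within the record. The two values are not tied to each other in any way, and DNS servers do not enforce any filtering checks on them. When a DNS TXT record is received, the outer record length is the amount of memory allocated, but the copy uses the inner length, which can trigger the overflow.

The vulnerable code in LibSPF2 is shown below: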

Spf_dns_resolv.c#SPF_dns_resolv_lookup():

       case ns_t_txt:
           if ( rdlen > 1 )
           {
               u_char *src, *dst;
               size_t len;

               // allocate rdlen bytes at spfrr->rr[cnt]->txt
               if ( SPF_dns_rr_buf_realloc( spfrr, cnt, rdlen ) != SPF_E_SUCCESS )
                   return spfrr;

               dst = spfrr->rr[cnt]->txt;
               len = 0;
               src = (u_char *)rdata;
               while ( rdlen > 0 )
               {
                   len = *src; // get a second length from the attacker controlled datastream: some value from 0 to 255, unbound to rdlen
                   src++;
                   memcpy( dst, src, len ); // copy that second length to rdlen byte buffer.
                   dst += len;
                   src += len;
                   rdlen -= len + 1;
               }
               *dst = '\0';
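
The check missing from the loop above, as an added example (this is not libspf2's code or its actual patch): a TXT RDATA parser that validates every inner length byte against the bytes remaining in the record and against the destination capacity before copying. The function name `txt_rdata_concat` and the two sample records are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Concatenate the character-strings of a TXT RDATA into dst (NUL-terminated).
 * Returns bytes written, or -1 if an inner length overruns the record
 * or the destination buffer. */
long txt_rdata_concat(const unsigned char *rdata, size_t rdlen,
                      unsigned char *dst, size_t dstcap)
{
    size_t in = 0, out = 0;

    if (dstcap == 0)
        return -1;
    while (in < rdlen) {
        size_t len = rdata[in++];      /* inner length byte, 0..255 */
        if (len > rdlen - in)          /* string claims more than the record holds */
            return -1;
        if (len >= dstcap - out)       /* would not leave room for the NUL */
            return -1;
        memcpy(dst + out, rdata + in, len);
        in += len;
        out += len;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed sample records, not captured traffic. */
static const unsigned char GOOD[] = {7,'v','=','s','p','f','1',' ',4,'-','a','l','l'};
static const unsigned char BAD[]  = {3,'a','b','c',0xff,'d','e'};  /* 0xff > 2 bytes left */
static unsigned char OUT[sizeof GOOD];  /* rdlen bytes, as in the advisory */

int main(void)
{
    printf("good: %ld\n", txt_rdata_concat(GOOD, sizeof GOOD, OUT, sizeof OUT));
    printf("bad:  %ld\n", txt_rdata_concat(BAD, sizeof BAD, OUT, sizeof OUT));
    return 0;
}
```

A well-formed record always fits in an rdlen-byte buffer because each string gives up one byte to its length prefix; only a record whose inner length disagrees with the outer one is rejected.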

Wayne Schlitt libspf2 <1.2.8
Debian

Debian has released a security advisory (DSA-1659-1) and corresponding patches for this issue:
DSA-1659-1: New libspf2 packages fix potential remote code execution
Link: http://www.debian.org/security/2008/dsa-1659

Patch downloads:


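Patch installation:

  1. Install the patch package manually:

    First, download the patch package with the following command:

    wget url (url is the patch download link)

    Then install the patch with the following command:

    dpkg -i file.deb (file is the name of the corresponding patch package)

  2. Install the patch package automatically with apt-get:

    First, update the internal database with the following command:

    apt-get update

    Then install the updated packages with the following command:

    apt-get upgrade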

Wayne Schlitt

The vendor has released an upgrade that fixes this security issue; download it from the vendor's home page:

http://www.libspf2.org/spf/libspf2-1.2.8.tar.gz


                                                http://www.sebug.net/exploit/4959/