Ranjivost prepisivanja spremnika otkrivena je i ispravljena u radu paketa bash. Udaljeni napadač bi mogao iskoristiti propust za rušenje aplikacije tj. DoS napad.
Paket:
bash 3.x
Operacijski sustavi:
Mandriva Linux 2011
Problem:
preljev međuspremnika
Iskorištavanje:
udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2012-3410
Izvorni ID preporuke:
MDVSA-2012:128
Izvor:
Mandriva
Problem:
Ranjivost se javlja zbog nepravilnosi u obradi imena "/dev/fd" datoteka.
Posljedica:
Udaljeni zlonamjerni korisnik bi mogao iskoristiti propust za rušenje aplikacije, ukoliko podmetne posebno oblikovanu Bash skriptu.
Rješenje:
Svim se korisnicima, u svrhu zaštite, savjetuje instalacija nadogradnji.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:128
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bash
Date : August 9, 2012
Affected: 2011.
_______________________________________________________________________
Problem Description:
A vulnerability was found and corrected in bash:
A stack-based buffer overflow flaw was found in the way bash, the
GNU Bourne Again shell, expanded certain /dev/fd file names when
checking file names ('test' command) and evaluating /dev/fd file
names in conditinal command expressions. A remote attacker could
provide a specially-crafted Bash script that, when executed, would
cause the bash executable to crash (CVE-2012-3410).
Additionally the official patches 011 to 037 for bash-4.2 has been
applied which resolves other issues found, including the CVE-2012-3410
vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-011
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-012
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-013
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-014
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-015
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-016
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-017
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-018
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-019
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-020
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-021
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-022
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-023
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-024
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-025
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-026
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-027
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-028
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-029
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-030
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-031
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-032
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-033
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-034
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-035
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-036
ftp://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-037
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2011:
e855aeda31d44a58bcc5690c3fb32498 2011/i586/bash-4.2-9.1-mdv2011.0.i586.rpm
78bbd74e7af07ce4be8f07901a05e05e 2011/i586/bash-doc-4.2-9.1-mdv2011.0.i586.rpm
dedc630238e16c08a0748d4ab0ecf4e8 2011/SRPMS/bash-4.2-9.1.src.rpm
Mandriva Linux 2011/X86_64:
af9fdfc0bfb3e393f363a25c136ed3f0
2011/x86_64/bash-4.2-9.1-mdv2011.0.x86_64.rpm
7aba42d877ae9c60cc7ac1c82425f500
2011/x86_64/bash-doc-4.2-9.1-mdv2011.0.x86_64.rpm
dedc630238e16c08a0748d4ab0ecf4e8 2011/SRPMS/bash-4.2-9.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFQI58WmqjQ0CJFipgRAlxnAKDZTuwrtKBg7lTqWVw6W2jMoD1aBACglBV9
Jde58aJNBfunTIh0ejx4sLc=
=AkQf
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke