信息来源:绿盟科技
发布日期:2006-08-25
更新日期:2006-08-28
受影响系统:
Streamripper Streamripper 1.61.25
Streamripper Streamripper 1.61.24
不受影响系统:
Streamripper Streamripper 1.61.26
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 19707
CVE(CAN) ID: CVE-2006-3124
StreamRipper能够将网上的MP3流媒体保存到硬盘中,特别适合录制网络MP3广播。
StreamRipper在处理服务器返回的某些HTTP头字段时存在缓冲区溢出,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
如果用户受骗访问了攻击设置的恶意服务器的话就可能触发这个漏洞,导致执行任意指令。
<*来源:Ulf Harnhammer (
ulfh@update.uu.se)
链接:
http://secunia.com/advisories/21579/
http://www.debian.org/security/2005/dsa-1158
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1158-1)以及相应补丁:
DSA-1158-1:New streamripper packages fix arbitrary code execution
链接:
http://www.debian.org/security/2005/dsa-1158
补丁下载:
Source archives:
http://security.debian.org/pool/ ... _1.61.7-1sarge1.dsc
Size/MD5 checksum: 684 81c2011992a47019464e689e62a0e2fc
http://security.debian.org/pool/ ... 1.7-1sarge1.diff.gz
Size/MD5 checksum: 2748 a55c6752bf1f5cd184516e018f7b1d5b
http://security.debian.org/pool/ ... _1.61.7.orig.tar.gz
Size/MD5 checksum: 245448 87e16d42fb7625525eafe769edd2e9b3
Alpha architecture:
http://security.debian.org/pool/ ... 7-1sarge1_alpha.deb
Size/MD5 checksum: 62730 a11cd910042103cd75a229468e786a25
AMD64 architecture:
http://security.debian.org/pool/ ... 7-1sarge1_amd64.deb
Size/MD5 checksum: 55886 93a8ab72c2a969b8eee99c9e105d8ad1
ARM architecture:
http://security.debian.org/pool/ ... 1.7-1sarge1_arm.deb
Size/MD5 checksum: 51734 3d19a4711f9373be5630e1024f515ddc
Intel IA-32 architecture:
http://security.debian.org/pool/ ... .7-1sarge1_i386.deb
Size/MD5 checksum: 51694 cb59ef062ca1ca0c74a5b7359d2b5acd
Intel IA-64 architecture:
http://security.debian.org/pool/ ... .7-1sarge1_ia64.deb
Size/MD5 checksum: 68218 ff13f983398a4694350916f4d44a817c
HP Precision architecture:
http://security.debian.org/pool/ ... .7-1sarge1_hppa.deb
Size/MD5 checksum: 57016 aad39a310b38f131840929345cf50d6b
Motorola 680x0 architecture:
http://security.debian.org/pool/ ... .7-1sarge1_m68k.deb
Size/MD5 checksum: 47922 a19ab1dd7fb150ae73fce92e519ab94e
Big endian MIPS architecture:
http://security.debian.org/pool/ ... .7-1sarge1_mips.deb
Size/MD5 checksum: 57088 b90697a7aecf7c2d838bdfae4af1ccc5
Little endian MIPS architecture:
http://security.debian.org/pool/ ... -1sarge1_mipsel.deb
Size/MD5 checksum: 57490 0f1fbaeeec94a7f4c4d1340e68d611bb
PowerPC architecture:
http://security.debian.org/pool/ ... 1sarge1_powerpc.deb
Size/MD5 checksum: 55912 b2590326f71ddb6f9bf44fc933b28c50
IBM S/390 architecture:
http://security.debian.org/pool/ ... .7-1sarge1_s390.deb
Size/MD5 checksum: 55456 60afcd68f13f131040c68cde36f4464a
Sun Sparc architecture:
http://security.debian.org/pool/ ... 7-1sarge1_sparc.deb
Size/MD5 checksum: 51266 73736226d97be58202e1619518e3ae25
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Streamripper
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://sourceforge.net/project/showfiles.php?group_id=6172
