Vulnerabilities > CVE-2009-4014 - Use of Externally-Controlled Format String vulnerability in Debian Lintian
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple format string vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to have an unspecified impact via vectors involving (1) check scripts and (2) the Lintian::Schedule module.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-891-1.NASL description Raphael Geissert discovered that lintian did not correctly validate certain filenames when processing input. If a user or an automated system were tricked into running lintian on a specially crafted set of files, a remote attacker could execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 44327 published 2010-01-28 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44327 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : lintian vulnerabilities (USN-891-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-891-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(44327); script_version("1.16"); script_cvs_date("Date: 2019/09/19 12:54:26"); script_cve_id("CVE-2009-4013", "CVE-2009-4014", "CVE-2009-4015"); script_xref(name:"USN", value:"891-1"); script_name(english:"Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : lintian vulnerabilities (USN-891-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Raphael Geissert discovered that lintian did not correctly validate certain filenames when processing input. If a user or an automated system were tricked into running lintian on a specially crafted set of files, a remote attacker could execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/891-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected lintian package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(22, 89, 134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:lintian"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:8.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:9.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/02"); script_set_attribute(attribute:"patch_publication_date", value:"2010/01/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(6\.06|8\.04|8\.10|9\.04|9\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 8.04 / 8.10 / 9.04 / 9.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"6.06", pkgname:"lintian", pkgver:"1.23.16ubuntu2.1")) flag++; if (ubuntu_check(osver:"8.04", pkgname:"lintian", pkgver:"1.23.46ubuntu0.1")) flag++; if (ubuntu_check(osver:"8.10", pkgname:"lintian", pkgver:"1.24.3ubuntu0.1")) flag++; if (ubuntu_check(osver:"9.04", pkgname:"lintian", pkgver:"2.2.5ubuntu1.1")) flag++; if (ubuntu_check(osver:"9.10", pkgname:"lintian", pkgver:"2.2.17ubuntu1.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "lintian"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1979.NASL description Multiple vulnerabilities have been discovered in lintian, a Debian package checker. The following Common Vulnerabilities and Exposures project ids have been assigned to identify them : - CVE-2009-4013: missing control files sanitation Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems last seen 2020-06-01 modified 2020-06-02 plugin id 44843 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44843 title Debian DSA-1979-1 : lintian - multiple vulnerabilities
Seebug
| bulletinFamily | exploit |
| description | Bugraq ID: 37975 CVE ID:CVE-2009-4013 CVE-2009-4014 CVE-2009-4015 Debian Lintian是一款软件包检查程序。 Debian Lintian存在多个安全漏洞,本地攻击者可以利用这些漏洞执行任意代码或者提升特权或获得敏感信息。 CVE-2009-4013:控制文件过滤缺失 CNCVE ID:CNCVE-20094013 CNCVE-20094014 CNCVE-20094015 CNCVE-20094013 控制字段名称和值在使用前没有充分过滤,在部分操作下可导致目录遍历。 Patch systems控制文件在使用前没有充分过滤,在部分操作下可导致目录遍历。 攻击者可以利用这些漏洞覆盖任意文件或泄漏系统信息。 CVE-2009-4014:格式字符串漏洞 CNCVE ID:CNCVE-20094013 CNCVE-20094014 CNCVE-20094015 CNCVE-20094013 CNCVE-20094014 多个检查脚本和Lintian::Schedule模块使用用户提供的输入作为sprintf/printf格式串参数。 CVE-2009-4015:任意命令执行 CNCVE ID:CNCVE-20094013 CNCVE-20094014 CNCVE-20094015 CNCVE-20094013 CNCVE-20094014 CNCVE-20094015 文件名没有充分过滤就直接传递给部分命令作参数,允许以管道或SHELL命令集执行其他命令。 Debian lintian Debian linux用户可参考如下升级程序: Debian Linux 4.0 amd64 Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 ia-32 Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 arm Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 hppa Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 ia-64 Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 4.0 hppa Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 sparc Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 s/390 Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 m68k Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 arm Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 4.0 powerpc Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 alpha Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 armel Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 armel Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 4.0 m68k Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 4.0 Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 mipsel Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 amd64 Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 alpha Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 ia-32 Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 mips Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 s/390 Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 mipsel Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 5.0 powerpc Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb Debian Linux 4.0 ia-64 Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 4.0 mips Debian lintian_1.23.28+etch1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.23.28 +etch1_all.deb Debian Linux 5.0 sparc Debian lintian_1.24.2.1+lenny1_all.deb http://security.debian.org/pool/updates/main/l/lintian/lintian_1.24.2. 1+lenny1_all.deb |
| id | SSV:19044 |
| last seen | 2017-11-19 |
| modified | 2010-02-02 |
| published | 2010-02-02 |
| reporter | Root |
| title | Debian Lintian多个本地安全漏洞 |
References
- http://packages.qa.debian.org/l/lintian/news/20100128T015554Z.html
- http://www.securityfocus.com/bid/37975
- http://secunia.com/advisories/38375
- http://www.debian.org/security/2010/dsa-1979
- http://www.ubuntu.com/usn/USN-891-1
- http://secunia.com/advisories/38379
- http://packages.debian.org/changelogs/pool/main/l/lintian/lintian_2.3.2/changelog
- http://git.debian.org/?p=lintian/lintian.git%3Ba=commit%3Bh=fbe0c92b2ef7e360d13414bf40d6af5507d0c86d
- http://git.debian.org/?p=lintian/lintian.git%3Ba=commit%3Bh=c8d01f062b3e5137cf65196760b079a855c75e00