Vulnerability in the asn1 implementation in (a) the Linux kernel (CVE-2008-1673)
CVSS v2.0 severity:
HIGH
Type:
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
Publication date:
10/06/2008
Last modified:
09/04/2025
Description
The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding.
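The three length conditions named in the description, written as explicit checks in a minimal BER header validator. This is an added example, not the kernel's or gxsnmp's code and not the upstream fix; the function names, error codes and the decision to reject multi-byte tag numbers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative names (assumptions); not the kernel's asn1 API. */
enum ber_err { BER_OK, BER_TRUNCATED, BER_UNSUPPORTED, BER_LEN_OVERRUN,
               BER_EMPTY_OID, BER_INDEF_PRIMITIVE };

/* Validate one BER tag/length header against the avail bytes in buf.
 * On BER_OK: *hdr = header size, *len = content length (0 if *indef). */
enum ber_err ber_check_header(const uint8_t *buf, size_t avail,
                              size_t *hdr, size_t *len, int *indef)
{
    size_t pos = 2, v = 0, n, i;
    *hdr = *len = 0; *indef = 0;
    if (avail < 2)
        return BER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f)      /* multi-byte tag numbers not handled here */
        return BER_UNSUPPORTED;
    if (buf[1] == 0x80) {             /* indefinite-length form */
        if (!(buf[0] & 0x20))         /* case (3): only constructed encodings may use it */
            return BER_INDEF_PRIMITIVE;
        *indef = 1; *hdr = 2;
        return BER_OK;
    }
    if (buf[1] & 0x80) {              /* long form: low 7 bits = count of length octets */
        n = buf[1] & 0x7f;
        if (n > sizeof(size_t))       /* would not fit in size_t */
            return BER_UNSUPPORTED;
        if (n > avail - 2)            /* length octets themselves are cut off */
            return BER_TRUNCATED;
        for (i = 0; i < n; i++)
            v = (v << 8) | buf[pos++];
    } else {
        v = buf[1];                   /* short form */
    }
    if (v > avail - pos)              /* case (1): length exceeds the remaining buffer */
        return BER_LEN_OVERRUN;
    if (buf[0] == 0x06 && v == 0)     /* case (2): OBJECT IDENTIFIER with no content */
        return BER_EMPTY_OID;
    *hdr = pos; *len = v;
    return BER_OK;
}

/* Status-only wrapper; constructed input 06 00 gives BER_EMPTY_OID. */
enum ber_err ber_status(const uint8_t *buf, size_t avail)
{
    size_t h, l; int indef;
    return ber_check_header(buf, avail, &h, &l, &indef);
}
```

Comparing the decoded length with `avail - pos` rather than computing `pos + v` keeps the bounds check itself free of integer overflow.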
Impact
Base score 2.0
10.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:alpha:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:amd64:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:arm:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:hppa:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:ia-32:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:ia-64:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:m68k:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:mips:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:mipsel:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:powerpc:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:s-390:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:4.0:*:sparc:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.4.0:*:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:2.4.0:test1:*:*:*:*:*:* | | |

To see the full list of CPE names with products and versions, see this page
References to solutions, tools and information
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git%3Ba%3Dcommit%3Bh%3D33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba%3Dcommit%3Bh%3Dddb2c43594f22843e9f3153da151deaba1a834c5
- http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.6
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5
- http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00001.html
- http://secunia.com/advisories/30000
- http://secunia.com/advisories/30580
- http://secunia.com/advisories/30644
- http://secunia.com/advisories/30658
- http://secunia.com/advisories/30982
- http://secunia.com/advisories/31107
- http://secunia.com/advisories/31836
- http://secunia.com/advisories/32103
- http://secunia.com/advisories/32104
- http://secunia.com/advisories/32370
- http://secunia.com/advisories/32759
- http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0189
- http://www.debian.org/security/2008/dsa-1592
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A113
- http://www.mandriva.com/security/advisories?name=MDVSA-2008%3A174
- http://www.securityfocus.com/archive/1/493300/100/0/threaded
- http://www.securityfocus.com/bid/29589
- http://www.securitytracker.com/id?1020210=
- http://www.ubuntu.com/usn/usn-625-1
- http://www.vupen.com/english/advisories/2008/1770
- https://bugzilla.redhat.com/show_bug.cgi?id=443962
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42921
- https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00587.html



