GNU Anubis Multiple Remote Buffer Overflow and Format String Vulnerabilities
BID:9772
Info
GNU Anubis Multiple Remote Buffer Overflow and Format String Vulnerabilities
| Bugtraq ID: | 9772 |
| Class: | Unknown |
| CVE: |
CVE-2004-0353 CVE-2004-0354 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 01 2004 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | Discovery of these vulnerabilities has been credited to Ulf Härnhammar <[email protected]>. |
| Vulnerable: |
GNU Anubis 3.9.93 GNU Anubis 3.9.92 GNU Anubis 3.6.2 GNU Anubis 3.6.1 GNU Anubis 3.6 .0 |
| Not Vulnerable: | |
Discussion
GNU Anubis Multiple Remote Buffer Overflow and Format String Vulnerabilities
GNU Anubis has been reported prone to multiple buffer overflow and format string vulnerabilities. It has been conjectured that a remote attacker may potentially exploit these vulnerabilities to have arbitrary code executed in the context of the Anubis software. The buffer overflow vulnerabilities exist in the 'auth_ident' function in 'auth.c'. The format string vulnerabilities are reported to affect the 'info' function in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error' function in 'ssl.c'.
These vulnerabilities have been reported to exist in GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93. It is possible that other versions are affected as well.
These issues are undergiong further analysis, they will be divided into separate BIDs as analysis is completed.
GNU Anubis has been reported prone to multiple buffer overflow and format string vulnerabilities. It has been conjectured that a remote attacker may potentially exploit these vulnerabilities to have arbitrary code executed in the context of the Anubis software. The buffer overflow vulnerabilities exist in the 'auth_ident' function in 'auth.c'. The format string vulnerabilities are reported to affect the 'info' function in 'log.c', the 'anubis_error' function in 'errs.c' and the 'ssl_error' function in 'ssl.c'.
These vulnerabilities have been reported to exist in GNU Anubis versions 3.6.0, 3.6.1, 3.6.2, 3.9.92, and 3.9.93. It is possible that other versions are affected as well.
These issues are undergiong further analysis, they will be divided into separate BIDs as analysis is completed.
Exploit / POC
Solution / Fix
GNU Anubis Multiple Remote Buffer Overflow and Format String Vulnerabilities
Solution:
The vendor has released patches to address these issues:
GNU Anubis 3.6.2
GNU Anubis 3.9.93
Solution:
The vendor has released patches to address these issues:
GNU Anubis 3.6.2
-
GNU anubis-3.6.2-securityfixes.patch
http://savannah.gnu.org/patch/download.php?item_id=2699&item_file_id=2 801
GNU Anubis 3.9.93
-
GNU anubis-3.9.93-securityfixes.patch
http://savannah.gnu.org/patch/download.php?item_id=2700&item_file_id=2 802
References
GNU Anubis Multiple Remote Buffer Overflow and Format String Vulnerabilities
References:
References:
- [bug-anubis] Important security update (Sergey Poznyakoff)
- Anubis Homepage (GNU)
- GNU Homepage (GNU)
- GNU Anubis buffer overflows and format string bugs (Ulf =?iso-8859-1?b?SORybmhhbW1hcg==?=