Vendor Status Note JVNCIAC-O-129

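Vulnerability in XDMCP handling in CDE dtlogin

Overview

dtlogin in the Common Desktop Environment (CDE) contains a vulnerability in its X Display Manager Control Protocol (XDMCP) handling that causes memory to be freed twice (a double free).

Impact

A remote third party may be able to gain root privileges.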

Vendor Information

Vendor / Link / Last updated

Hewlett-Packard Japan
    Security report: HPSBUX01038
    SSRT4721 HP-UX dtlogin unauthorized privileged access, Denial of Service (DoS)

IBM
    IBM SECURITY ADVISORY MSS-OAR-E01-2004:0545.1
    dtlogin improperly handles some XDMCP requests

Sun Microsystems
    Sun Alert ID: 57539
    Security Vulnerability Involving the Common Desktop Environment (CDE) dtlogin(1X) Command When Parsing XDMCP Requests
    Sun Alert ID: 101478
    Security Vulnerability Involving the Common Desktop Environment (CDE) dtlogin(1X) Command When Parsing XDMCP Requests (CERT VU#179804)

References

  1. CIAC Bulletin O-129
    Common Desktop Environment (CDE) dtlogin XDMCP parser Vulnerability
  2. CIAC Bulletin P-258
    Security Vulnerability Involving the Common Desktop Environment (CDE) dtlogin(1X) Command
  3. US-CERT Vulnerability Note VU#179804
    Common Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memory
  4. ISS X-Force Database: cde-dtlogin-double-free(15581)
    Common Desktop Environment dtlogin utility double-free

JPCERT Alert:
JPCERT REPORT:
    JPCERT-WR-2004-1801 ( 2004-05-12 )
    JPCERT-WR-2004-1901 ( 2004-05-19 )
    JPCERT-WR-2005-2901 ( 2005-07-27 )
CIAC Bulletin: O-129 Common Desktop Environment (CDE) dtlogin XDMCP parser Vulnerability ( 2004-04-28 )
CVE: 2004-0368 [CVE+] VU#179804, XF15581
PGP signature: JVNCIAC-O-129.html.sig

Registered: 02:01 2004/05/12
Updated: 14:15 2005/07/31

Copyright(C) 2002-2009 Keio Univ. All rights reserved.