JasPer 1.900.1拒绝服务漏洞

CNNVD-ID编号	CNNVD-200810-016
CVE编号	CVE-2008-3521
发布时间	2008-10-02
更新时间	2009-03-26
漏洞类型	后置链接
漏洞来源	Marc Espie and Christian Weisgerber
危险等级	高危
威胁类型	本地
厂商	jasper_project

漏洞介绍

JasPer的libjasper/base/jas_stream.c的jas_stream_tmpfile函数中存在竞争条件，本地用户通过创建适当的tmp.XXXXXXXXXX临时文件，引起Jasper退出以造成拒绝服务 (程序退出)。

漏洞补丁

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

MandrakeSoft Linux Mandrake 2008.1 x86_64

Mandriva ghostscript-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-common-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-doc-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-dvipdf-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-module-X-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-X-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva jasper-1.900.1-3.1mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64gs8-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64gs8-devel-8.61-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64ijs1-0.35-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64ijs1-devel-0.35-60.2mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64jasper1-1.900.1-3.1mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64jasper1-devel-1.900.1-3.1mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64jasper1-static-devel-1.900.1-3.1mdv2008.1.x86_64.rpm

http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 7.10 powerpc

Ubuntu libjasper-dev_1.900.1-3ubuntu0.7.10.1_powerpc.deb

http://security.ubuntu.com/ubuntu/pool/main/j/jasper/libjasper-dev_1.9 00.1-3ubuntu0.7.10.1_powerpc.deb

Ubuntu libjasper-runtime_1.900.1-3ubuntu0.7.10.1_powerpc.deb

http://security.ubuntu.com/ubuntu/pool/universe/j/jasper/libjasper-run time_1.900.1-3ubuntu0.7.10.1_powerpc.deb

Ubuntu libjasper1_1.900.1-3ubuntu0.7.10.1_powerpc.deb

http://security.ubuntu.com/ubuntu/pool/main/j/jasper/libjasper1_1.900. 1-3ubuntu0.7.10.1_powerpc.deb

MandrakeSoft Linux Mandrake 2008.1

Mandriva ghostscript-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-common-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-doc-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-dvipdf-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-module-X-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-X-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva jasper-1.900.1-3.1mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libgs8-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libgs8-devel-8.61-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libijs1-0.35-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libijs1-devel-0.35-60.2mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libjasper1-1.900.1-3.1mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libjasper1-devel-1.900.1-3.1mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

Mandriva libjasper1-static-devel-1.900.1-3.1mdv2008.1.i586.rpm

http://www.mandriva.com/en/download/

MandrakeSoft Linux Mandrake 2009.1 x86_64

Mandriva ghostscript-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-common-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-doc-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-dvipdf-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-module-X-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva ghostscript-X-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva jasper-1.900.1-5.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64gs8-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/en/download/

Mandriva lib64gs8-devel-8.64-65.1mdv2009.1.x86_64.rpm

http://www.mandriva.com/e

参考网址

来源: bugzilla.redhat.com

链接：https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3521
来源: XF

名称: jasper-jasstreamtmpfile-symlink(45622)

链接：http://xforce.iss.net/xforce/xfdb/45622
来源: UBUNTU

名称: USN-742-1

链接：http://www.ubuntu.com/usn/USN-742-1
来源: BID

名称: 31470

链接：http://www.securityfocus.com/bid/31470
来源: MANDRIVA

名称: MDVSA-2009:164

链接：http://www.mandriva.com/security/advisories?name=MDVSA-2009:164
来源: MANDRIVA

名称: MDVSA-2009:142

链接：http://www.mandriva.com/security/advisories?name=MDVSA-2009:142
来源: SECUNIA

名称: 34391

链接：http://secunia.com/advisories/34391
来源: bugs.gentoo.org

链接：http://bugs.gentoo.org/show_bug.cgi?id=222819

受影响实体

Jasper_project Jasper:1.900.1

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200810-016

行业资讯-文章归档问答-问答归档