Bug 231069

Summary: CVE-2007-1217 Overflow in CAPI subsystem
Product: Red Hat Enterprise Linux 3
Component: kernel
Version: 3.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Marcel Holtmann <holtmann>
Assignee: Don Howard <dhoward>
QA Contact: Martin Jenner <mjenner>
CC: anton, jlieskov, jmarchan, lwang, petrides, security-response-team
Keywords: Security
Target Milestone: ---
Target Release: ---
Whiteboard: impact=moderate,source=vendorsec,reported=20070213,public=20070126
Fixed In Version: RHSA-2007-0671
Doc Type: Bug Fix
Last Closed: 2007-08-16 09:34:49 UTC
Attachments:
- patch for this BZ (flags: none)
- CVS repository patch, adds CONFIG_CAPI_TRACE option (flags: none)
- correct patch, only compilation tested, need to test with real hardware (flags: none)

Description Marcel Holtmann 2007-03-05 22:16:38 UTC
The bufprint routine used by capi_cmsg2str does an unbounded vsprintf into an
8192-byte buffer, perhaps hoping it's big enough.

If the content of that vsprintf can be controlled by remote peers, this may lead
to a remote security hole for daemons using CAPI (pppd-capi-plugin,
asterisk-chan-capi, capi4hylafax, ...). Or a DoS.

If the content of that vsprintf can be controlled by local users making use of a
system service (such as sending a fax, making a phone call, ...) that uses CAPI,
this is a privilege escalation or remote authenticated user security hole, or a DoS.
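
The unbounded formatting pattern the report describes, shown here as an added C example that is not the kernel's code or any of the patches attached to this bug: a bounded stand-in for a bufprint-style accumulator in which every append goes through vsnprintf with the remaining space computed from the current write position, so an oversized peer-supplied field is cut short and flagged rather than written past the end of the buffer. The struct, the function names, the CAPI-looking field labels and the 64-byte buffer are assumptions chosen for illustration; the canary region after the buffer is what lets the check prove nothing was written out of bounds.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded accumulator standing in for the unbounded
 * bufprint() the report describes: a fixed-size buffer, a write
 * position, and a flag recording whether anything was cut short. */
struct strbuf {
    char   *buf;
    size_t  size;      /* capacity, including room for the NUL */
    size_t  pos;       /* bytes written so far, excluding the NUL */
    int     truncated; /* set once an append did not fit */
};

void strbuf_init(struct strbuf *sb, char *storage, size_t size)
{
    sb->buf = storage;
    sb->size = size;
    sb->pos = 0;
    sb->truncated = 0;
    if (size > 0)
        storage[0] = '\0';
}

/* Append formatted text, never writing past sb->size bytes.
 * Returns the number of bytes actually appended. */
size_t strbuf_printf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t before = sb->pos;
    size_t avail;
    int n;

    /* Only the terminator would fit: refuse instead of overrunning. */
    if (sb->size == 0 || sb->pos >= sb->size - 1) {
        sb->truncated = 1;
        return 0;
    }
    avail = sb->size - sb->pos;            /* includes room for the NUL */
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->pos, avail, fmt, ap);
    va_end(ap);
    if (n < 0) {                           /* encoding error: keep buffer sane */
        sb->buf[sb->pos] = '\0';
        sb->truncated = 1;
        return 0;
    }
    if ((size_t)n >= avail) {              /* vsnprintf wrote avail-1 bytes + NUL */
        sb->truncated = 1;
        sb->pos = sb->size - 1;
    } else {
        sb->pos += (size_t)n;
    }
    return sb->pos - before;
}

/* Constructed check: a 64-byte message buffer followed by a canary
 * region, fed a 300-character field. Returns 1 if the canary is intact,
 * the buffer stays NUL-terminated inside its bounds, and truncation
 * was reported; 0 otherwise. */
int run_canary_check(void)
{
    char storage[64 + 16];
    char longfield[301];
    struct strbuf sb;
    size_t i;

    memset(storage, 0xAA, sizeof storage);
    for (i = 0; i < 300; i++)
        longfield[i] = (char)('A' + (i % 26));
    longfield[300] = '\0';

    strbuf_init(&sb, storage, 64);
    strbuf_printf(&sb, "CONNECT_REQ: ");
    strbuf_printf(&sb, "CalledParty=%s", longfield);
    strbuf_printf(&sb, " ApplId=%u", 1u);

    for (i = 64; i < sizeof storage; i++)
        if ((unsigned char)storage[i] != 0xAA)
            return 0;                      /* something wrote past the buffer */
    if (strlen(storage) != 63 || sb.pos != 63)
        return 0;
    return sb.truncated == 1;
}

/* Constructed check: a message that fits is reproduced exactly and
 * is not flagged. Returns 1 on success. */
int run_fit_check(void)
{
    char storage[32];
    struct strbuf sb;

    strbuf_init(&sb, storage, sizeof storage);
    strbuf_printf(&sb, "ApplId=%u", 7u);
    strbuf_printf(&sb, " MsgNum=%u", 42u);
    return strcmp(storage, "ApplId=7 MsgNum=42") == 0 &&
           sb.pos == 18 && sb.truncated == 0;
}

int main(void)
{
    printf("canary check: %s\n", run_canary_check() ? "ok" : "FAILED");
    printf("fit check: %s\n", run_fit_check() ? "ok" : "FAILED");
    return 0;
}
```

The truncated flag matters as much as the bound itself: a trace line that was silently cut short can hide the very field an operator would want to see, so a caller can log that the dump was incomplete instead of treating it as the full message.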

Comment 2 Ernie Petrides 2007-03-13 23:49:12 UTC
Marcel, the exploit in bug 230563 comment #1 requires access to
/dev/capi20, which has permission 600 (and thus needs super-user
privileges).  If that is our only exposure, please close this as
NOTABUG.

Comment 5 Radovan Augustin 2007-03-26 13:52:13 UTC
Created attachment 150897 [details]
patch for this BZ

Comment 6 Radovan Augustin 2007-03-26 13:53:10 UTC
Created attachment 150899 [details]
CVS repository patch, adds CONFIG_CAPI_TRACE option

Comment 7 Radovan Augustin 2007-03-26 13:59:50 UTC
Compilation is successful but not tested, because I do not have an ISDN card available.

Comment 8 Radovan Augustin 2007-03-26 17:30:18 UTC
Patch still contains errors, please do not test it now.

Comment 9 Radovan Augustin 2007-03-30 13:13:28 UTC
Created attachment 151273 [details]
correct patch, only compilation tested, need to test with real hardware

Comment 13 Jerome Marchand 2007-07-26 07:51:32 UTC
fixed in build 2.4.21-51.EL

Comment 16 Red Hat Bugzilla 2007-08-16 09:34:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0671.html

Comment 17 Jan Lieskovsky 2007-11-29 14:08:05 UTC
*** Bug 402771 has been marked as a duplicate of this bug. ***