Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 2.1 product line. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 231071

Summary: CVE-2007-1217 Overflow in CAPI subsystem
Product: Red Hat Enterprise Linux 2.1 Reporter: Marcel Holtmann <holtmann>
Component: kernelAssignee: Don Howard <dhoward>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.1CC: anton, jlieskov, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: ia64   
OS: Linux   
Whiteboard: impact=moderate,source=vendorsec,reported=20070213,public=20070126
Fixed In Version: RHSA-2007-0673 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-08 18:54:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
BZ 230563 RHEL 2.1AS ia64 patch, only compilation tested, need to test with real hardware
none
CVS repository patch, adds CONFIG_CAPI_TRACE option
none
CVS repository patch, adds CONFIG_CAPI_TRACE option none

Description Marcel Holtmann 2007-03-05 22:18:31 UTC 
The bufprint routine used by capi_cmsg2str does an unbounded vsprintf into a
8192 byte buffer, perhaps hoping it's big enough.

If the content of that vsprintf can be controlled by remote peers, this may lead
to a remote security hole for daemons using CAPI (pppd-capi-plugin,
asterisk-chan-capi, capi4hylafax, ...). Or a DoS.

If the content of that vsprintf can be controlled by local users making use of a
system service (such as sending a fax, making a phone call, ...) that uses CAPI,
this is a privilege escalation or remote authenticated user security hole, or a DoS.
Comment 3 Radovan Augustin 2007-04-06 10:59:23 UTC 
Created attachment 151863 [details]
BZ 230563 RHEL 2.1AS ia64 patch, only compilation tested, need to test with real hardware
Comment 4 Radovan Augustin 2007-04-06 11:00:27 UTC 
Created attachment 151865 [details]
CVS repository patch, adds CONFIG_CAPI_TRACE option
Comment 5 Radovan Augustin 2007-04-06 11:00:34 UTC 
Created attachment 151866 [details]
CVS repository patch, adds CONFIG_CAPI_TRACE option
Comment 6 Don Howard 2007-07-07 06:36:19 UTC 
A patch addressing this issue has been included in kernel-2.4.18-e.65.
Comment 9 Red Hat Bugzilla 2007-08-08 18:54:33 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0673.html
Comment 10 Jan Lieskovsky 2007-11-29 14:05:41 UTC 
*** Bug 402761 has been marked as a duplicate of this bug. ***