Bug 364431 (CVE-2007-5690)
| Summary: | CVE-2007-5690 zaptel buffer overflow in sethdlc(-new).c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jeff |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5690 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-11-04 11:26:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Tomas Hoger
2007-11-02 18:57:56 UTC
Problem is that strcpy is used to copy user-supplied command line argument to fixed sized buffer. Size of the input is not checked. This applies to both sethdlc and sethdlc-new. Obvious way to reproduce: $ sethdlc `perl -e 'print "A"x1024;'` However, this issue does not seem to have security impact in Fedora. Tools are not installed setuid/setgid. It may also be called from ifup-hdlc script, but then arguments are taken from root-controlled configuration file. So I do not see any trust boundary being crossed. Jeff, can you please comment? Are you aware of any way for this tools being called with some untrusted input / arguments? I'm unaware of how this could be exploited by anyone that doesn't already have root access. However, Digium has a patch in SVN that should fix the problem, and I've built new Zaptel packages with the patch applied: http://buildsys.fedoraproject.org/build-status/job.psp?uid=36880 https://admin.fedoraproject.org/updates/F7/pending/zaptel-1.4.6-1.fc7 https://admin.fedoraproject.org/updates/F8/pending/zaptel-1.4.6-1.fc8 http://koji.fedoraproject.org/koji/taskinfo?taskID=225106 Jeff, thanks for your feedback and for promptly building updated packages to address this bug, even though it has no security impact. Upstream Asterisk developers also do not consider this being a security issue: This advisory is a response to a false security vulnerability published in several places on the Internet. Had Asterisk's developers been notified prior to its publication, there would be no need for this. There is a potential for a buffer overflow in the sethdlc application; however, running this application requires root access to the server, which means that exploiting this vulnerability gains the attacker no more advantage than what he already has. As such, this is a bug, not a security vulnerability. Source: http://downloads.digium.com/pub/asa/AST-2007-024.html zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update zaptel' zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update zaptel' zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. |