Bug 423111 (CVE-2005-0504)
| Field | Value |
|---|---|
| Summary | CVE-2005-0504 Buffer overflow in moxa driver |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | kreilly |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | http://groups.google.com/group/linux.kernel/browse_thread/thread/5b03f3db6e7687e4/a3df0329c383391f?hl=en&lnk=gst&q=overflow#a3df0329c383391f |
| Doc Type | Bug Fix |
| Last Closed | 2010-12-21 17:11:47 UTC |
| Bug Depends On | 423131, 423141 |
Description
Jan Lieskovsky
2007-12-13 10:46:08 UTC
Alan Cox said about the above issue:

> ```c
> case MOXA_LOAD_BIOS:
> case MOXA_FIND_BOARD:
> case MOXA_LOAD_C320B:
> case MOXA_LOAD_CODE:
>         if (!capable(CAP_SYS_RAWIO))
>                 return -EPERM;
>         break;
> ```
>
> At the point you abuse these calls you can already just load arbitrary data from userspace anyway.

-> This means that once we have the `if (!capable(CAP_SYS_RAWIO))` check in the kernel code, we are sane. The problem is that this permission check is missing from the RHEL-4 kernel code. In RHEL-4 the code looks like the following:

```c
case MOXA_LOAD_BIOS:
case MOXA_FIND_BOARD:
case MOXA_LOAD_C320B:
case MOXA_LOAD_CODE:
        break;
}
```

-> so we are still vulnerable to the original issue reported by Dann Frazier in RHEL-4.

Created attachment 308530: RH patch

This was addressed via:

- Red Hat Enterprise Linux version 2.1 (RHSA-2005:529)
- Red Hat Linux Advanced Workstation 2.1 (RHSA-2005:551)
- Red Hat Enterprise Linux version 3 (RHSA-2005:663)
- Red Hat Enterprise Linux version 4 (RHSA-2008:0237)
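As an added illustration, not code from the kernel, from the RH patch or from the bug's reporter, the following user-space model contrasts the two ioctl dispatch shapes quoted in the comment above. The command numbers, the mock `capable()`, the `moxa_load()` stand-in and the `as_user()` helper are constructed for this example; it shows an unprivileged caller reaching the board-loader path in the unchecked shape and being refused with `-EPERM` in the checked one.

```c
/* User-space model of the moxa ioctl privilege gate (constructed example). */
#include <errno.h>

/* Constructed command numbers; the real values live in the driver headers. */
enum { MOXA_OTHER_CMD = 1, MOXA_LOAD_BIOS, MOXA_FIND_BOARD,
       MOXA_LOAD_C320B, MOXA_LOAD_CODE };
#define CAP_SYS_RAWIO 17   /* same value as include/linux/capability.h */

/* Mock of the kernel's capable(): models whether the caller holds the cap. */
static int mock_has_rawio;
static int capable(int cap) { return cap == CAP_SYS_RAWIO && mock_has_rawio; }

/* Stand-in for the firmware/code loader; counts how often it is reached. */
static int loader_calls;
static int moxa_load(int cmd) { (void)cmd; loader_calls++; return 0; }

/* RHEL-4 shape from the comment: the loader commands fall through with no
 * privilege check, so any process that can open the device reaches them. */
int moxa_ioctl_unchecked(int cmd)
{
    switch (cmd) {
    case MOXA_LOAD_BIOS: case MOXA_FIND_BOARD:
    case MOXA_LOAD_C320B: case MOXA_LOAD_CODE:
        break;
    default:
        return -ENOTTY;          /* other commands are handled elsewhere */
    }
    return moxa_load(cmd);
}

/* Upstream shape Alan Cox cites: refuse the loader commands unless the
 * caller holds CAP_SYS_RAWIO, before any board access happens. */
int moxa_ioctl_checked(int cmd)
{
    switch (cmd) {
    case MOXA_LOAD_BIOS: case MOXA_FIND_BOARD:
    case MOXA_LOAD_C320B: case MOXA_LOAD_CODE:
        if (!capable(CAP_SYS_RAWIO))
            return -EPERM;
        break;
    default:
        return -ENOTTY;
    }
    return moxa_load(cmd);
}

/* Constructed helper: run one dispatcher with the given privilege state. */
int as_user(int privileged, int (*ioctl_fn)(int), int cmd)
{
    mock_has_rawio = privileged;
    return ioctl_fn(cmd);
}
```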