Bug 423111 (CVE-2005-0504)

Summary: CVE-2005-0504 Buffer overflow in moxa driver
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://groups.google.com/group/linux.kernel/browse_thread/thread/5b03f3db6e7687e4/a3df0329c383391f?hl=en&lnk=gst&q=overflow#a3df0329c383391f
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-21 17:11:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 423131, 423141    
Bug Blocks:    
Attachments:
Description Flags
RH patch none

Description Jan Lieskovsky 2007-12-13 10:46:08 UTC 
Description of problem:

Dann Frazier has reported this issue to the lkml:

"Hey, I noticed that the moxa input checking security bug described by
CVE-2005-0504 appears to remain unfixed upstream.

The issue is described here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504

Debian has been shipping the following patch from Andres Salomon. I
tried contacting the listed maintainer a few months ago but received
no response."

Version-Release number of selected component (if applicable):
Comment 1 Jan Lieskovsky 2007-12-13 10:49:59 UTC 
Alan Cox said to the above issue: 

"        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                if (!capable(CAP_SYS_RAWIO))
                        return -EPERM;
                break;

At the point you abuse these calls you can already just load arbitary
data from userspace anyway." 

-> This means once we have the "if (!capable(CAP_SYS_RAWIO))" check
in the kernel code, we are sane. The problem is, this permission check 
is missing in the code of the RHEL4 kernel code. 

In RHEL-4 the code looks like the following:

There the code looks like the following:
 
         case MOXA_LOAD_BIOS:
         case MOXA_FIND_BOARD:
         case MOXA_LOAD_C320B:
         case MOXA_LOAD_CODE:
                 break;
         }

-> so we are still vulnerable to the original issue reported by Dann Frazier
in RHEL-4.
Comment 5 Jan Lieskovsky 2008-06-06 13:50:24 UTC 
Created attachment 308530 [details]
RH patch
Comment 6 Vincent Danen 2010-12-21 17:11:47 UTC 
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2005:529)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2005:551)
Red Hat Enterprise Linux version 3 (RHSA-2005:663)
Red Hat Enterprise Linux version 4 (RHSA-2008:0237)