Bug 475446 (CVE-2008-5396)
Summary: | CVE-2008-5396 zaptel: Array index error in multiple zaptel drivers | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | CC: | jeff |
Severity: | low | Keywords: | Security |
Priority: | low | Doc Type: | Bug Fix |
Version: | unspecified | Last Closed: | 2009-01-20 18:44:56 UTC |
Hardware: | All | OS: | Linux |
URL: | http://bugs.digium.com/view.php?id=13954 | | |

Description
Jan Lieskovsky
2008-12-09 09:31:51 UTC
This issue affects all versions of the zaptel package, as shipped with Fedora releases of 8, 9 and 10. This issue affects the version of the zaptel package, as shipped with Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project. Please update the packages.

There looks to be an array index overflow problem in the upstream tor2 patch. Have brought forward upstream with this issue in: http://bugs.digium.com/view.php?id=13954#96700

(In reply to comment #4)
> There looks to be an array index overflow problem in the upstream tor2 patch.
> Have brought forward upstream with this issue in:
>
> http://bugs.digium.com/view.php?id=13954#96700

The issue has been addressed in upstream: http://svn.digium.com/view/dahdi?view=rev&revision=5590

I'm a bit confused here. Affected files are indeed part of the zaptel SRPM, but according to the build logs, they are not built or shipped in any of the (binary) RPMs. The code does not seem to be part of the upstream kernel, and Fedora no longer permits shipping kernel module packages. Can anyone clarify this? This looks like notabug for Fedora.

Yes, Fedora only ships the userspace libraries. The zaptel/dahdi modules are not in the upstream kernel and Fedora prohibits kernel modules shipped outside of the kernel RPM. I'd agree this is notabug.

Jeffrey, thanks for the quick confirmation! Closing.