Bug 722393 (CVE-2009-4067)
| Summary: | CVE-2009-4067 kernel: usb: buffer overflow in auerswald_probe() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anton, arozansk, bhu, davej, dhoward, dzickus, fhrbata, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, plougher, pmatouse, rt-maint, sforsber, tcallawa, vgoyal, williams, xiaohm |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-05-04 07:04:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 722394, 722395, 722396, 748675 | ||
| Bug Blocks: | 722385 | ||
|
Description
Eugene Teo (Security Response)
2011-07-15 07:38:20 UTC
Statement: This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as the affected code has been removed. It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1386.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html Created kernel tracking bugs for this issue Affects: fedora-all [bug 748675] (In reply to comment #8) > This issue has been addressed in following products: > > Red Hat Enterprise Linux 5 > > Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html Can you please attach the content of the patch here or point to me the commit which contains this fix? Thanks. (In reply to comment #10) > (In reply to comment #8) > > This issue has been addressed in following products: > > > > Red Hat Enterprise Linux 5 > > > > Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html > > Can you please attach the content of the patch here or point to me the commit > which contains this fix? > > Thanks. This was not fixed upstream as it was removed in 2.6.27. This issue is Red Hat Enterprise Linux 5 specific. Thanks. diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c
index 1fef36e..9aeb632 100644
--- a/drivers/usb/misc/auerswald.c
+++ b/drivers/usb/misc/auerswald.c
@@ -1950,13 +1950,15 @@ static int auerswald_probe (struct usb_interface *intf,
/* Try to get a suitable textual description of the device */
/* Device name:*/
- ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1);
+ /* Save room for serial and subscriber prefixes */
+ ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1-6-2);
if (ret >= 0) {
u += ret;
/* Append Serial Number */
memcpy(&cp->dev_desc[u], ",Ser# ", 6);
u += 6;
- ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1);
+ /* save room for subscriber prefix */
+ ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1-2);
if (ret >= 0) {
u += ret;
/* Append subscriber number */
|