Bug 783318 (CVE-2012-0065)

Summary: CVE-2012-0065 usbmuxd 1.0.7 receive_packet() Buffer Overflow Vulnerability
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bnocera, cfergeau, pbrobinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-10-04 18:55:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 783523
Bug Blocks: 783319

Description Kurt Seifried 2012-01-19 23:40:48 UTC
From secunia:

rigan has reported a vulnerability in usbmuxd, which potentially can be
exploited by malicious people with physical access to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error within the
"receive_packet()" function (libusbmuxd/libusbmuxd.c) when processing a
property list containing an overly long "SerialNumber" field, which can
be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow the execution of arbitrary code, but
requires that the attacker is able to connect a malicious USB device.

https://secunia.com/advisories/47545/
https://bugs.gentoo.org/show_bug.cgi?id=399409

source code commit:
http://git.marcansoft.com/?p=usbmuxd.git;a=commitdiff;h=f794991993af56a74795891b4ff9da506bc893e6

This vulnerability requires physical access so a USB device can be plugged in, setting priority to low despite a CVSS2 score of 4.6.
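As an added illustration of the flaw class described above (constructed example, not the usbmuxd fix commit itself): a device-supplied "SerialNumber" string taken from a property list is copied into a fixed-size record field with an explicit length check instead of an unchecked strcpy(). The struct, the 40-character UDID size and the minimal plist lookup are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the fixed-size UDID field of a device record. */
#define UDID_LEN 40
struct device_record { char udid[UDID_LEN + 1]; };

/* Constructed helper (not libplist): return a malloc'd copy of the <string>
 * that follows <key>SerialNumber</key> in an XML plist, or NULL if absent. */
static char *plist_serial_number(const char *plist)
{
    const char *key = strstr(plist, "<key>SerialNumber</key>");
    const char *start = key ? strstr(key, "<string>") : NULL;
    const char *end = start ? strstr(start + 8, "</string>") : NULL; /* 8 = strlen("<string>") */
    if (!end)
        return NULL;
    size_t n = (size_t)(end - (start + 8));
    char *out = malloc(n + 1);
    if (out) {
        memcpy(out, start + 8, n);
        out[n] = '\0';
    }
    return out;
}

/* The flaw class in the report is strcpy(rec->udid, serial) with no length check,
 * so a serial longer than UDID_LEN overruns the heap allocation holding the record.
 * This version rejects oversized input and always leaves udid NUL-terminated.
 * Returns 0 on success, -1 on rejection. */
int set_udid_checked(struct device_record *rec, const char *serial)
{
    size_t n = strlen(serial);
    if (n > UDID_LEN) {
        rec->udid[0] = '\0';
        return -1;
    }
    memcpy(rec->udid, serial, n + 1);
    return 0;
}

/* Fill a record from a plist: 0 on success, -1 if the key is missing or too long. */
int record_from_plist(struct device_record *rec, const char *plist)
{
    char *serial = plist_serial_number(plist);
    if (!serial)
        return -1;
    int rc = set_udid_checked(rec, serial);
    free(serial);
    return rc;
}
```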

Comment 1 Vincent Danen 2012-01-20 17:41:52 UTC
The receive_packet() function was first introduced on May 25 2010 via:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=00c3c56e38f10d0f20145d5735b2fc0fd926555d

and:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=6cb505257ff848aa7ead80b60b575effc3a915fa

(the latter introduced plist-based support, which is the commit that introduced the flaw)

This code is not present in usbmuxd 1.0.2; it looks like it would have been first included (judging by release dates) in 1.0.5:

http://cgit.sukimashita.com/usbmuxd.git/tag/?id=v1.0.5

Statement:

Not vulnerable. This issue did not affect the versions of usbmuxd as shipped with Red Hat Enterprise Linux 6.

Comment 2 Vincent Danen 2012-01-20 17:43:20 UTC
Created usbmuxd tracking bugs for this issue

Affects: fedora-all [bug 783523]

Comment 3 Peter Robinson 2012-02-02 13:19:35 UTC
I plan to add this patch as shipped in Debian:
http://patch-tracker.debian.org/patch/series/view/usbmuxd/1.0.7-2/90-cve-2012-0065.patch