A vulnerability was found in the Linux kernel's driver for the RIO 500. The driver itself was not designed to allow for multiple RIO500 devices to be plugged into the system.
The Rio 500 was an early generation portable MP3 digital audio player produced by Diamond Multimedia which used a USB connection to connect to the computer. According to upstream this driver is rarely used, due both to the rarity of the hardware and to the userspace software having migrated to libusb as a transport mechanism.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1743557]
This was fixed for Fedora with the 5.1.18 stable kernel updates.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
As the rio500 module will be auto-loaded when required, its use can be disabled by preventing the module from loading with the following instructions:
# echo "blacklist rio500" >> /etc/modprobe.d/rio-500.conf
# echo "install rio500 /bin/false" >> /etc/modprobe.d/rio-500.conf
The system will need to be restarted if the RIO500 modules are loaded. In most circumstances, the kernel modules will be unable to be unloaded while any devices or programs are using the USB device.
If the system requires this module to work correctly, this mitigation may not be suitable.
If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services.
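A check that the mitigation above is actually in effect, as an added example that is not part of the original bug report: it looks for both directives in a modprobe configuration directory and for a loaded rio500 entry in a /proc/modules-style file. The function names and return codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: verify the rio500 mitigation. Directories and files are
# passed as parameters so the checks can also run against test fixtures.
MODULE=rio500

# has_directive DIR REGEX: true if a *.conf file in DIR (modprobe reads only
# *.conf files) has a line matching REGEX. Commented-out lines do not match
# because the regex is anchored at the start of the line.
has_directive() {
    dir=$1; pattern=$2
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$pattern" "$f"; then return 0; fi
    done
    return 1
}

# "blacklist" only stops alias-based auto-loading on device plug-in.
is_blacklisted() {
    has_directive "$1" "^[[:space:]]*blacklist[[:space:]]+${MODULE}[[:space:]]*\$"
}

# "install ... /bin/false" makes an explicit modprobe of the module fail too.
install_disabled() {
    has_directive "$1" "^[[:space:]]*install[[:space:]]+${MODULE}[[:space:]]+/bin/false[[:space:]]*\$"
}

# is_loaded FILE: FILE is in /proc/modules format (name is the first field).
is_loaded() {
    grep -q "^${MODULE} " "$1"
}

# Returns 0 = mitigated, 1 = a directive is missing,
#         2 = configured but module still loaded (restart needed).
check_mitigation() {
    conf_dir=$1; modules_file=$2; status=0
    is_blacklisted "$conf_dir" || { echo "missing: blacklist $MODULE"; status=1; }
    install_disabled "$conf_dir" || { echo "missing: install $MODULE /bin/false"; status=1; }
    [ "$status" -eq 0 ] || return "$status"
    if is_loaded "$modules_file"; then
        echo "$MODULE still loaded: restart required"; return 2
    fi
    echo "$MODULE mitigation in place"
}

# Run against the live system only when asked: ./script --check
if [ "${1:-}" = "--check" ]; then
    check_mitigation /etc/modprobe.d /proc/modules; exit $?
fi
```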