Bug 364431 - CVE-2007-5690 zaptel buffer overflow in sethdlc(-new).c
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: source=debian,reported=20071031,publi...
Keywords: Security
Reported: 2007-11-02 14:57 EDT by Tomas Hoger
Modified: 2007-11-20 12:54 EST
Doc Type: Bug Fix
Last Closed: 2007-11-04 06:26:21 EST
Attachments: None
Description Tomas Hoger 2007-11-02 14:57:56 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5690 to the following vulnerability:

Buffer overflow in sethdlc.c in the Asterisk Zaptel 1.4.5.1 might allow local users to gain privileges via a long device name (interface name) in the ifr_name field.

References:

http://www.securityfocus.com/archive/1/archive/1/482597/100/0/threaded
http://www.eleytt.com/advisories/eleytt_ZAPTEL.pdf
http://www.securityfocus.com/bid/26160
http://xforce.iss.net/xforce/xfdb/37335
Comment 1 Tomas Hoger 2007-11-02 15:06:57 EDT
The problem is that strcpy is used to copy a user-supplied command-line argument
into a fixed-size buffer.  The size of the input is not checked.  This applies to
both sethdlc and sethdlc-new.

Obvious way to reproduce:

$ sethdlc `perl -e 'print "A"x1024;'`

However, this issue does not seem to have security impact in Fedora.  The tools are
not installed setuid/setgid.  They may also be called from the ifup-hdlc script, but
then the arguments are taken from a root-controlled configuration file.  So I do not
see any trust boundary being crossed.

Jeff, can you please comment?  Are you aware of any way for these tools to be
called with some untrusted input / arguments?
Comment 2 Jeffrey C. Ollie 2007-11-03 01:36:02 EDT
I'm unaware of how this could be exploited by anyone that doesn't already have
root access.  However, Digium has a patch in SVN that should fix the problem,
and I've built new Zaptel packages with the patch applied:

http://buildsys.fedoraproject.org/build-status/job.psp?uid=36880
https://admin.fedoraproject.org/updates/F7/pending/zaptel-1.4.6-1.fc7
https://admin.fedoraproject.org/updates/F8/pending/zaptel-1.4.6-1.fc8
http://koji.fedoraproject.org/koji/taskinfo?taskID=225106
Comment 3 Tomas Hoger 2007-11-04 06:26:21 EST
Jeff, thanks for your feedback and for promptly building updated packages to
address this bug, even though it has no security impact.

Upstream Asterisk developers also do not consider this to be a security issue:

  This advisory is a response to a false security vulnerability published in
  several places on the Internet. Had Asterisk's developers been notified
  prior to its publication, there would be no need for this.

  There is a potential for a buffer overflow in the sethdlc application;
  however, running this application requires root access to the server, which
  means that exploiting this vulnerability gains the attacker no more
  advantage than what he already has. As such, this is a bug, not a security
  vulnerability.

Source: http://downloads.digium.com/pub/asa/AST-2007-024.html
Comment 4 Fedora Update System 2007-11-06 11:11:35 EST
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update zaptel'
Comment 5 Fedora Update System 2007-11-09 18:50:59 EST
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update zaptel'
Comment 6 Fedora Update System 2007-11-20 12:51:12 EST
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2007-11-20 12:54:39 EST
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.