Bug 364431 (CVE-2007-5690) - CVE-2007-5690 zaptel buffer overflow in sethdlc(-new).c
Summary: CVE-2007-5690 zaptel buffer overflow in sethdlc(-new).c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-5690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2007-11-02 18:57 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-04 11:26:21 UTC
Embargoed:



Description Tomas Hoger 2007-11-02 18:57:56 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5690 to the following vulnerability:

Buffer overflow in sethdlc.c in the Asterisk Zaptel 1.4.5.1 might allow local users to gain privileges via a long device name (interface name) in the ifr_name field.

References:

http://www.securityfocus.com/archive/1/archive/1/482597/100/0/threaded
http://www.eleytt.com/advisories/eleytt_ZAPTEL.pdf
http://www.securityfocus.com/bid/26160
http://xforce.iss.net/xforce/xfdb/37335

Comment 1 Tomas Hoger 2007-11-02 19:06:57 UTC
Problem is that strcpy is used to copy user-supplied command line argument to
fixed sized buffer.  Size of the input is not checked.  This applies to both
sethdlc and sethdlc-new.

Obvious way to reproduce:

$ sethdlc `perl -e 'print "A"x1024;'`

However, this issue does not seem to have security impact in Fedora.  Tools are
not installed setuid/setgid.  It may also be called from ifup-hdlc script, but
then arguments are taken from root-controlled configuration file.  So I do not
see any trust boundary being crossed.

Jeff, can you please comment?  Are you aware of any way for these tools being
called with some untrusted input / arguments?

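The pattern this comment describes (an unbounded strcpy of a command-line argument into the fixed-size ifr_name field) next to the bounded form that the tool should use, as an added example that is not the zaptel source or Digium's patch. It assumes a stand-in struct with a 16-byte ifr_name so it builds without <net/if.h>; 16 is the value of IFNAMSIZ on Linux and includes the terminating NUL.

```c
#include <stdio.h>
#include <string.h>

/* Linux's struct ifreq stores the interface name in a 16-byte field
 * (IFNAMSIZ, terminating NUL included). A stand-in struct is used here so
 * the example builds without <net/if.h>; the size is the one Linux uses. */
#define IFNAMSIZ 16

struct hdlc_req {
    char ifr_name[IFNAMSIZ];
};

/* The defect described in the bug: the argument is copied with strcpy and
 * nothing checks its length, so anything longer than IFNAMSIZ - 1 bytes
 * writes past the end of ifr_name. Kept only for contrast; it is never
 * called with overlong input in this example. */
void set_ifname_unchecked(struct hdlc_req *req, const char *name)
{
    strcpy(req->ifr_name, name);
}

/* Hardened form: refuse any name that does not fit together with its NUL
 * and report that to the caller rather than truncating silently (a
 * truncated name would make the tool act on a different interface than
 * the one the user asked for). Returns 0 on success, -1 when rejected. */
int set_ifname_checked(struct hdlc_req *req, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ)
        return -1;
    memcpy(req->ifr_name, name, len + 1);  /* copies the terminating NUL too */
    return 0;
}

int main(int argc, char **argv)
{
    struct hdlc_req req;
    /* "hdlc0" is a constructed default so the program runs with no arguments. */
    const char *name = argc > 1 ? argv[1] : "hdlc0";

    if (set_ifname_checked(&req, name) != 0) {
        fprintf(stderr, "interface name too long (max %d characters)\n",
                IFNAMSIZ - 1);
        return 1;
    }
    printf("using interface %s\n", req.ifr_name);
    return 0;
}
```

Running the program with a 1024-character argument, as in the reproduction line above, now exits with an error instead of overrunning the buffer; the same length check is what a reviewer should look for wherever a user-supplied string lands in a fixed-size kernel interface structure.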

Comment 2 Jeffrey C. Ollie 2007-11-03 05:36:02 UTC
I'm unaware of how this could be exploited by anyone that doesn't already have
root access.  However, Digium has a patch in SVN that should fix the problem,
and I've built new Zaptel packages with the patch applied:

http://buildsys.fedoraproject.org/build-status/job.psp?uid=36880
https://admin.fedoraproject.org/updates/F7/pending/zaptel-1.4.6-1.fc7
https://admin.fedoraproject.org/updates/F8/pending/zaptel-1.4.6-1.fc8
http://koji.fedoraproject.org/koji/taskinfo?taskID=225106


Comment 3 Tomas Hoger 2007-11-04 11:26:21 UTC
Jeff, thanks for your feedback and for promptly building updated packages to
address this bug, even though it has no security impact.

Upstream Asterisk developers also do not consider this being a security issue:

  This advisory is a response to a false security vulnerability published in
  several places on the Internet. Had Asterisk's developers been notified
  prior to its publication, there would be no need for this.

  There is a potential for a buffer overflow in the sethdlc application;
  however, running this application requires root access to the server, which
  means that exploiting this vulnerability gains the attacker no more
  advantage than what he already has. As such, this is a bug, not a security
  vulnerability.

Source: http://downloads.digium.com/pub/asa/AST-2007-024.html


Comment 4 Fedora Update System 2007-11-06 16:11:35 UTC
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update zaptel'

Comment 5 Fedora Update System 2007-11-09 23:50:59 UTC
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update zaptel'

Comment 6 Fedora Update System 2007-11-20 17:51:12 UTC
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2007-11-20 17:54:39 UTC
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
