Bug 392101 - (CVE-2007-6063) CVE-2007-6063 Linux Kernel isdn_net_setcfg buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low   Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,reported=20071120,sou...
Keywords: Security
Depends On: 392111 392121 392131 392151 392161 456360 456361
Blocks:
Reported: 2007-11-20 07:50 EST by Jan Lieskovsky
Modified: 2011-09-29 17:27 EDT (History)
CC List: 9 users

Doc Type: Bug Fix
Last Closed: 2011-09-29 17:27:13 EDT

Attachments
Proposed backported patch for RHEL-3.9 (1.77 KB, patch)
2008-07-23 01:22 EDT, Eugene Teo (Security Response)
Proposed backported patch for RHEL-2.1 (1.78 KB, patch)
2008-07-23 01:46 EDT, Eugene Teo (Security Response)

Description Jan Lieskovsky 2007-11-20 07:50:18 EST
Description of problem:

The Linux kernel is prone to a buffer overflow vulnerability. This
issue is due to a design error in the 'isdn_net_setcfg()' function.
There is a buffer overflow vulnerability in function isdn_net_setcfg().

At line 1413, in drivers/isdn/i4l/isdn_common.c, the 'cfg' is read from
user space, so the 'cfg' is user-controlled. At line 1415, function
isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg()
as an argument.

At line 2805 in drivers/isdn/i4l/isdn_net.c, function strcpy() is invoked. The
size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg'
is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun
the destination string lp->msn with the string cfg->eaz. When the length of string
'cfg->eaz' is greater than 32, a buffer overflow will occur.

This issue is public via:

http://bugzilla.kernel.org/show_bug.cgi?id=9416
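The copy the report describes, modelled as a stand-alone C example added here for illustration; it is not the kernel's code and not Red Hat's backported patch. The two structures are trimmed-down stand-ins carrying only the 256-byte eaz and 32-byte msn fields the report names, with the unbounded strcpy shown for contrast beside two bounded alternatives (reject over-long input, or truncate it). The struct names, the guard field, the helper names and the sample cfg contents are all constructed for this example and do not reflect the kernel's real layout.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the bug report: cfg->eaz is 256 bytes, lp->msn is 32. */
#define EAZ_LEN 256
#define MSN_LEN 32

/* Hypothetical, trimmed-down stand-ins for the kernel structures;
 * only the two fields the report talks about are modelled. */
struct user_cfg {            /* copied in from user space */
    char eaz[EAZ_LEN];
};

struct net_local {           /* kernel-side per-interface state */
    char msn[MSN_LEN];
    int  guard;              /* sits after msn; an overflow would clobber it */
};

/* Length scan that never reads past `max` bytes: a user-supplied buffer
 * need not contain a terminator at all, so plain strlen() is unsafe. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The pattern the report describes: an unbounded strcpy from a
 * user-controlled 256-byte field into a 32-byte field. Shown for
 * contrast only and never called here, because running it is
 * undefined behaviour. */
static void setcfg_unbounded(struct net_local *lp, const struct user_cfg *cfg)
{
    strcpy(lp->msn, cfg->eaz);   /* overflows once strlen(eaz) >= 32 */
}

/* Policy 1: reject. Returns -EINVAL if the user string is not terminated
 * inside its own buffer or does not fit in msn together with its NUL. */
static int setcfg_reject(struct net_local *lp, const struct user_cfg *cfg)
{
    size_t n = bounded_len(cfg->eaz, EAZ_LEN);
    if (n >= EAZ_LEN || n >= MSN_LEN)
        return -EINVAL;
    memcpy(lp->msn, cfg->eaz, n + 1);   /* n + 1 <= MSN_LEN, terminator included */
    return 0;
}

/* Policy 2: truncate (strlcpy semantics, written out by hand). The field
 * always ends up NUL-terminated and at most MSN_LEN - 1 characters long. */
static int setcfg_truncate(struct net_local *lp, const struct user_cfg *cfg)
{
    size_t n = bounded_len(cfg->eaz, EAZ_LEN);
    if (n >= MSN_LEN)
        n = MSN_LEN - 1;
    memcpy(lp->msn, cfg->eaz, n);
    lp->msn[n] = '\0';
    return 0;
}

/* Constructed "user" cfg whose eaz is `len` copies of 'A'
 * (len == EAZ_LEN yields a string with no terminator at all). */
static struct user_cfg make_cfg(size_t len)
{
    struct user_cfg cfg;
    memset(&cfg, 0, sizeof cfg);
    if (len > EAZ_LEN)
        len = EAZ_LEN;
    memset(cfg.eaz, 'A', len);
    return cfg;
}

int main(void)
{
    struct net_local lp = { "", 0x5a5a5a5a };
    struct user_cfg cfg = make_cfg(200);    /* longer than msn: the bug's trigger */

    (void)setcfg_unbounded;                 /* referenced only, never run */
    printf("reject:   %d\n", setcfg_reject(&lp, &cfg));
    printf("truncate: %d msn=\"%s\" guard=%#x\n",
           setcfg_truncate(&lp, &cfg), lp.msn, (unsigned)lp.guard);
    return 0;
}
```

Rejecting over-long input (setcfg_reject) is the stricter policy, since silently truncating an MSN changes which number the interface answers on without telling the caller; whichever policy is chosen, the length scan must be bounded by the source buffer's size, because a structure copied in from user space is not guaranteed to be NUL-terminated anywhere.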
Comment 11 Eugene Teo (Security Response) 2008-07-23 01:22:09 EDT
Created attachment 312419
Proposed backported patch for RHEL-3.9
Comment 12 Eugene Teo (Security Response) 2008-07-23 01:46:18 EDT
Created attachment 312420
Proposed backported patch for RHEL-2.1
