Bug 423111 - (CVE-2005-0504) CVE-2005-0504 Buffer overflow in moxa driver
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
http://groups.google.com/group/linux....
impact=important,public=20070430,repo...
Keywords: Security
Depends On: 423131 423141
Reported: 2007-12-13 05:46 EST by Jan Lieskovsky
Modified: 2010-12-21 12:11 EST
Doc Type: Bug Fix
Last Closed: 2010-12-21 12:11:47 EST

Attachments
RH patch (1.46 KB, text/x-patch)
2008-06-06 09:50 EDT, Jan Lieskovsky

Description Jan Lieskovsky 2007-12-13 05:46:08 EST
Description of problem:

Dann Frazier has reported this issue to the lkml:

"Hey, I noticed that the moxa input checking security bug described by
CVE-2005-0504 appears to remain unfixed upstream.

The issue is described here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504

Debian has been shipping the following patch from Andres Salomon. I
tried contacting the listed maintainer a few months ago but received
no response."

Version-Release number of selected component (if applicable):
Comment 1 Jan Lieskovsky 2007-12-13 05:49:59 EST
Alan Cox said to the above issue: 

"        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                if (!capable(CAP_SYS_RAWIO))
                        return -EPERM;
                break;

At the point you abuse these calls you can already just load arbitrary
data from userspace anyway." 

-> This means that once we have the "if (!capable(CAP_SYS_RAWIO))" check
in the kernel code, we are sane. The problem is that this permission check
is missing from the RHEL4 kernel code.

In RHEL-4 the code looks like the following:
 
         case MOXA_LOAD_BIOS:
         case MOXA_FIND_BOARD:
         case MOXA_LOAD_C320B:
         case MOXA_LOAD_CODE:
                 break;
         }

-> so we are still vulnerable to the original issue reported by Dann Frazier
in RHEL-4. 
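
A source-audit sketch for the point made in the comment above, added here as an example and not part of the bug report or the Red Hat patch: for each of the four commands it reports whether the case arm begins with the capable(CAP_SYS_RAWIO) check. The name audit_gate and the status strings are assumptions of this example; the two sample fragments are the ones quoted in the comment.

```python
import re

# The four ioctl commands the bug report says need CAP_SYS_RAWIO.
PRIVILEGED_CMDS = ("MOXA_LOAD_BIOS", "MOXA_FIND_BOARD",
                   "MOXA_LOAD_C320B", "MOXA_LOAD_CODE")

COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
LABELS = re.compile(r"(?:\s*case\s+\w+\s*:)*\s*")
GATE = re.compile(r"if\s*\(\s*!\s*capable\s*\(\s*CAP_SYS_RAWIO\s*\)\s*\)"
                  r"\s*return\s+-EPERM\s*;")

# Sample input: the two fragments quoted in Comment 1.
WITH_CHECK = """
        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                if (!capable(CAP_SYS_RAWIO))
                        return -EPERM;
                break;
"""
RHEL4 = """
        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                break;
        }
"""


def audit_gate(source):
    """Map each privileged command to 'gated', 'ungated' or 'absent'."""
    code = COMMENT.sub(" ", source)  # a commented-out check must not count
    result = {}
    for cmd in PRIVILEGED_CMDS:
        label = re.search(r"\bcase\s+" + cmd + r"\s*:", code)
        if label is None:
            result[cmd] = "absent"
            continue
        tail = code[label.end():]
        # Skip fall-through labels sharing this arm; the gate must then be
        # the very first statement, before any other code can run.
        first_stmt = LABELS.match(tail).end()
        result[cmd] = "gated" if GATE.match(tail, first_stmt) else "ungated"
    return result


if __name__ == "__main__":
    for name, src in (("with check", WITH_CHECK), ("RHEL-4", RHEL4)):
        print(name, audit_gate(src))
```
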
Comment 5 Jan Lieskovsky 2008-06-06 09:50:24 EDT
Created attachment 308530
RH patch
Comment 6 Vincent Danen 2010-12-21 12:11:47 EST
This was addressed via:

Red Hat Enterprise Linux version 2.1 (RHSA-2005:529)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2005:551)
Red Hat Enterprise Linux version 3 (RHSA-2005:663)
Red Hat Enterprise Linux version 4 (RHSA-2008:0237)
