A buffer overflow flaw was found in the Linux kernel's Auerswald PBX/System Telephone usb driver implementation. There's no upstream patch as the affected driver was removed from the kernel in 2.6.27. For more information, check out the references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4067 http://labs.mwrinfosecurity.com/files/Advisories/mwri_linux-usb-buffer-overflow_2009-10-29.pdf Acknowledgement: Red Hat would like to thank Rafael Dominguez Vega for reporting this issue.
Statement: This issue did not affect the Linux kernel as shipped with Red Hat Enterprise Linux 6 and Red Hat Enterprise MRG as the affected code has been removed. It was addressed in Red Hat Enterprise Linux 5 via https://rhn.redhat.com/errata/RHSA-2011-1386.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html
Created kernel tracking bugs for this issue Affects: fedora-all [bug 748675]
(In reply to comment #8) > This issue has been addressed in following products: > > Red Hat Enterprise Linux 5 > > Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html Can you please attach the content of the patch here or point to me the commit which contains this fix? Thanks.
(In reply to comment #10) > (In reply to comment #8) > > This issue has been addressed in following products: > > > > Red Hat Enterprise Linux 5 > > > > Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html > > Can you please attach the content of the patch here or point to me the commit > which contains this fix? > > Thanks. This was not fixed upstream as it was removed in 2.6.27. This issue is Red Hat Enterprise Linux 5 specific. Thanks.
diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c index 1fef36e..9aeb632 100644 --- a/drivers/usb/misc/auerswald.c +++ b/drivers/usb/misc/auerswald.c @@ -1950,13 +1950,15 @@ static int auerswald_probe (struct usb_interface *intf, /* Try to get a suitable textual description of the device */ /* Device name:*/ - ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); + /* Save room for serial and subscriber prefixes */ + ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1-6-2); if (ret >= 0) { u += ret; /* Append Serial Number */ memcpy(&cp->dev_desc[u], ",Ser# ", 6); u += 6; - ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); + /* save room for subscriber prefix */ + ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1-2); if (ret >= 0) { u += ret; /* Append subscriber number */