Bug 783318 - (CVE-2012-0065) CVE-2012-0065 usbmuxd 1.0.7 receive_packet() Buffer Overflow Vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120112,reported=2...
Keywords: Security
Depends On: 783523
Blocks: 783319
Reported: 2012-01-19 18:40 EST by Kurt Seifried
Modified: 2012-10-04 14:55 EDT

Doc Type: Bug Fix
Last Closed: 2012-10-04 14:55:58 EDT
Description Kurt Seifried 2012-01-19 18:40:48 EST
From secunia:

rigan has reported a vulnerability in usbmuxd, which potentially can be
exploited by malicious people with physical access to compromise a
vulnerable system.

The vulnerability is caused due to a boundary error within the
"receive_packet()" function (libusbmuxd/libusbmuxd.c) when processing a
property list containing an overly long "SerialNumber" field, which can
be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow the execution of arbitrary code, but
requires that the attacker is able to connect a malicious USB device.

https://secunia.com/advisories/47545/
https://bugs.gentoo.org/show_bug.cgi?id=399409

source code commit:
http://git.marcansoft.com/?p=usbmuxd.git;a=commitdiff;h=f794991993af56a74795891b4ff9da506bc893e6

This vulnerability requires physical access so a USB device can be plugged in, setting priority to low despite a CVSS2 score of 4.6.
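
The class of bug the advisory describes, shown as an added example that is not usbmuxd's code or the upstream patch: a device-supplied "SerialNumber" string copied into a fixed-size field, first without a bound and then with one. The struct, the 256-byte field size and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout: a fixed-size serial field inside the device record. */
#define SERIAL_MAX 256

struct device_record {
    unsigned int device_id;
    char serial_number[SERIAL_MAX];
};

/* Unsafe pattern, for comparison only: the copy length is taken from the
 * device-supplied string, so a long value writes past serial_number. */
void set_serial_unchecked(struct device_record *dev, const char *val)
{
    memcpy(dev->serial_number, val, strlen(val));
}

/* Hardened form: measure at most SERIAL_MAX bytes, reject values that do not
 * fit with their terminator, and leave the record untouched on rejection. */
int set_serial_checked(struct device_record *dev, const char *val)
{
    size_t len = 0;

    if (dev == NULL || val == NULL)
        return -1;
    while (len < SERIAL_MAX && val[len] != '\0')
        len++;
    if (len == SERIAL_MAX)
        return -1;              /* overly long SerialNumber: refuse it */
    memcpy(dev->serial_number, val, len);
    dev->serial_number[len] = '\0';
    return 0;
}

int main(void)
{
    struct device_record dev = {0};
    char oversized[1024];       /* constructed input, not a captured value */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short: %d\n", set_serial_checked(&dev, "0123456789abcdef"));
    printf("oversized: %d\n", set_serial_checked(&dev, oversized));
    return 0;
}
```

Rejecting the value rather than truncating it keeps two devices with long, similar serials from collapsing to the same stored identifier.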
Comment 1 Vincent Danen 2012-01-20 12:41:52 EST
The receive_packet() function was first introduced on May 25 2010 via:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=00c3c56e38f10d0f20145d5735b2fc0fd926555d

and:

http://cgit.sukimashita.com/usbmuxd.git/commit/?id=6cb505257ff848aa7ead80b60b575effc3a915fa

(the latter introduced plist-based support, which is the commit that introduced the flaw)

This code is not present in usbmuxd 1.0.2; it looks like it would have been first included (judging by release dates) in 1.0.5:

http://cgit.sukimashita.com/usbmuxd.git/tag/?id=v1.0.5

Statement:

Not vulnerable. This issue did not affect the versions of usbmuxd as shipped with Red Hat Enterprise Linux 6.
Comment 2 Vincent Danen 2012-01-20 12:43:20 EST
Created usbmuxd tracking bugs for this issue

Affects: fedora-all [bug 783523]
Comment 3 Peter Robinson 2012-02-02 08:19:35 EST
I plan to add this patch as shipped in Debian:
http://patch-tracker.debian.org/patch/series/view/usbmuxd/1.0.7-2/90-cve-2012-0065.patch
