Description of problem: Dann Frazier has reported this issue to the lkml: "Hey, I noticed that the moxa input checking security bug described by CVE-2005-0504 appears to remain unfixed upstream. The issue is described here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0504 Debian has been shipping the following patch from Andres Salomon. I tried contacting the listed maintainer a few months ago but received no response." Version-Release number of selected component (if applicable):
Alan Cox said to the above issue:
"
        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                if (!capable(CAP_SYS_RAWIO))
                        return -EPERM;
                break;

At the point you abuse these calls you can already just load arbitrary data from userspace anyway."
-> This means once we have the "if (!capable(CAP_SYS_RAWIO))" check in the kernel code, we are sane. The problem is that this permission check is missing from the RHEL-4 kernel code. In RHEL-4 the code looks like the following:
        case MOXA_LOAD_BIOS:
        case MOXA_FIND_BOARD:
        case MOXA_LOAD_C320B:
        case MOXA_LOAD_CODE:
                break;
        }
-> so we are still vulnerable to the original issue reported by Dann Frazier in RHEL-4.
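The two switch fragments quoted above differ only in the capable() check, which is the whole fix. The following is an added user-space model of that dispatch, written for this page and not taken from the moxa driver or from the attached patch: the MOXA_* command numbers, the CAPS_* bitmask standing in for the caller's credentials, and the model_capable()/model_load_firmware() helpers are all constructed stand-ins (CAP_SYS_RAWIO itself is bit 17, as in include/linux/capability.h). It puts the unfixed RHEL-4 shape beside the upstream shape so the behaviour for an unprivileged caller can be compared directly.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed command numbers: stand-ins for the driver's MOXA_* ioctls,
 * not the values from the real moxa.h. */
enum moxa_cmd {
    MOXA_GETDATACOUNT = 1,   /* harmless query, needs no privilege */
    MOXA_LOAD_BIOS    = 2,
    MOXA_FIND_BOARD   = 3,
    MOXA_LOAD_C320B   = 4,
    MOXA_LOAD_CODE    = 5
};

/* CAP_SYS_RAWIO is bit 17 in include/linux/capability.h. The caller's
 * effective capability set is modelled as a plain bitmask argument instead
 * of the kernel's current credentials. */
#define CAP_SYS_RAWIO 17
#define CAPS_NONE     ((uint64_t)0)
#define CAPS_RAWIO    ((uint64_t)1 << CAP_SYS_RAWIO)

/* Stand-in for the kernel's capable(): does this caller hold the capability? */
static int model_capable(uint64_t caps, int cap)
{
    return (int)((caps >> cap) & 1);
}

/* Stand-in for the work the real handler does once dispatch is past
 * (copying firmware from user space into the board). 0 means "loaded". */
static int model_load_firmware(enum moxa_cmd cmd)
{
    (void)cmd;
    return 0;
}

/* Shape of the RHEL-4 code quoted in this bug: the firmware-loading commands
 * fall through with no privilege check, so the load runs for any caller who
 * can open the device node. */
int moxa_ioctl_unfixed(uint64_t caps, unsigned int cmd)
{
    (void)caps;   /* never consulted: this is the bug */
    switch (cmd) {
    case MOXA_GETDATACOUNT:
        return 0;
    case MOXA_LOAD_BIOS:
    case MOXA_FIND_BOARD:
    case MOXA_LOAD_C320B:
    case MOXA_LOAD_CODE:
        break;
    default:
        return -ENOTTY;
    }
    return model_load_firmware((enum moxa_cmd)cmd);
}

/* Shape of the upstream code quoted by Alan Cox: loading code into the board
 * requires CAP_SYS_RAWIO; otherwise the ioctl fails with -EPERM before any
 * user-supplied data is touched. */
int moxa_ioctl_fixed(uint64_t caps, unsigned int cmd)
{
    switch (cmd) {
    case MOXA_GETDATACOUNT:
        return 0;
    case MOXA_LOAD_BIOS:
    case MOXA_FIND_BOARD:
    case MOXA_LOAD_C320B:
    case MOXA_LOAD_CODE:
        if (!model_capable(caps, CAP_SYS_RAWIO))
            return -EPERM;
        break;
    default:
        return -ENOTTY;
    }
    return model_load_firmware((enum moxa_cmd)cmd);
}

int main(void)
{
    printf("unfixed, unprivileged LOAD_CODE:  %d (0 = firmware loaded)\n",
           moxa_ioctl_unfixed(CAPS_NONE, MOXA_LOAD_CODE));
    printf("fixed,   unprivileged LOAD_CODE:  %d (-EPERM = %d)\n",
           moxa_ioctl_fixed(CAPS_NONE, MOXA_LOAD_CODE), -EPERM);
    printf("fixed,   CAP_SYS_RAWIO LOAD_CODE: %d\n",
           moxa_ioctl_fixed(CAPS_RAWIO, MOXA_LOAD_CODE));
    return 0;
}
```

The check sits before the break, not after the switch, so the unprivileged commands in the same handler (here MOXA_GETDATACOUNT) keep working; only the four commands that let user space push code into the board now demand CAP_SYS_RAWIO, which is the capability that already permits raw device access.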
Created attachment 308530: RH patch
This was addressed via:
Red Hat Enterprise Linux version 2.1 (RHSA-2005:529)
Red Hat Linux Advanced Workstation 2.1 (RHSA-2005:551)
Red Hat Enterprise Linux version 3 (RHSA-2005:663)
Red Hat Enterprise Linux version 4 (RHSA-2008:0237)