Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5690 to the following vulnerability: Buffer overflow in sethdlc.c in the Asterisk Zaptel 1.4.5.1 might allow local users to gain privileges via a long device name (interface name) in the ifr_name field.

References:
http://www.securityfocus.com/archive/1/archive/1/482597/100/0/threaded
http://www.eleytt.com/advisories/eleytt_ZAPTEL.pdf
http://www.securityfocus.com/bid/26160
http://xforce.iss.net/xforce/xfdb/37335
The problem is that strcpy is used to copy a user-supplied command line argument to a fixed-size buffer. The size of the input is not checked. This applies to both sethdlc and sethdlc-new. Obvious way to reproduce:

$ sethdlc `perl -e 'print "A"x1024;'`

However, this issue does not seem to have security impact in Fedora. Tools are not installed setuid/setgid. It may also be called from the ifup-hdlc script, but then arguments are taken from a root-controlled configuration file. So I do not see any trust boundary being crossed. Jeff, can you please comment? Are you aware of any way for these tools to be called with some untrusted input / arguments?
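The unchecked-copy pattern described in the comment above, shown beside a length-checked replacement. This is an added illustration, not Zaptel's own sethdlc code: the function names are hypothetical and the sample interface names are constructed. On Linux ifr_name is IFNAMSIZ (16) bytes, so the longest accepted name is 15 characters plus the terminating NUL.

```c
/* Added example (not from Zaptel): copying an interface name into
 * struct ifreq.ifr_name without and with a length check. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <net/if.h>          /* struct ifreq, IFNAMSIZ */

#ifndef IFNAMSIZ
#define IFNAMSIZ 16          /* fallback; Linux defines it as 16 */
#endif

/* The pattern the bug report describes: the name from argv is copied into
 * the fixed IFNAMSIZ-byte field with no bounds check, so a name longer
 * than IFNAMSIZ-1 bytes overruns ifr_name and the rest of the struct.
 * Kept here only as the "before" form; it is never called with long input. */
void set_ifname_unchecked(struct ifreq *ifr, const char *name)
{
    strcpy(ifr->ifr_name, name);      /* no length check: the defect */
}

/* Hardened replacement: reject any name that does not fit together with
 * its terminating NUL before touching the struct. Returns 0 on success,
 * -1 when the name is empty or too long. */
int set_ifname_checked(struct ifreq *ifr, const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ)
        return -1;                    /* would not fit in ifr_name */
    memset(ifr, 0, sizeof *ifr);
    memcpy(ifr->ifr_name, name, len + 1);
    return 0;
}

/* Helper for exercising the check: builds a constructed name of n 'A'
 * characters (capped to the local buffer) and returns the setter's result. */
int try_name_of_length(size_t n)
{
    char buf[2048];
    struct ifreq ifr;
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return set_ifname_checked(&ifr, buf);
}

/* Returns 1 when the checked setter accepts `name` and stores it intact. */
int roundtrip_ok(const char *name)
{
    struct ifreq ifr;
    if (set_ifname_checked(&ifr, name) != 0)
        return 0;
    return strcmp(ifr.ifr_name, name) == 0;
}

int main(int argc, char **argv)
{
    struct ifreq ifr;
    const char *arg = argc > 1 ? argv[1] : "hdlc0";   /* constructed default */
    if (set_ifname_checked(&ifr, arg) != 0) {
        fprintf(stderr, "interface name too long (max %d bytes)\n", IFNAMSIZ - 1);
        return 1;
    }
    printf("accepted interface name: %s\n", ifr.ifr_name);
    return 0;
}
```

Run with the 1024-byte argument from the reproduction above and the checked version exits with an error instead of overrunning the buffer; the same check belongs in front of any strcpy into a fixed-size kernel interface structure.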
I'm unaware of how this could be exploited by anyone that doesn't already have root access. However, Digium has a patch in SVN that should fix the problem, and I've built new Zaptel packages with the patch applied:

http://buildsys.fedoraproject.org/build-status/job.psp?uid=36880
https://admin.fedoraproject.org/updates/F7/pending/zaptel-1.4.6-1.fc7
https://admin.fedoraproject.org/updates/F8/pending/zaptel-1.4.6-1.fc8
http://koji.fedoraproject.org/koji/taskinfo?taskID=225106
Jeff, thanks for your feedback and for promptly building updated packages to address this bug, even though it has no security impact. Upstream Asterisk developers also do not consider this a security issue:

"This advisory is a response to a false security vulnerability published in several places on the Internet. Had Asterisk's developers been notified prior to its publication, there would be no need for this. There is a potential for a buffer overflow in the sethdlc application; however, running this application requires root access to the server, which means that exploiting this vulnerability gains the attacker no more advantage than what he already has. As such, this is a bug, not a security vulnerability."

Source: http://downloads.digium.com/pub/asa/AST-2007-024.html
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update zaptel'
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update zaptel'
zaptel-1.4.6-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
zaptel-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.