Bug 475446 - (CVE-2008-5396) CVE-2008-5396 zaptel: Array index error in multiple zaptel drivers
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
URL: http://bugs.digium.com/view.php?id=13954
Whiteboard: public=20081123,reported=20081203,sou...
Keywords: Security
Reported: 2008-12-09 04:31 EST by Jan Lieskovsky
Modified: 2009-01-20 13:44 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 13:44:56 EST


Description Jan Lieskovsky 2008-12-09 04:31:51 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5396 to
the following vulnerability:

Array index error in the (1) torisa.c and (2) dahdi/tor2.c drivers in
Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the
dialout group to overwrite an integer value in kernel memory by
writing to /dev/zap/ctl, related to missing validation of the sync
field associated with the ZT_SPANCONFIG ioctl.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5396
http://www.openwall.com/lists/oss-security/2008/12/03/10
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507459
http://bugs.digium.com/view.php?id=13954

Patches:
http://bugs.digium.com/file_download.php?file_id=20796&type=bug  (tor2)
http://bugs.digium.com/file_download.php?file_id=20797&type=bug  (torisa)
http://bugs.digium.com/file_download.php?file_id=20808&type=bug  (wcte11xp)
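
The CVE text above attributes the overwrite to missing validation of the sync field passed with the ZT_SPANCONFIG ioctl. As an added example (not code from zaptel/DAHDI or from this bug), the user-space C model below shows an unchecked index beside a bounds-checked one; the struct names, the `sync - 1` indexing and the `SPANS_PER_CARD` value are assumptions of the model.

```c
/* Added illustration: a user-space model, not zaptel/DAHDI source code.
 * SPANS_PER_CARD, span_config and card_state are hypothetical names. */
#include <errno.h>
#include <stdio.h>
#define SPANS_PER_CARD 4            /* assumed table size */

struct span_config {                /* stands in for the ioctl argument */
    int span;                       /* span being configured, 1-based */
    int sync;                       /* 0 = not a sync source, else priority 1..SPANS_PER_CARD */
};

struct card_state {
    int syncs[SPANS_PER_CARD];      /* span number per sync priority slot */
    int canary;                     /* stands in for the adjacent integer */
};

/* Unvalidated pattern, shown for comparison only: any sync outside
 * 0..SPANS_PER_CARD writes an int outside syncs[]. */
int spanconfig_unchecked(struct card_state *c, const struct span_config *lc)
{
    if (lc->sync)
        c->syncs[lc->sync - 1] = lc->span;
    return 0;
}

/* Validated form: reject bad input before touching any state. */
int spanconfig_checked(struct card_state *c, const struct span_config *lc)
{
    if (lc->span < 1 || lc->span > SPANS_PER_CARD)
        return -EINVAL;
    /* sync is signed, so test both ends; the largest valid value is
     * SPANS_PER_CARD itself because the index used is sync - 1. */
    if (lc->sync < 0 || lc->sync > SPANS_PER_CARD)
        return -EINVAL;
    if (lc->sync)
        c->syncs[lc->sync - 1] = lc->span;
    return 0;
}

int main(void)
{
    int probes[] = { -1, 0, 1, SPANS_PER_CARD, SPANS_PER_CARD + 1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct card_state c = { {0}, 0x5a };
        struct span_config lc = { 2, probes[i] };
        int rc = spanconfig_checked(&c, &lc);
        printf("sync=%d rc=%d canary=%#x\n", probes[i], rc, c.canary);
    }
    return 0;
}
```

The boundary values are the ones worth testing in any such check: an off-by-one on the upper bound or a missing test for negative values leaves the write reachable.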
Comment 1 Jan Lieskovsky 2008-12-09 04:34:24 EST
This issue affects all versions of the zaptel package, as shipped
with Fedora releases of 8, 9 and 10.

This issue affects the version of the zaptel package, as shipped
with the Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project.

Please update the packages.
Comment 4 Jan Lieskovsky 2008-12-19 06:20:07 EST
There looks to be an array index overflow problem in the upstream tor2 patch.
Have brought this issue forward upstream in:

http://bugs.digium.com/view.php?id=13954#96700
Comment 5 Eugene Teo (Security Response) 2008-12-19 08:23:13 EST
(In reply to comment #4)
> There looks to be an array index overflow problem in the upstream tor2 patch.
> Have brought this issue forward upstream in:
> 
> http://bugs.digium.com/view.php?id=13954#96700

The issue has been addressed in upstream:
http://svn.digium.com/view/dahdi?view=rev&revision=5590
Comment 6 Tomas Hoger 2009-01-20 13:27:59 EST
I'm a bit confused here.  Affected files are indeed part of the zaptel SRPM, but according to the build logs, they are not built or shipped in any of the (binary) RPMS.  The code does not seem to be part of the upstream kernel, and Fedora no longer permits shipping kernel module packages.  Can anyone clarify this?  This looks like notabug for Fedora.
Comment 7 Jeffrey C. Ollie 2009-01-20 13:37:59 EST
Yes, Fedora only ships the userspace libraries.  The zaptel/dahdi modules are not in the upstream kernel and Fedora prohibits kernel modules shipped outside of the kernel RPM.

I'd agree this is notabug.
Comment 8 Tomas Hoger 2009-01-20 13:44:56 EST
Jeffrey, thanks for the quick confirmation!  Closing.
