Eugene Teo discovered that the latest upstream patch http://bugs.digium.com/file_download.php?file_id=20796&type=bug for the zaptel tor2 driver and for CVE-2008-5396 was incomplete:

+ if ((lc->sync < 0) || (lc->sync >= MAX_TOR_CARDS)) {
+ printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+ THIS_MODULE->name, span->spanno, lc->sync);
+ return -EINVAL;
+ }

We added a check, so lc->sync could only be in the range 0-63. But later in the code, the tor2 driver contains this part:

	/* if a sync src, put it in the proper place */
	if (lc->sync) {
		p->tor->syncs[lc->sync - 1] = span->spanno;
		p->tor->psyncs[lc->sync - 1] = p->span + 1;
	}

But p->tor->syncs/psyncs is defined as an array that can contain only four items:

	struct tor2 {
		/* This structure exists one per card */
		struct pci_dev *pci;		/* Pointer to PCI device */
		int num;			/* Which card we are */
		int syncsrc;			/* active sync source */
		int syncs[SPANS_PER_CARD];	/* sync sources */
		int psyncs[SPANS_PER_CARD];	/* span-relative sync sources */

where 'SPANS_PER_CARD' is defined as:

	zaptel-1.4.9/kernel/tor2.c:#define SPANS_PER_CARD 4

so if lc->sync were higher than 5, the (lc->sync - 1) index of this array would overflow.

References:
http://bugs.digium.com/view.php?id=13954#96700
http://bugs.digium.com/view.php?id=13954
http://www.openwall.com/lists/oss-security/2008/12/19/2

Upstream patch:
http://svn.digium.com/view/dahdi?view=rev&revision=5590
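Review bot: the upper bound in the hunk is wrong. `lc->sync >= MAX_TOR_CARDS` still admits values 5..63, but `lc->sync - 1` is later used to index `syncs[SPANS_PER_CARD]` and `psyncs[SPANS_PER_CARD]`, arrays of four entries, so any accepted `lc->sync` above 4 writes past the end (lc->sync == 5 already lands on index 4). The limit should be derived from the array that is actually indexed, e.g. `if ((lc->sync < 0) || (lc->sync > SPANS_PER_CARD))`, which keeps 0 for "not a sync source" and 1..SPANS_PER_CARD for the valid indexes. The `lc->sync < 0` half of the condition, which is the CVE-2008-5396 part, is fine as written.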
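To make the mismatch between the check and the array concrete, here is a small stand-alone userspace model of the tor2 sync-source assignment. This is an added example, not code from the bug report, zaptel or DAHDI: it reproduces the incomplete check and the `syncs[] / psyncs[]` layout quoted above as predicates, counts how many accepted `lc->sync` values would still index past the end of the arrays, and shows a bounds check derived from `SPANS_PER_CARD` instead. The value 64 for `MAX_TOR_CARDS` is assumed from the report's statement that the check allows 0-63; `tor2_set_sync` and `try_set_sync` are illustrative names, and the corrected condition is the obvious one implied by the array size, not a claim about what the upstream revision 5590 patch contains.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SPANS_PER_CARD 4   /* from zaptel-1.4.9/kernel/tor2.c */
#define MAX_TOR_CARDS  64  /* assumed: the report says the check permits 0-63 */

/* Reduced model of struct tor2: only the fields indexed by lc->sync - 1. */
struct tor2 {
    int syncsrc;
    int syncs[SPANS_PER_CARD];   /* sync sources */
    int psyncs[SPANS_PER_CARD];  /* span-relative sync sources */
};

/* The incomplete upstream check, as a predicate: accepts 0..MAX_TOR_CARDS-1. */
static int incomplete_check_accepts(int sync)
{
    return !(sync < 0 || sync >= MAX_TOR_CARDS);
}

/* Bound taken from the array actually indexed: 0 means "not a sync source",
 * 1..SPANS_PER_CARD index syncs[0..SPANS_PER_CARD-1]. */
static int corrected_check_accepts(int sync)
{
    return !(sync < 0 || sync > SPANS_PER_CARD);
}

/* Does writing syncs[sync - 1] stay inside the array? */
static int index_in_bounds(int sync)
{
    return sync >= 1 && sync <= SPANS_PER_CARD;
}

/* Count non-zero sync values a check accepts that would still write out of bounds. */
static int count_oob_accepted(int (*accepts)(int))
{
    int n = 0;
    for (int sync = -1; sync <= MAX_TOR_CARDS; sync++)
        if (accepts(sync) && sync != 0 && !index_in_bounds(sync))
            n++;
    return n;
}

/* Hardened version of the driver's sync-source assignment (illustrative name). */
static int tor2_set_sync(struct tor2 *tor, int span_index, int spanno, int sync)
{
    if (sync < 0 || sync > SPANS_PER_CARD)
        return -EINVAL;            /* reject before any array access */
    if (sync) {
        tor->syncs[sync - 1] = spanno;
        tor->psyncs[sync - 1] = span_index + 1;
    }
    return 0;
}

/* Convenience wrapper: apply tor2_set_sync to a fresh card and return its result. */
static int try_set_sync(int sync)
{
    struct tor2 tor;
    memset(&tor, 0, sizeof(tor));
    return tor2_set_sync(&tor, 0, 1, sync);
}

int main(void)
{
    printf("incomplete check: %d accepted values write past syncs[]\n",
           count_oob_accepted(incomplete_check_accepts));
    printf("corrected check:  %d accepted values write past syncs[]\n",
           count_oob_accepted(corrected_check_accepts));
    printf("try_set_sync(5) -> %d (0 = ok, %d = -EINVAL)\n", try_set_sync(5), -EINVAL);
    return 0;
}
```

Run stand-alone it reports 59 out-of-bounds values (5 through 63) slipping past the `MAX_TOR_CARDS` check and none past the `SPANS_PER_CARD` one; the general lesson is that a range check guarding an array index must be expressed in terms of that array's size, not some other constant that happens to be nearby.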
This issue affects all versions of the zaptel package, as shipped with Fedora releases 8, 9 and 10. This issue affects the version of the zaptel package, as shipped with the Fedora Extra Packages for Enterprise Linux 5 (EPEL 5) project. Please update the packages.
The original issue - CVE-2008-5396 - does not seem to have been addressed in Fedora in any way. If the corrected patch is used (assuming it's needed at all, see bug #475446#c6), there's no need to care about this CVE too much.
Kernel drivers not shipped in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=475446#c6 Closing.