From: Anton Arapov <aarapov@redhat.com>
Subject: [RHEL5.1 PATCH] BZ232260: CVE-2007-1217 Overflow in CAPI subsystem
Date: Thu, 28 Jun 2007 11:15:59 +0200
Bugzilla: 231072
Message-Id: <h87ipophgw.fsf@pepelac.englab.brq.redhat.com>
Changelog: [misc] Overflow in CAPI subsystem

BZ232260:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232260

Description:
The bufprint routine used by capi_cmsg2str does an unbounded vsprintf into an 8192 byte buffer, perhaps hoping it's big enough. If the content of that vsprintf can be controlled by remote peers, this may lead to a remote security hole for daemons using CAPI (pppd-capi-plugin, asterisk-chan-capi, capi4hylafax, ...). Or a DoS. If the content of that vsprintf can be controlled by local users making use of a system service (such as sending a fax, making a phone call, ...) that uses CAPI, this is a privilege escalation or remote authenticated user security hole, or a DoS.

Upstream status:
The patch by Don Howard: The upstream 2.6 patch has been nacked as it breaks kabi. The following patch changes bufprint() to do bounds checking when printing to its buffer.

Test status:
Tested only for compilation on all supported platforms. Not really tested/no isdn hardware.

-------------------------------------------------------
diff -urpN linux-2.6.18.noarch.orig/drivers/isdn/capi/capiutil.c linux-2.6.18.noarch/drivers/isdn/capi/capiutil.c --- linux-2.6.18.noarch.orig/drivers/isdn/capi/capiutil.c 2007-06-28 09:27:24.000000000 +0200 +++ linux-2.6.18.noarch/drivers/isdn/capi/capiutil.c 2007-06-28 09:28:38.000000000 +0200 @@ -712,8 +712,12 @@ static char *p = NULL; static void bufprint(char *fmt,...) { va_list f; + size_t remain = (p >= buf && p < buf+sizeof(buf)) ? buf+sizeof(buf)-p : 0; + va_start(f, fmt); - vsprintf(p, fmt, f); + vsnprintf(p, remain, fmt, f); va_end(f); p += strlen(p); }

--
Anton Arapov, <aarapov@redhat.com>
Kernel Development, Red Hat
GPG Key ID: 0x6FA8C812
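Review bot: the out-of-range guard in this hunk sets `remain` to 0 but then still falls through to `p += strlen(p)`, so when `p` lies outside `buf` (including the `NULL` initializer shown in the context line `static char *p = NULL;`) `vsnprintf` is correctly a no-op yet `strlen(p)` still dereferences the bad pointer. Consider returning early instead of computing a zero length, e.g. `if (p < buf || p >= buf + sizeof(buf)) return;` placed before `va_start`, which keeps `va_start`/`va_end` balanced and makes the skipped-write case explicit. Two smaller points: `sizeof(buf)` only does the right thing if `buf` is the static array itself rather than a pointer to it, and that declaration is outside the visible context, so a short comment on `remain` noting the dependency would help the next reader; and truncation is now silent (the cursor parks at `buf + sizeof(buf) - 1` and later calls append nothing), which is reasonable for a debug-string builder but worth a sentence in the changelog since callers of capi_cmsg2str will see cut-off text rather than a crash.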
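A self-contained illustration of the bounded-cursor pattern this patch introduces, added here as an example and not taken from the kernel's capiutil.c or from the submitted patch: the names buf, p and bufprint mirror the hunk, while BUFSZ (64 rather than the kernel's 8192), bufreset, bufused, bufcontents and demo_fill are constructed for the demonstration. It also returns early on an out-of-range cursor, which the hunk itself does not do, and shows that repeated appends saturate at the last byte of the buffer instead of running past it.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not the kernel's code: a bounded append-printf cursor
 * in the style of the patched bufprint(). BUFSZ is deliberately small so the
 * truncation path is easy to exercise; the kernel buffer is 8192 bytes.
 */
#define BUFSZ 64
static char buf[BUFSZ];
static char *p = NULL;          /* write cursor, as in the patch context */

/* Hypothetical helper: start a fresh message. */
static void bufreset(void)
{
    buf[0] = '\0';
    p = buf;
}

/*
 * Bounded append. Difference from the hunk: an out-of-range cursor
 * (including the NULL initializer) returns early instead of falling
 * through to strlen(p); remain is computed only once p is known to
 * lie inside buf.
 */
static void bufprint(const char *fmt, ...)
{
    va_list f;
    size_t remain;

    if (p == NULL || p < buf || p >= buf + sizeof(buf))
        return;
    remain = (size_t)(buf + sizeof(buf) - p);

    va_start(f, fmt);
    vsnprintf(p, remain, fmt, f);   /* at most remain-1 chars, always NUL-terminated */
    va_end(f);
    p += strlen(p);                 /* cursor never passes buf + BUFSZ - 1 */
}

/* Hypothetical helpers for inspecting the result. */
static size_t bufused(void) { return (size_t)(p - buf); }
static const char *bufcontents(void) { return buf; }

/*
 * Append nfields records of 18 characters each ("fieldN=0xXXXXXXXX ")
 * and return the cursor offset. Once the buffer is full the offset
 * saturates at BUFSZ-1; it never exceeds it.
 */
static size_t demo_fill(int nfields)
{
    int i;
    bufreset();
    for (i = 0; i < nfields; i++)
        bufprint("field%d=0x%08x ", i, 0xdeadbeefu ^ (unsigned)i);
    return bufused();
}

int main(void)
{
    size_t n = demo_fill(10);   /* 180 characters requested, 63 kept */
    printf("%zu bytes used: %s\n", n, bufcontents());
    return 0;
}
```

With ten 18-character records requested into a 64-byte buffer, the fourth record is cut after "field3=0x", the cursor parks at offset 63, and records five through ten append nothing; the same accounting is what keeps the patched kernel routine inside its 8192-byte buffer.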