198991 – Linux <= 2.6.23 clocksources buffer overflow (CVE-2007-5908)

Bug 198991 - Linux <= 2.6.23 clocksources buffer overflow (CVE-2007-5908)

Summary: Linux <= 2.6.23 clocksources buffer overflow (CVE-2007-5908)

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Kernel (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://marc.info/?l=linux-kernel&m=11...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2007-11-12 23:32 UTC by Robert Buchholz (RETIRED)
Modified:	2007-12-01 23:16 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2007-11-12 23:32:01 UTC

CVE-2007-5908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5908):
  Buffer overflow in the (1) sysfs_show_available_clocksources and (2)
  sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier
  might allow local users to cause a denial of service or execute arbitrary
  code via crafted clock source names.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-12-01 23:16:01 UTC

** REJECT ** Buffer overflow in the (1) sysfs_show_available_clocksources and (2) sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier might allow local users to cause a denial of service or execute arbitrary code via crafted clock source names. NOTE: follow-on analysis by Linux developers states that "There is no way for unprivileged users (or really even the root user) to add new clocksources."