Bug 198991

Summary:	Linux <= 2.6.23 clocksources buffer overflow (CVE-2007-5908)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Kernel	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	bernd, kernel
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://marc.info/?l=linux-kernel&m=119451922608530&w=2
Whiteboard:
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2007-11-12 23:32:01 UTC

CVE-2007-5908 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5908):
  Buffer overflow in the (1) sysfs_show_available_clocksources and (2)
  sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier
  might allow local users to cause a denial of service or execute arbitrary
  code via crafted clock source names.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-12-01 23:16:01 UTC

** REJECT ** Buffer overflow in the (1) sysfs_show_available_clocksources and (2) sysfs_show_current_clocksources functions in Linux kernel 2.6.23 and earlier might allow local users to cause a denial of service or execute arbitrary code via crafted clock source names. NOTE: follow-on analysis by Linux developers states that "There is no way for unprivileged users (or really even the root user) to add new clocksources."