Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 251324

Summary: <net-misc/zaptel-1.2.27-r1 /dev/zap/ctl Memory overwrite (CVE-2008-{5396,5744})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: chainsaw, kfm, rajiv, voip+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.digium.com/view.php?id=13954
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:04:54 UTC 
CVE-2008-5396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5396):
  Array index error in the (1) torisa.c and (2) dahdi/tor2.c drivers in
  Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the
  dialout group to overwrite an integer value in kernel memory by
  writing to /dev/zap/ctl, related to missing validation of the sync
  field associated with the ZT_SPANCONFIG ioctl.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:31:57 UTC 
According to the upstream but, this also affects 1.2. Patch is upstream.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:54:20 UTC 
(In reply to comment #1)
> According to the upstream but, this also affects 1.2. Patch is upstream.
                           ^^^^^ bug, obviously
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:58:15 UTC 
The upstream patch is incomplete, please see:
http://www.openwall.com/lists/oss-security/2008/12/19/2

This is CVE-2008-5744 (which does not affect us if we do not bump using the patch).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:59:17 UTC 
CVE-2008-5744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5744):
  Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI)
  1.4.11 and earlier allows local users in the dialout group to
  overwrite an integer value in kernel memory by writing to
  /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396
  that uses the wrong variable in a range check against the value of
  lc->sync.
Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-07-27 01:04:14 UTC 
net-misc/zaptel-1.2.27-r1 in cvs.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 09:47:14 UTC 
I have confirmed the patch is indeed the fixed one. Apparently the incomplete patch never made it into the SVN.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 09:47:35 UTC 
Arches, please test and mark stable:
=net-misc/zaptel-1.2.27-r1
Target keywords : "amd64 ppc x86"
Comment 8 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-07-27 12:21:19 UTC 
rbu: the incomplete patch affected only dahdi and not zaptel 1.2*.
Comment 9 Markus Meier gentoo-dev 2009-07-27 22:05:17 UTC 
amd64/x86 stable
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 07:53:43 UTC 
This fails to compile on ppc due to the kernel module eclass incorrectly determining the architecture (it detects ppc instead of powerpc).
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 22:24:18 UTC 
Seems like it works with my current kernel. Marked ppc stable.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:31:50 UTC 
GLSA Request filed.
Comment 13 kfm 2011-03-27 14:38:29 UTC 
At this point, zaptel is no longer in the portage tree - nor is any version of asterisk that supports it.
Comment 14 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2011-05-22 20:19:03 UTC 
security team: please close this bug as 'invalid'. zaptel is no longer in the tree.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:39:07 UTC 
(In reply to comment #14)
> security team: please close this bug as 'invalid'. zaptel is no longer in the
> tree.

Hi, Rajiv. We need to publish a GLSA before we can close this bug. Feel free to email me or the team if you have questions on the policy. Thanks.
Comment 16 Sergey Popov (RETIRED) gentoo-dev 2014-02-28 09:53:00 UTC 
Removed from tree long time ago