Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 551566

Summary: Kernel: multiple vulnerabilities in ozwpan driver, including RCE, DoS (CVE-2015-{4001,4002,4003,4004})
Product: Gentoo Security Reporter: Sam James <sam>
Component: KernelAssignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED FIXED    
Severity: normal CC: kernel
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4001
Whiteboard:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-09 14:23:46 UTC 
From URLs:
----
-4001: Integer signedness error in the oz_hcd_get_desc_cnf function in drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted packet.
-4002: drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 does not ensure that certain length values are sufficiently large, which allows remote attackers to cause a denial of service (system crash or large loop) or possibly execute arbitrary code via a crafted packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data functions.
-4003: The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via a crafted packet.
-4004: The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.
----
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4001
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4002
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4003
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4004

Affects:
<= 4.0.5 (for all CVEs)

Reproducible: Always
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 12:29:09 UTC 
CVE-2015-4004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4004):
  The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted
  length field during packet parsing, which allows remote attackers to obtain
  sensitive information from kernel memory or cause a denial of service
  (out-of-bounds read and system crash) via a crafted packet.

CVE-2015-4003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4003):
  The oz_usb_handle_ep_data function in drivers/staging/ozwpan/ozusbsvc1.c in
  the OZWPAN driver in the Linux kernel through 4.0.5 allows remote attackers
  to cause a denial of service (divide-by-zero error and system crash) via a
  crafted packet.

CVE-2015-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4002):
  drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux kernel
  through 4.0.5 does not ensure that certain length values are sufficiently
  large, which allows remote attackers to cause a denial of service (system
  crash or large loop) or possibly execute arbitrary code via a crafted
  packet, related to the (1) oz_usb_rx and (2) oz_usb_handle_ep_data
  functions.

CVE-2015-4001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4001):
  Integer signedness error in the oz_hcd_get_desc_cnf function in
  drivers/staging/ozwpan/ozhcd.c in the OZWPAN driver in the Linux kernel
  through 4.0.5 allows remote attackers to cause a denial of service (system
  crash) or possibly execute arbitrary code via a crafted packet.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 22:33:09 UTC 
Fixed in 4.1.