Bug 68436

Summary: net-dialup/speedtouch: privilege escalation vulnerability
Product: Gentoo Security
Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-dialup
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://speedtouch.sourceforge.net/index.php?/news.en.html
Whiteboard: C1 [glsa] lewk
Package list:
Runtime testing required: ---

Description Luke Macken (RETIRED) gentoo-dev 2004-10-21 12:36:11 UTC
TITLE:
Speedtouch USB Driver Privilege Escalation Vulnerability

SECUNIA ADVISORY ID:
SA12916

VERIFY ADVISORY:
http://secunia.com/advisories/12916/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
Speedtouch USB driver 1.x
http://secunia.com/product/4124/

DESCRIPTION:
A vulnerability has been reported in Speedtouch USB Driver, which
potentially can be exploited by malicious, local users to gain
escalated privileges.

The vulnerability is caused due to unspecified format string
errors in "modem_run", "pppoa2", and "pppoa3".

Successful exploitation may potentially allow execution of arbitrary
code with escalated privileges.

SOLUTION:
Update to version 1.3.1.
http://sourceforge.net/project/showfiles.php?group_id=32758&package_id=28264&release_id=271734

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Max Vozeler.

ORIGINAL ADVISORY:
http://speedtouch.sourceforge.net/index.php?/news.en.html

- - -

See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0834
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-10-21 12:38:17 UTC
net-dialup,

please bump speedtouch to 1.3.1, thanks.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-27 08:53:39 UTC
We should have had this GLSA out yesterday at the latest.

net-dialup, please bump package.
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-10-27 09:31:15 UTC
committed 1.3.1 as x86
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 12:26:19 UTC
amd64, hppa, alpha : please test and mark net-dialup/speedtouch-1.3.1 stable
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-28 02:42:30 UTC
Alpha stable.
Comment 6 SpanKY gentoo-dev 2004-10-31 01:24:35 UTC
hppa stable
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2004-11-02 02:45:05 UTC
stable now on amd64
I couldn't really test it as I don't have an ADSL modem, but it seems to work. Sorry for the big delay.
Comment 8 Luke Macken (RETIRED) gentoo-dev 2004-11-02 06:22:06 UTC
GLSA 200411-04