Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 170870 - net-dialup/{isdn4k-utils|capi4k-utils}: CAPI overflow (CVE-2007-1217)
Summary: net-dialup/{isdn4k-utils|capi4k-utils}: CAPI overflow (CVE-2007-1217)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa] Falco
: 170867 (view as bug list)
Depends on:
Reported: 2007-03-14 13:16 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-03-07 18:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-14 13:16:09 UTC
+++ This bug was initially created as a clone of Bug #170867 +++

I don't think this is widely used, filing for completeness.

Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 13:29:33 UTC
CCing maintainer
Comment 2 Stefan Briesenick (RETIRED) gentoo-dev 2007-03-14 15:25:48 UTC
any capi stuff from isdn4k-utils isn't used at all.
we have capi4k-utils for that.

so is this bug within capi4k-utils or isdn4k-utils?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-14 15:35:19 UTC
The vulnerable function is char *capi_cmsg2str(_cmsg * cmsg) in convert.c. This also seems to be present in capi4k-utils.


Comment 4 Stefan Briesenick (RETIRED) gentoo-dev 2007-03-15 00:01:43 UTC
ahh, k.

I will provide a patch asap.
Comment 5 Stefan Briesenick (RETIRED) gentoo-dev 2007-03-15 00:38:00 UTC
capi4k-utils-20050718-r3 in CVS.

should be stabilized now. ;-)
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-15 18:23:44 UTC

Arches please test and mark stable. Target keywords are:

capi4k-utils-20050718-r3.ebuild="amd64 ppc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-18 13:17:13 UTC
x86 stable
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2007-03-22 02:03:03 UTC
amd64 stable, also can you mirror the 37k patch please
Comment 9 Stefan Briesenick (RETIRED) gentoo-dev 2007-03-22 08:17:17 UTC
uh, yes. I will make a tarball for both patches after this beast is stable... 
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-23 15:31:03 UTC
Well, ppc is done, but I couldn't fully test it since I don't have ISDN.  That being said, it all looks to be fine.
Comment 11 Stefan Briesenick (RETIRED) gentoo-dev 2007-03-23 22:33:09 UTC
great. Then I will cleanup that package asap (removing old versions, place patches into tarball, etc.).
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-04-24 20:02:54 UTC

Are you able to determine if this bug is remotely accessible, and if it could be used to gain root-level priveleges?  There's some information on the debian bug but no answers on either remote or if the exploit could lead to root-level access.
Comment 13 Stefan Briesenick (RETIRED) gentoo-dev 2007-04-25 07:52:21 UTC
well, I guess that this is *very* unlikely, even if it would technically possible somehow. You have to send malicious ISDN-Messages through PSTN *and* your Software has to use capi_cmsg2str. And I guess, most of that dirty stuff is filtered from your telco. Furthermore, ISDN/CAPI-Software is most likely not run as root.

I now use ISDN for 12 years here in Germany (though nowadays rarely used for data but for voice) and I've never seen or heard of a remote root-exploit via ISDN on the protocol level. But that doesn't mean, that this isn't possible somehow. I'm not an expert on the ISDN protocol layer...
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-27 21:50:08 UTC
GLSA 200704-23, thanks everybody, sorry for the delay.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 18:40:16 UTC
*** Bug 170867 has been marked as a duplicate of this bug. ***