+++ This bug was initially created as a clone of Bug #170867 +++
I don't think this is widely used, filing for completeness.
Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.
Any capi stuff from isdn4k-utils isn't used at all.
we have capi4k-utils for that.
So is this bug within capi4k-utils or isdn4k-utils?
The vulnerable function is char *capi_cmsg2str(_cmsg * cmsg) in convert.c. This also seems to be present in capi4k-utils.
I will provide a patch asap.
capi4k-utils-20050718-r3 in CVS.
Should be stabilized now. ;-)
Arches please test and mark stable. Target keywords are:
capi4k-utils-20050718-r3.ebuild="amd64 ppc x86"
amd64 stable. Also, can you mirror the 37k patch please?
Uh, yes. I will make a tarball for both patches after this beast is stable...
Well, ppc is done, but I couldn't fully test it since I don't have ISDN. That being said, it all looks to be fine.
Great. Then I will clean up that package asap (removing old versions, placing patches into a tarball, etc.).
Are you able to determine if this bug is remotely accessible, and if it could be used to gain root-level privileges? There's some information on the Debian bug but no answers on either remote access or whether the exploit could lead to root-level access.
Well, I guess that this is *very* unlikely, even if it would technically be possible somehow. You have to send malicious ISDN messages through the PSTN *and* your software has to use capi_cmsg2str. And I guess most of that dirty stuff is filtered by your telco. Furthermore, ISDN/CAPI software is most likely not run as root.
I have been using ISDN for 12 years now here in Germany (though nowadays rarely for data, but for voice) and I've never seen or heard of a remote root exploit via ISDN on the protocol level. But that doesn't mean that this isn't possible somehow. I'm not an expert on the ISDN protocol layer...
GLSA 200704-23, thanks everybody, sorry for the delay.
*** Bug 170867 has been marked as a duplicate of this bug. ***