Bug 199845 - Kernel <=2.6.23 isdn_net_setcfg buffer overflow (CVE-2007-6063)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: [linux < 2.6.23.10][genpatches < 2.6....
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-20 23:37 UTC by Robert Buchholz (RETIRED)
Modified: 2013-09-12 04:57 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 23:37:51 UTC
From RedHat:

The Linux kernel is prone to a buffer overflow vulnerability. This
issue is due to a design error in the 'isdn_net_setcfg()' function.
There is a buffer overflow vulnerability in function isdn_net_setcfg().

At line 1413, in drivers/isdn/i4l/isdn_common.c, the 'cfg' is read from
user space, so the 'cfg' is user-controlled. At line 1415, function
isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg()
as an argument.

At line 2805 in drivers/isdn/i4l/isdn_net.c, function strcpy() is invoked. The
size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg'
is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun
the destination string lp->msn with the string cfg->eaz. When the length of string
'cfg->eaz' is greater than 32, a buffer overflow will occur.

This issue is public via:

http://bugzilla.kernel.org/show_bug.cgi?id=9416
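To make the size mismatch in the description concrete, the following is an added user-space model of that copy. It is example code written for this page, not kernel code and not anything attached to this bug: the struct and function names are simplified stand-ins for isdn_net_local, isdn_net_ioctl and isdn_net_setcfg(), and the only figures taken from the report are the 32-byte msn and 256-byte eaz. Instead of performing the overrunning strcpy(), it computes how many bytes past msn the copy would write, and places a bounded replacement beside it that rejects an eaz that does not fit. One caveat worth keeping in mind when reading the report: with the NUL terminator a 32-character eaz already needs 33 bytes, so the overrun begins at length 32, not only above it.

```c
/*
 * Added example (not kernel code): a user-space model of the unbounded
 * copy in isdn_net_setcfg() described above.  Names are simplified
 * stand-ins for the kernel's structures; sizes come from the report.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MSN_SIZE 32   /* size of lp->msn per the description  */
#define EAZ_SIZE 256  /* size of cfg->eaz per the description */

struct toy_net_local {      /* stand-in for isdn_net_local */
    char msn[MSN_SIZE];
    int  canary;            /* first thing an overrun of msn would clobber */
};

struct toy_net_ioctl {      /* stand-in for isdn_net_ioctl: user-controlled */
    char eaz[EAZ_SIZE];
};

/* Length of eaz, never reading beyond the 256-byte field. A user can also
 * omit the terminator entirely, in which case strcpy() would read past eaz. */
static size_t eaz_len(const char *eaz)
{
    size_t n = 0;
    while (n < EAZ_SIZE && eaz[n] != '\0')
        n++;
    return n;
}

/* Bytes that an unbounded strcpy(lp->msn, cfg->eaz) would write past msn
 * (0 when the string plus its NUL fits). Computed instead of performed. */
static size_t overflow_bytes(const struct toy_net_ioctl *cfg)
{
    size_t need = eaz_len(cfg->eaz) + 1;   /* characters + terminator */
    return need > MSN_SIZE ? need - MSN_SIZE : 0;
}

/* Mirrors the vulnerable path: unbounded strcpy() into the 32-byte msn.
 * Only called with short input here; a long eaz is undefined behaviour. */
static void setcfg_vulnerable(struct toy_net_local *lp, const struct toy_net_ioctl *cfg)
{
    strcpy(lp->msn, cfg->eaz);
}

/* Hardened form: refuse anything that does not fit, then copy with an
 * explicit bound. Returns 0 or -EINVAL, kernel style. */
static int setcfg_hardened(struct toy_net_local *lp, const struct toy_net_ioctl *cfg)
{
    size_t len = eaz_len(cfg->eaz);
    if (len >= MSN_SIZE)           /* 32 chars + NUL already needs 33 bytes */
        return -EINVAL;
    memcpy(lp->msn, cfg->eaz, len);
    lp->msn[len] = '\0';
    return 0;
}

/* Constructed input: an eaz made of `len` 'A' characters (hypothetical data). */
static struct toy_net_ioctl *sample_cfg(size_t len)
{
    static struct toy_net_ioctl cfg;
    if (len >= EAZ_SIZE)
        len = EAZ_SIZE - 1;
    memset(cfg.eaz, 'A', len);
    cfg.eaz[len] = '\0';
    return &cfg;
}

/* Runs the hardened copy on a constructed eaz and returns its rc; the
 * canary check documents that the bounded copy never leaves msn. */
static int hardened_rc(size_t len)
{
    struct toy_net_local lp;
    memset(&lp, 0, sizeof lp);
    lp.canary = 0x5a5a5a5a;
    int rc = setcfg_hardened(&lp, sample_cfg(len));
    if (lp.canary != 0x5a5a5a5a)
        return -1000;              /* cannot happen with the bounded copy */
    return rc;
}

/* The vulnerable path behaves correctly for short input, which is why the
 * bug survived: returns 1 when a 5-character eaz lands in msn intact. */
static int vulnerable_short_copy_ok(void)
{
    struct toy_net_local lp;
    memset(&lp, 0, sizeof lp);
    setcfg_vulnerable(&lp, sample_cfg(5));
    return strcmp(lp.msn, "AAAAA") == 0;
}

int main(void)
{
    size_t lens[] = { 31, 32, 255 };
    for (size_t i = 0; i < 3; i++)
        printf("eaz length %3zu: strcpy() overruns msn by %3zu bytes, hardened rc %d\n",
               lens[i], overflow_bytes(sample_cfg(lens[i])), hardened_rc(lens[i]));
    printf("short copy via vulnerable path ok: %d\n", vulnerable_short_copy_ok());
    return 0;
}
```

The hardened variant rejects the request rather than silently truncating; a truncating copy (the kernel's strlcpy-style approach) also closes the overflow but changes the stored MSN without telling the caller, which is the trade-off to weigh when choosing a fix.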
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-25 15:22:53 UTC
This is CVE-2007-6063.
Comment 3 svrmarty 2009-08-05 16:00:15 UTC
Latest update from 2007.

Please close.