Bug 251324 - <net-misc/zaptel-1.2.27-r1 /dev/zap/ctl Memory overwrite (CVE-2008-{5396,5744})
Summary: <net-misc/zaptel-1.2.27-r1 /dev/zap/ctl Memory overwrite (CVE-2008-{5396,5744})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://bugs.digium.com/view.php?id=13954
Whiteboard: B1 [noglsa]
Reported: 2008-12-17 16:04 UTC by Robert Buchholz (RETIRED)
Modified: 2014-02-28 09:53 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:04:54 UTC
CVE-2008-5396 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5396):
  Array index error in the (1) torisa.c and (2) dahdi/tor2.c drivers in
  Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the
  dialout group to overwrite an integer value in kernel memory by
  writing to /dev/zap/ctl, related to missing validation of the sync
  field associated with the ZT_SPANCONFIG ioctl.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:31:57 UTC
According to the upstream but, this also affects 1.2. Patch is upstream.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:54:20 UTC
(In reply to comment #1)
> According to the upstream but, this also affects 1.2. Patch is upstream.
                           ^^^^^ bug, obviously

Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:58:15 UTC
The upstream patch is incomplete, please see:
http://www.openwall.com/lists/oss-security/2008/12/19/2

This is CVE-2008-5744 (which does not affect us if we do not bump using the patch).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-27 18:59:17 UTC
CVE-2008-5744 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5744):
  Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI)
  1.4.11 and earlier allows local users in the dialout group to
  overwrite an integer value in kernel memory by writing to
  /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396
  that uses the wrong variable in a range check against the value of
  lc->sync.
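
The two range-check defects this bug describes, as an added C model that is not zaptel or DAHDI source: only lc->sync and ZT_SPANCONFIG come from the page, while the struct, table and function names and MAX_SPANS are assumptions. It contrasts no check (CVE-2008-5396), a check on the wrong variable (CVE-2008-5744) and a check on the variable actually used as the index.

```c
/* Constructed model of the ZT_SPANCONFIG sync-field checks discussed in
 * this bug. Only lc->sync and ZT_SPANCONFIG appear on the page; every other
 * name and MAX_SPANS are hypothetical, not zaptel/DAHDI code. */
#include <errno.h>

#define MAX_SPANS 4   /* hypothetical size of the per-card sync-source table */

struct lineconfig {
    int span;  /* which span is being configured */
    int sync;  /* requested sync source; used as an index into a table */
};

struct card {
    int syncsrc[MAX_SPANS];   /* the integer table a bad index would overwrite */
};

typedef int (*sync_check_fn)(const struct lineconfig *lc);

/* No validation at all: the original defect (CVE-2008-5396). */
static int check_sync_none(const struct lineconfig *lc) { (void)lc; return 0; }

/* Range-checks the wrong variable, as the incomplete patch did
 * (CVE-2008-5744): lc->span is validated, but lc->sync is the index. */
static int check_sync_wrong_variable(const struct lineconfig *lc)
{
    if (lc->span < 0 || lc->span >= MAX_SPANS) return -EINVAL;
    return 0;
}

/* Validates the variable that is actually used as the table index. */
static int check_sync_correct(const struct lineconfig *lc)
{
    if (lc->sync < 0 || lc->sync >= MAX_SPANS) return -EINVAL;
    return 0;
}

/* 1 if the checker accepts a config whose sync index lies outside the table,
 * i.e. the check would not stop the out-of-bounds kernel write. */
static int check_allows_oob(sync_check_fn check, const struct lineconfig *lc)
{
    int out_of_range = lc->sync < 0 || lc->sync >= MAX_SPANS;
    return check(lc) == 0 && out_of_range;
}

/* Shape of the ioctl handler: validate, then write to the table. Call it
 * only with check_sync_correct so the write stays in bounds. */
static int spanconfig(struct card *c, const struct lineconfig *lc, sync_check_fn check)
{
    int rc = check(lc);
    if (rc) return rc;
    c->syncsrc[lc->sync] = lc->span;
    return 0;
}
```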

Comment 5 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-07-27 01:04:14 UTC
net-misc/zaptel-1.2.27-r1 in cvs.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 09:47:14 UTC
I have confirmed the patch is indeed the fixed one. Apparently the incomplete patch never made it into the SVN.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-27 09:47:35 UTC
Arches, please test and mark stable:
=net-misc/zaptel-1.2.27-r1
Target keywords : "amd64 ppc x86"
Comment 8 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2009-07-27 12:21:19 UTC
rbu: the incomplete patch affected only dahdi and not zaptel 1.2*.
Comment 9 Markus Meier gentoo-dev 2009-07-27 22:05:17 UTC
amd64/x86 stable
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 07:53:43 UTC
This fails to compile on ppc due to the kernel module eclass incorrectly determining the architecture (it detects ppc instead of powerpc).
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 22:24:18 UTC
Seems like it works with my current kernel. Marked ppc stable.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:31:50 UTC
GLSA Request filed.
Comment 13 kfm 2011-03-27 14:38:29 UTC
At this point, zaptel is no longer in the portage tree - nor is any version of asterisk that supports it.
Comment 14 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2011-05-22 20:19:03 UTC
security team: please close this bug as 'invalid'. zaptel is no longer in the tree.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:39:07 UTC
(In reply to comment #14)
> security team: please close this bug as 'invalid'. zaptel is no longer in the
> tree.

Hi, Rajiv. We need to publish a GLSA before we can close this bug. Feel free to email me or the team if you have questions on the policy. Thanks.
Comment 16 Sergey Popov gentoo-dev 2014-02-28 09:53:00 UTC
Removed from the tree a long time ago.