Debian Bug report logs -
#408530
libcapi20-3: buffer overflow in "printbuf" called from capi_cmsg2str
Reported by: John Hughes <john@Calva.COM>
Date: Fri, 26 Jan 2007 14:48:02 UTC
Severity: grave
Tags: patch, security
Found in version isdnutils/1:3.9.20060704-2.2
Fixed in version isdnutils/1:3.9.20060704-3
Done: Paul Slootman <paul@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to John Hughes <john@Calva.COM>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libcapi20-3
Version: 1:3.9.20060704-2.2
Severity: important
the bufprint routine used by capi_cmsg2str does an unbounded vsprintf
into a 8192 byte buffer, perhaps hoping it's big enough.
It isn't.
Looks like someone needs some vsnprintf like training wheels.
(around line 898 in "convert.c")
#4 0xb7c9e811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7c9ffb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0xb6bbf21c in bufprint (fmt=0xb6bc061f " %02x") at convert.c:910
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at
convert.c:927
#8 0xb6bbf34c in protocol_message_2_pars (cmsg=0xb69d4234, level=1) at
convert.c:1003
#9 0xb6bbf722 in capi_cmsg2str (cmsg=0xb69d4234) at convert.c:1045
#10 0xb6be4d16 in capidev_loop (data=0x0) at chan_capi.c:4051
#11 0x080ed2c0 in dummy_start (data=0x81e6ee8) at utils.c:545
#12 0xb7f16240 in start_thread () from
/lib/tls/i686/cmov/libpthread.so.0
#13 0xb7d4132e in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) frame 7
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at
convert.c:927
927 bufprint(" %02x", *m);
(gdb) p p - buf
$1 = 8194
(gdb) p *cmsg
$2 = {ApplId = 1, Command = 2 '\002', Subcommand = 130 '\202',
Messagenumber = 5019, adr = {adrController = 257,
adrPLCI = 257, adrNCCI = 257}, AdditionalInfo = CAPI_COMPOSE,
B1configuration = 0x0, B1protocol = 0,
B2configuration = 0x0, B2protocol = 0, B3configuration = 0x0,
B3protocol = 0, BC = 0xb6b4eb5e "\003\200\220�",
BChannelinformation = 0xb6b4eb67 "", BProtocol = CAPI_COMPOSE,
CalledPartyNumber = 0xb6b4eb5a "",
CalledPartySubaddress = 0xb6b4eb5c "", CallingPartyNumber = 0xb6b4eb5b
"", CallingPartySubaddress = 0xb6b4eb5d "",
CIPmask = 0, CIPmask2 = 0, CIPValue = 16, Class = 0, ConnectedNumber =
0x0, ConnectedSubaddress = 0x0, Data32 = 0,
Data64 = 0, DataHandle = 0, DataLength = 0,
FacilityConfirmationParameter = 0x0,
Facilitydataarray = 0xb6b4eb6a "", FacilityIndicationParameter = 0x0,
FacilityRequestParameter = 0x0,
FacilityResponseParameters = 0x0, FacilitySelector = 0, Flags = 0,
Function = 0, Globalconfiguration = 0x0,
HLC = 0xb6b4eb63 "\002\221\201\004", Info = 0, InfoElement = 0x0,
InfoMask = 0, InfoNumber = 0,
Keypadfacility = 0xb6b4eb68 "", LLC = 0xb6b4eb62 "", ManuData = 0x0,
ManuID = 0, NCPI = 0x0, Reason = 0,
Reason_B3 = 0, Reject = 0, Useruserdata = 0xb6b4eb69 "",
SendingComplete = 0xb6b4eb6b '�' <repeats 127 times>,
Data = 0x0, l = 31, p = 14, par = 0xb6bc0bbc
"\003\024\016\020\017\021\v)#\004\f(0\0342\001\001",
m = 0xb6b4eb4c "\037", buf = '\0' <repeats 179 times>}
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-jh-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libcapi20-3 depends on:
ii libc6 2.3.6.ds1-10 GNU C Library: Shared libraries
libcapi20-3 recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #10 received at 408530@bugs.debian.org (full text, mbox, reply):
tags 408530 +security
severity 408530 grave
On Fri, Jan 26, 2007 at 04:34:32PM +0100, John Hughes wrote:
> Package: libcapi20-3
> Version: 1:3.9.20060704-2.2
> Severity: important
> the bufprint routine used by capi_cmsg2str does an unbounded
> vsprintf into a 8192 byte buffer, perhaps hoping it's big enough.
If the content of that vsprintf can be controlled by remote peers,
this may lead to a remote security hole for daemons using CAPI
(pppd-capi-plugin, asterisk-chan-capi, capi4hylafax, ...). Or a DoS.
If the content of that vsprintf can be controlled by local users
making use of a system service (such as sending a fax, making a phone
call, ...) that uses CAPI, this is a privilege escalation or remote
authenticated user security hole, or a DoS.
If someone determines this is not exploitable, feel free to remove
security tag and take severity down to important again.
--
Lionel
Tags added: security
Request was from Lionel Elie Mamane <lionel@mamane.lu>
to control@bugs.debian.org.
(full text, mbox, link).
Severity set to `grave' from `important'
Request was from Lionel Elie Mamane <lionel@mamane.lu>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #19 received at 408530@bugs.debian.org (full text, mbox, reply):
Hi all,
Please notice that the routines in question are also repeated in Linux
kernel in drivers/isdn/capi/capiutil.c [1] and in isdn4k-utils in
capi20/convert.c [2].
[1] http://chuck.netbsd.sk/source/xref/kernel-2.6.9/linux-2.6.9/drivers/isdn/capi/capiutil.c#838
[2] http://chuck.netbsd.sk/source/xref/isdn4k-utils-CVS-2003-09-23/capi20/convert.c#957
Regards,
--
Lubomir Kundrak (Red Hat Security Response Team)
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #24 received at 408530@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
clone 408530 -1 -2
reassign -1 asterisk-chan-capi
retitle -1 asterisk-chan-capi: Need a mutex for calls to capi_{cmsg,message}2str
reassign -2 linux-2.6
retitle -2 linux-2.6: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
block -1 with 408530
tags -2 upstream
forwarded -2 http://bugzilla.kernel.org/show_bug.cgi?id=8028
thanks
This function and capi_message2str are not thread-safe either; nor can
they be made so without the use of TSS for their buffers. chan_capi
will need to use a mutex to prevent collision between concurrent uses of
these functions. I don't know what can be done in the kernel. The
buffer overflow could conceivably be due to two concurrent calls to
these functions rather than a single message.
Ben.
--
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #33 received at 408530@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 408530 patch
thanks
Patch for isdnutils:
diff -u isdnutils-3.9.20060704/debian/rules isdnutils-3.9.20060704/debian/rules
--- isdnutils-3.9.20060704/debian/rules
+++ isdnutils-3.9.20060704/debian/rules
@@ -388,6 +388,7 @@
ppp-2.4.4b1 \
vbox-little-endian \
toplevel-make \
+ capi20-msg2str-safety \
ifeq ($(distribution),Ubuntu)
debian_patches += no-imake
only in patch2:
unchanged:
--- isdnutils-3.9.20060704.orig/debian/patches/capi20-msg2str-safety.dpatch
+++ isdnutils-3.9.20060704/debian/patches/capi20-msg2str-safety.dpatch
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+
+# DP: Prevent buffer overflow in capi20_{cmsg,message}2str.
+# DP: Add warning that they are not thread-safe.
+
+dir=
+if [ $# -eq 3 -a "$2" = '-d' ]; then
+ pdir="-d $3"
+ dir="$3/"
+elif [ $# -ne 1 ]; then
+ echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+ exit 1
+fi
+case "$1" in
+ -patch)
+ patch $pdir -f --no-backup-if-mismatch -p0 < $0
+ ;;
+ -unpatch)
+ patch $pdir -f --no-backup-if-mismatch -R -p0 < $0
+ ;;
+ *)
+ echo >&2 "usage: `basename $0`: -patch|-unpatch [-d <srcdir>]"
+ exit 1
+esac
+exit 0
+
+--- capi20/capiutils.h~ 2005-03-08 07:26:47.000000000 +0000
++++ capi20/capiutils.h 2007-02-17 20:22:48.000000000 +0000
+@@ -308,6 +308,10 @@
+ #define capi20_cmd2str capi_cmd2str
+ char *capi_cmd2str(_cbyte cmd, _cbyte subcmd);
+
++/*
++ * WARNING: The following two functions use a single static buffer and
++ * are not thread-safe.
++ */
+ #define capi20_cmsg2str capi_cmsg2str
+ char *capi_cmsg2str(_cmsg * cmsg);
+
+--- capi20/convert.c~ 2005-05-09 09:23:01.000000000 +0100
++++ capi20/convert.c 2007-02-17 20:34:17.000000000 +0000
+@@ -894,10 +894,14 @@
+ static void bufprint(char *fmt,...)
+ {
+ va_list f;
++ size_t space = buf + sizeof(buf) - p, len;
+ va_start(f, fmt);
+- vsprintf(p, fmt, f);
++ len = vsnprintf(p, space, fmt, f);
+ va_end(f);
+- p += strlen(p);
++ if (len < space - 1)
++ p += len;
++ else
++ p += space - 1;
+ }
+
+ static void printstructlen(_cbyte * m, unsigned len)
-- END --
I can't test this in place because I don't know how to construct a
message that would overflow the buffer. However, the following test
program:
-- BEGIN --
static char buf[8192];
static char *p = 0;
#include <stdio.h>
#include <stdarg.h>
static void bufprint(char *fmt,...)
{
va_list f;
size_t space = buf + sizeof(buf) - p, len;
va_start(f, fmt);
len = vsnprintf(p, space, fmt, f);
va_end(f);
if (len < space - 1)
p += len;
else
p += space - 1;
}
int main(void)
{
int i;
p = buf;
p[0] = 0;
for (i = 0; i != 10; ++i)
{
bufprint("%4096s", "foo");
bufprint("%4096s", "bar?");
}
puts(buf);
}
-- END --
shows that output is truncated after the last character that will fit in
the buffer ("r" in this case) as intended.
Ben.
--
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
[signature.asc (application/pgp-signature, inline)]
Tags added: patch
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#408530; Package libcapi20-3.
(full text, mbox, link).
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
(full text, mbox, link).
Message #40 received at 408530@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The same patch is applicable to sarge with trivial adjustment.
Ben.
--
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.
[signature.asc (application/pgp-signature, inline)]
Reply sent to Paul Slootman <paul@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to John Hughes <john@Calva.COM>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #45 received at 408530-close@bugs.debian.org (full text, mbox, reply):
Source: isdnutils
Source-Version: 1:3.9.20060704-3
We believe that the bug you reported is fixed in the latest version of
isdnutils, which is due to be installed in the Debian FTP archive:
capiutils_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/capiutils_3.9.20060704-3_amd64.deb
ipppd_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/ipppd_3.9.20060704-3_amd64.deb
isdnactivecards_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnactivecards_3.9.20060704-3_amd64.deb
isdneurofile_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdneurofile_3.9.20060704-3_amd64.deb
isdnlog-data_3.9.20060704-3_all.deb
to pool/main/i/isdnutils/isdnlog-data_3.9.20060704-3_all.deb
isdnlog_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnlog_3.9.20060704-3_amd64.deb
isdnutils-base_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils-base_3.9.20060704-3_amd64.deb
isdnutils-doc_3.9.20060704-3_all.deb
to pool/main/i/isdnutils/isdnutils-doc_3.9.20060704-3_all.deb
isdnutils-xtools_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils-xtools_3.9.20060704-3_amd64.deb
isdnutils_3.9.20060704-3.diff.gz
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3.diff.gz
isdnutils_3.9.20060704-3.dsc
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3.dsc
isdnutils_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3_amd64.deb
isdnvbox_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvbox_3.9.20060704-3_amd64.deb
isdnvboxclient_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvboxclient_3.9.20060704-3_amd64.deb
isdnvboxserver_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvboxserver_3.9.20060704-3_amd64.deb
libcapi20-3_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/libcapi20-3_3.9.20060704-3_amd64.deb
libcapi20-dev_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/libcapi20-dev_3.9.20060704-3_amd64.deb
pppdcapiplugin_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/pppdcapiplugin_3.9.20060704-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 408530@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated isdnutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 27 Feb 2007 16:48:24 +0100
Source: isdnutils
Binary: isdnvbox isdnlog isdnutils isdneurofile isdnutils-xtools isdnutils-base isdnvboxserver isdnutils-doc isdnactivecards isdnlog-data pppdcapiplugin ipppd libcapi20-dev capiutils isdnvboxclient libcapi20-3
Architecture: source all amd64
Version: 1:3.9.20060704-3
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description:
capiutils - Utilities for CAPI-capable ISDN cards
ipppd - PPP daemon for syncPPP over ISDN
isdnactivecards - Support utilities for active ISDN cards.
isdneurofile - ISDN eurofile transfer tool
isdnlog - ISDN connection logger
isdnlog-data - data for isdnlog users
isdnutils - Most important ISDN-related packages and utilities
isdnutils-base - ISDN utilities, the basic (minimal) set
isdnutils-doc - Extensive documentation for isdnutils
isdnutils-xtools - ISDN utilities that use X
isdnvbox - ISDN answering machine, client and server
isdnvboxclient - ISDN answering machine, client
isdnvboxserver - ISDN answering machine, server
libcapi20-3 - libraries for CAPI support
libcapi20-dev - libraries for CAPI support
pppdcapiplugin - plugin for pppd to communicate with CAPI-capable ISDN cards
Closes: 388610 392690 396301 408530 409039 412516
Changes:
isdnutils (1:3.9.20060704-3) unstable; urgency=high
.
* Fix critical bug, potential buffer overflow in capi_cmsg2str, patch from
Ben Hutchings. closes:#408530
* Acknowledge NMUs. closes:#392690
* Galician debconf translated added. closes:#412516
* Vietnamese updated. closes:#409039
* Use invoke-rc.d instead of directly calling the init script in
isdnutils-base.prerm. closes:#396301
* Remove the explicit sourcing of /usr/share/debconf/confmodule in
isdnutils-base.postrm, as now the debhelper thing works properly.
closes:#388610
Files:
2cc4ef716457b305653b68a8d5852310 1180 utils extra isdnutils_3.9.20060704-3.dsc
aba9ca67b9005cb739e99dff619ff9f8 791021 utils extra isdnutils_3.9.20060704-3.diff.gz
a89a24bd1e1c25c69058f0038d7473e5 831392 utils extra isdnlog-data_3.9.20060704-3_all.deb
c166e25f7cad64d06ac75c19d82339a7 658236 doc extra isdnutils-doc_3.9.20060704-3_all.deb
1be261fd1e87ea0f1e517058dc906466 30758 utils optional isdnutils_3.9.20060704-3_amd64.deb
8efee3a85722c1c4aac69d2661538786 159818 utils optional isdnutils-base_3.9.20060704-3_amd64.deb
d8f37a8e84b4907059d079706ee3522c 47078 x11 extra isdnutils-xtools_3.9.20060704-3_amd64.deb
09ac0f408377116b26db92738c547190 174320 net extra ipppd_3.9.20060704-3_amd64.deb
460f6465f831c5413fb76439f8471629 593808 utils extra isdnlog_3.9.20060704-3_amd64.deb
e5064eefa657a01b512026c2562344e8 25470 utils extra isdnvbox_3.9.20060704-3_amd64.deb
70b9ecaad553a7e1b56a889e01533389 69036 utils extra isdnvboxclient_3.9.20060704-3_amd64.deb
baa2b6ca4c887fe9d4356661b12d1e6a 142976 utils extra isdnvboxserver_3.9.20060704-3_amd64.deb
a992dbf478ec30a5b1d89a60e2c6ed46 84956 net extra capiutils_3.9.20060704-3_amd64.deb
ef5692f096228764162658173458b92f 42240 libs extra libcapi20-3_3.9.20060704-3_amd64.deb
6f4ce34cf6b7d9e2598e064af2d4eb76 30660 libdevel extra libcapi20-dev_3.9.20060704-3_amd64.deb
c9b5704af9d1b737d0f40ceb467f8b46 142822 net extra pppdcapiplugin_3.9.20060704-3_amd64.deb
69ed0be99953d2bb40d0c1fda5be3183 1652832 utils extra isdnactivecards_3.9.20060704-3_amd64.deb
c648c4861fbeca877fbb09b94fd64459 178708 comm extra isdneurofile_3.9.20060704-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFF5GoRutvvqbTW3hMRAt74AJ9q+X6Qig52ovmWpy92b43l8fUy4ACfdcn3
jqW1tNVL6kMqOJCJ2Pxu9+Q=
=U3Ew
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 02:26:28 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Jan 5 17:41:10 2018;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.