Report forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#408530; Package libcapi20-3.
Acknowledgement sent to John Hughes <john@Calva.COM>:
New Bug report received and forwarded. Copy sent to Paul Slootman <paul@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcapi20-3: buffer overflow in "printbuf" called from capi_cmsg2str
Date: Fri, 26 Jan 2007 16:34:32 +0100
Package: libcapi20-3
Version: 1:3.9.20060704-2.2
Severity: important
The bufprint routine used by capi_cmsg2str does an unbounded vsprintf
into an 8192-byte buffer, perhaps hoping it's big enough.
It isn't.
Looks like someone needs some vsnprintf-like training wheels.
(around line 898 in "convert.c")
#4 0xb7c9e811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7c9ffb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0xb6bbf21c in bufprint (fmt=0xb6bc061f " %02x") at convert.c:910
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
#8 0xb6bbf34c in protocol_message_2_pars (cmsg=0xb69d4234, level=1) at convert.c:1003
#9 0xb6bbf722 in capi_cmsg2str (cmsg=0xb69d4234) at convert.c:1045
#10 0xb6be4d16 in capidev_loop (data=0x0) at chan_capi.c:4051
#11 0x080ed2c0 in dummy_start (data=0x81e6ee8) at utils.c:545
#12 0xb7f16240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#13 0xb7d4132e in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) frame 7
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
927 bufprint(" %02x", *m);
(gdb) p p - buf
$1 = 8194
(gdb) p *cmsg
$2 = {ApplId = 1, Command = 2 '\002', Subcommand = 130 '\202',
Messagenumber = 5019, adr = {adrController = 257,
adrPLCI = 257, adrNCCI = 257}, AdditionalInfo = CAPI_COMPOSE,
B1configuration = 0x0, B1protocol = 0,
B2configuration = 0x0, B2protocol = 0, B3configuration = 0x0,
B3protocol = 0, BC = 0xb6b4eb5e "\003\200\220�",
BChannelinformation = 0xb6b4eb67 "", BProtocol = CAPI_COMPOSE,
CalledPartyNumber = 0xb6b4eb5a "",
CalledPartySubaddress = 0xb6b4eb5c "", CallingPartyNumber = 0xb6b4eb5b
"", CallingPartySubaddress = 0xb6b4eb5d "",
CIPmask = 0, CIPmask2 = 0, CIPValue = 16, Class = 0, ConnectedNumber =
0x0, ConnectedSubaddress = 0x0, Data32 = 0,
Data64 = 0, DataHandle = 0, DataLength = 0,
FacilityConfirmationParameter = 0x0,
Facilitydataarray = 0xb6b4eb6a "", FacilityIndicationParameter = 0x0,
FacilityRequestParameter = 0x0,
FacilityResponseParameters = 0x0, FacilitySelector = 0, Flags = 0,
Function = 0, Globalconfiguration = 0x0,
HLC = 0xb6b4eb63 "\002\221\201\004", Info = 0, InfoElement = 0x0,
InfoMask = 0, InfoNumber = 0,
Keypadfacility = 0xb6b4eb68 "", LLC = 0xb6b4eb62 "", ManuData = 0x0,
ManuID = 0, NCPI = 0x0, Reason = 0,
Reason_B3 = 0, Reject = 0, Useruserdata = 0xb6b4eb69 "",
SendingComplete = 0xb6b4eb6b '�' <repeats 127 times>,
Data = 0x0, l = 31, p = 14, par = 0xb6bc0bbc
"\003\024\016\020\017\021\v)#\004\f(0\0342\001\001",
m = 0xb6b4eb4c "\037", buf = '\0' <repeats 179 times>}
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-jh-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libcapi20-3 depends on:
ii libc6 2.3.6.ds1-10 GNU C Library: Shared libraries
libcapi20-3 recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>: Bug#408530; Package libcapi20-3.
Acknowledgement sent to Lionel Elie Mamane <lionel@mamane.lu>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
Subject: Re: Bug#408530: libcapi20-3: buffer overflow in "printbuf" called from capi_cmsg2str
Date: Fri, 26 Jan 2007 16:59:19 +0100
tags 408530 +security
severity 408530 grave
On Fri, Jan 26, 2007 at 04:34:32PM +0100, John Hughes wrote:
> Package: libcapi20-3
> Version: 1:3.9.20060704-2.2
> Severity: important
> the bufprint routine used by capi_cmsg2str does an unbounded
> vsprintf into a 8192 byte buffer, perhaps hoping it's big enough.
If the content of that vsprintf can be controlled by remote peers,
this may lead to a remote security hole for daemons using CAPI
(pppd-capi-plugin, asterisk-chan-capi, capi4hylafax, ...). Or a DoS.
If the content of that vsprintf can be controlled by local users
making use of a system service (such as sending a fax, making a phone
call, ...) that uses CAPI, this is a privilege escalation or remote
authenticated user security hole, or a DoS.
If someone determines this is not exploitable, feel free to remove the
security tag and take the severity down to important again.
--
Lionel
Tags added: security
Request was from Lionel Elie Mamane <lionel@mamane.lu>
to control@bugs.debian.org.
Severity set to `grave' from `important'
Request was from Lionel Elie Mamane <lionel@mamane.lu>
to control@bugs.debian.org.
Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
clone 408530 -1 -2
reassign -1 asterisk-chan-capi
retitle -1 asterisk-chan-capi: Need a mutex for calls to capi_{cmsg,message}2str
reassign -2 linux-2.6
retitle -2 linux-2.6: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
block -1 with 408530
tags -2 upstream
forwarded -2 http://bugzilla.kernel.org/show_bug.cgi?id=8028
thanks
This function and capi_message2str are not thread-safe either; nor can
they be made so without the use of TSS for their buffers. chan_capi
will need to use a mutex to prevent collision between concurrent uses of
these functions. I don't know what can be done in the kernel. The
buffer overflow could conceivably be due to two concurrent calls to
these functions rather than a single message.
Ben.
--
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
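The two defects the thread identifies, the unbounded vsprintf into a fixed 8192-byte buffer (John's report) and the shared static buffer that makes capi_cmsg2str and capi_message2str non-thread-safe (Ben's note), both come from the same design: a global buffer plus a global write pointer. The following is an added example, not code from isdnutils, libcapi20 or Ben's patch; the names strbuf, strbuf_printf and dump_bytes are mine. It keeps the capacity the report mentions but gives every caller its own buffer on the stack, so no mutex or TSS is needed, and it formats with vsnprintf against the remaining space, turning an overrun into a reported truncation instead of memory corruption.

```c
/* Added example: a bounded, reentrant replacement for the
 * "bufprint() into a static 8192-byte buffer" pattern described in
 * Debian bug #408530. Not the isdnutils code; all names are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define STRBUF_SIZE 8192   /* same capacity the report mentions */

/* Per-caller state instead of file-scope globals: two threads decoding
 * messages concurrently no longer share a buffer or a write pointer. */
struct strbuf {
    char   buf[STRBUF_SIZE];
    size_t len;        /* bytes written, excluding the terminating NUL */
    int    truncated;  /* set once output no longer fits */
};

static void strbuf_init(struct strbuf *sb)
{
    sb->len = 0;
    sb->truncated = 0;
    sb->buf[0] = '\0';
}

/* Bounded equivalent of bufprint(): vsnprintf is told exactly how much
 * room is left, so it can never write past the end of buf. Returns 0 on
 * success, -1 once output has been truncated (or on a format error). */
static int strbuf_printf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (sb->truncated)
        return -1;
    room = sizeof sb->buf - sb->len;   /* always >= 1: the NUL slot */
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->len, room, fmt, ap);
    va_end(ap);
    if (n < 0) {
        sb->truncated = 1;
        return -1;
    }
    if ((size_t)n >= room) {
        /* vsnprintf wrote room-1 bytes plus NUL; record and stop. */
        sb->len = sizeof sb->buf - 1;
        sb->truncated = 1;
        return -1;
    }
    sb->len += (size_t)n;
    return 0;
}

/* Mirrors the ' %02x' loop at convert.c:927 in the backtrace: each byte
 * costs three characters, so a long parameter exceeds 8192 bytes. */
static int dump_bytes(struct strbuf *sb, const unsigned char *m, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (strbuf_printf(sb, " %02x", m[i]) < 0)
            return -1;
    return 0;
}

/* Small input fits: returns 1 when the output is exactly as expected. */
static int demo_small(void)
{
    struct strbuf sb;
    const unsigned char m[3] = { 0x03, 0x80, 0x90 };   /* constructed */
    strbuf_init(&sb);
    if (dump_bytes(&sb, m, sizeof m) != 0)
        return 0;
    return strcmp(sb.buf, " 03 80 90") == 0 && sb.len == 9;
}

/* Oversized input: 4000 bytes need 12000 characters. With the original
 * code that is a heap/static overrun; here the call reports truncation
 * and the buffer stays NUL-terminated. Returns the final length when
 * truncation was reported correctly, 0 otherwise. */
static int demo_truncation(void)
{
    struct strbuf sb;
    unsigned char big[4000];   /* constructed oversized parameter */
    memset(big, 0xab, sizeof big);
    strbuf_init(&sb);
    if (dump_bytes(&sb, big, sizeof big) != -1 || !sb.truncated)
        return 0;
    return (int)sb.len;        /* 8191: 2730 full items plus one ' ' */
}

int main(void)
{
    printf("small ok: %d, truncated length: %d\n",
           demo_small(), demo_truncation());
    return 0;
}
```

The caller decides what to do with a truncated decode (log it and drop the message, or allocate a larger context); what matters is that a long or malformed CAPI parameter can no longer write past the buffer, and that the result does not depend on which other thread is decoding at the same time.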
Bug 408530 cloned as bugs 411293, 411294.
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Blocking bugs of 411293 added: 408530
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
Tags added: patch
Request was from Ben Hutchings <ben@decadent.org.uk>
to control@bugs.debian.org.
Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>.
The same patch is applicable to sarge with trivial adjustment.
Ben.
--
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.
Subject: Bug#408530: fixed in isdnutils 1:3.9.20060704-3
Date: Tue, 27 Feb 2007 17:47:04 +0000
Source: isdnutils
Source-Version: 1:3.9.20060704-3
We believe that the bug you reported is fixed in the latest version of
isdnutils, which is due to be installed in the Debian FTP archive:
capiutils_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/capiutils_3.9.20060704-3_amd64.deb
ipppd_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/ipppd_3.9.20060704-3_amd64.deb
isdnactivecards_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnactivecards_3.9.20060704-3_amd64.deb
isdneurofile_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdneurofile_3.9.20060704-3_amd64.deb
isdnlog-data_3.9.20060704-3_all.deb
to pool/main/i/isdnutils/isdnlog-data_3.9.20060704-3_all.deb
isdnlog_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnlog_3.9.20060704-3_amd64.deb
isdnutils-base_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils-base_3.9.20060704-3_amd64.deb
isdnutils-doc_3.9.20060704-3_all.deb
to pool/main/i/isdnutils/isdnutils-doc_3.9.20060704-3_all.deb
isdnutils-xtools_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils-xtools_3.9.20060704-3_amd64.deb
isdnutils_3.9.20060704-3.diff.gz
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3.diff.gz
isdnutils_3.9.20060704-3.dsc
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3.dsc
isdnutils_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnutils_3.9.20060704-3_amd64.deb
isdnvbox_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvbox_3.9.20060704-3_amd64.deb
isdnvboxclient_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvboxclient_3.9.20060704-3_amd64.deb
isdnvboxserver_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/isdnvboxserver_3.9.20060704-3_amd64.deb
libcapi20-3_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/libcapi20-3_3.9.20060704-3_amd64.deb
libcapi20-dev_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/libcapi20-dev_3.9.20060704-3_amd64.deb
pppdcapiplugin_3.9.20060704-3_amd64.deb
to pool/main/i/isdnutils/pppdcapiplugin_3.9.20060704-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 408530@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated isdnutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 27 Feb 2007 16:48:24 +0100
Source: isdnutils
Binary: isdnvbox isdnlog isdnutils isdneurofile isdnutils-xtools isdnutils-base isdnvboxserver isdnutils-doc isdnactivecards isdnlog-data pppdcapiplugin ipppd libcapi20-dev capiutils isdnvboxclient libcapi20-3
Architecture: source all amd64
Version: 1:3.9.20060704-3
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description:
capiutils - Utilities for CAPI-capable ISDN cards
ipppd - PPP daemon for syncPPP over ISDN
isdnactivecards - Support utilities for active ISDN cards.
isdneurofile - ISDN eurofile transfer tool
isdnlog - ISDN connection logger
isdnlog-data - data for isdnlog users
isdnutils - Most important ISDN-related packages and utilities
isdnutils-base - ISDN utilities, the basic (minimal) set
isdnutils-doc - Extensive documentation for isdnutils
isdnutils-xtools - ISDN utilities that use X
isdnvbox - ISDN answering machine, client and server
isdnvboxclient - ISDN answering machine, client
isdnvboxserver - ISDN answering machine, server
libcapi20-3 - libraries for CAPI support
libcapi20-dev - libraries for CAPI support
pppdcapiplugin - plugin for pppd to communicate with CAPI-capable ISDN cards
Closes: 388610 392690 396301 408530 409039 412516
Changes:
isdnutils (1:3.9.20060704-3) unstable; urgency=high
.
* Fix critical bug, potential buffer overflow in capi_cmsg2str, patch from
Ben Hutchings. closes:#408530
* Acknowledge NMUs. closes:#392690
* Galician debconf translated added. closes:#412516
* Vietnamese updated. closes:#409039
* Use invoke-rc.d instead of directly calling the init script in
isdnutils-base.prerm. closes:#396301
* Remove the explicit sourcing of /usr/share/debconf/confmodule in
isdnutils-base.postrm, as now the debhelper thing works properly.
closes:#388610
Files:
2cc4ef716457b305653b68a8d5852310 1180 utils extra isdnutils_3.9.20060704-3.dsc
aba9ca67b9005cb739e99dff619ff9f8 791021 utils extra isdnutils_3.9.20060704-3.diff.gz
a89a24bd1e1c25c69058f0038d7473e5 831392 utils extra isdnlog-data_3.9.20060704-3_all.deb
c166e25f7cad64d06ac75c19d82339a7 658236 doc extra isdnutils-doc_3.9.20060704-3_all.deb
1be261fd1e87ea0f1e517058dc906466 30758 utils optional isdnutils_3.9.20060704-3_amd64.deb
8efee3a85722c1c4aac69d2661538786 159818 utils optional isdnutils-base_3.9.20060704-3_amd64.deb
d8f37a8e84b4907059d079706ee3522c 47078 x11 extra isdnutils-xtools_3.9.20060704-3_amd64.deb
09ac0f408377116b26db92738c547190 174320 net extra ipppd_3.9.20060704-3_amd64.deb
460f6465f831c5413fb76439f8471629 593808 utils extra isdnlog_3.9.20060704-3_amd64.deb
e5064eefa657a01b512026c2562344e8 25470 utils extra isdnvbox_3.9.20060704-3_amd64.deb
70b9ecaad553a7e1b56a889e01533389 69036 utils extra isdnvboxclient_3.9.20060704-3_amd64.deb
baa2b6ca4c887fe9d4356661b12d1e6a 142976 utils extra isdnvboxserver_3.9.20060704-3_amd64.deb
a992dbf478ec30a5b1d89a60e2c6ed46 84956 net extra capiutils_3.9.20060704-3_amd64.deb
ef5692f096228764162658173458b92f 42240 libs extra libcapi20-3_3.9.20060704-3_amd64.deb
6f4ce34cf6b7d9e2598e064af2d4eb76 30660 libdevel extra libcapi20-dev_3.9.20060704-3_amd64.deb
c9b5704af9d1b737d0f40ceb467f8b46 142822 net extra pppdcapiplugin_3.9.20060704-3_amd64.deb
69ed0be99953d2bb40d0c1fda5be3183 1652832 utils extra isdnactivecards_3.9.20060704-3_amd64.deb
c648c4861fbeca877fbb09b94fd64459 178708 comm extra isdneurofile_3.9.20060704-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFF5GoRutvvqbTW3hMRAt74AJ9q+X6Qig52ovmWpy92b43l8fUy4ACfdcn3
jqW1tNVL6kMqOJCJ2Pxu9+Q=
=U3Ew
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 02:26:28 GMT)