Report forwarded
to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#507459; Package zaptel.
(Mon, 01 Dec 2008 15:18:04 GMT)
Acknowledgement sent
to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Mon, 01 Dec 2008 15:18:05 GMT)
Package: zaptel
Version: 1.4.11~dfsg-3
Severity: grave
Tags: pending security
Impact: local privileges escalation
Version: all versions (Now fixed in SVN, rev 4588)
Upstream issue: http://bugs.digium.com/view.php?id=13954
Fix for Etch version: attached dpatch
Fix for Lenny version: http://svn.debian.org/viewsvn/pkg-voip?rev=6507&view=rev
Some older Zaptel drivers do not apply input validation on the sync
field from the ioctl ZT_SPANCONFIG. This is sent on /dev/zap/ctl,
which in Debian is writable to the group dialout.
In Zaptel this ioctl is mostly handled by the specific spanconfig
function of the low-level driver. Thus this will not have any impact
unless someone has the matching hardware.
* torisa.c is a driver for the old ISA dual-span T1 card, which I believe
nobody actually uses.
* tor2.c is the driver for the Zapata Telephony Tormenta 2 card quad
T1/E1 card. Still sold today.
Those two drivers use one specific field from the ioctl struct as an
array index and write there, assuming it is between 0 and 1 (torisa) or
3 (tor2). So we have a nice way to write over many places in kernel
space. The value to write, though, is not easy to control and can't even
be 0.
* wct1xxp.c is the driver for Digium's earlier single-span E1 cards
(now deprecated: E100P and T100P).
* wcte11xp is the driver for Digium's TE110P, which was slightly
better, but was replaced and is now EOL.
The issue with those two is that the value from this field is written to
a register, while we only wanted to get its first bit. I'm still not
sure if it has any interesting impact for the user, but it is definitely
misbehaving.
Analog cards do not have a spanconfig method. Our package also includes
several other drivers for digital cards that do have a spanconfig method
(cwain, qozap, zaphfc, vzaphfc and ztgsm in Etch, and in Lenny: also
ds1x1f) but none of them seem to have this problem.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com iax:guest@local.xorcom.com/tzafrir
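The validation the report says was missing, as an added example (not part of the bug report and not the Zaptel patch): a user-space model of a spanconfig handler that range-checks the sync field before indexing with it, and masks it to bit 0 before a register write. The struct layouts, function names and MODEL_NUM_SPANS are hypothetical stand-ins, not the drivers' real definitions.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_NUM_SPANS 4   /* assumption: a quad-span card, as tor2 is described */

/* Hypothetical stand-in for the ioctl argument; only the field discussed. */
struct model_lineconfig {
    int span;   /* span being configured */
    int sync;   /* caller-supplied value the report says went unchecked */
};

/* Hypothetical per-card driver state. */
struct model_card {
    int syncs[MODEL_NUM_SPANS];
    unsigned char sync_reg;   /* stands in for a hardware register */
};

/* Array-index case (torisa/tor2 in the report). The unchecked pattern is
 * card->syncs[lc->sync] = value; with lc->sync taken straight from the caller. */
int model_spanconfig_index(struct model_card *card,
                           const struct model_lineconfig *lc, int value)
{
    /* Reject negative and too-large indexes before any write happens. */
    if (lc->sync < 0 || lc->sync >= MODEL_NUM_SPANS)
        return -EINVAL;
    card->syncs[lc->sync] = value;
    return 0;
}

/* Register case (wct1xxp/wcte11xp in the report): only the first bit of
 * the field is meant to reach the register, so mask everything else off. */
int model_spanconfig_reg(struct model_card *card,
                         const struct model_lineconfig *lc)
{
    card->sync_reg = (unsigned char)(lc->sync & 0x1);
    return 0;
}

int main(void)
{
    struct model_card card = { {0, 0, 0, 0}, 0 };
    struct model_lineconfig lc = { 1, 0 };
    int samples[] = { 0, 3, 4, -1, 0x7fffffff };   /* constructed inputs */
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        lc.sync = samples[i];
        printf("sync=%d -> %d\n", lc.sync,
               model_spanconfig_index(&card, &lc, lc.span + 1));
    }
    return 0;
}
```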
Subject: Bug#507459: fixed in zaptel 1:1.4.11~dfsg-3
Date: Wed, 03 Dec 2008 10:32:04 +0000
Source: zaptel
Source-Version: 1:1.4.11~dfsg-3
We believe that the bug you reported is fixed in the latest version of
zaptel, which is due to be installed in the Debian FTP archive:
libtonezone-dev_1.4.11~dfsg-3_i386.deb
to pool/main/z/zaptel/libtonezone-dev_1.4.11~dfsg-3_i386.deb
libtonezone1_1.4.11~dfsg-3_i386.deb
to pool/main/z/zaptel/libtonezone1_1.4.11~dfsg-3_i386.deb
zaptel-source_1.4.11~dfsg-3_all.deb
to pool/main/z/zaptel/zaptel-source_1.4.11~dfsg-3_all.deb
zaptel_1.4.11~dfsg-3.diff.gz
to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3.diff.gz
zaptel_1.4.11~dfsg-3.dsc
to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3.dsc
zaptel_1.4.11~dfsg-3_i386.deb
to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 507459@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated zaptel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 03 Dec 2008 19:52:06 +1100
Source: zaptel
Binary: zaptel libtonezone1 libtonezone-dev zaptel-source
Architecture: source all i386
Version: 1:1.4.11~dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description:
libtonezone-dev - tonezone library (development)
libtonezone1 - tonezone library (runtime)
zaptel - zapata telephony utilities
zaptel-source - Zapata telephony interface (source code for kernel driver)
Closes: 507459
Changes:
zaptel (1:1.4.11~dfsg-3) unstable; urgency=high
.
[ Tzafrir Cohen ]
* Patch fix_sync_validation: Better ioctl input validation (Closes: #507459)
* zaptel.init: exit on a different condition: Nicer handling of ztdummy.
* zaptel.init: Give a sane default to XPP_SYNC.
.
[ Mark Purcell ]
* Urgency high to fix RC bug
* Update debian/watch
* Add ${misc:Depends} fixes:debhelper-but-no-misc-depends
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#507459; Package zaptel.
(Wed, 03 Dec 2008 12:39:04 GMT)
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Wed, 03 Dec 2008 12:39:04 GMT)
Subject: Re: Bug#507459: zaptel: insufficient input validation in some zaptel drivers
Date: Wed, 03 Dec 2008 13:37:17 +0100
* Tzafrir Cohen:
> Impact: local privileges escalation
> Version: all versions (Now fixed in SVN, rev 4588)
> Upstream issue: http://bugs.digium.com/view.php?id=13954
>
> Fix for Etch version: attached dpatch
> Fix for Lenny version: http://svn.debian.org/viewsvn/pkg-voip?rev=6507&view=rev
>
> Some older Zaptel drivers do not apply input validation on the sync
> field from the ioctl ZT_SPANCONFIG. This is sent on /dev/zap/ctl,
> which in Debian is writable to the group dialout.
Would someone who can test a fixed Debian package please speak up?
Tzafrir, could you do that if we send you packages pre-release?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#507459; Package zaptel.
(Wed, 03 Dec 2008 13:12:09 GMT)
Acknowledgement sent
to Tzafrir Cohen <tzafrir.cohen@xorcom.com>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
(Wed, 03 Dec 2008 13:12:09 GMT)
Subject: Re: Bug#507459: zaptel: insufficient input validation in some zaptel drivers
Date: Wed, 3 Dec 2008 15:05:46 +0200
On Wed, Dec 03, 2008 at 01:37:17PM +0100, Florian Weimer wrote:
> * Tzafrir Cohen:
>
> > Impact: local privileges escalation
> > Version: all versions (Now fixed in SVN, rev 4588)
> > Upstream issue: http://bugs.digium.com/view.php?id=13954
> >
> > Fix for Etch version: attached dpatch
> > Fix for Lenny version: http://svn.debian.org/viewsvn/pkg-voip?rev=6507&view=rev
> >
> > Some older Zaptel drivers do not apply input validation on the sync
> > field from the ioctl ZT_SPANCONFIG. This is sent on /dev/zap/ctl,
> > which in Debian is writable to the group dialout.
>
> Would someone who can test a fixed Debian package please speak up?
>
> Tzafrir, could you do that if we send you packages pre-release?
I don't have that specific hardware. I can test it on hardware I do
have to show it didn't break anything.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen@xorcom.com
+972-50-7952406 mailto:tzafrir.cohen@xorcom.com
http://www.xorcom.com iax:guest@local.xorcom.com/tzafrir
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 01 Jan 2009 07:26:53 GMT)