Bug 706375 (CVE-2009-4067) - VUL-0: CVE-2009-4067: kernel: usb: buffer overflow in auerswald_probe()
Summary: VUL-0: CVE-2009-4067: kernel: usb: buffer overflow in auerswald_probe()
Status: RESOLVED FIXED
Alias: CVE-2009-4067
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Deadline: 2013-11-20
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp4:43802 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-18 07:52 UTC by Ludwig Nussel
Modified: 2013-12-09 10:11 UTC
CC List: 3 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
fix for usb_string (1.03 KB, patch)
2011-08-12 09:31 UTC, Michal Hocko

Description Ludwig Nussel 2011-07-18 07:52:59 UTC
Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

------------------------------------------------------------------------------
Date: Fri, 15 Jul 2011 16:03:07 +0800
From: Eugene Teo <eugene@redhat.com>
Subject: [oss-security] CVE-2009-4067 kernel: usb: buffer overflow in auerswald_probe()

A buffer overflow flaw was found in the Linux kernel's Auerswald
PBX/System Telephone usb driver implementation. There's no upstream
patch as the affected driver was removed from the kernel in 2.6.27.

For more information, check out the references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4067
http://labs.mwrinfosecurity.com/files/Advisories/mwri_linux-usb-buffer-overflow_2009-10-29.pdf
https://bugzilla.redhat.com/CVE-2009-4067
Comment 1 Ludwig Nussel 2011-07-18 07:54:09 UTC
auerswald.ko is in sle10, we should simply remove it.
Comment 2 Michal Hocko 2011-08-12 09:29:26 UTC
(In reply to comment #1)
> auerswald.ko is in sle10, we should simply remove it.

This will not be that easy. The driver is listed as supported. I will attach a patch which should help here in the next comment.
Comment 3 Michal Hocko 2011-08-12 09:31:57 UTC
Created attachment 445558
fix for usb_string

I have not fixed the driver directly but rather looked at usb_string which can test the size sign overflow as well. What do you think Greg? Does it make sense to push this upstream? The affected driver is not there anymore but it kind of makes sense because now we are testing only for 0 size.
Comment 4 Michal Hocko 2011-08-12 09:35:29 UTC
I guess that the issue is really minor because one would need direct access to the HW to trigger it.
Comment 5 Thomas Biege 2011-08-12 16:35:18 UTC
Please ignore, just adjusting priority.
Comment 6 Greg Kroah-Hartman 2011-08-12 22:23:07 UTC
(In reply to comment #3)
> Created an attachment (id=445558) [details]
> fix for usb_string
> 
> I have not fixed the driver directly but rather looked at usb_string which can
> test the size sign overflow as well. What do you think Greg? Does it make sense
> to push this upstream? The affected driver is not there anymore but it kind of
> makes sense because now we are testing only for 0 size.

How about changing size to be ssize_t?  Would that solve this better?
Comment 7 Michal Hocko 2011-08-15 07:10:12 UTC
(In reply to comment #6)
> (In reply to comment #3)
> > Created an attachment (id=445558) [details] [details]
> > fix for usb_string
> > 
> > I have not fixed the driver directly but rather looked at usb_string which can
> > test the size sign overflow as well. What do you think Greg? Does it make sense
> > to push this upstream? The affected driver is not there anymore but it kind of
> > makes sense because now we are testing only for 0 size.
> 
> How about changing size to be ssize_t?

This is basically what the patch does. It casts the given size argument to the signed type while we are testing it.
Or did you mean changing the usb_string function parameter? That would break the kABI as the function is exported for modules.
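The check discussed in comments 3, 6 and 7, as an added stand-alone C model that is neither the attached patch nor kernel code: the real usb_string() takes its buffer length as size_t, so a caller that computes the length in a signed int and lets it go negative hands over a huge unsigned value, which a plain "size == 0" test accepts. The model keeps the size_t parameter (no exported signature change) and tests the value as ssize_t, which is the cast-at-the-check approach from comment 7. All names below (DEVICE_STRING, validate_size_signed, try_copy, driver_request) are hypothetical, and the device string is constructed.

```c
/*
 * Added example, not the patch attached to this bug and not kernel code:
 * a user-space model of the check discussed in comments 3, 6 and 7.
 * The real usb_string() takes its buffer length as size_t, so a caller
 * that computes the length in a signed int and lets it go negative hands
 * over a huge unsigned value that a plain "size == 0" test accepts.
 * All names below (DEVICE_STRING, try_copy, driver_request, ...) are
 * hypothetical; only the checking pattern is the point.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-in for a string descriptor supplied by a device. */
static const char DEVICE_STRING[] = "Auerswald PBX";

/* Pre-fix style check: only a zero length is rejected. 0 = accept, -1 = reject. */
int validate_size_zero_only(size_t size)
{
    return size == 0 ? -1 : 0;
}

/* Post-fix style check: test the length as a signed value, as the attached
 * patch does, so a negative int wrapped into size_t is rejected as well.
 * The parameter stays size_t, which keeps the exported signature (kABI). */
int validate_size_signed(size_t size)
{
    if ((ssize_t)size <= 0)
        return -1;
    return 0;
}

/* Copy DEVICE_STRING into buf, truncating to size; always NUL-terminates.
 * Returns bytes written including the NUL, or -1 if size is rejected. */
ssize_t string_copy_checked(char *buf, size_t size)
{
    if (validate_size_signed(size) < 0)
        return -1;
    size_t n = sizeof(DEVICE_STRING);        /* 14: 13 chars + NUL */
    if (n > size)
        n = size;
    memcpy(buf, DEVICE_STRING, n);
    buf[n - 1] = '\0';
    return (ssize_t)n;
}

/* Runs the copy into a private scratch buffer and returns the result, so
 * callers (and tests) need no buffer of their own. The scratch buffer is
 * never overrun: at most sizeof(DEVICE_STRING) bytes are ever written. */
ssize_t try_copy(size_t size)
{
    static char scratch[64];
    memset(scratch, 0, sizeof(scratch));
    return string_copy_checked(scratch, size);
}

/* Models a driver that derives the buffer length from a device-reported
 * length held in a signed int; a malformed short length makes it negative. */
ssize_t driver_request(int reported_len, int header_len)
{
    int remaining = reported_len - header_len;
    return try_copy((size_t)remaining);      /* negative -> huge size_t */
}

int main(void)
{
    printf("zero-only check on (size_t)-8 accepts: %s\n",
           validate_size_zero_only((size_t)-8) == 0 ? "yes" : "no");
    printf("signed check on (size_t)-8 accepts:    %s\n",
           validate_size_signed((size_t)-8) == 0 ? "yes" : "no");
    printf("driver_request(2, 10)  -> %zd\n", driver_request(2, 10));
    printf("driver_request(74, 10) -> %zd\n", driver_request(74, 10));
    return 0;
}
```

The point of the two validators side by side is the one Greg and Michal settle on: a signed-typed test catches the wrapped negative length without touching the exported parameter type, whereas changing the parameter to ssize_t would be cleaner but breaks the kABI for out-of-tree modules.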
Comment 8 Michal Hocko 2011-09-05 15:11:51 UTC
Should I push the patch as is into SLES10* branches?
Comment 9 Jiri Kosina 2011-09-27 16:13:31 UTC
Please do, Michal. Thanks for taking care. This is indeed a minor issue, though.
Comment 10 Michal Hocko 2011-09-29 08:57:11 UTC
Pushed to SLES10_SP[34]_BRANCH and SLES10-SP3-TD branches.
I guess nothing else is affected.
Comment 11 Michal Hocko 2011-09-29 09:14:20 UTC
I forgot about SLES9_SP4_BRANCH and SLES9-SP3-TD which are affected as well.
Pushed now.
Comment 12 Swamp Workflow Management 2011-10-28 00:01:28 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ia64)
SLE-SDK 10-SP4 (ia64)
SLE-SERVER 10-SP4 (ia64)
Comment 13 Swamp Workflow Management 2011-10-28 00:52:34 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386)
SLE-DESKTOP 10-SP4 (i386)
SLE-SDK 10-SP4 (i386)
SLE-SERVER 10-SP4 (i386)
Comment 14 Swamp Workflow Management 2011-10-28 01:00:12 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (s390x)
SLE-SERVER 10-SP4 (s390x)
Comment 15 Swamp Workflow Management 2011-10-28 01:27:09 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (x86_64)
SLE-DESKTOP 10-SP4 (x86_64)
SLE-SDK 10-SP4 (x86_64)
SLE-SERVER 10-SP4 (x86_64)
Comment 16 Swamp Workflow Management 2011-10-28 01:44:31 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP4 (ppc)
SLE-SDK 10-SP4 (ppc)
SLE-SERVER 10-SP4 (ppc)
Comment 17 Marcus Meissner 2011-10-28 09:49:47 UTC
We have just released a SUSE Linux Enterprise 10 SP4 kernel update that
mentions/fixes this bug. The released version is 2.6.16.60-0.91.1.
Comment 18 Swamp Workflow Management 2011-11-17 14:13:07 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2012-01-02 13:03:49 UTC
The SWAMPID for this issue is 44762.
This issue was rated as important.
Please submit fixed packages until 2012-01-09.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 20 Swamp Workflow Management 2013-11-06 14:41:28 UTC
The SWAMPID for this issue is 54954.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 21 Swamp Workflow Management 2013-12-06 23:49:19 UTC
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3-LTSS (s390x)
Comment 22 Swamp Workflow Management 2013-12-07 00:10:32 UTC
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-SERVER 10-SP3-LTSS (x86_64)
Comment 23 Swamp Workflow Management 2013-12-07 01:44:12 UTC
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SERVER 10-SP3-LTSS (i386)