Package: zaptel
Version: 1.4.11~dfsg-3
Severity: grave
Tags: pending security
Impact: local privilege escalation
Version: all versions (Now fixed in SVN, rev 4588)
Upstream issue: http://bugs.digium.com/view.php?id=13954
Fix for Etch version: attached dpatch
Fix for Lenny version: http://svn.debian.org/viewsvn/pkg-voip?rev=6507&view=rev

Some older Zaptel drivers do not apply input validation on the sync field from the ioctl ZT_SPANCONFIG. This is sent on /dev/zap/ctl, which in Debian is writable to the group dialout.

In Zaptel this ioctl is mostly handled by the specific spanconfig function of the low-level driver. Thus this will not have any impact unless someone has the matching hardware.

* torisa.c is a driver for the old ISA dual-span T1 card, which I believe nobody actually uses.
* tor2.c is the driver for the Zapata Telephony Tormenta 2 quad T1/E1 card. Still sold today.

Those two drivers use one specific field from the ioctl struct as an array index and write there, assuming it is between 0 and 1 (torisa) or 3 (tor2). So we have a nice way to write over many places in kernel space. The value to write, though, is not easy to control and can't even be 0.

* wct1xxp.c is the driver for Digium's earlier single-span E1 cards (now deprecated: E100P and T100P).
* wcte11xp is the driver for Digium's TE110P, which was slightly better, but was replaced and is now EOL.

The issue with those two is that the value from this field is written to a register, while we only wanted to get its first bit. I'm still not sure if it has any interesting impact for the user, but it is definitely misbehaving.

Analog cards do not have a spanconfig method. Our package also includes several other drivers for digital cards that do have a spanconfig method (cwain, qozap, zaphfc, vzaphfc and ztgsm in Etch, and in Lenny: also ds1x1f) but none of them seem to have this problem.

-- 
Tzafrir Cohen
icq#16849755 jabber:[EMAIL PROTECTED]
+972-50-7952406 mailto:[EMAIL PROTECTED]
http://www.xorcom.com iax:[EMAIL PROTECTED]/tzafrir
#! /bin/sh /usr/share/dpatch/dpatch-run ## fix_sync_validation.dpatch by Tzafrir Cohen <[EMAIL PROTECTED]> ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Don't trust input coming from the field 'sync' in the ioctl ## DP: ZT_SPANCONFIG (e.g. the span "timing" in zaptel.conf) ## DP: ## DP: Upstream issue: http://bugs.digium.com/view.php?id=13954 @DPATCH@ Index: 1.2/wcte11xp.c =================================================================== --- 1.2/wcte11xp.c (revision 4586) +++ 1.2/wcte11xp.c (revision 4587) @@ -932,7 +932,7 @@ span->txlevel = lc->lbo; span->rxlevel = 0; /* Do we want to SYNC on receive or not */ - wc->sync = lc->sync; + wc->sync = (lc->sync) ? 1 : 0; /* If already running, apply changes immediately */ if (span->flags & ZT_FLAG_RUNNING) return t1xxp_startup(span); Index: 1.2/tor2.c =================================================================== --- 1.2/tor2.c (revision 4586) +++ 1.2/tor2.c (revision 4587) @@ -203,6 +203,13 @@ if (debug) printk("Tor2: Configuring span %d\n", span->spanno); + + if ((lc->sync < 0) || (lc->sync >= SPANS_PER_CARD)) { + printk(KERN_WARNING "%s %d: invalid span timing value %d.\n", + THIS_MODULE->name, span->spanno, lc->sync); + return -EINVAL; + } + /* XXX We assume lineconfig is okay and shouldn't XXX */ span->lineconfig = lc->lineconfig; span->txlevel = lc->lbo; Index: 1.2/torisa.c =================================================================== --- 1.2/torisa.c (revision 4586) +++ 1.2/torisa.c (revision 4587) 
@@ -602,6 +602,13 @@ { if (debug) printk("TorISA: Configuring span %d\n", span->spanno); + + if ((lc->sync < 0) || (lc->sync >= 2)) { + printk(KERN_WARNING "%s %d: invalid span timing value %d.\n", + THIS_MODULE->name, span->spanno, lc->sync); + return -EINVAL; + } + /* XXX We assume lineconfig is okay and shouldn't XXX */ span->lineconfig = lc->lineconfig; span->txlevel = lc->lbo; Index: 1.2/wct1xxp.c =================================================================== --- 1.2/wct1xxp.c (revision 4586) +++ 1.2/wct1xxp.c (revision 4587) @@ -738,7 +738,7 @@ span->txlevel = lc->lbo; span->rxlevel = 0; /* Do we want to SYNC on receive or not */ - wc->sync = lc->sync; + wc->sync = (lc->sync) ? 1 : 0; /* If already running, apply changes immediately */ if (span->flags & ZT_FLAG_RUNNING) return t1xxp_startup(span);
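Review bot: in the wcte11xp.c hunk, `wc->sync = (lc->sync) ? 1 : 0;` silently folds any out-of-range value into 1 instead of rejecting it, so a timing value that the tor2.c and torisa.c hunks now refuse with -EINVAL is accepted here and becomes "SYNC on receive". If only 0 and 1 are meaningful for this driver, consider returning -EINVAL for anything else so that a bad zaptel.conf fails the same way on every card; if the normalisation is deliberate, a one-line comment saying so would help the next reader.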
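Review bot: in the tor2.c hunk, the `(lc->sync < 0)` half of the new check is only live if the `sync` member is a signed type; worth confirming against the struct definition in the header, since with an unsigned field that comparison is dead code (the `>= SPANS_PER_CARD` half would still catch a large value). The placement is right: the early return happens before `span->lineconfig` and the level fields are written, so a rejected ioctl leaves the span untouched.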
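Review bot: the torisa.c hunk hard-codes the upper bound as `lc->sync >= 2` while the tor2.c hunk uses `SPANS_PER_CARD`; a named constant for the dual-span card (or the driver's existing span count, if it has one) would keep the two checks in step and document why 2 is the limit. The warning text matches the tor2.c one exactly, which is good for grepping logs across both drivers.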
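Review bot: the wct1xxp.c hunk is the same one-line normalisation as in wcte11xp.c and raises the same question about silently accepting values outside 0 and 1; whichever way that is decided, the two single-span drivers should end up behaving identically.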