Your message dated Wed, 03 Dec 2008 10:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#507459: fixed in zaptel 1:1.4.11~dfsg-3
has caused the Debian Bug report #507459,
regarding zaptel: insufficient input validation in some zaptel drivers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
507459: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507459
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: zaptel
Version: 1.4.11~dfsg-3
Severity: grave
Tags: pending security

Impact: local privilege escalation
Version: all versions (Now fixed in SVN, rev 4588)
Upstream issue: http://bugs.digium.com/view.php?id=13954

Fix for Etch version: attached dpatch
Fix for Lenny version: http://svn.debian.org/viewsvn/pkg-voip?rev=6507&view=rev

Some older Zaptel drivers do not apply input validation on the sync
field from the ioctl ZT_SPANCONFIG. This is sent on /dev/zap/ctl,
which in Debian is writable to the group dialout.

In Zaptel this ioctl is mostly handled by the specific spanconfig
function of the low-level driver. Thus this will not have any impact
unless someone has the matching hardware. 

* torisa.c is a driver for the old ISA dual-span T1 card, which I believe
  nobody actually uses. 
* tor2.c is the driver for the Zapata Telephony Tormenta 2 quad
  T1/E1 card. Still sold today.

Those two drivers use one specific field from the ioctl struct as an
array index and write there, assuming it is between 0 and 1 (torisa) or
3 (tor2). So we have a nice way to write over many places in kernel
space. The value to write, though, is not easy to control and can't even
be 0.

* wct1xxp.c is the driver for Digium's earlier single-span E1 cards
  (now deprecated: E100P and T100P).
* wcte11xp is the driver for Digium's TE110P, which was slightly
  better but has since been replaced and is now EOL.

The issue with those two is that the value from this field is written to
a register, while we only wanted to get its first bit. I'm still not
sure if it has any interesting impact for the user, but it is definitely
misbehaving.

Analog cards do not have a spanconfig method. Our package also includes
several other drivers for digital cards that do have a spanconfig method
(cwain, qozap, zaphfc, vzaphfc and ztgsm in Etch, and in Lenny: also
ds1x1f) but none of them seem to have this problem.

-- 
               Tzafrir Cohen
icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]
http://www.xorcom.com  iax:[EMAIL PROTECTED]/tzafrir
#! /bin/sh /usr/share/dpatch/dpatch-run
## fix_sync_validation.dpatch by Tzafrir Cohen <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Don't trust input coming from the field 'sync' in the ioctl 
## DP: ZT_SPANCONFIG (e.g. the span "timing" in zaptel.conf)
## DP:
## DP: Upstream issue: http://bugs.digium.com/view.php?id=13954 

@DPATCH@
Index: 1.2/wcte11xp.c
===================================================================
--- 1.2/wcte11xp.c      (revision 4586)
+++ 1.2/wcte11xp.c      (revision 4587)
@@ -932,7 +932,7 @@
        span->txlevel = lc->lbo;
        span->rxlevel = 0;
        /* Do we want to SYNC on receive or not */
-       wc->sync = lc->sync;
+       wc->sync = (lc->sync) ? 1 : 0;
        /* If already running, apply changes immediately */
        if (span->flags & ZT_FLAG_RUNNING)
                return t1xxp_startup(span);
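Review bot: `wc->sync = (lc->sync) ? 1 : 0;` stores nonzero-ness, while the report text describes the intent as taking the field's first bit; `lc->sync & 1` gives a different result for an even value such as 2, so pick one meaning deliberately and state it in the comment above (e.g. `/* Any nonzero sync value means: SYNC on receive */`). Also consider whether a value outside {0, 1} should be rejected with -EINVAL here, as the tor2.c and torisa.c hunks of this same patch do, rather than silently accepted and normalised.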
Index: 1.2/tor2.c
===================================================================
--- 1.2/tor2.c  (revision 4586)
+++ 1.2/tor2.c  (revision 4587)
@@ -203,6 +203,13 @@
 
        if (debug)
                printk("Tor2: Configuring span %d\n", span->spanno);
+
+       if ((lc->sync < 0) || (lc->sync >= SPANS_PER_CARD)) {
+               printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+                               THIS_MODULE->name, span->spanno, lc->sync);
+               return -EINVAL;
+       }
+
        /* XXX We assume lineconfig is okay and shouldn't XXX */        
        span->lineconfig = lc->lineconfig;
        span->txlevel = lc->lbo;
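Review bot: the new range check covers lc->sync only, while the `XXX We assume lineconfig is okay` comment two lines below still flags lc->lineconfig, from the same user-supplied struct, as unvalidated; since the patch is about not trusting ioctl input, either validate lineconfig in the same place or say in the patch description why it is safe to leave. Minor: the KERN_WARNING printk echoes an attacker-chosen value on every bad call from a dialout user, so guard it with printk_ratelimit() unless this path is known not to be reachable in a tight loop without privilege.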
Index: 1.2/torisa.c
===================================================================
--- 1.2/torisa.c        (revision 4586)
+++ 1.2/torisa.c        (revision 4587)
@@ -602,6 +602,13 @@
 {
        if (debug)
                printk("TorISA: Configuring span %d\n", span->spanno);
+
+       if ((lc->sync < 0) || (lc->sync >= 2)) {
+               printk(KERN_WARNING "%s %d: invalid span timing value %d.\n",
+                               THIS_MODULE->name, span->spanno, lc->sync);
+               return -EINVAL;
+       }
+
        /* XXX We assume lineconfig is okay and shouldn't XXX */        
        span->lineconfig = lc->lineconfig;
        span->txlevel = lc->lbo;
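Review bot: the bound `2` is a bare magic number where the tor2.c hunk uses SPANS_PER_CARD; define an equivalent constant for this driver, ideally the one that sizes the array lc->sync indexes, so the check cannot drift from the array size. Also, `lc->sync < 0` only does anything if the field is a signed int; if it is unsigned the compiler drops that half of the comparison, so confirm the field's type in the ioctl struct definition.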
Index: 1.2/wct1xxp.c
===================================================================
--- 1.2/wct1xxp.c       (revision 4586)
+++ 1.2/wct1xxp.c       (revision 4587)
@@ -738,7 +738,7 @@
        span->txlevel = lc->lbo;
        span->rxlevel = 0;
        /* Do we want to SYNC on receive or not */
-       wc->sync = lc->sync;
+       wc->sync = (lc->sync) ? 1 : 0;
        /* If already running, apply changes immediately */
        if (span->flags & ZT_FLAG_RUNNING)
                return t1xxp_startup(span);
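Review bot: this is the same change as the wcte11xp.c hunk; whatever semantics is settled on there (truthiness versus low bit, normalise versus reject) should be applied identically here, and a shared comment or helper would keep the two drivers from diverging later. The patch description should also record what a stray value such as 2 did before, since the report says `wc->sync` was previously written to a hardware register as-is.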

--- End Message ---
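The three shapes in the report above, modelled in user space as an added example that is not zaptel code: a user-supplied ioctl field used directly as an array index with no check, the range check the patch adds for the multi-span drivers, and the normalise-to-0/1 form used for the single-span drivers. The names `struct lineconfig`, `struct card_state`, `SPANS` and the memory layout are assumptions for illustration; the real ioctl argument and driver state differ.

```c
/*
 * Added example, not zaptel code. Models, in user space, the three
 * shapes in the report: (1) lc->sync used as an array index with no
 * check, (2) the range check the patch adds for tor2/torisa,
 * (3) the normalise-to-0/1 form used for the single-span drivers.
 * 'struct lineconfig', 'struct card_state' and SPANS are assumed names.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SPANS 4          /* assumed: a tor2-style quad-span card */

/* Stand-in for the ioctl argument; every field arrives from user space. */
struct lineconfig {
    int span;
    int lineconfig;
    int lbo;
    int sync;            /* timing source / sync flag: the field at issue */
};

/*
 * Stand-in for driver state. mem[0..SPANS-1] is the per-slot timing
 * table the driver indexes; mem[SPANS] stands in for whatever happens
 * to follow that table in kernel memory, so an index of SPANS lands on
 * it without the model itself going out of bounds.
 */
struct card_state {
    int mem[SPANS + 1];
};
#define NEXT_OBJECT SPANS
#define CANARY      0x5a5a5a5a

/* (1) The "before" shape from the report: index taken on trust. Model only. */
static int spanconfig_unchecked(struct card_state *c, int spanno,
                                const struct lineconfig *lc)
{
    c->mem[lc->sync] = spanno;      /* lc->sync may be anything */
    return 0;
}

/* (2) Hardened: reject anything outside [0, SPANS) before touching memory. */
static int spanconfig_checked(struct card_state *c, int spanno,
                              const struct lineconfig *lc)
{
    if (lc->sync < 0 || lc->sync >= SPANS)
        return -EINVAL;
    c->mem[lc->sync] = spanno;
    return 0;
}

/* (3) Single-span driver: only "sync on or off" is stored, so normalise. */
static int sync_flag(const struct lineconfig *lc)
{
    return lc->sync ? 1 : 0;
}

/*
 * Configure with sync == SPANS (one past the table). Returns 1 when the
 * checked version refused and left the neighbour intact while the
 * unchecked version overwrote it, 0 otherwise.
 */
static int demo_one_past_end(void)
{
    struct card_state c;
    struct lineconfig lc = { 1, 0, 0, SPANS };   /* constructed input */

    memset(&c, 0, sizeof c);
    c.mem[NEXT_OBJECT] = CANARY;

    if (spanconfig_checked(&c, 1, &lc) != -EINVAL || c.mem[NEXT_OBJECT] != CANARY)
        return 0;
    spanconfig_unchecked(&c, 1, &lc);
    return c.mem[NEXT_OBJECT] != CANARY;
}

int main(void)
{
    struct card_state c;
    struct lineconfig good = { 1, 0, 0, 2 }, bad = { 1, 0, 0, -1 };
    int rc;

    memset(&c, 0, sizeof c);
    printf("one past the end: unchecked clobbers neighbour, checked refuses: %s\n",
           demo_one_past_end() ? "yes" : "no");
    rc = spanconfig_checked(&c, 3, &good);
    printf("sync=2 on quad card: rc=%d, mem[2]=%d\n", rc, c.mem[2]);
    rc = spanconfig_checked(&c, 3, &bad);
    printf("sync=-1 on quad card: rc=%d (%s)\n", rc, strerror(-rc));
    printf("sync=2 on single-span card normalises to %d\n", sync_flag(&good));
    return 0;
}
```

The unchecked variant is kept only as a model of the pre-patch shape; the point of the demo is that the neighbour slot survives the checked call and is overwritten by the unchecked one with the same input, which is exactly the "write over many places in kernel space" the report describes.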
--- Begin Message ---
Source: zaptel
Source-Version: 1:1.4.11~dfsg-3

We believe that the bug you reported is fixed in the latest version of
zaptel, which is due to be installed in the Debian FTP archive:

libtonezone-dev_1.4.11~dfsg-3_i386.deb
  to pool/main/z/zaptel/libtonezone-dev_1.4.11~dfsg-3_i386.deb
libtonezone1_1.4.11~dfsg-3_i386.deb
  to pool/main/z/zaptel/libtonezone1_1.4.11~dfsg-3_i386.deb
zaptel-source_1.4.11~dfsg-3_all.deb
  to pool/main/z/zaptel/zaptel-source_1.4.11~dfsg-3_all.deb
zaptel_1.4.11~dfsg-3.diff.gz
  to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3.diff.gz
zaptel_1.4.11~dfsg-3.dsc
  to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3.dsc
zaptel_1.4.11~dfsg-3_i386.deb
  to pool/main/z/zaptel/zaptel_1.4.11~dfsg-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <[EMAIL PROTECTED]> (supplier of updated zaptel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Dec 2008 19:52:06 +1100
Source: zaptel
Binary: zaptel libtonezone1 libtonezone-dev zaptel-source
Architecture: source all i386
Version: 1:1.4.11~dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <[EMAIL PROTECTED]>
Changed-By: Mark Purcell <[EMAIL PROTECTED]>
Description: 
 libtonezone-dev - tonezone library (development)
 libtonezone1 - tonezone library (runtime)
 zaptel     - zapata telephony utilities
 zaptel-source - Zapata telephony interface (source code for kernel driver)
Closes: 507459
Changes: 
 zaptel (1:1.4.11~dfsg-3) unstable; urgency=high
 .
   [ Tzafrir Cohen ]
   * Patch fix_sync_validation: Better ioctl input validation (Closes: #507459)
   * zaptel.init: exit on a different condition: Nicer handling of ztdummy.
   * zaptel.init: Give a sane default to XPP_SYNC.
 .
   [ Mark Purcell ]
   * Urgency high to fix RC bug
   * Update debian/watch
   * Add ${misc:Depends} fixes:debhelper-but-no-misc-depends
Checksums-Sha1: 
 7f1db095855c195376f48b84f3c7273736bea57d 1441 zaptel_1.4.11~dfsg-3.dsc
 1a4ac4c6ff2d182645211bbce9fb747a0afc13f5 187639 zaptel_1.4.11~dfsg-3.diff.gz
 a881b170a3b0800f2e700c233fe2e4f98649f80d 1146314 zaptel-source_1.4.11~dfsg-3_all.deb
 b9f10a4e06a60990c6db7a06bec5e1b45a4b3a04 299348 zaptel_1.4.11~dfsg-3_i386.deb
 3c4f11d347a1763752938292bb01ebe15bf82bb4 72750 libtonezone1_1.4.11~dfsg-3_i386.deb
 600f8f404d1f3ea56264d6293e7a8c78ec512478 73784 libtonezone-dev_1.4.11~dfsg-3_i386.deb
Checksums-Sha256: 
 7121a7d7e648ecbe0c7818b4505b36ece0418033c6c5e7f631f2736dd4c3291f 1441 zaptel_1.4.11~dfsg-3.dsc
 1a2a7f6c610125af678a9a119573b173b6e32ab934d42adf539aaf1d6830d5c4 187639 zaptel_1.4.11~dfsg-3.diff.gz
 b439fc880bf43a365326c9cb4fc3bc8a55b74ad9136e71093a8076c2154cbc6b 1146314 zaptel-source_1.4.11~dfsg-3_all.deb
 e842fc7882dd57ba525a3e6ecc1d82214761508c1aa3b4159393416ee1b5c9d8 299348 zaptel_1.4.11~dfsg-3_i386.deb
 f30879cc8fa32c3d571335cddc6cfac08fe938f1fc7aedc4864464af0b855a25 72750 libtonezone1_1.4.11~dfsg-3_i386.deb
 6520cf0aeb7a5557dae977e7df976a4edae759c1dd7364228f2fe8a8ed2fa358 73784 libtonezone-dev_1.4.11~dfsg-3_i386.deb
Files: 
 add6dc69774f985a662832a80f6bd153 1441 comm optional zaptel_1.4.11~dfsg-3.dsc
 4cbd54a94a6c012fb880b7c4b043c874 187639 comm optional zaptel_1.4.11~dfsg-3.diff.gz
 96b5fba99136b71607a32d6d0e84d680 1146314 devel optional zaptel-source_1.4.11~dfsg-3_all.deb
 24c426f98fe7e7492970bcb046050cd4 299348 comm optional zaptel_1.4.11~dfsg-3_i386.deb
 01d57dd34254d455b8099d0a15af39db 72750 libs optional libtonezone1_1.4.11~dfsg-3_i386.deb
 9b595bb71c6e19086ff784cc6244a9c9 73784 libdevel optional libtonezone-dev_1.4.11~dfsg-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk2XXQACgkQoCzanz0IthKRlgCghiV432agIWzidB+fZbf5sdWt
pwsAnjJlBxPAg4MgQrZSCQ250Kno3L9T
=9/Cu
-----END PGP SIGNATURE-----



--- End Message ---
