Your message dated Mon, 09 Mar 2015 19:50:08 +0000
with message-id <e1yv3gm-0005cp...@franck.debian.org>
and subject line Bug#775662: fixed in oss4 4.2-build2010-2
has caused the Debian Bug report #775662,
regarding oss4: Insufficient validation of USB device descriptors
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: oss4
Version: 4.2-build2006-2
Severity: critical
Tags: security

[This was originally sent to the security team in 2012 but didn't go
further than that.  However, the code has not changed at all since
then.]

In kernel/drv/oss_usb/oss_usb.c:

- count_source_controls(), add_controls_for_mixer(),
  add_controls_for_proc(), add_controls_for_selector(),
  translate_feature_mask_usb2(), translate_feature_mask(),
  add_controls_for_feature(), traverse_source_controls(),
  traverse_target_controls(), setup_legacy_mixer(),
  get_feature_mask(), mixer_dump() and ossusb_init_audioctl()
  do not check that descriptors are as long as expected.
- setup_legacy_mixer() does not reject invalid source unit numbers.
  These are arbitrary unsigned bytes but used as an index within an
  array of length 40.

In kernel/drv/oss_usb/ossusb_audio.c:

- prepare_altsetting() does not reject altsetting descriptors with an
  invalid terminal link unit number.
- setup_format_I() and setup_format_II() do not check that descriptors
  are as long as expected.

In kernel/drv/oss_usb/ossusb_midi.c:

- ossusb_init_midistream() does not check that descriptors are as
  long as expected.  (It requires that an altsetting descriptor is
  at least 3 bytes long, but may use more than that.)

While unit numbers are validated in some places, validation is
inconsistent and probably wrong:

      if (un->source <= 0 && un->source < devc->nunits)
    if (*d > 0 && *d < devc->nunits)
  if (portc->terminal_link > 0 && portc->terminal_link <= devc->nunits)

An invalid USB device descriptor may cause memory corruption or a
crash.

I didn't find any case where the driver would copy a lot of data from
the device descriptor, but I know people manage to exploit bugs for
privilege escalation even though they provide only very limited control
over the data to be written.

[I just noticed another bug in count_source_controls():

  un = &devc->units[unit];
  d = un->desc;

  if (un == NULL)
    return 0;

It's a bit late to be checking for a null pointer here.  Thankfully this
shouldn't cause anything worse than a crash on Linux.]

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou


--- End Message ---
--- Begin Message ---
Source: oss4
Source-Version: 4.2-build2010-2

We believe that the bug you reported is fixed in the latest version of
oss4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Thibault <sthiba...@debian.org> (supplier of updated oss4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Mar 2015 20:16:31 +0100
Source: oss4
Binary: oss4-base oss4-gtk oss4-dkms oss4-source oss4-dev liboss4-salsa2 liboss4-salsa-dev liboss4-salsa-asound2
Architecture: source all amd64
Version: 4.2-build2010-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OSS4 Maintainers <pkg-oss4-maintain...@lists.alioth.debian.org>
Changed-By: Samuel Thibault <sthiba...@debian.org>
Description:
 liboss4-salsa-asound2 - OSS to Alsa compatibility library - binary compatibility symlink
 liboss4-salsa-dev - OSS to Alsa compatibility library -- development files
 liboss4-salsa2 - OSS to Alsa compatibility library
 oss4-base  - Open Sound System - base package
 oss4-dev   - Open Sound System - development files
 oss4-dkms  - Open Sound System - DKMS module sources
 oss4-gtk   - Open Sound System - simple GTK2-based mixer control
 oss4-source - Open Sound System - drivers sources
Closes: 775662
Changes:
 oss4 (4.2-build2010-2) unstable; urgency=medium
 .
   * Disable USB drivers, which insufficiently validate USB device descriptors.
     (Closes: #775662)

--- End Message ---
