Your message dated Mon, 09 Mar 2015 19:50:08 +0000 with message-id <e1yv3gm-0005cp...@franck.debian.org> and subject line Bug#775662: fixed in oss4 4.2-build2010-2 has caused the Debian Bug report #775662, regarding oss4: Insufficient validation of USB device descriptors to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 775662: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775662 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: oss4 Version: 4.2-build2006-2 Severity: critical Tags: security [This was originally sent to the security team in 2012 but didn't go further than that. However, the code has not changed at all since then.] In kernel/drv/oss_usb/oss_usb.c: - count_source_controls(), add_controls_for_mixer(), add_controls_for_proc(), add_controls_for_selector(), translate_feature_mask_usb2(), translate_feature_mask(), add_controls_for_feature(), traverse_source_controls(), traverse_target_controls(), setup_legacy_mixer(), get_feature_mask(), mixer_dump() and ossusb_init_audioctl() do not check that descriptors are as long as expected. - setup_legacy_mixer() does not reject invalid source unit numbers. These are arbitrary unsigned bytes but used as an index within an array of length 40. In kernel/drv/oss_usb/ossusb_audio.c: - prepare_altsetting() does not reject altsetting descriptors with an invalid terminal link unit number. - setup_format_I() and setup_format_II() do not check that descriptors are as long as expected. In kernel/drv/oss_usb/ossusb_midi.c: - ossusb_init_midistream() does not check that descriptors are as long as expected. (It requires that an altsetting descriptor is at least 3 bytes long, but may use more than that.) While unit numbers are validated in some places, validation is inconsistent and probably wrong: if (un->source <= 0 && un->source < devc->nunits) if (*d > 0 && *d < devc->nunits) if (portc->terminal_link > 0 && portc->terminal_link <= devc->nunits) An invalid USB device descriptor may cause memory corruption or a crash. I didn't find any case where the driver would copy a lot of data from the device descriptor, but I know people manage to exploit bugs for privilege escalation even though they provide only very limited control over the data to be written. [I just noticed another bug in count_source_controls(): un = &devc->units[unit]; d = un->desc; if (un == NULL) return 0; It's a bit late to be checking for a null pointer here. Thankfully this shouldn't cause anything worse than a crash on Linux.] Ben. -- Ben Hutchings The generation of random numbers is too important to be left to chance. - Robert Coveyousignature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---Source: oss4 Source-Version: 4.2-build2010-2 We believe that the bug you reported is fixed in the latest version of oss4, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 775...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Samuel Thibault <sthiba...@debian.org> (supplier of updated oss4 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 09 Mar 2015 20:16:31 +0100 Source: oss4 Binary: oss4-base oss4-gtk oss4-dkms oss4-source oss4-dev liboss4-salsa2 liboss4-salsa-dev liboss4-salsa-asound2 Architecture: source all amd64 Version: 4.2-build2010-2 Distribution: unstable Urgency: medium Maintainer: Debian OSS4 Maintainers <pkg-oss4-maintain...@lists.alioth.debian.org> Changed-By: Samuel Thibault <sthiba...@debian.org> Description: liboss4-salsa-asound2 - OSS to Alsa compatibility library - binary compatibility symlink liboss4-salsa-dev - OSS to Alsa compatibility library -- development files liboss4-salsa2 - OSS to Alsa compatibility library oss4-base - Open Sound System - base package oss4-dev - Open Sound System - development files oss4-dkms - Open Sound System - DKMS module sources oss4-gtk - Open Sound System - simple GTK2-based mixer control oss4-source - Open Sound System - drivers sources Closes: 775662 Changes: oss4 (4.2-build2010-2) unstable; urgency=medium . * Disable USB drivers, which insufficiently validate USB device descriptors. (Closes: #775662) Checksums-Sha1: 6dadf099ed8e068cc13b98272cd778c08e7ae371 2527 oss4_4.2-build2010-2.dsc f48c986c25517a9e182b67cbc84256ff28e98f9a 66892 oss4_4.2-build2010-2.debian.tar.xz 7eddd6ff1eb31b13cba3a02a063d96362c3b4e9b 27952 oss4-dev_4.2-build2010-2_all.deb 184db772c6c5964e7c5f071e3a7d15bb328a88a4 530788 oss4-base_4.2-build2010-2_amd64.deb 679dd8fca197c5c6bb9854c5c5598f59c8cd0810 27456 oss4-gtk_4.2-build2010-2_amd64.deb 15537e1301af331afc59be0dcf283ed3c5e912ad 659828 oss4-dkms_4.2-build2010-2_amd64.deb 31a7d67bfcfce5d6ee29b4eceaac2070a23ab221 837962 oss4-source_4.2-build2010-2_amd64.deb b38fb548b75d7019e6076dfe35e3263a0dc968b8 42954 liboss4-salsa2_4.2-build2010-2_amd64.deb b1c5571939938c194aaed702502564c349471f76 7664 liboss4-salsa-asound2_4.2-build2010-2_amd64.deb Checksums-Sha256: fd5cf1f84b1103dc177861eb0f01861c55c52a349f2daa6b007a93ab339f3976 2527 oss4_4.2-build2010-2.dsc 789246660edd075230597761b4f3f2700ff376a8bb6f756b8f94fe31e31f8fc4 66892 oss4_4.2-build2010-2.debian.tar.xz 3fb67d2d2c5728a89c746651eb583c2e07b4fdcfed6412cda1332e7e90aa3b15 27952 oss4-dev_4.2-build2010-2_all.deb c8c5b63bad73ec9624f966d5fc4ddce8e92b65ba160c3813582de87482342094 530788 oss4-base_4.2-build2010-2_amd64.deb 5bd1c177eab52285e0649d949b7a7bd251c900be4f019b1809b167eb85e81cee 27456 oss4-gtk_4.2-build2010-2_amd64.deb 537e62d1c8fa6ab38c60eabe9a9bc0e104dfc72716728bfbbc1a5ae2b5c6a151 659828 oss4-dkms_4.2-build2010-2_amd64.deb 17be04e3b9ffe8bcd82c6f7816f74d56246a247f95551dd9be4f6221729ac30e 837962 oss4-source_4.2-build2010-2_amd64.deb 25fb03addcfc1e44983b17197067839290e4b20017b052ea576813d2953b5971 42954 liboss4-salsa2_4.2-build2010-2_amd64.deb 0d4bb5ded2a14bf2a28e781ef7b11722c598924f162e54a4d208817cc4f62b6d 7664 liboss4-salsa-asound2_4.2-build2010-2_amd64.deb Files: 77a805fe1e53d545ed76f7d9f3af31cc 2527 sound optional oss4_4.2-build2010-2.dsc 39c68906cde8bc1181591fd3cdd5473f 66892 sound optional oss4_4.2-build2010-2.debian.tar.xz fd2b981530b3cbebbccaea2639abfe7e 27952 devel optional oss4-dev_4.2-build2010-2_all.deb 556ac7a27f94c4e8d11d9201f08f107e 530788 sound optional oss4-base_4.2-build2010-2_amd64.deb f20e3fc67dd691eefe213264d6008115 27456 sound optional oss4-gtk_4.2-build2010-2_amd64.deb d5ee5442bbfed01f22a40c0b1142d445 659828 kernel optional oss4-dkms_4.2-build2010-2_amd64.deb 599899f09cc165b45b5b9b9a82de5d20 837962 sound optional oss4-source_4.2-build2010-2_amd64.deb 5956ec6109951e617a9ef401c38dcec5 42954 libs optional liboss4-salsa2_4.2-build2010-2_amd64.deb 45e3c6274e8f7b05cb61d243410f424b 7664 libs optional liboss4-salsa-asound2_4.2-build2010-2_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJU/fTUAAoJEM8J0LDiiAQrtXYQAI9C8Tl7oxtW36kurPnzK9F6 nnh4CQ26zSGXme0F6s0fV0JrpFSy4F3dXlDv5PITypwYW+U2C1HBCOFwJOcu/Dh+ QN/U4z73UbPVdIFZOj2VyhV8EiHxlUhvl5yAX3GeGvZfZlwrAP7/0hYKp0rk8bL9 ScKE+G81l6sGnnpmphaMUTEmulZpUbNuNhtqxthv3MZGG8j/d/Ckom9AHb51CjFT R5zNUxqcleY721oXPyV3Mt0YTmM/9eeXE7sIQFLu3554lMWth0ao8smFqgKzGvql QNz1Md5ly8QOghqmWn00y6AMRuwo5sDLva2eT5DE26FoTbaE/Dq/EuV8rz7leosC /lIHOrq7yPRG+1Js/p6t61cp76A8AsGhjBG9hoY9Wd7Sr0jgyuI/Y/9q7mBEswFL 4xYyaCyFCxe3Q7thlpJIiXi+Uu9yH8udJ7rc4FqmKOOYT+Wh+OIzvmPqyRXjKUPJ rC1Q3plTLoZReLlc8PgEXbct0OEF+aunMIu2NBNWmrkd8taYJ/EjMuOErzImRa1/ jiv61EpJzDReJ47dFxFvDqSH5tHUYdyW95vWXnFpM3XRC/KoulJN4ZsfMQbG6Vek 6jQ5k9XNv6qmIltgTXUeOHmVRVsAeSGHwSLJ6/TNQxok4k8jKKqVYF5yfhaTGoii aDbQEB8znWP8El1IliKa =0JCS -----END PGP SIGNATURE-----
--- End Message ---