Package: src:linux
Version: 3.2.78-1
Severity: minor
Tags: security

In 2010 an issue with the Linux kernel implementation of v4l was discovered and reported to RedHat as <URL: https://bugzilla.redhat.com/show_bug.cgi?id=620629 >. It was assigned a CVE last year in <URL: http://www.openwall.com/lists/oss-security/2015/02/08/4 > and is still unsolved as far as I can tell.

If I understand the issue correctly, a user with access to /dev/video can cause the kernel to leak memory and eventually run out of memory by doing repeated calls to mmap(). In other words, users with video group membership can bring down the machine.

According to <URL: https://security-tracker.debian.org/tracker/CVE-2010-5321 > the issue is present in Wheezy and onwards. It is probably present in earlier versions too. I picked the kernel version number used in wheezy for this report.

I noticed this issue, as it is the oldest non-fixed CVE number reported by debsecan on my laptop, and decided it was time to track its progress in a bug report.

--
Happy hacking
Petter Reinholdtsen

