** Description changed: - The camera post processing engine (CPP) and video processing engine - (VPE) provide an ioctl system call interface to user space clients for - communication. When processing arguments passed to the - VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO or - VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl subdev handlers, a user - space supplied length value is used to copy memory to a local stack - buffer without proper bounds checking. An application with access to the - respective device nodes can use this flaw to, e.g., elevate privileges. + Multiple stack-based buffer overflows in the MSM camera driver for the + Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android + contributions for MSM devices and other products, allow attackers to gain + privileges via (1) a crafted VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl + call, related to drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c, + or (2) a crafted VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO ioctl call, + related to drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c. Break-Fix: - c9c81836ee44db9974007d34cf2aaeb1a51a8d45 Break-Fix: - 28385b9c3054c91dca1aa194ffa750550c50f3ce
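Review bot: The replacement description drops two details that the removed text carried: the root cause (a user space supplied length value used to copy memory to a local stack buffer without proper bounds checking) and the precondition (an application needs access to the respective device nodes). The new wording adds the affected source files, msm_vpe.c and msm_cpp.c, which is useful. Consider keeping one sentence with the root cause and precondition alongside it, so that triage can still see who can reach the two ioctl handlers and what a fix has to check.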
--
https://bugs.launchpad.net/bugs/1244800
Title: CVE-2013-4738
