zaptel多个驱动数组索引漏洞

BUGTRAQ ID: 32575 CVECAN ID: CVE-2008-5396,CVE-2008-5744 zaptel软件包是用于配置Zapata电话内核驱动的用户工具。 由于对ZTSPANCONFIG ioctl相关的sync字段缺少检查，导致Zaptel中的torisa.c驱动的torisaspanconfig函数和dahdi/tor2.c驱动的tor2spanconfig函数存在数组索引错误。dialout组中的本地用户可以通过写入/dev/zap/ctl覆盖内核内存中的整数值，导致拒绝服务或获得权限提升。 Diginum Zaptel 1.4.x Diginum Zapt...

Design/Logic Flaw

Array index error in the dahdi/tor2.c driver in Zaptel aka DAHDI 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check...

CVE-2008-5744

CVE-2008-5744 describes an array index error in the zaptel/DAHDI driver (dahdi/tor2.c) that allows local users in the dialout group to overwrite kernel memory by writing to /dev/zap/ctl. Affected: Zaptel/DAHDI versions up to 1.4.11 (and related patches). The root cause relates to an incorrect tor...