

   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-120
Linux kernel uvc_parse_format function buffer overflow vulnerability

Original Issue Date: August 13, 2008

Severity Rating: High

System Affected

  • Linux Kernel Versions prior to 2.6.26.1

Overview

A buffer overflow vulnerability has been reported in Linux Kernel, which could be exploited by a local attacker to execute arbitrary code with root privileges or cause the system to crash.

Description

This vulnerability is caused by improper bounds checking of user-supplied data in the 'uvc_parse_format' function of 'drivers/media/video/uvc/uvc_driver.c'. Specifically, the vulnerability occurs while parsing format descriptors. A local attacker can exploit this issue to execute arbitrary code with root privileges or cause the system to crash.
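The following is an added illustrative example and is not code from the Linux kernel's uvc_driver.c or from this note. It shows the general defensive pattern the description points at: a parser for a constructed, simplified descriptor layout (loosely modelled on USB class descriptors, with a declared bLength and a declared frame count) that validates every untrusted length and count against both the bytes actually present in the buffer and the fixed capacity of the array it writes into, and rejects the input otherwise. The descriptor layout, type codes, structure names and sample bytes are all assumptions made for the example.

```c
/* Added example (not the kernel's uvc_parse_format): bounds-checked parsing
 * of a constructed descriptor layout.
 *   byte 0: bLength (total length of this descriptor, including this byte)
 *   byte 1: bDescriptorType (constructed codes: 1 = FORMAT, 2 = FRAME)
 *   FORMAT payload: byte 2 = bFormatIndex, byte 3 = bNumFrameDescriptors
 *   FRAME payload:  byte 2 = bFrameIndex, bytes 3-4 = wWidth (LE), bytes 5-6 = wHeight (LE)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DESC_FORMAT 1
#define DESC_FRAME  2
#define MAX_FRAMES  4   /* fixed capacity of the frame array (assumed) */

struct frame  { uint8_t index; uint16_t width, height; };
struct format { uint8_t index; unsigned nframes; struct frame frames[MAX_FRAMES]; };

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED = -1,       /* buffer ends before a descriptor is complete */
    PARSE_ERR_LENGTH = -2,          /* a bLength field is impossible for the bytes present */
    PARSE_ERR_TOO_MANY_FRAMES = -3, /* declared frame count exceeds the fixed array */
    PARSE_ERR_NO_FORMAT = -4        /* buffer does not start with a format descriptor */
};

/* Parse one format descriptor and the frame descriptors that follow it.
 * Every read is checked against the bytes remaining in buf, and every write
 * into out->frames is bounded by the declared count, which is itself capped
 * at MAX_FRAMES, so a malicious count or bLength is rejected rather than
 * written past the end of the array. */
int parse_format(const uint8_t *buf, size_t buflen, struct format *out)
{
    size_t off;
    uint8_t declared_frames;

    memset(out, 0, sizeof(*out));

    /* Header needs bLength, bDescriptorType, bFormatIndex, bNumFrameDescriptors. */
    if (buflen < 4 || buf[0] < 4 || buf[0] > buflen)
        return PARSE_ERR_TRUNCATED;
    if (buf[1] != DESC_FORMAT)
        return PARSE_ERR_NO_FORMAT;
    out->index = buf[2];
    declared_frames = buf[3];
    if (declared_frames > MAX_FRAMES)
        return PARSE_ERR_TOO_MANY_FRAMES;  /* untrusted count vs. fixed capacity */
    off = buf[0];

    while (off < buflen && out->nframes < declared_frames) {
        const uint8_t *d = buf + off;
        size_t remaining = buflen - off;
        uint8_t blen;

        if (remaining < 2)
            return PARSE_ERR_TRUNCATED;
        blen = d[0];
        if (blen < 2 || blen > remaining)
            return PARSE_ERR_LENGTH;          /* bLength must fit in what is left */
        if (d[1] != DESC_FRAME) {             /* skip unrelated descriptors */
            off += blen;
            continue;
        }
        if (blen < 7)
            return PARSE_ERR_LENGTH;          /* frame payload needs 5 bytes */

        struct frame *f = &out->frames[out->nframes++]; /* nframes < declared <= MAX_FRAMES */
        f->index  = d[2];
        f->width  = (uint16_t)(d[3] | (d[4] << 8));
        f->height = (uint16_t)(d[5] | (d[6] << 8));
        off += blen;
    }
    if (out->nframes != declared_frames)
        return PARSE_ERR_TRUNCATED;           /* fewer frames present than declared */
    return PARSE_OK;
}

/* Constructed sample descriptors (not captured from any real device). */
static const uint8_t good_desc[] = {
    4, DESC_FORMAT, 1, 2,                     /* format 1 declaring 2 frames */
    7, DESC_FRAME, 1, 0x80, 0x02, 0xE0, 0x01, /* frame 1: 640x480 */
    7, DESC_FRAME, 2, 0x40, 0x01, 0xF0, 0x00, /* frame 2: 320x240 */
};
/* Declares 200 frames: a parser trusting this count would overrun a 4-entry array. */
static const uint8_t too_many_desc[] = { 4, DESC_FORMAT, 1, 200, 7, DESC_FRAME, 1, 0, 0, 0, 0 };
/* Frame bLength of 7 runs past the end of the 8-byte buffer. */
static const uint8_t bad_length_desc[] = { 4, DESC_FORMAT, 1, 1, 7, DESC_FRAME, 1, 0x80 };

/* Small wrappers so each case can be checked by return value. */
int demo_good(void)
{
    struct format f;
    return parse_format(good_desc, sizeof good_desc, &f) == PARSE_OK
        && f.nframes == 2 && f.frames[0].width == 640 && f.frames[1].height == 240;
}
int demo_too_many(void)   { struct format f; return parse_format(too_many_desc, sizeof too_many_desc, &f); }
int demo_bad_length(void) { struct format f; return parse_format(bad_length_desc, sizeof bad_length_desc, &f); }

int main(void)
{
    printf("good: %d, too many frames: %d, bad length: %d\n",
           demo_good(), demo_too_many(), demo_bad_length());
    return 0;
}
```

The two checks that matter are the comparison of the declared frame count against the array capacity before any frame is stored, and the comparison of each descriptor's bLength against the bytes remaining before any of its payload is read; dropping either one turns attacker-controlled descriptor bytes into an out-of-bounds access.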

Solution

Upgrade to Linux Kernel Version 2.6.26.1 or later.

Vendor Information

Linux Kernel
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.1

References

SecurityFocus
http://www.securityfocus.com/bid/30514

IBM ISS
http://xforce.iss.net/xforce/xfdb/44184

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln30514.html

CVE Name
CVE-2008-3496

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003