

   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-121
Linux Kernel "snd_seq_oss_synth_make_info()" Information Disclosure Vulnerability

Original Issue Date: August 13, 2008

Severity Rating: Medium

System Affected

  • Linux Kernel Versions 2.6.x prior to 2.6.27-rc2.

Overview

A vulnerability has been reported in the Linux Kernel, which could be exploited by a local attacker to obtain sensitive information from kernel memory.

Description

This vulnerability is caused by an error in validating the user-supplied device number within the "snd_seq_oss_synth_make_info()" function in sound/core/seq/oss/seq_oss_synth.c before information is returned to the calling user. A local attacker can exploit this by passing an invalid device number to the vulnerable function, disclosing potentially sensitive kernel memory that may aid in further attacks.
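The flaw class described above, as an added example that is not the kernel's source: a simplified user-space model showing a caller-supplied device number used as a table index without and with a range check. The table, structure layouts, function names other than the one quoted above, and the -ENXIO return value are assumptions made for the model.

```c
/* Simplified user-space model of the flaw class; constructed for
 * illustration, not the kernel's seq_oss_synth.c source. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_SYNTH_DEVS 4                 /* assumed table size */
struct synth_rec  { int opened; char name[30]; int nr_voices; };
struct synth_info { char name[30]; int device; int nr_voices; };

/* Constructed table standing in for the registered synth devices. */
static const struct synth_rec synth_table[MAX_SYNTH_DEVS] = {
    { 1, "model-synth-0", 16 },
    { 1, "model-synth-1", 32 },
};

/* Copy one record into the structure handed back to the caller. */
static int fill_info(const struct synth_rec *rec, int dev, struct synth_info *inf)
{
    if (!rec->opened)
        return -ENXIO;
    memset(inf, 0, sizeof(*inf));        /* no stale bytes in the reply */
    snprintf(inf->name, sizeof(inf->name), "%s", rec->name);
    inf->device = dev;
    inf->nr_voices = rec->nr_voices;
    return 0;
}

/* Unchecked form: the caller's 'dev' indexes the table directly, so an
 * out-of-range value makes fill_info() read memory outside the table. */
int make_info_unchecked(int dev, struct synth_info *inf)
{
    return fill_info(&synth_table[dev], dev, inf);
}

/* Hardened form: validate the device number before touching the table. */
int make_info_checked(int dev, struct synth_info *inf)
{
    if (dev < 0 || dev >= MAX_SYNTH_DEVS)
        return -ENXIO;
    return fill_info(&synth_table[dev], dev, inf);
}

int main(void)
{
    struct synth_info inf;
    const int probes[] = { 1, 3, 7, -1 };  /* valid, unused slot, too high, negative */
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("dev %d -> %d\n", probes[i], make_info_checked(probes[i], &inf));
    return 0;
}
```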

Solution

This issue is fixed in Linux Kernel version 2.6.27-rc2.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=82e68f7ffec3800425f2391c8c86277606860442

Vendor Information

Linux Kernel
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.27-rc2

References

SecurityFocus
http://www.securityfocus.com/bid/30559/info

Secunia
http://secunia.com/advisories/31366/

SecurityTracker
http://www.securitytracker.com/alerts/2008/Aug/1020636.html

Zenwalk
http://support.zenwalk.org/viewtopic.php?f=48&t=17981&sid=063148c1a5f5fdbc240c68dc0eb37da0


CVE Name
CVE-2008-3272

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003