ofono: fix CVE-2024-7539 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Yogita Urade <yogita.urade@windriver.com>	2025-01-14 12:51:27 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-01-20 13:38:59 +0000
commit	49863645a07ae6e3970cf72ee856627706abdcb1 (patch)
tree	75e23826f9b55354c63e22ddeb6dcc5a3344ade3 /scripts/lib/devtool/ide_sdk.py
parent	23e695407ec0c663de3106863a46f597e2c31f2e (diff)
download	poky-49863645a07ae6e3970cf72ee856627706abdcb1.tar.gz

ofono: fix CVE-2024-7539

oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-23195. Reference: https://security-tracker.debian.org/tracker/CVE-2024-7539 Upstream patch: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc (From OE-Core rev: 55aea716ca4665cf45579247dd5feec5668dd94f) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Diffstat (limited to 'scripts/lib/devtool/ide_sdk.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: