CVE-2006-2935

Description

The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c in Linux kernel 2.2.16, and later versions, assigns the wrong value to a length variable, which allows local users to execute arbitrary code via a crafted USB Storage device that triggers a buffer overflow.

CVSS Metrics

• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.21%• Percentile: 44%

Techniques & Countermeasures

• CWE-120•Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Affected Systems

• canonical•ubuntu_linux

  5.04 | 5.10 | 6.06

• debian•debian_linux

  3.1

• linux•linux_kernel

  ≥ 2.2.16, ≤ 2.16.16

References (40)

• http://www.ubuntu.com/usn/usn-331-1
• http://secunia.com/advisories/21934
• http://www.novell.com/linux/security/advisories/2006_42_kernel.html
• http://www.redhat.com/support/errata/RHSA-2007-0012.html
• http://www.redhat.com/support/errata/RHSA-2006-0617.html
• http://bugzilla.kernel.org/show_bug.cgi?id=2966
• http://secunia.com/advisories/21298
• http://secunia.com/advisories/23788
• http://secunia.com/advisories/21695
• http://secunia.com/advisories/21605
• http://www.novell.com/linux/security/advisories/2006_47_kernel.html
• http://www.debian.org/security/2006/dsa-1183
• http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
• http://www.redhat.com/support/errata/RHSA-2007-0013.html
• http://www.mandriva.com/security/advisories?name=MDKSA-2006:151
• http://secunia.com/advisories/22082
• http://secunia.com/advisories/21614
• http://www.novell.com/linux/security/advisories/2006_64_kernel.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/27579
• http://secunia.com/advisories/22174
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10886
• http://secunia.com/advisories/24288
• http://www.vupen.com/english/advisories/2006/2680
• http://secunia.com/advisories/22822
• http://secunia.com/advisories/23064
• https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=197670
• http://support.avaya.com/elmodocs2/security/ASA-2007-078.htm
• http://support.avaya.com/elmodocs2/security/ASA-2006-254.htm
• http://www.ubuntu.com/usn/usn-346-1
• http://www.securityfocus.com/bid/18847
• http://secunia.com/advisories/22497
• http://secunia.com/advisories/21498
• http://support.avaya.com/elmodocs2/security/ASA-2006-203.htm
• http://www.redhat.com/support/errata/RHSA-2006-0710.html
• https://issues.rpath.com/browse/RPL-611
• http://www.securityfocus.com/archive/1/444887/100/0/threaded
• http://www.novell.com/linux/security/advisories/2006_49_kernel.html
• http://secunia.com/advisories/22093
• http://www.debian.org/security/2006/dsa-1184
• http://secunia.com/advisories/21179