Only USB sound
|
| Author | Content |
|---|---|
| hkwint Mar 09, 2011 5:11 PM EDT |
I saw some websites proclaiming the problem was in Linux USB. But as far as I can tell, this problem only exists if you have the USB sound driver compiled and loaded. I think - except if you have USB sound - you shouldn't. |
| mrider Mar 10, 2011 5:20 PM EDT |
I've checked all my Debian machines - two Lennys and two Squeezes - and the snd-usb-caiaq.ko driver is present on them all. (That is the driver, right??) I have no idea whether or not the driver is loaded, but it's present. One of the computers doesn't even have a sound card or any sound devices attached. So at least Debian seems to ship it with every install. I'm not worried though. I'm sure the hole will be patched any day now, and I don't exactly go around looking for USB drives to connect to my computers... |
| tracyanne Mar 10, 2011 5:52 PM EDT |
It is in any case only a problem when the Device Name is longer than 80 characters.Quoting:The device drivers are vulnerable to buffer overflow condition when an USB device with an unusually long name (over 80 characters) is connected to the machine." I've been through all the USB devices I have, and their names all fall well short of 80 characters. Also as it's the Device Name, it's not something that can be casually created. |
| mrider Mar 10, 2011 8:17 PM EDT |
Well, the buffer is 80 characters. No doubt it would take considerably more than 80 characters to turn this into an actual exploit though. A device with a real name longer than 80 characters almost certainly wouldn't translate to exploit code. It would translate into a simple crash of one sort or another. Turning this into an "I pwned you" would require a specially crafted device name in which the characters past 80 did something specific. Once someone figured that out (which wouldn't be terribly difficult), then the next part would be convincing a user to insert that into their machine. Something along the lines of fixing it up and then leaving it laying around where a Linux user is known to frequent, or possibly sending it to a known Linux user and saying "take a look at the cool stuff on the disk". So as I say, "I don't exactly go around looking for USB drives to connect to my computers". Essentially, don't plug in any USB devices which you haven't already used unless you are either a) sure of the source, b) are running in a safe environment (think live disk), or c) are sure that driver isn't loaded. At least until this is patched. EDIT I should add that this is definitely something to keep in mind. I don't know about everyone else, but if I get an all new USB device (USB disk, one of those cool picture frames, or etcetera), the first thing I do is look at it from a Linux box, since Linux doesn't auto execute code. So for at least the short term, I'm going to be even more cautious than usual. Even if only a little more cautious. |
| jdixon Mar 10, 2011 9:49 PM EDT |
> I have no idea whether or not the driver is loaded, but it's present. Since it's a kernel driver, it's going to be present if your distribution compiles it as a module, which most probably do. It won't be loaded unless you have hardware which requires it. A simple lsmod should tell you whether it's loaded or not. |
| hkwint Mar 11, 2011 4:31 AM EDT |
mrider: As far as I understood, reading the device name is something which pretty much happens 'automagically' - just like autorun. I'm not sure if that devicename can be changed manually, or only in the hardware, such as some people claim. Like you said, make sure that driver isn't loaded (using lsmod as suggested above) while plugging in unknown drives.Of course, better don't plug in any unknown drives at all. But when you buy a new one, you can't get around plugging it in for the first time. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!