var-201402-0147
Vulnerability from variot
The MSM camera driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to obtain sensitive information from kernel stack memory via (1) a crafted MSM_MCR_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c, or (2) a crafted MSM_JPEG_IOCTL_EVT_GET ioctl call, related to drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c.
An attacker could gain privileges through the following items: (1) a cleverly crafted MSM_MCR_IOCTL_EVT_GET system call; (2) a cleverly crafted MSM_JPEG_IOCTL_EVT_GET system call.
The Android for MSM project is prone to multiple information-disclosure vulnerabilities. Local attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks.
The MSM camera driver for the Linux kernel is a Qualcomm platform camera driver project based on the Linux kernel.
Description
A stack-based buffer overflow and a kernel memory disclosure vulnerability have been discovered in the system call handlers of the camera driver.
CVE-2013-4738
The camera post processing engine (CPP) and video processing engine (VPE) provide an ioctl system call interface to user space clients for communication. When processing arguments passed to the VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO or VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO ioctl subdev handlers, a user space supplied length value is used to copy memory to a local stack buffer without proper bounds checking. An application with access to the respective device nodes can use this flaw to, e.g., elevate privileges.
Access Vector: local
Security Risk: high
Vulnerability: CWE-121 (stack-based buffer overflow)
CVE-2013-4739
The Gemini JPEG encoder and the Jpeg1.0 common encoder/decoder engines of the camera driver are not properly initializing all members of a structure before copying it to user space.
Access Vector: local
Security Risk: low
Vulnerability: CWE-200 (information exposure)
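An added illustration of the CVE-2013-4739 pattern and its fix, not code from the driver or the linked patches: a user-space simulation in which struct evt_ctrl, the handler names and the 0xAA stale-data marker are hypothetical, and memcpy() stands in for copy_to_user().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA /* constructed marker standing in for old kernel stack data */

/* Hypothetical event record; not the driver's real structure. */
struct evt_ctrl {
    uint32_t type;
    uint32_t len;
    uint64_t value;
};

/* Pattern from the advisory: only some members are set before the copy.
 * memcpy() stands in for copy_to_user(), which copies every byte. */
static void evt_get_unfixed(struct evt_ctrl *k, unsigned char *user)
{
    k->type = 1;
    memcpy(user, k, sizeof(*k));
}

/* Hardened form: clear the whole object, then fill in the fields. */
static void evt_get_fixed(struct evt_ctrl *k, unsigned char *user)
{
    memset(k, 0, sizeof(*k));
    k->type = 1;
    memcpy(user, k, sizeof(*k));
}

/* Run a handler on a slot pre-filled with stale data; count the stale bytes
 * that reach the user buffer in the members the handler never assigned. */
static size_t leaked_bytes(void (*handler)(struct evt_ctrl *, unsigned char *))
{
    unsigned char user[sizeof(struct evt_ctrl)];
    struct evt_ctrl *slot = malloc(sizeof(*slot));
    size_t i, n = 0;

    if (!slot)
        return (size_t)-1;
    memset(slot, STALE, sizeof(*slot)); /* simulate a reused stack frame */
    handler(slot, user);
    for (i = offsetof(struct evt_ctrl, len); i < sizeof(user); i++)
        n += (user[i] == STALE);
    free(slot);
    return n;
}

int main(void)
{
    printf("unfixed: %zu, fixed: %zu\n", leaked_bytes(evt_get_unfixed), leaked_bytes(evt_get_fixed));
    return 0;
}
```

When auditing similar handlers, check every path that reaches copy_to_user() with a stack-allocated structure for a full memset() or an initializer covering all members.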
Affected versions
All Android releases from CAF using a Linux kernel from the following heads:
- msm-3.4
- jb_3*
Patch
We advise customers to apply the following patches:
CVE-2013-4738:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=c9c81836ee44db9974007d34cf2aaeb1a51a8d45
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=28385b9c3054c91dca1aa194ffa750550c50f3ce
CVE-2013-4739:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=8604847927f952cc8e773b97eca24e1060a570f2
Credits
Reported by the researcher Jonathan Salwan and patched by Qualcomm Innovation Center