[kernel-sec-discuss] r533 - in patch-tracking: . retired

Dann Frazier dannf at costa.debian.org
Mon Aug 14 02:34:42 UTC 2006 

Author: dannf
Date: 2006-08-14 02:34:41 +0000 (Mon, 14 Aug 2006)
New Revision: 533

Added:
   patch-tracking/CVE-2004-1190
   patch-tracking/CVE-2004-2660
   patch-tracking/CVE-2005-1763
   patch-tracking/CVE-2006-0558
   patch-tracking/CVE-2006-0744
Removed:
   patch-tracking/retired/CVE-2004-1190
   patch-tracking/retired/CVE-2004-2660
   patch-tracking/retired/CVE-2005-1763
   patch-tracking/retired/CVE-2006-0558
   patch-tracking/retired/CVE-2006-0744
Log:
oops, these shouldn't have been retired

Copied: patch-tracking/CVE-2004-1190 (from rev 532, patch-tracking/retired/CVE-2004-1190)

Copied: patch-tracking/CVE-2004-2660 (from rev 532, patch-tracking/retired/CVE-2004-2660)

Copied: patch-tracking/CVE-2005-1763 (from rev 532, patch-tracking/retired/CVE-2005-1763)

Copied: patch-tracking/CVE-2006-0558 (from rev 532, patch-tracking/retired/CVE-2006-0558)

Copied: patch-tracking/CVE-2006-0744 (from rev 532, patch-tracking/retired/CVE-2006-0744)

Deleted: patch-tracking/retired/CVE-2004-1190
===================================================================
--- patch-tracking/retired/CVE-2004-1190	2006-08-14 02:24:50 UTC (rev 532)
+++ patch-tracking/retired/CVE-2004-1190	2006-08-14 02:34:41 UTC (rev 533)
@@ -1,24 +0,0 @@
-Candidate: CVE-2004-1190
-References: 
- http://www.novell.com/linux/security/advisories/2004_42_kernel.html
- http://xforce.iss.net/xforce/xfdb/18370
-Description:
- SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not
- properly check commands sent to CD devices that have been opened read-only,
- which could allow local users to conduct unauthorized write activities to
- modify the firmware of associated SCSI devices.
- .
- dannf> skipping for 2.4/sarge3 - not sure if 2.4 is affected, but we should
-        revisit
-Notes: 
-Bugs: 300162
-upstream: released (2.6.10)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-14) [scsi-ioctl-cmd-warned.dpatch, scsi-ioctl-remove-dup.dpatch, scsi-ioctl-permit.dpatch, SG_IO-cap.dpatch, SG_IO-safe-commands-2.dpatch, SG_IO-safe-commands-3.dpatch, SG_IO-safe-commands-5.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge3)
-2.4.19-woody-security: 
-2.4.18-woody-security: 
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
-2.4.17-woody-security-ia64: 

Deleted: patch-tracking/retired/CVE-2004-2660
===================================================================
--- patch-tracking/retired/CVE-2004-2660	2006-08-14 02:24:50 UTC (rev 532)
+++ patch-tracking/retired/CVE-2004-2660	2006-08-14 02:34:41 UTC (rev 533)
@@ -1,17 +0,0 @@
-Candidate: CVE-2004-2660
-References: 
-Description: 
-Notes: 
- jmm> This was only covered by MITRE in May 2006
- jmm> Vulnerable code not present in 2.4
-Bugs: 
-upstream: released (2.6.10)
-linux-2.6: N/A
-2.6.8-sarge-security: needed
-2.4.27-sarge-security: N/A
-2.4.19-woody-security: N/A
-2.4.18-woody-security: N/A
-2.4.17-woody-security: N/A
-2.4.16-woody-security: N/A
-2.4.17-woody-security-hppa: N/A
-2.4.17-woody-security-ia64: N/A

Deleted: patch-tracking/retired/CVE-2005-1763
===================================================================
--- patch-tracking/retired/CVE-2005-1763	2006-08-14 02:24:50 UTC (rev 532)
+++ patch-tracking/retired/CVE-2005-1763	2006-08-14 02:34:41 UTC (rev 533)
@@ -1,22 +0,0 @@
-Candidate: CVE-2005-1763
-References: 
- http://www.novell.com/linux/security/advisories/2005_29_kernel.html
-Description: 
- Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures allows
- local users to write bytes into kernel memory.
-Notes: 
- dannf> The patch we have is only for x86_64.  This code was very different
- dannf> in 2.4, and we don't ship 2.4/amd64, so we can probably drop this one.
- dannf> The question is, does this affect other 64-bit archs?
-Bugs: 
-upstream: released (2.6.12-rc5)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-boundary-check.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge4)
-2.4.19-woody-security: 
-2.4.18-woody-security: 
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
-2.4.17-woody-security-ia64: 
-2.4.18-woody-security-hppa: 

Deleted: patch-tracking/retired/CVE-2006-0558
===================================================================
--- patch-tracking/retired/CVE-2006-0558	2006-08-14 02:24:50 UTC (rev 532)
+++ patch-tracking/retired/CVE-2006-0558	2006-08-14 02:34:41 UTC (rev 533)
@@ -1,30 +0,0 @@
-Candidate: CVE-2006-0558
-References: 
- MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero
- URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
- CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082
- BID:17482
- URL:http://www.securityfocus.com/bid/17482 
-Description: 
- perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users
- to cause a denial of service (crash) by interrupting a task while another
- process is accessing the mm_struct, which triggers a BUG_ON action in the
- put_page_testzero function.proc
-Notes: 
- dannf> This issue is unreproducible in 2.6.16, according to:
- dannf>  http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2
- dannf> So, I'm marking upstream as 2.6.16
- .
- dannf> I have a reproducer from SGI.  It causes 2.6.8 to oops, but needs to
- dannf> be ported to the 2.4 perfmon API to test 2.4.27
-Bugs: 365375
-upstream: released (2.6.16)
-linux-2.6: released (2.6.16-1)
-2.6.8-sarge-security: released (2.6.8-16sarge3)
-2.4.27-sarge-security: 
-2.4.19-woody-security: 
-2.4.18-woody-security: 
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
-2.4.17-woody-security-ia64: 

Deleted: patch-tracking/retired/CVE-2006-0744
===================================================================
--- patch-tracking/retired/CVE-2006-0744	2006-08-14 02:24:50 UTC (rev 532)
+++ patch-tracking/retired/CVE-2006-0744	2006-08-14 02:34:41 UTC (rev 533)
@@ -1,20 +0,0 @@
-Candidate: CVE-2006-0744
-References: 
-Description:
- signal catching issue on em64t; similar to CVE-2006-0741
-Notes: 
- dannf> looks like redhat has developed a patch for their 2.4
- .
- dannf> no upstream 2.4 fix, and it is amd64-specific, so ignoring for
-        2.4/sarge3
-Bugs: 
-upstream:
-linux-2.6: released (2.6.16-7)
-2.6.8-sarge-security: released (2.6.8-16sarge3) [em64t-uncanonical-return-addr.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge3)
-2.4.19-woody-security: 
-2.4.18-woody-security: 
-2.4.17-woody-security: 
-2.4.16-woody-security: 
-2.4.17-woody-security-hppa: 
-2.4.17-woody-security-ia64:

More information about the kernel-sec-discuss mailing list