[kernel-sec-discuss] r600 - active retired
Dann Frazier
dannf at costa.debian.org
Tue Sep 26 05:25:06 UTC 2006
Author: dannf
Date: 2006-09-26 05:25:01 +0000 (Tue, 26 Sep 2006)
New Revision: 600
Added:
retired/CVE-2004-2660
retired/CVE-2005-4798
retired/CVE-2006-1052
retired/CVE-2006-1343
retired/CVE-2006-1528
retired/CVE-2006-1855
retired/CVE-2006-1856
retired/CVE-2006-2444
retired/CVE-2006-2445
retired/CVE-2006-2934
retired/CVE-2006-2936
Removed:
active/CVE-2004-2660
active/CVE-2005-4798
active/CVE-2006-1052
active/CVE-2006-1343
active/CVE-2006-1528
active/CVE-2006-1855
active/CVE-2006-1856
active/CVE-2006-2444
active/CVE-2006-2445
active/CVE-2006-2934
active/CVE-2006-2936
Log:
retire all issues that have been fixed upstream and in all listed kernels that are affected
Deleted: active/CVE-2004-2660
===================================================================
--- active/CVE-2004-2660 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2004-2660 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,16 +0,0 @@
-Candidate: CVE-2004-2660
-References:
- CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4182a613oVsK0-8eCWpyYFrUf8rhLA
- CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.10
-Description:
- Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local
- users to cause a denial of service (memory consumption) via certain O_DIRECT
- (direct IO) write requests.
-Notes:
- jmm> This was only covered by MITRE in May 2006
- jmm> Vulnerable code not present in 2.4
-Bugs:
-upstream: released (2.6.10)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge5) [direct-io-write-mem-leak.dpatch]
-2.4.27-sarge-security: N/A
Deleted: active/CVE-2005-4798
===================================================================
--- active/CVE-2005-4798 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2005-4798 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,19 +0,0 @@
-Candidate: CVE-2005-4798
-References:
- http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
- http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
- http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
-Description:
- Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31
- allows remote NFS servers to cause a denial of service (crash) via a long
- symlink, which is not properly handled in (1) nfs2xdr.c or (2) nfs3xdr.c and
- causes a crash in the NFS client.
-Notes:
- dannf> >= 2.6.13 not affected according to:
- dannf> http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
- dannf> 2.6.8 looks affected to me - including my shot at a fix...
-Bugs:
-upstream:
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge5) [nfs-handle-long-symlinks.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [223_nfs-handle-long-symlinks.diff]
Deleted: active/CVE-2006-1052
===================================================================
--- active/CVE-2006-1052 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-1052 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,15 +0,0 @@
-Candidate: CVE-2006-1052
-References:
- http://marc.theaimsgroup.com/?l=selinux&m=114226465106131&w=2
- http://marc.theaimsgroup.com/?l=git-commits-head&m=114210002712363&w=2
- http://selinuxnews.org/wp/index.php/2006/03/13/security-ptrace-bug-cve-2006-1052/
-Description:
- The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local
- users with ptrace permissions to change the tracer SID to an SID of another
- process.
-Notes:
-Bugs:
-upstream: released (2.6.16)
-linux-2.6: released (2.6.16-1)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [selinux-tracer-SID-fix.dpatch]
-2.4.27-sarge-security: N/A
Deleted: active/CVE-2006-1343
===================================================================
--- active/CVE-2006-1343 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-1343 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,18 +0,0 @@
-Candidate: CVE-2006-1343
-References:
- http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
-Description:
- net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and
- possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not
- clear sockaddr_in.sin_zero before returning IPv4 socket names from the
- getsockopt function with SO_ORIGINAL_DST, which allows local users to
- obtain portions of potentially sensitive memory.
-Notes:
- troyh> This isn't fixed upstream in 2.6 yet, at least not in the same way as 2.4
- dannf> marking ignored for sarge3/2.6 due to ^^
- jmm> It's now fixed upstream in 2.6 as well, let's include it in sarge4
-Bugs:
-upstream: released (2.4.33-pre3), released (2.6.16.19)
-linux-2.6: released (2.6.16-15)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [netfilter-SO_ORIGINAL_DST-leak.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge3) [212_ipv4-sin_zero_clear.diff]
Deleted: active/CVE-2006-1528
===================================================================
--- active/CVE-2006-1528 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-1528 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,14 +0,0 @@
-Candidate: CVE-2006-1528
-References:
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168791
- http://linux.bkbits.net:8080/linux-2.6/cset@43220081yu9ClBQNuqSSnW_9amW7iQ
- http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2
-Description:
- Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via
- a dio transfer from the sg driver to memory mapped (mmap) IO space.
-Notes:
-Bugs:
-upstream: released (2.6.13), released (2.4.33.1)
-linux-2.6: released (2.6.13-1)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [sg-no-mmap-VM_IO.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [225_sg-no-mmap-VM_IO.diff]
Deleted: active/CVE-2006-1855
===================================================================
--- active/CVE-2006-1855 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-1855 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,16 +0,0 @@
-Candidate: CVE-2006-1855
-References:
- https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=127302
- http://www.redhat.com/support/errata/RHSA-2006-0493.html
-Description:
- choose_new_parent in Linux kernel before 2.6.11.12 includes certain
- debugging code, which allows local users to cause a denial of service
- (panic) by causing certain circumstances involving termination of a
- parent process.
-Notes:
- jmm> Vulnerable code not present in 2.4.27
-Bugs:
-upstream: released (2.6.11.12)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge5) [exit-bogus-bugon.dpatch]
-2.4.27-sarge-security: N/A
Deleted: active/CVE-2006-1856
===================================================================
--- active/CVE-2006-1856 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-1856 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,16 +0,0 @@
-Candidate: CVE-2006-1856
-References:
- Certain modifications to the Linux kernel 2.6.16 and earlier do not
- add the appropriate Linux Security Modules (LSM) file_permission hooks
- to the (1) readv and (2) writev functions, which might allow attackers
- to bypass intended access restrictions.
-Description:
- http://lists.jammed.com/linux-security-module/2005/09/0019.html
- http://www.ussg.iu.edu/hypermail/linux/kernel/0604.3/0777.html
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191524
-Notes:
-Bugs:
-upstream: released (2.6.17)
-linux-2.6: released (2.6.17-1)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [readv-writev-missing-lsm-check.dpatch, readv-writev-missing-lsm-check-compat.dpatch]
-2.4.27-sarge-security: N/A
Deleted: active/CVE-2006-2444
===================================================================
--- active/CVE-2006-2444 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-2444 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,17 +0,0 @@
-Candidate: CVE-2006-2444
-References:
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
-Description:
- The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before
- 2.6.16.18 allows remote attackers to cause a denial of service (crash) via
- unspecified remote attack vectors that cause failures in snmp_trap_decode
- that trigger (1) frees of random memory or (2) frees of previously-freed
- memory (double-free) by snmp_trap_decode as well as its calling function, as
- demonstrated via certain test cases of the PROTOS SNMP test suite.
-Notes:
-Bugs:
-upstream: released (2.6.16.18)
-linux-2.6: released (2.6.16-15)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [snmp-nat-mem-corruption-fix.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [226_snmp-nat-mem-corruption-fix.diff]
Deleted: active/CVE-2006-2445
===================================================================
--- active/CVE-2006-2445 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-2445 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,25 +0,0 @@
-Candidate: CVE-2006-2445
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8f17fc20bfb75bcec4cfeda789738979c8338fdc
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30f1e3dd8c72abda343bcf415f7d8894a02b4290
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f53ae1dc3429529a58aa538e0a860d713c7079c3
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ca531a0a5e01e5122f67cb6aca8fcbfc70e18e0b
-Description:
- Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21
- allows local users to cause a denial of service (BUG_ON crash) by causing one
- CPU to attach a timer to a process that is exiting.
-Notes:
- jmm> Only exploitable on SMP systems
- jmm> 2.6.8 most probably not affected, but there was a reproducer posted to vendor-sec, should be double-checked
- jmm> Vulnerable code not present in 2.4
- dannf> 2.6.8 didn't have posix-cpu-timers
- mpitt> 2.6.10-hoary does not need 4th GIT patch, function does not exist
-Bugs:
-upstream: released (2.6.16.21)
-linux-2.6: released (2.6.16-15)
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: released (2.6.10-34.21) [GIT patches 1 to 3]
-2.6.12-breezy-security: released (2.6.12-10.35) [GIT patches 1 to 3], needed [GIT patch 4]
-2.6.15-dapper-security: released (2.6.15-26.44) [GIT patches 1 to 3], needed [GIT patch 4]
-2.6.17-edgy: released
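Review bot: this file does not meet the retirement criterion stated in the log ("fixed ... in all listed kernels that are affected"): the "2.6.12-breezy-security" and "2.6.15-dapper-security" lines still read "needed [GIT patch 4]". Either record the fourth commit as released for those kernels (or as not applicable, if the function is absent there as mpitt's note records for 2.6.10-hoary) before removing the file from active/, or keep it active until that is done.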
Deleted: active/CVE-2006-2934
===================================================================
--- active/CVE-2006-2934 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-2934 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,24 +0,0 @@
-Candidate: CVE-2006-2934
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dd7271feba61d5dc0fab1cb5365db9926d35ea3a
-Description:
- SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel
- 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to
- cause a denial of service (crash) via a packet without any chunks, which
- causes a variable to contain an invalid value that is later used to
- dereference a pointer.
-Ubuntu-Description:
- A Denial of service vulnerability was reported in iptables' SCTP
- conntrack module. On computers which use this iptables module, a
- remote attacker could expoit this to trigger a kernel crash.
-Notes:
- netfilter/sctp didn't exist in 2.6.8/2.4.27
-Bugs:
-upstream: released (2.6.16.23, 2.6.17.3)
-linux-2.6: released (2.6.17-3)
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: released (2.6.10-34.23)
-2.6.12-breezy-security: released (2.6.12-10.37)
-2.6.15-dapper-security: released (2.6.15-26.46)
-2.6.17-edgy: released
Deleted: active/CVE-2006-2936
===================================================================
--- active/CVE-2006-2936 2006-09-26 05:15:55 UTC (rev 599)
+++ active/CVE-2006-2936 2006-09-26 05:25:01 UTC (rev 600)
@@ -1,24 +0,0 @@
-Candidate: CVE-2006-2936
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/gregkh/patches.git;a=blob;h=4b4d9cfea17618b80d3ac785b701faeaf60141f1;hb=396eb2aac5+50ec55856c6843ef9017e800c3d656;f=usb/usb-serial-ftdi_sio-prevent-userspace-dos.patch
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=224654004ca688af67cec44d9300e8c3f647577c
-Description:
- The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
- 2.6.17, and possibly later versions, allows local users to cause a denial of
- service (memory consumption) by writing more data to the serial port than the
- hardware can handle, which causes the data to be queued.
-Ubuntu-Description:
- The ftdi_sio driver for serial USB ports did not limit the amount of
- pending data to be written. A local user could exploit this to drain
- all available kernel memory and thus render the system unusable.
-Notes:
- jmm> 2.4 not affected due to different memory allocation
-Bugs:
-upstream: released (2.6.16.26, 2.6.17.7)
-linux-2.6: released (2.6.17-5)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [usb-serial-ftdi_sio-dos.patch]
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: released (2.6.10-34.23)
-2.6.12-breezy-security: released (2.6.12-10.37)
-2.6.15-dapper-security: released (2.6.15-26.46)
-2.6.17-edgy: released
Copied: retired/CVE-2004-2660 (from rev 598, active/CVE-2004-2660)
===================================================================
--- retired/CVE-2004-2660 (rev 0)
+++ retired/CVE-2004-2660 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,16 @@
+Candidate: CVE-2004-2660
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4182a613oVsK0-8eCWpyYFrUf8rhLA
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.10
+Description:
+ Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local
+ users to cause a denial of service (memory consumption) via certain O_DIRECT
+ (direct IO) write requests.
+Notes:
+ jmm> This was only covered by MITRE in May 2006
+ jmm> Vulnerable code not present in 2.4
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge5) [direct-io-write-mem-leak.dpatch]
+2.4.27-sarge-security: N/A
Copied: retired/CVE-2005-4798 (from rev 598, active/CVE-2005-4798)
===================================================================
--- retired/CVE-2005-4798 (rev 0)
+++ retired/CVE-2005-4798 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,19 @@
+Candidate: CVE-2005-4798
+References:
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
+ http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+ http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+Description:
+ Buffer overflow in NFS readlink handling in the Linux Kernel 2.4 up to 2.4.31
+ allows remote NFS servers to cause a denial of service (crash) via a long
+ symlink, which is not properly handled in (1) nfs2xdr.c or (2) nfs3xdr.c and
+ causes a crash in the NFS client.
+Notes:
+ dannf> >= 2.6.13 not affected according to:
+ dannf> http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
+ dannf> 2.6.8 looks affected to me - including my shot at a fix...
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge5) [nfs-handle-long-symlinks.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge4) [223_nfs-handle-long-symlinks.diff]
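Review bot: the "upstream:" line in the Bugs block of this retired copy is blank, yet the log retires the issue as fixed upstream. Fill in the upstream status from the referenced marcelo/linux-2.4.git commit (87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b) before the file lands in retired/, so the record shows which upstream release carries the fix; note that the 2.6.8 entry tracks dannf's own backport ("my shot at a fix"), which is not an upstream fix.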
Copied: retired/CVE-2006-1052 (from rev 598, active/CVE-2006-1052)
===================================================================
--- retired/CVE-2006-1052 (rev 0)
+++ retired/CVE-2006-1052 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,15 @@
+Candidate: CVE-2006-1052
+References:
+ http://marc.theaimsgroup.com/?l=selinux&m=114226465106131&w=2
+ http://marc.theaimsgroup.com/?l=git-commits-head&m=114210002712363&w=2
+ http://selinuxnews.org/wp/index.php/2006/03/13/security-ptrace-bug-cve-2006-1052/
+Description:
+ The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local
+ users with ptrace permissions to change the tracer SID to an SID of another
+ process.
+Notes:
+Bugs:
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [selinux-tracer-SID-fix.dpatch]
+2.4.27-sarge-security: N/A
Copied: retired/CVE-2006-1343 (from rev 598, active/CVE-2006-1343)
===================================================================
--- retired/CVE-2006-1343 (rev 0)
+++ retired/CVE-2006-1343 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,18 @@
+Candidate: CVE-2006-1343
+References:
+ http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
+Description:
+ net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and
+ possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not
+ clear sockaddr_in.sin_zero before returning IPv4 socket names from the
+ getsockopt function with SO_ORIGINAL_DST, which allows local users to
+ obtain portions of potentially sensitive memory.
+Notes:
+ troyh> This isn't fixed upstream in 2.6 yet, at least not in the same way as 2.4
+ dannf> marking ignored for sarge3/2.6 due to ^^
+ jmm> It's now fixed upstream in 2.6 as well, let's include it in sarge4
+Bugs:
+upstream: released (2.4.33-pre3), released (2.6.16.19)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [netfilter-SO_ORIGINAL_DST-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge3) [212_ipv4-sin_zero_clear.diff]
Copied: retired/CVE-2006-1528 (from rev 599, active/CVE-2006-1528)
===================================================================
--- retired/CVE-2006-1528 (rev 0)
+++ retired/CVE-2006-1528 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,14 @@
+Candidate: CVE-2006-1528
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168791
+ http://linux.bkbits.net:8080/linux-2.6/cset@43220081yu9ClBQNuqSSnW_9amW7iQ
+ http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2
+Description:
+ Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via
+ a dio transfer from the sg driver to memory mapped (mmap) IO space.
+Notes:
+Bugs:
+upstream: released (2.6.13), released (2.4.33.1)
+linux-2.6: released (2.6.13-1)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [sg-no-mmap-VM_IO.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge4) [225_sg-no-mmap-VM_IO.diff]
Copied: retired/CVE-2006-1855 (from rev 598, active/CVE-2006-1855)
===================================================================
--- retired/CVE-2006-1855 (rev 0)
+++ retired/CVE-2006-1855 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-1855
+References:
+ https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=127302
+ http://www.redhat.com/support/errata/RHSA-2006-0493.html
+Description:
+ choose_new_parent in Linux kernel before 2.6.11.12 includes certain
+ debugging code, which allows local users to cause a denial of service
+ (panic) by causing certain circumstances involving termination of a
+ parent process.
+Notes:
+ jmm> Vulnerable code not present in 2.4.27
+Bugs:
+upstream: released (2.6.11.12)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge5) [exit-bogus-bugon.dpatch]
+2.4.27-sarge-security: N/A
Copied: retired/CVE-2006-1856 (from rev 598, active/CVE-2006-1856)
===================================================================
--- retired/CVE-2006-1856 (rev 0)
+++ retired/CVE-2006-1856 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-1856
+References:
+ Certain modifications to the Linux kernel 2.6.16 and earlier do not
+ add the appropriate Linux Security Modules (LSM) file_permission hooks
+ to the (1) readv and (2) writev functions, which might allow attackers
+ to bypass intended access restrictions.
+Description:
+ http://lists.jammed.com/linux-security-module/2005/09/0019.html
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0604.3/0777.html
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191524
+Notes:
+Bugs:
+upstream: released (2.6.17)
+linux-2.6: released (2.6.17-1)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [readv-writev-missing-lsm-check.dpatch, readv-writev-missing-lsm-check-compat.dpatch]
+2.4.27-sarge-security: N/A
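Review bot: the "References:" and "Description:" fields in this file are swapped: the CVE description text sits under "References:" and the three URLs sit under "Description:". Since this copy becomes the permanent record in retired/, move the prose under "Description:" and the URLs under "References:" so that anything parsing these files by field name picks up the right content.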
Copied: retired/CVE-2006-2444 (from rev 598, active/CVE-2006-2444)
===================================================================
--- retired/CVE-2006-2444 (rev 0)
+++ retired/CVE-2006-2444 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-2444
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
+Description:
+ The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before
+ 2.6.16.18 allows remote attackers to cause a denial of service (crash) via
+ unspecified remote attack vectors that cause failures in snmp_trap_decode
+ that trigger (1) frees of random memory or (2) frees of previously-freed
+ memory (double-free) by snmp_trap_decode as well as its calling function, as
+ demonstrated via certain test cases of the PROTOS SNMP test suite.
+Notes:
+Bugs:
+upstream: released (2.6.16.18)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [snmp-nat-mem-corruption-fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge4) [226_snmp-nat-mem-corruption-fix.diff]
Copied: retired/CVE-2006-2445 (from rev 597, active/CVE-2006-2445)
===================================================================
--- retired/CVE-2006-2445 (rev 0)
+++ retired/CVE-2006-2445 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-2445
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8f17fc20bfb75bcec4cfeda789738979c8338fdc
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30f1e3dd8c72abda343bcf415f7d8894a02b4290
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f53ae1dc3429529a58aa538e0a860d713c7079c3
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ca531a0a5e01e5122f67cb6aca8fcbfc70e18e0b
+Description:
+ Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21
+ allows local users to cause a denial of service (BUG_ON crash) by causing one
+ CPU to attach a timer to a process that is exiting.
+Notes:
+ jmm> Only exploitable on SMP systems
+ jmm> 2.6.8 most probably not affected, but there was a reproducer posted to vendor-sec, should be double-checked
+ jmm> Vulnerable code not present in 2.4
+ dannf> 2.6.8 didn't have posix-cpu-timers
+ mpitt> 2.6.10-hoary does not need 4th GIT patch, function does not exist
+Bugs:
+upstream: released (2.6.16.21)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: released (2.6.10-34.21) [GIT patches 1 to 3]
+2.6.12-breezy-security: released (2.6.12-10.35) [GIT patches 1 to 3], needed [GIT patch 4]
+2.6.15-dapper-security: released (2.6.15-26.44) [GIT patches 1 to 3], needed [GIT patch 4]
+2.6.17-edgy: released
Copied: retired/CVE-2006-2934 (from rev 597, active/CVE-2006-2934)
===================================================================
--- retired/CVE-2006-2934 (rev 0)
+++ retired/CVE-2006-2934 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-2934
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dd7271feba61d5dc0fab1cb5365db9926d35ea3a
+Description:
+ SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel
+ 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to
+ cause a denial of service (crash) via a packet without any chunks, which
+ causes a variable to contain an invalid value that is later used to
+ dereference a pointer.
+Ubuntu-Description:
+ A Denial of service vulnerability was reported in iptables' SCTP
+ conntrack module. On computers which use this iptables module, a
+ remote attacker could expoit this to trigger a kernel crash.
+Notes:
+ netfilter/sctp didn't exist in 2.6.8/2.4.27
+Bugs:
+upstream: released (2.6.16.23, 2.6.17.3)
+linux-2.6: released (2.6.17-3)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: released (2.6.10-34.23)
+2.6.12-breezy-security: released (2.6.12-10.37)
+2.6.15-dapper-security: released (2.6.15-26.46)
+2.6.17-edgy: released
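Review bot: "expoit" in the Ubuntu-Description block is a typo for "exploit"; as this is the user-facing advisory wording, correct it in the retired copy. The Notes entry "netfilter/sctp didn't exist in 2.6.8/2.4.27" also lacks the "name>" attribution prefix that every other note in these files carries.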
Copied: retired/CVE-2006-2936 (from rev 598, active/CVE-2006-2936)
===================================================================
--- retired/CVE-2006-2936 (rev 0)
+++ retired/CVE-2006-2936 2006-09-26 05:25:01 UTC (rev 600)
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-2936
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/gregkh/patches.git;a=blob;h=4b4d9cfea17618b80d3ac785b701faeaf60141f1;hb=396eb2aac5+50ec55856c6843ef9017e800c3d656;f=usb/usb-serial-ftdi_sio-prevent-userspace-dos.patch
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=224654004ca688af67cec44d9300e8c3f647577c
+Description:
+ The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
+ 2.6.17, and possibly later versions, allows local users to cause a denial of
+ service (memory consumption) by writing more data to the serial port than the
+ hardware can handle, which causes the data to be queued.
+Ubuntu-Description:
+ The ftdi_sio driver for serial USB ports did not limit the amount of
+ pending data to be written. A local user could exploit this to drain
+ all available kernel memory and thus render the system unusable.
+Notes:
+ jmm> 2.4 not affected due to different memory allocation
+Bugs:
+upstream: released (2.6.16.26, 2.6.17.7)
+linux-2.6: released (2.6.17-5)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [usb-serial-ftdi_sio-dos.patch]
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: released (2.6.10-34.23)
+2.6.12-breezy-security: released (2.6.12-10.37)
+2.6.15-dapper-security: released (2.6.15-26.46)
+2.6.17-edgy: released
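Review bot: the first References URL in this file looks mangled: its "hb=" parameter reads "396eb2aac5+50ec55856c6843ef9017e800c3d656", and a git object id cannot contain "+", so the link will not resolve as written. Verify the gregkh patches.git reference and restore the correct value before the file is archived in retired/; the second reference (the torvalds tree commit) is well formed.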