[kernel-sec-discuss] r774 - active retired
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon Apr 30 17:08:06 UTC 2007
Author: jmm
Date: 2007-04-30 17:08:05 +0000 (Mon, 30 Apr 2007)
New Revision: 774
Added:
retired/CVE-2006-3634
retired/CVE-2006-3741
retired/CVE-2006-3745
retired/CVE-2006-4145
retired/CVE-2006-4535
retired/CVE-2006-4538
retired/CVE-2006-4813
retired/CVE-2006-4997
retired/CVE-2006-5158
retired/CVE-2006-5173
retired/CVE-2006-5174
retired/CVE-2006-5648
retired/CVE-2006-5649
retired/CVE-2006-5749
retired/CVE-2006-6304
Removed:
active/CVE-2006-3634
active/CVE-2006-3741
active/CVE-2006-3745
active/CVE-2006-4145
active/CVE-2006-4535
active/CVE-2006-4538
active/CVE-2006-4813
active/CVE-2006-4997
active/CVE-2006-5158
active/CVE-2006-5173
active/CVE-2006-5174
active/CVE-2006-5648
active/CVE-2006-5649
active/CVE-2006-5749
active/CVE-2006-6304
Log:
retire several issues
Deleted: active/CVE-2006-3634
===================================================================
--- active/CVE-2006-3634 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-3634 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,21 +0,0 @@
-Candidate: CVE-2006-3634
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bafe00cc9297ca77b66e5c83e5e65e17c0c997c8
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13492c50f69bdf60a42debc6bd3ec49cc1dc941e
-Description:
- The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in
- Linux kernel 2.6.17-rc4 to 2.6.18-rc2 performs the atomic futex operation
- with user space addresses instead of kernel space addresses, which allows
- local users to cause a denial of service (crash).
-Ubuntu-Description:
-Notes:
- dannf> s390 didn't have a futex.h until after 2.6.16
-Bugs:
-upstream: released (2.6.18-rc2)
-linux-2.6: released (2.6.17-1)
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: N/A
-2.6.12-breezy-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy: ignored
Deleted: active/CVE-2006-3741
===================================================================
--- active/CVE-2006-3741 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-3741 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,20 +0,0 @@
-Candidate: CVE-2006-3741
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b8444d00762703e1b6146fce12ce2684885f8bf6
-Description:
- The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and
- 2.6 before 2.6.18, when running on Itanium systems, does not properly
- track the reference count for file descriptors, which allows local
- users to cause a denial of service (file descriptor consumption).
-Ubuntu-Description:
-Notes:
- dannf> I don't think 2.4 is affected - there are no existing calls to fput
-Bugs:
-upstream: released (2.6.18)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: released (2.6.8-16sarge6) [perfmon-fd-refcnt.dpatch]
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: ignored
-2.6.12-breezy-security: ignored
-2.6.15-dapper-security: ignored
-2.6.17-edgy: released (2.6.17-10.31)
Deleted: active/CVE-2006-3745
===================================================================
--- active/CVE-2006-3745 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-3745 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,20 +0,0 @@
-Candidate: CVE-2006-3745
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=96ec9da385cf72c5f775e5f163420ea92e66ded2
- http://www.kernel.org/git/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=e12289f0bc673dabb22be32d2df54b0ebfc7cf2b
-Description: sctp potential local privilege escalation
-Ubuntu-Description:
- Wei Wang of McAfee Avert Labs discovered a buffer overflow in the
- sctp_make_abort_user() function of iptables' SCTP module. On
- computers which use this module, a local attacker could expoit this
- to execute arbitrary code with root privileges.
-Notes:
-Bugs:
-upstream: released (2.6.18-rc5)
-linux-2.6: released (2.6.17-7)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation.diff]
-2.6.10-hoary-security: released (2.6.10-34.23)
-2.6.12-breezy-security: released (2.6.12-10.37)
-2.6.15-dapper-security: released (2.6.15-26.47)
-2.6.17-edgy: released (2.6.17-10.31)
Deleted: active/CVE-2006-4145
===================================================================
--- active/CVE-2006-4145 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-4145 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,20 +0,0 @@
-Candidate: CVE-2006-4145
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=7127be29378b1230eb8dd8b84f18d6b69c56e959
-Description:
- Fix possible UDF deadlock and memory corruption
-Ubuntu-Description:
- The UDF file system does not handle extends larger than 1 GB, but did
- not check for this restriction on truncating files. A local user
- could exploit this to crash the kernel.
-Notes:
- dannf> Submitted upstream on 2006.08.27
-Bugs:
-upstream: released (2.6.17.10), released (2.6.18-rc5)
-linux-2.6: released (2.6.17-7)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [udf-deadlock.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [231_udf-deadlock.diff]
-2.6.10-hoary-security: released (2.6.10-34.23)
-2.6.12-breezy-security: released (2.6.12-10.37)
-2.6.15-dapper-security: released (2.6.15-26.47)
-2.6.17-edgy: released (2.6.17-10.30)
Deleted: active/CVE-2006-4535
===================================================================
--- active/CVE-2006-4535 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-4535 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,20 +0,0 @@
-Candidate: CVE-2006-4535
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b9ac86727fc02cc7117ef3fe518a4d51cd573c82
-Description:
- fix for CVE-2006-3745 sctp fix from dave miller
-Ubuntu-Description:
- Sridhar Samudrala discovered a local Denial of Service vulnerability
- in the handling of SCTP sockets. By opening such a socket with a
- special SO_LINGER value, a local attacker could exploit this to crash
- the kernel.
-Notes:
-Bugs:
-upstream: released (2.6.18-rc6)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [sctp-priv-elevation-2.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge4) [228_sctp-priv-elevation-2.diff]
-2.6.10-hoary-security: released (2.6.10-34.24)
-2.6.12-breezy-security: released (2.6.12-10.40)
-2.6.15-dapper-security: released (2.6.15-27.48)
-2.6.17-edgy: released (2.6.17-10.31)
Deleted: active/CVE-2006-4538
===================================================================
--- active/CVE-2006-4538 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-4538 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,24 +0,0 @@
-Candidate: CVE-2006-4538
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3a459756810912d2c2bf188cef566af255936b4d
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=8833ebaa3f4325820fe3338ccf6fae04f6669254
-Description:
- Linux kernel 2.6.17 and earlier, when running on IA64 or SPARC
- platforms, allows local users to cause a denial of service (crash) via
- a malformed ELF file that triggers memory maps that cross region
- boundaries.
-Ubuntu-Description:
- Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
- platforms did not sufficiently verify the memory layout. By
- attempting to execute a specially crafted executable, a local user
- could exploit this to crash the kernel.
-Notes:
-Bugs:
-upstream: released (2.6.18-rc7)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: released (2.6.8-16sarge6) [ia64-sparc-cross-region-mappings.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge5) [233_ia64-sparc-cross-region-mappings.diff]
-2.6.10-hoary-security: released (2.6.10-34.24)
-2.6.12-breezy-security: released (2.6.12-10.40)
-2.6.15-dapper-security: released (2.6.15-27.48)
-2.6.17-edgy: released (2.6.17-10.31)
Deleted: active/CVE-2006-4813
===================================================================
--- active/CVE-2006-4813 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-4813 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,23 +0,0 @@
-Candidate: CVE-2006-4813
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=152becd26e0563aefdbc4fd1fe491928efe92d1f
-Description:
- The __block_prepare_write function in fs/buffer.c for Linux kernel 2.6.x before 2.6.13
- does not properly clear buffers during certain error conditions, which allows local
- users to read portions of files that have been unlinked.
-Ubuntu-Description:
- Dmitriy Monakhov discovered an information leak in the
- __block_prepare_write() function. During error recovery, this
- function did not properly clear memory buffers which could allow
- local users to read portions of unlinked files.
-Notes:
- dannf> I don't think 2.4 is affected because the BH_New bit is not
- dannf> cleared after get_block returns - marking 2.4.27 N/A
-Bugs:
-upstream: released (2.6.13-rc1)
-linux-2.6: released (2.6.13-1)
-2.6.8-sarge-security: released (2.6.8-16sarge6) [__block_prepare_write-recovery.dpatch]
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (CVE-2006-4813)
-2.6.15-dapper-security: released
-2.6.17-edgy: released
Deleted: active/CVE-2006-4997
===================================================================
--- active/CVE-2006-4997 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-4997 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,19 +0,0 @@
-Candidate: CVE-2006-4997
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fe26109a9dfd9327fdbe630fc819e1b7450986b2
-Description:
- IP over ATM clip_mkip dereference freed pointer
-Ubuntu-Description:
- ADLab Venustech Info Ltd discovered that the ATM network driver
- referenced an already released pointer in some circumstances. By
- sending specially crafted packets to a host over ATM, a remote
- attacker could exploit this to crash that host.
-Notes:
-Bugs:
-upstream: released (2.4.34-pre4, 2.6.18)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: released (2.6.8-16sarge6) [atm-clip-freed-skb-deref.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge5) [234_atm-clip-freed-skb-deref.diff]
-2.6.12-breezy-security: released (2.6.12-10.41)
-2.6.15-dapper-security: released (2.6.15-27.49)
-2.6.17-edgy: released (2.6.17-10.31)
Deleted: active/CVE-2006-5158
===================================================================
--- active/CVE-2006-5158 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5158 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,23 +0,0 @@
-Candidate: CVE-2006-5158
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9b5b1f5bf9dcdb6f23abf65977a675eb4deba3c0
-Description:
- The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel
- before 2.6.16 allows remote attackers to cause a denial of service
- (process crash) and deny access to NFS exports via unspecified
- vectors that trigger a kernel oops (null dereference) and a deadlock.
-Ubuntu-Description:
- Matthias Andree discovered that the NFS locking management daemon
- (lockd) did not correctly handle mixing of 'lock' and 'nolock' option
- mounts on the same client. A remote attacker could exploit this to
- crash lockd and thus rendering the NFS imports inaccessible.
-Notes:
- Bug introduced in 2.6.9, fixed in 2.6.15-rc6
-Bugs:
-upstream:
-linux-2.6:
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (2.6.12-10.41)
-2.6.15-dapper-security: N/A
-2.6.17-edgy: N/A
Deleted: active/CVE-2006-5173
===================================================================
--- active/CVE-2006-5173 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5173 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,26 +0,0 @@
-Candidate: CVE-2006-5173
-References:
- http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47a5c6fa0e204a2b63309c648bb2fde36836c826
-Description:
- Alignment Check (AC) flag in EFLAGS is not saved/restored during task
- switch, thus was leaking to other tasks. Those eventually died with a
- SIGBUS.
-Ubuntu-Description:
- The task switching code did not save and restore EFLAGS of processes.
- By starting a specially crafted executable, a local attacker could
- exploit this to eventually crash many other running processes.
-Notes:
- incorrect optimization in some later 2.6.x kernel, reverted
- Local DoS.
-
- Are we sure this affects 2.6.17 and before? The CFI_ADJUST_CFA_OFFSET
- doesn't seem to be present in these kernels.
-Bugs:
-upstream: released (2.6.18)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.10-hoary-security: N/A
-2.6.12-breezy-security: N/A
-2.6.15-dapper-security: released (2.6.15-27.49)
-2.6.17-edgy: released (2.6.17.1-10.34)
Deleted: active/CVE-2006-5174
===================================================================
--- active/CVE-2006-5174 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5174 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,22 +0,0 @@
-Candidate: CVE-2006-5174
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8
-Description:
- The copy_from_user function in the uaccess code in Linux kernel 2.6
- before 2.6.19-rc1, when running on s390, does not properly clear a
- kernel buffer, which allows local user space programs to read
- portions of kernel memory by "appending to a file from a bad
- address," which triggers a fault that prevents the unused memory from
- being cleared in the kernel buffer.
-Ubuntu-Description:
-Notes:
- jmm> Fix from 2.6.18-3 was reverted, caused problems
-Bugs:
-upstream: released (2.6.18.1)
-linux-2.6: needed
-2.6.8-sarge-security: released (2.6.8-16sarge6) [s390-uaccess-memleak.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge5) [236_s390-uaccess-memleak.diff]
-2.6.10-hoary-security: ignored
-2.6.12-breezy-security: ignored
-2.6.15-dapper-security: ignored
-2.6.17-edgy: ignored
Deleted: active/CVE-2006-5648
===================================================================
--- active/CVE-2006-5648 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5648 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,28 +0,0 @@
-Candidate: CVE-2006-5648
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=69588298188b40ed7f75c98a6fd328d82f23ca21
-Description:
- The sys_[gs]et_robust_list() syscalls were wired up on PowerPC but
- didn't work correctly because futex_atomic_cmpxchg_inatomic() wasn't
- implemented. Implement it, based on __cmpxchg_u32().
-Ubuntu-Description:
- Fabio Massimo Di Nitto discovered that the sys_get_robust_list and
- sys_set_robust_list system calls lacked proper lock handling on the
- powerpc platform. A local attacker could exploit this to create
- unkillable processes, drain all available CPU/memory, and render the
- machine unrebootable.
-Notes:
- http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html
- dannf> Looks like sparc is also vulnerable in 2.6.18, see:
- http://lists.debian.org/debian-kernel/2006/12/msg00787.html
- But, as this is a powerpc specific CVE, I'll mark Debian as ok
-Bugs:
-upstream: released (2.6.18)
-linux-2.6: released (2.6.18-1)
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: released (2.6.17.1-10.34)
-2.6.19-feisty: released
Deleted: active/CVE-2006-5649
===================================================================
--- active/CVE-2006-5649 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5649 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,24 +0,0 @@
-Candidate: CVE-2006-5649
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4393c4f6788cee65095dd838cfeca6edefbfeb52
-Description:
- The alignment exception used to only check the exception table for
- -EFAULT, not for other errors. That opens an oops window if we can
- coerce the kernel into getting an alignment exception for other
- reasons in what would normally be a user-protected accessor, which
- can be done via some of the futex ops. This fixes it by always
- checking the exception tables.
-Ubuntu-Description:
- Fabio Massimo Di Nitto discovered a flaw in the alignment check
- exception handling on the powerpc platform. A local attacker could
- exploit this to cause a kernel panic and crash the machine.
-Notes:
- http://ozlabs.org/pipermail/linuxppc-dev/2006-October/027338.html
-Bugs:
-upstream: released (2.6.19-rc5), released (2.6.18.3)
-linux-2.6: released (2.6.18-4)
-2.6.8-sarge-security: released (2.6.8-16sarge6) [ppc-alignment-exception-table-check.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge5) [235_ppc-alignment-exception-table-check.diff]
-2.6.12-breezy-security: released (2.6.12-10.41)
-2.6.15-dapper-security: released (2.6.15-27.49)
-2.6.17-edgy-security: released (2.6.17.1-10.34)
Deleted: active/CVE-2006-5749
===================================================================
--- active/CVE-2006-5749 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-5749 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,30 +0,0 @@
-Candidate: CVE-2006-5749
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dab6df63086762629936e8b89a5984bae39724f6
-Description:
- The isdn_ppp_ccp_reset_alloc_state function in
- drivers/isdn/isdn_ppp.c in the Linux 2.4 kernel before 2.4.34-rc4
- does not call the init_timer function for the ISDN PPP CCP reset
- state timer, which has unknown attack vectors and results in a system
- crash.
-Ubuntu-Description:
- Al Viro reported that the ISDN PPP module did not initialize the
- reset state timer. By sending specially crafted ISDN packets, a
- remote attacker could exploit this to crash the kernel.
-Notes:
- dannf> According to Marcel Holtmann, 2.4 and 2.6 < 2.6.13 are not vulnerable.
- dannf> Indeed, in 2.4.27 & 2.6.8, init_timer() just sets timer->base to NULL,
- dannf> so the memset() is sufficient to avoid this crash.
- dannf> However, in 2.6.8 init_timer() also sets a magic number. add_timer()
- dannf> will call __mod_timer(), which calls check_timer(), which will cause
- dannf> the kernel to whine if this magic number is not set. I don't think this
- dannf> will cause a crash, so I'm considering a non-security issue
-Bugs:
-upstream: released (2.6.20-rc5)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-10)
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)
Deleted: active/CVE-2006-6304
===================================================================
--- active/CVE-2006-6304 2007-04-30 17:04:40 UTC (rev 773)
+++ active/CVE-2006-6304 2007-04-30 17:08:05 UTC (rev 774)
@@ -1,14 +0,0 @@
-Candidate: CVE-2006-6304
-References:
-Description:
-Ubuntu-Description:
-Notes: Only 2.6.19 affected
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: N/A
Copied: retired/CVE-2006-3634 (from rev 762, active/CVE-2006-3634)
Copied: retired/CVE-2006-3741 (from rev 762, active/CVE-2006-3741)
Copied: retired/CVE-2006-3745 (from rev 762, active/CVE-2006-3745)
Copied: retired/CVE-2006-4145 (from rev 762, active/CVE-2006-4145)
Copied: retired/CVE-2006-4535 (from rev 762, active/CVE-2006-4535)
Copied: retired/CVE-2006-4538 (from rev 762, active/CVE-2006-4538)
Copied: retired/CVE-2006-4813 (from rev 762, active/CVE-2006-4813)
Copied: retired/CVE-2006-4997 (from rev 762, active/CVE-2006-4997)
Copied: retired/CVE-2006-5158 (from rev 762, active/CVE-2006-5158)
Copied: retired/CVE-2006-5173 (from rev 762, active/CVE-2006-5173)
Copied: retired/CVE-2006-5174 (from rev 762, active/CVE-2006-5174)
Copied: retired/CVE-2006-5648 (from rev 762, active/CVE-2006-5648)
Copied: retired/CVE-2006-5649 (from rev 762, active/CVE-2006-5649)
Copied: retired/CVE-2006-5749 (from rev 762, active/CVE-2006-5749)
Copied: retired/CVE-2006-6304 (from rev 762, active/CVE-2006-6304)
More information about the kernel-sec-discuss
mailing list