[kernel-sec-discuss] r933 - active

keescook-guest at alioth.debian.org
Thu Aug 30 23:56:26 UTC 2007


Author: keescook-guest
Date: 2007-08-30 23:56:26 +0000 (Thu, 30 Aug 2007)
New Revision: 933

Modified:
   active/CVE-2007-3104
   active/CVE-2007-3105
   active/CVE-2007-3513
   active/CVE-2007-3719
   active/CVE-2007-3848
   active/CVE-2007-3851
   active/CVE-2007-4308
Log:
edgy released; descriptions updated

Modified: active/CVE-2007-3104
===================================================================
--- active/CVE-2007-3104	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3104	2007-08-30 23:56:26 UTC (rev 933)
@@ -1,14 +1,14 @@
 Candidate: CVE-2007-3104
 References: 
 Description: 
+ The sysfs_readdir function in the Linux kernel in Red Hat Enterprise
+ Linux 4.5 allows local users to cause a denial of service (kernel OOPS)
+ by dereferencing a null pointer to an inode in a dentry.
 Ubuntu-Description: 
- sysfs_readdir NULL ptr dereference causes kernel oops
- .   
  A flaw in the sysfs_readdir function allowed a local user to cause a
  denial of service by dereferencing a NULL pointer.
- .
+Notes: 
  Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
-Notes: 
 Bugs: 
 upstream: 
 linux-2.6: 
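Review bot: the fix provenance in this hunk is incomplete. The Description names a Red Hat Enterprise Linux 4.5 kernel and the only fix pointer is the "Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release" line that this hunk moves under `Notes:`, yet `References:` and `upstream:` are both left empty. If this is a bug in the RHEL 2.6.9 backport rather than in mainline, `upstream:` should say so rather than stay blank, and the src.rpm (or the Red Hat advisory) belongs under `References:` so the pending dapper/edgy/feisty entries can be traced to a concrete patch.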
@@ -16,5 +16,5 @@
 2.6.8-sarge-security: 
 2.4.27-sarge-security: 
 2.6.15-dapper-security: pending (2.6.15-29.58)
-2.6.17-edgy-security: pending (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]
+2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]
 2.6.20-feisty-security: pending (2.6.20-16.30) [5ca45c7e9e3d363c7bd3a5419742cb3368baf474]

Modified: active/CVE-2007-3105
===================================================================
--- active/CVE-2007-3105	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3105	2007-08-30 23:56:26 UTC (rev 933)
@@ -1,7 +1,18 @@
 Candidate: CVE-2007-3105
 References: 
 Description: 
+ Stack-based buffer overflow in the random number generator (RNG)
+ implementation in the Linux kernel before 2.6.22 might allow local root
+ users to cause a denial of service or gain privileges by setting the
+ default wakeup threshold to a value greater than the output pool size,
+ which triggers writing random numbers to the stack by the pool transfer
+ function involving "bound check ordering". NOTE: this issue might only
+ cross privilege boundaries in environments that have granular assignment
+ of privileges for root.
 Ubuntu-Description: 
+ A buffer overflow was discovered in the random number generator.  In
+ environments with granular assignment of root privileges, a local attacker
+ could gain additional privileges.
 Notes: 
 Bugs: 
 upstream: released (2.6.21, 2.6.22.3)
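Review bot: the new Ubuntu-Description drops the precondition stated in the Description. Upstream says "local root users" setting the wakeup threshold above the output pool size, and its NOTE limits the impact to "environments that have granular assignment of privileges for root", whereas "a local attacker could gain additional privileges" reads as if any unprivileged local user qualifies. Suggest "a local attacker with partial root privileges could gain additional privileges" or similar. Separately, the Description says "before 2.6.22" while `upstream:` reads "released (2.6.21, 2.6.22.3)"; one of those version ranges needs reconciling.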
@@ -10,5 +21,5 @@
 2.6.8-sarge-security: 
 2.4.27-sarge-security: 
 2.6.15-dapper-security: pending (2.6.15-29.58) 
-2.6.17-edgy-security: pending (2.6.17.1-12.40) [f22710043b7d89b496f7910e9c87ed62519dff14]
+2.6.17-edgy-security: released (2.6.17.1-12.40) [f22710043b7d89b496f7910e9c87ed62519dff14]
 2.6.20-feisty-security: pending (2.6.20-16.30) [542a98d0809f0eccc5cf23ed402285e995e0b31e]

Modified: active/CVE-2007-3513
===================================================================
--- active/CVE-2007-3513	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3513	2007-08-30 23:56:26 UTC (rev 933)
@@ -15,5 +15,5 @@
 2.6.8-sarge-security: 
 2.4.27-sarge-security: 
 2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: pending (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7]
+2.6.17-edgy-security: released (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7]
 2.6.20-feisty-security: pending (2.6.20-16.30) [165018c61779a357d33947a2ae169148b6ab8d9f]

Modified: active/CVE-2007-3719
===================================================================
--- active/CVE-2007-3719	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3719	2007-08-30 23:56:26 UTC (rev 933)
@@ -15,4 +15,4 @@
 2.4.27-sarge-security: 
 2.6.15-dapper-security: ignore (low priority, no obvious upstream fix)
 2.6.17-edgy-security: ignore (low priority, no obvious upstream fix)
-2.6.20-feisty-security: 
+2.6.20-feisty-security: ignore (low priority, no obvious upstream fix)

Modified: active/CVE-2007-3848
===================================================================
--- active/CVE-2007-3848	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3848	2007-08-30 23:56:26 UTC (rev 933)
@@ -7,6 +7,9 @@
  by causing a setuid-root parent process to die, which delivers an
  attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
 Ubuntu-Description: 
+ It was discovered that certain setuid-root processes did not correctly
+ reset process death signal handlers.  A local user could manipulate this
+ to send signals to processes they would not normally have access to.
 Notes: 
 Bugs: 
 upstream: 
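Review bot: "did not correctly reset process death signal handlers" is imprecise. PR_SET_PDEATHSIG, quoted in the Description just above, selects the signal the kernel delivers when a process's parent dies; it is not a handler, and the flaw is that the setting was not cleared across a setuid-root exec. Suggest "did not reset the parent-death signal (PR_SET_PDEATHSIG) when executing setuid-root programs", keeping the existing second sentence about a local user sending signals to processes they would not normally have access to.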
@@ -15,5 +18,5 @@
 2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch]
 2.4.27-sarge-security: needed
 2.6.15-dapper-security: pending (2.6.15-29.58)
-2.6.17-edgy-security: pending (linux-2.6 commit d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f)
+2.6.17-edgy-security: released (2.6.17.1-12.40)
 2.6.20-feisty-security: pending (2.6.20-16.30)
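Review bot: the edgy line loses its fix provenance. The old entry carried `linux-2.6 commit d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f`; the new one has only the package version, unlike the other CVEs in this commit, which keep the hash in brackets (e.g. `2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]`). Suggest `2.6.17-edgy-security: released (2.6.17.1-12.40) [d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f]` so the released package can still be tied to the upstream change; `References:` for this CVE is empty in the hunk above, so the hash would otherwise vanish from the file entirely.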

Modified: active/CVE-2007-3851
===================================================================
--- active/CVE-2007-3851	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-3851	2007-08-30 23:56:26 UTC (rev 933)
@@ -7,6 +7,9 @@
  X11 session and Direct Rendering Manager (DRM) to write to arbitrary
  memory locations and gain privileges via a crafted batchbuffer.
 Ubuntu-Description: 
+ The Direct Rendering Manager for the i915 driver could be made to write
+ to arbitrary memory locations.  An attacker with access to a running X11
+ session could send a specially crafted buffer and gain root privileges.
 Notes: 
  jmm> Code was introduced after 2.6.18, but backported to Etch
 Bugs: 
@@ -16,5 +19,5 @@
 2.6.8-sarge-security: N/A
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: N/A 
-2.6.17-edgy-security: pending (2.6.17.1-12.40) [cc8e06db0f30d589b1bc6d164fadb28631f638b1]
+2.6.17-edgy-security: released (2.6.17.1-12.40) [cc8e06db0f30d589b1bc6d164fadb28631f638b1]
 2.6.20-feisty-security: pending (2.6.20-16.30) [d475e30926c7d8337bc3008f42cae01da740ee12]

Modified: active/CVE-2007-4308
===================================================================
--- active/CVE-2007-4308	2007-08-29 14:41:25 UTC (rev 932)
+++ active/CVE-2007-4308	2007-08-30 23:56:26 UTC (rev 933)
@@ -2,12 +2,16 @@
 References: 
  http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.23-rc2
  http://lkml.org/lkml/2007/7/23/195
+ linux-2.6 commit 719be62903a6e6419789557cb3ed0e840d3e4ca9
 Description: 
  The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI
  layer ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do
  not check permissions for ioctls, which might allow local users to
  cause a denial of service or gain privileges.
 Ubuntu-Description: 
+ It was discovered that the aacraid SCSI driver did not correctly check
+ permissions on certain ioctls.  A local attacker could cause a denial
+ of service or gain privileges.
 Notes: 
  jmm> 2.4.27 code is quite different, but appears vulnerable as well
 Bugs: 
@@ -17,5 +21,5 @@
 2.6.8-sarge-security: pending (2.6.8-17sarge1) [aacraid-ioctl-perm-check.dpatch]
 2.4.27-sarge-security: needed
 2.6.15-dapper-security: pending (2.6.15-29.58)
-2.6.17-edgy-security: pending (linux-2.6 commit 719be62903a6e6419789557cb3ed0e840d3e4ca9)
+2.6.17-edgy-security: released (2.6.17.1-12.40)
 2.6.20-feisty-security: pending (2.6.20-16.30)
