[kernel-sec-discuss] r939 - active retired

keescook-guest at alioth.debian.org keescook-guest at alioth.debian.org
Fri Aug 31 18:18:07 UTC 2007 

Author: keescook-guest
Date: 2007-08-31 18:18:07 +0000 (Fri, 31 Aug 2007)
New Revision: 939

Added:
   retired/CVE-2007-2876
   retired/CVE-2007-2878
   retired/CVE-2007-3642
   retired/CVE-2007-3851
Removed:
   active/CVE-2007-2876
   active/CVE-2007-2878
   active/CVE-2007-3642
   active/CVE-2007-3851
Modified:
   active/CVE-2007-3104
Log:
retiring inactive CVEs

Deleted: active/CVE-2007-2876
===================================================================
--- active/CVE-2007-2876	2007-08-31 18:13:47 UTC (rev 938)
+++ active/CVE-2007-2876	2007-08-31 18:18:07 UTC (rev 939)
@@ -1,26 +0,0 @@
-Candidate: CVE-2007-2876
-References: 
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
-Description: 
- The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2)
- nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13,
- and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of
- service by causing certain invalid states that trigger a NULL pointer
- dereference.
-Ubuntu-Description: 
- Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly
- validate certain states.  A remote attacker could send a specially crafted
- packet causing a denial of service.
-Notes: 
- When creating a new connection by sending an unknown chunk type, we
- don't transition to a valid state, causing a NULL pointer dereference in
- sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
-Bugs: 
-upstream: released (2.6.21.4)
-linux-2.6: released (2.6.21-5)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_sctp-null-deref.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [71405ef45b6a5da5419cf4580db7fe9666a63774]
-2.6.20-feisty-security: released (2.6.20-16.31) [b72e4ea43b03b980f6818a10050f2d65d347f36c]

Deleted: active/CVE-2007-2878
===================================================================
--- active/CVE-2007-2878	2007-08-31 18:13:47 UTC (rev 938)
+++ active/CVE-2007-2878	2007-08-31 18:18:07 UTC (rev 939)
@@ -1,29 +0,0 @@
-Candidate: CVE-2007-2878
-References:
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
-Description: 
- The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run
- on a 64-bit system, allow local users to corrupt a kernel_dirent struct
- and cause a denial of service (system crash) via unknown vectors.
-Ubuntu-Description: 
- Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit
- systems.  A local attacker could corrupt a kernel_dirent struct and cause
- a denial of service.
-Notes: 
- dannf> reproduced in etch using reproducer provided in the changeset
- dannf> backporting the fix only proved hazardous as there was some recent
- dannf> restructuring - i've elected to backport that as well
- dannf> (fat-move-ioctl-compat-code.patch)
- dannf> marking sarge kernels as N/A because amd64 wasn't officially supported
- dannf> and the backport is non-trivial (read: risk outweighs benefit)
- dannf>
- dannf> reverted from etch-security branch in r9295 due to ABI change
-Bugs: 
-upstream: released (2.6.21.2)
-linux-2.6: released (2.6.21-3)
-2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch1) "ABI breaker"
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [6dbbec837f43196339b1638dc799d898fcba9302]
-2.6.20-feisty-security: released (2.6.20-16.31) [5825ab378271ac6ead26504a46b0d404b63592dc]

Modified: active/CVE-2007-3104
===================================================================
--- active/CVE-2007-3104	2007-08-31 18:13:47 UTC (rev 938)
+++ active/CVE-2007-3104	2007-08-31 18:18:07 UTC (rev 939)
@@ -8,7 +8,7 @@
  A flaw in the sysfs_readdir function allowed a local user to cause a
  denial of service by dereferencing a NULL pointer.
 Notes: 
- Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
+ pkl> Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
 Bugs: 
 upstream: 
 linux-2.6: 

Deleted: active/CVE-2007-3642
===================================================================
--- active/CVE-2007-3642	2007-08-31 18:13:47 UTC (rev 938)
+++ active/CVE-2007-3642	2007-08-31 18:18:07 UTC (rev 939)
@@ -1,26 +0,0 @@
-Candidate: CVE-2007-3642
-References: 
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25845b5155b55cd77e42655ec24161ba3feffa47
- http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=499
-Description:
- The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c
- in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and
- before 2.6.22 allows remote attackers to cause a denial of service
- (crash) via an encoded, out-of-range index value for a choice field,
- which triggers a NULL pointer dereference.
-Ubuntu-Description: 
- Zhongling Wen discovered that the h323 conntrack handler did not correctly
- handle certain bitfields.  A remote attacker could send a specially crafted
- packet and cause a denial of service.
-Notes: 
- pkl> [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
- dannf> file got renamed between 2.6.18 & 2.6.21
-Bugs: 
-upstream: 
-linux-2.6: released (2.6.21-6) [bugfix/all/stable/2.6.21.6.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_h323-bounds-checking.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security:  N/A - code doesn't seem to exist
-2.6.17-edgy-security: N/A - code doesn't seem to exist
-2.6.20-feisty-security: released (2.6.20-16.31) [c411287f75b34e8cbeba8e7832c4cf1c235e8568]

Deleted: active/CVE-2007-3851
===================================================================
--- active/CVE-2007-3851	2007-08-31 18:13:47 UTC (rev 938)
+++ active/CVE-2007-3851	2007-08-31 18:18:07 UTC (rev 939)
@@ -1,23 +0,0 @@
-Candidate: CVE-2007-3851
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=21f16289270447673a7263ccc0b22d562fb01ecb
-Description: 
- The drm/i915 component in the Linux kernel before 2.6.22.2, when used
- with i965G and later chipsets, allows local users with access to an
- X11 session and Direct Rendering Manager (DRM) to write to arbitrary
- memory locations and gain privileges via a crafted batchbuffer.
-Ubuntu-Description: 
- The Direct Rendering Manager for the i915 driver could be made to write
- to arbitrary memory locations.  An attacker with access to a running X11
- session could send a specially crafted buffer and gain root privileges.
-Notes: 
- jmm> Code was introduced after 2.6.18, but backported to Etch
-Bugs: 
-upstream: released (2.6.22.2)
-linux-2.6: 
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/i965-secure-batchbuffer.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A 
-2.6.17-edgy-security: released (2.6.17.1-12.40) [cc8e06db0f30d589b1bc6d164fadb28631f638b1]
-2.6.20-feisty-security: released (2.6.20-16.31) [d475e30926c7d8337bc3008f42cae01da740ee12]

Copied: retired/CVE-2007-2876 (from rev 938, active/CVE-2007-2876)
===================================================================
--- retired/CVE-2007-2876	                        (rev 0)
+++ retired/CVE-2007-2876	2007-08-31 18:18:07 UTC (rev 939)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-2876
+References: 
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
+Description: 
+ The sctp_new function in (1) ip_conntrack_proto_sctp.c and (2)
+ nf_conntrack_proto_sctp.c in Netfilter in Linux kernel 2.6 before 2.6.20.13,
+ and 2.6.21.x before 2.6.21.4, allows remote attackers to cause a denial of
+ service by causing certain invalid states that trigger a NULL pointer
+ dereference.
+Ubuntu-Description: 
+ Vilmos Nebehaj discovered that the SCTP netfilter code did not correctly
+ validate certain states.  A remote attacker could send a specially crafted
+ packet causing a denial of service.
+Notes: 
+ When creating a new connection by sending an unknown chunk type, we
+ don't transition to a valid state, causing a NULL pointer dereference in
+ sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].
+Bugs: 
+upstream: released (2.6.21.4)
+linux-2.6: released (2.6.21-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_sctp-null-deref.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [71405ef45b6a5da5419cf4580db7fe9666a63774]
+2.6.20-feisty-security: released (2.6.20-16.31) [b72e4ea43b03b980f6818a10050f2d65d347f36c]

Copied: retired/CVE-2007-2878 (from rev 938, active/CVE-2007-2878)
===================================================================
--- retired/CVE-2007-2878	                        (rev 0)
+++ retired/CVE-2007-2878	2007-08-31 18:18:07 UTC (rev 939)
@@ -0,0 +1,29 @@
+Candidate: CVE-2007-2878
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
+Description: 
+ The VFAT compat ioctls in the Linux kernel before 2.6.21.2, when run
+ on a 64-bit system, allow local users to corrupt a kernel_dirent struct
+ and cause a denial of service (system crash) via unknown vectors.
+Ubuntu-Description: 
+ Luca Tettamanti discovered a flaw in the VFAT compat ioctls on 64-bit
+ systems.  A local attacker could corrupt a kernel_dirent struct and cause
+ a denial of service.
+Notes: 
+ dannf> reproduced in etch using reproducer provided in the changeset
+ dannf> backporting the fix only proved hazardous as there was some recent
+ dannf> restructuring - i've elected to backport that as well
+ dannf> (fat-move-ioctl-compat-code.patch)
+ dannf> marking sarge kernels as N/A because amd64 wasn't officially supported
+ dannf> and the backport is non-trivial (read: risk outweighs benefit)
+ dannf>
+ dannf> reverted from etch-security branch in r9295 due to ABI change
+Bugs: 
+upstream: released (2.6.21.2)
+linux-2.6: released (2.6.21-3)
+2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch1) "ABI breaker"
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [6dbbec837f43196339b1638dc799d898fcba9302]
+2.6.20-feisty-security: released (2.6.20-16.31) [5825ab378271ac6ead26504a46b0d404b63592dc]

Copied: retired/CVE-2007-3642 (from rev 938, active/CVE-2007-3642)
===================================================================
--- retired/CVE-2007-3642	                        (rev 0)
+++ retired/CVE-2007-3642	2007-08-31 18:18:07 UTC (rev 939)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-3642
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25845b5155b55cd77e42655ec24161ba3feffa47
+ http://patchwork.netfilter.org/netfilter-devel/patch.pl?id=499
+Description:
+ The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c
+ in the Linux kernel before 2.6.20.15, 2.6.21.x before 2.6.21.6, and
+ before 2.6.22 allows remote attackers to cause a denial of service
+ (crash) via an encoded, out-of-range index value for a choice field,
+ which triggers a NULL pointer dereference.
+Ubuntu-Description: 
+ Zhongling Wen discovered that the h323 conntrack handler did not correctly
+ handle certain bitfields.  A remote attacker could send a specially crafted
+ packet and cause a denial of service.
+Notes: 
+ pkl> [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
+ dannf> file got renamed between 2.6.18 & 2.6.21
+Bugs: 
+upstream: 
+linux-2.6: released (2.6.21-6) [bugfix/all/stable/2.6.21.6.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/nf_conntrack_h323-bounds-checking.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security:  N/A - code doesn't seem to exist
+2.6.17-edgy-security: N/A - code doesn't seem to exist
+2.6.20-feisty-security: released (2.6.20-16.31) [c411287f75b34e8cbeba8e7832c4cf1c235e8568]

Copied: retired/CVE-2007-3851 (from rev 938, active/CVE-2007-3851)
===================================================================
--- retired/CVE-2007-3851	                        (rev 0)
+++ retired/CVE-2007-3851	2007-08-31 18:18:07 UTC (rev 939)
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-3851
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=21f16289270447673a7263ccc0b22d562fb01ecb
+Description: 
+ The drm/i915 component in the Linux kernel before 2.6.22.2, when used
+ with i965G and later chipsets, allows local users with access to an
+ X11 session and Direct Rendering Manager (DRM) to write to arbitrary
+ memory locations and gain privileges via a crafted batchbuffer.
+Ubuntu-Description: 
+ The Direct Rendering Manager for the i915 driver could be made to write
+ to arbitrary memory locations.  An attacker with access to a running X11
+ session could send a specially crafted buffer and gain root privileges.
+Notes: 
+ jmm> Code was introduced after 2.6.18, but backported to Etch
+Bugs: 
+upstream: released (2.6.22.2)
+linux-2.6: 
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/i965-secure-batchbuffer.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A 
+2.6.17-edgy-security: released (2.6.17.1-12.40) [cc8e06db0f30d589b1bc6d164fadb28631f638b1]
+2.6.20-feisty-security: released (2.6.20-16.31) [d475e30926c7d8337bc3008f42cae01da740ee12]

More information about the kernel-sec-discuss mailing list