[kernel-sec-discuss] r1066 - active scripts

keescook-guest at alioth.debian.org
Wed Dec 19 01:39:51 UTC 2007


Author: keescook-guest
Date: 2007-12-19 01:39:51 +0000 (Wed, 19 Dec 2007)
New Revision: 1066

Modified:
   active/CVE-2006-6058
   active/CVE-2007-4133
   active/CVE-2007-4567
   active/CVE-2007-4849
   active/CVE-2007-4997
   active/CVE-2007-5093
   active/CVE-2007-5500
   active/CVE-2007-5501
   scripts/ubuntu-usn-desc
Log:
Ubuntu kernel updates

Modified: active/CVE-2006-6058
===================================================================
--- active/CVE-2006-6058	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2006-6058	2007-12-19 01:39:51 UTC (rev 1066)
@@ -13,6 +13,10 @@
  function. NOTE: this issue might be due to an integer overflow or signedness
  error.
 Ubuntu-Description: 
+ The minix filesystem did not properly validate certain filesystem values.
+ If a local attacker could trick the system into attempting to mount a
+ corrupted minix filesystem, the kernel could be made to hang for long
+ periods of time, resulting in a denial of service.
 Notes: 
  dannf> ignored for sarge for now - only applies under very rare circumstances
         and don't know if there's an upstream fix
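Review bot: the new Ubuntu-Description describes a fix that edgy, feisty and gutsy have now shipped, yet the unchanged dannf> note directly below it still reads "don't know if there's an upstream fix"; add a kees> or dannf> line naming the upstream commit that was backported so the Notes block stops contradicting the released status lines.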
@@ -28,6 +32,6 @@
 2.6.8-sarge-security: ignored
 2.4.27-sarge-security: ignored
 2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
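Review bot: 2.6.15-dapper-security stays pending (2.6.15-29.61) while the three newer releases flip to released, and the same pattern repeats in every file in this commit; that is fine if the dapper build has genuinely not been published yet, but if it went out under the same USN it should be flipped in this pass rather than left for a later one.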

Modified: active/CVE-2007-4133
===================================================================
--- active/CVE-2007-4133	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-4133	2007-12-19 01:39:51 UTC (rev 1066)
@@ -3,7 +3,15 @@
  http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6
  https://bugzilla.redhat.com/show_bug.cgi?id=253926
 Description: 
+ The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
+ in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
+ certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
+ units, which allows local users to cause a denial of service (panic)
+ via unspecified vectors.
 Ubuntu-Description: 
+ Certain calculations in the hugetlb code were not correct.  A local
+ attacker could exploit this to cause a kernel panic, leading to a denial
+ of service.
 Notes: 
  jmm> 2.4 doesn't contain hugetlbfs
 Bugs: 
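Review bot: the Ubuntu-Description drops the precondition the CVE text carries, that the affected functions live in fs/hugetlbfs/inode.c and so only matter on systems with hugetlbfs in use; writing "in the hugetlbfs code" rather than "in the hugetlb code" would let USN readers who do not use huge pages judge their exposure from the advisory text alone.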
@@ -13,6 +21,6 @@
 2.6.8-sarge-security: 
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
 2.6.20-feisty-security: N/A
 2.6.22-gutsy-security: N/A

Modified: active/CVE-2007-4567
===================================================================
--- active/CVE-2007-4567	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-4567	2007-12-19 01:39:51 UTC (rev 1066)
@@ -4,6 +4,11 @@
  http://bugzilla.kernel.org/show_bug.cgi?id=8450
 Description: 
 Ubuntu-Description: 
+ Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6
+ extended header was not correctly validated.  If a system was configured
+ for IPv6, a remote attacker could send a specially crafted IPv6 packet
+ and cause the kernel to panic, leading to a denial of service.  This
+ was only vulnerable in Ubuntu 7.04.
 Notes: 
  kees> introduced in 2.6.20, fixed in 2.6.22
 Bugs: 
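Review bot: Description: is left empty while Ubuntu-Description is filled in; the other entries in this commit (CVE-2007-4133, for example) carry the upstream CVE text there, so paste it in for consistency. The "only vulnerable in Ubuntu 7.04" sentence is justified by the kees> note below (introduced in 2.6.20, fixed in 2.6.22), which is good, but the Description field is where a reader would expect the upstream wording that backs it up.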
@@ -14,5 +19,5 @@
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: N/A
 2.6.17-edgy-security: N/A
-2.6.20-feisty-security: pending (2.6.20-2.6.20-16.33)
+2.6.20-feisty-security: released (2.6.20-2.6.20-16.33)
 2.6.22-gutsy-security: N/A
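Review bot: the version string "2.6.20-2.6.20-16.33" on the changed 2.6.20-feisty-security line looks like a copy error, since every other file in this commit records feisty as 2.6.20-16.33; as the line is being touched anyway to flip pending to released, correct it to `2.6.20-feisty-security: released (2.6.20-16.33)` so anything parsing the parenthesised version gets a real package version.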

Modified: active/CVE-2007-4849
===================================================================
--- active/CVE-2007-4849	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-4849	2007-12-19 01:39:51 UTC (rev 1066)
@@ -11,6 +11,8 @@
  restricted files or directories after a remount of a filesystem, related to "legacy
  modes" and an inconsistency between dentry permissions and inode permissions.
 Ubuntu-Description: 
+ Permissions were not correctly stored on JFFS2 ACLs.  For systems using
+ ACLs on JFFS2, a local attacker may gain access to private files.
 Notes: 
  jmm> ACL support was introduced in 2.6.17 with commit aa98d7cf59b5b0764d3502662053489585faf2fe, marking
  jmm> earlier Debian releases as N/A
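Review bot: the CVE Description just above ties the exposure to a remount of the filesystem and to the legacy-modes inconsistency between dentry and inode permissions, whereas the Ubuntu-Description reduces it to "permissions were not correctly stored"; a clause such as "after the filesystem was remounted" would keep the user-facing text faithful to the trigger condition.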
@@ -22,5 +24,5 @@
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: N/A
 2.6.17-edgy-security: N/A
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
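Review bot: 2.6.17-edgy-security is N/A in this block, yet the jmm> note in the previous hunk says JFFS2 ACL support was introduced in 2.6.17 with commit aa98d7cf59b5b0764d3502662053489585faf2fe; one of the two needs a second look, either the commit actually landed in a later release and the note's version should be corrected, or edgy carries the code and needs a status instead of N/A.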

Modified: active/CVE-2007-4997
===================================================================
--- active/CVE-2007-4997	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-4997	2007-12-19 01:39:51 UTC (rev 1066)
@@ -4,6 +4,10 @@
  http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
 Description: 
 Ubuntu-Description: 
+ Chris Evans discovered that the 802.11 network stack did not correctly
+ handle certain QOS frames.  A remote attacker on the local wireless network
+ could send specially crafted packets that would panic the kernel, resulting
+ in a denial of service.
 Notes: 
  > The summary is that an evil 80211 frame can crash out a victim's
  > machine. It only applies to drivers using the 80211 wireless code, and
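Review bot: Description: is empty here as well; fill it with the upstream CVE text so the file has the same shape as CVE-2007-4133. Also, the quoted note restricts the bug to drivers using the 80211 wireless code, which is a useful qualifier the Ubuntu-Description could carry, and the usual spelling is "QoS" rather than "QOS" in user-facing advisory text.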
@@ -19,6 +23,6 @@
 2.6.8-sarge-security: N/A
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)

Modified: active/CVE-2007-5093
===================================================================
--- active/CVE-2007-5093	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-5093	2007-12-19 01:39:51 UTC (rev 1066)
@@ -17,6 +17,10 @@
  the disconnect is invoked. NOTE: this rarely crosses privilege boundaries,
  unless the attacker can convince the victim to unplug the affected device.
 Ubuntu-Description: 
+ The Philips USB Webcam driver did not correctly handle disconnects.
+ If a local attacker tricked another user into disconnecting a webcam
+ unsafely, the kernel could hang or consume CPU resources, leading to
+ a denial of service.
 Notes: 
  kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6c4e
 Bugs: 
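Review bot: "disconnecting a webcam unsafely" is vague; the CVE NOTE above frames the crossing of privilege boundaries as the attacker convincing the victim to unplug the affected device, so phrase the Ubuntu-Description as "tricked another user into unplugging a webcam" and drop "unsafely", which does not tell the reader what the unsafe action is.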
@@ -26,6 +30,6 @@
 2.6.8-sarge-security: 
 2.4.27-sarge-security: 
 2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
 2.6.22-gutsy-security: N/A

Modified: active/CVE-2007-5500
===================================================================
--- active/CVE-2007-5500	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-5500	2007-12-19 01:39:51 UTC (rev 1066)
@@ -4,6 +4,10 @@
 Description: 
  wait_task_stopped: Check p->exit_state instead of TASK_TRACED
 Ubuntu-Description: 
+ Scott James Remnant discovered that the waitid function could be made
+ to hang the system.  A local attacker could execute a specially crafted
+ program which would leave the system unresponsive, resulting in a denial
+ of service.
 Notes: 
  kees> 2.6.15 does not actually lock up -- it just spins in userspace
  jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308
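Review bot: the new Ubuntu-Description says the system is left unresponsive, but the kees> note directly below says 2.6.15 does not lock up and only spins in userspace; since dapper (2.6.15) is still pending in the status block, either qualify the advisory text for that release or add a note saying why the dapper update is still warranted (a runaway task consuming CPU is a different impact from a hung kernel).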
@@ -15,6 +19,6 @@
 2.6.8-sarge-security: N/A
 2.4.27-sarge-security: N/A
 2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)

Modified: active/CVE-2007-5501
===================================================================
--- active/CVE-2007-5501	2007-12-18 15:32:10 UTC (rev 1065)
+++ active/CVE-2007-5501	2007-12-19 01:39:51 UTC (rev 1066)
@@ -3,6 +3,10 @@
  http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=96a2d41a3e495734b63bff4e5dd0112741b93b38
 Description: 
 Ubuntu-Description: 
+ Ilpo Järvinen discovered that it might be possible for the TCP stack
+ to panic the kernel when receiving a crafted ACK response.  Only Ubuntu
+ 7.10 contained the vulnerable code, and it is believed not to have
+ been exploitable.
 Notes: 
  dannf> Jan Lieskovsky pointed out that tcp_write_queue_head() was introduced
  dannf> in 2.6.21-git1
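Review bot: "might be possible for the TCP stack to panic the kernel" and "believed not to have been exploitable" sit uneasily in the same paragraph; state which is meant, that the panic path exists but the crafted ACK is not thought practical to produce, or that the code path is not reachable on 7.10. The empty Description: above should also be filled from the upstream CVE text as in the other entries.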
@@ -15,4 +19,4 @@
 2.6.15-dapper-security: N/A
 2.6.17-edgy-security: N/A
 2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.22-gutsy-security: released (2.6.22-14.47)

Modified: scripts/ubuntu-usn-desc
===================================================================
--- scripts/ubuntu-usn-desc	2007-12-18 15:32:10 UTC (rev 1065)
+++ scripts/ubuntu-usn-desc	2007-12-19 01:39:51 UTC (rev 1066)
@@ -18,6 +18,8 @@
                  )
 
 for cve in sys.argv[1:]:
+    if cve == "--cve":
+        continue
     desc = deb822.deb822(file(cve))['Ubuntu-Description'].strip()
     if len(sys.argv[1:])!=1:
         desc += " (%s)"%cve
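Review bot: skipping the "--cve" token inside the loop leaves it counted by `len(sys.argv[1:])!=1` two lines further down, so a call with `--cve CVE-2007-5500` (one CVE plus the flag) still appends the " (CVE-...)" suffix intended for multi-CVE runs. Filter the arguments once before the loop, e.g. `cves = [a for a in sys.argv[1:] if a != "--cve"]`, then iterate `for cve in cves:` and test `len(cves)!=1`, so the flag affects neither the loop body nor the count.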
