[kernel-sec-discuss] r860 - active retired
jmm at alioth.debian.org
Mon Jun 18 21:03:46 UTC 2007
Author: jmm
Date: 2007-06-18 21:03:46 +0000 (Mon, 18 Jun 2007)
New Revision: 860
Added:
retired/CVE-2005-4811
retired/CVE-2006-5754
retired/CVE-2006-5757
retired/CVE-2006-6056
retired/CVE-2007-1357
Removed:
active/CVE-2005-4811
active/CVE-2006-5754
active/CVE-2006-5757
active/CVE-2006-6056
active/CVE-2007-1357
Log:
retire some issues now resolved with the latest 2.6.8 DSA
Deleted: active/CVE-2005-4811
===================================================================
--- active/CVE-2005-4811 2007-06-18 20:59:43 UTC (rev 859)
+++ active/CVE-2005-4811 2007-06-18 21:03:46 UTC (rev 860)
@@ -1,23 +0,0 @@
-Candidate: CVE-2005-4811
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c7546f8f03f5a4fa612605b6be930234d6026860
-Description: hugetlb dos
-Ubuntu-Description:
- David Gibson discovered a Denial of Service vulnerability in the
- unmap_hugepage_area() function. By calling mmap() in a special way, a
- local user could exploit this to crash the kernel.
-Notes:
- - Pretty old fix, applied upstream in 2.6.11 or 2.6.12.
- - 2.6.10 and older have function in arch-specific
- arch/*/mm/hugetlbpage.c, thus requires some manual porting work
- dannf> In Debian's 2.4.27, the only existance of this function is in
- ia64 code, which already has the proper check
-Bugs:
-upstream: released (2.6.13)
-linux-2.6: released (2.6.13-1)
-2.6.8-sarge-security: released (2.6.8-16sarge7) [unmap_hugepage_area-check-null-pte.dpatch]
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released
-2.6.15-dapper-security: released
-2.6.17-edgy: released
-2.6.18-etch-security: N/A
Deleted: active/CVE-2006-5754
===================================================================
--- active/CVE-2006-5754 2007-06-18 20:59:43 UTC (rev 859)
+++ active/CVE-2006-5754 2007-06-18 21:03:46 UTC (rev 860)
@@ -1,21 +0,0 @@
-Candidate: CVE-2006-5754
-References:
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220971
-Description:
- The aio_setup_ring function in Linux kernel does not properly initialize a
- variable, which allows local users to cause a denial of service (crash) via
- an unspecified error path that causes an incorrect free operation.
-Ubuntu-Description:
-Notes:
- jmm> 3e45a10919b3bc290147d81a4eb0117f019ba16a
- dannf> From the description, I'm assuming this is the fix:
- http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=418e67e3jfC3msWLXzcdTkI10dwtEg
- 'aio: remove incorrect initialization of "nr_pages"'
-Bugs:
-upstream: released (2.6.10-rc2)
-linux-2.6: released (2.6.10-1)
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge7) [aio-fix-nr_pages-init.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: N/A
Deleted: active/CVE-2006-5757
===================================================================
--- active/CVE-2006-5757 2007-06-18 20:59:43 UTC (rev 859)
+++ active/CVE-2006-5757 2007-06-18 21:03:46 UTC (rev 860)
@@ -1,28 +0,0 @@
-Candidate: CVE-2006-5757
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e5657933863f43cc6bb76a54d659303dafaa9e58
-Description:
- Race condition in the __find_get_block_slow function in the ISO9660
- filesystem in Linux 2.6.18 and possibly other versions allows local
- users to cause a denial of service (infinite loop) by mounting a
- crafted ISO9660 filesystem containing malformed data structures.
-Ubuntu-Description:
- A race condition was found in the grow_buffers() function. By mounting a
- specially crafted ISO9660 or NTFS file system, a local attacker could
- exploit this to trigger an infinite loop in the kernel, rendering the
- machine unusable.
-Notes:
- http://projects.info-pull.com/mokb/MOKB-05-11-2006.html
- http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
- dannf> Tried the MOKB-05-11-2006 reproducer on 2.4.27/ia64 & no
- dannf> infinite loop was triggered
- jmm> 2.4.27 has range checks, marking N/A
-Bugs:
-upstream: released (2.6.19-rc2)
-linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]
-2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38]
-2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch]
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)
Deleted: active/CVE-2006-6056
===================================================================
--- active/CVE-2006-6056 2007-06-18 20:59:43 UTC (rev 859)
+++ active/CVE-2006-6056 2007-06-18 21:03:46 UTC (rev 860)
@@ -1,26 +0,0 @@
-Candidate: CVE-2006-6056
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d6ddf55440833fd9404138026af246c51ebeef22
- MISC:http://projects.info-pull.com/mokb/MOKB-14-11-2006.html
-Description:
- Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux
- hooks are enabled, allows local users to cause a denial of service (crash)
- via a malformed file stream that triggers a NULL pointer dereference in the
- superblock_doinit function, as demonstrated using an HFS filesystem image.
-Ubuntu-Description:
- The hfs file system driver did not properly handle corrupted data
- structures. By mounting a specially crafted hfs file system, a local
- attacker could exploit this to crash the kernel. This only affects
- systems which enable SELinux (Ubuntu disables SELinux by default).
-Notes:
- dannf> Though this bug fix applies to 2.4, 2.4 does not include SELinux
- so it should not be vulnerable to the DoS
-Bugs:
-upstream: released (2.6.19)
-linux-2.6: released (2.6.18.dfsg.1-10)
-2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38]
-2.6.8-sarge-security: released (2.6.8-16sarge7) [hfs-no-root-inode.dpatch]
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)
Deleted: active/CVE-2007-1357
===================================================================
--- active/CVE-2007-1357 2007-06-18 20:59:43 UTC (rev 859)
+++ active/CVE-2007-1357 2007-06-18 21:03:46 UTC (rev 860)
@@ -1,23 +0,0 @@
-Candidate: CVE-2007-1357
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a
-Description:
-Ubuntu-Description:
- Philipp Richter discovered that the AppleTalk protocol handler did
- not sufficiently verify the length of packets. By sending a crafted
- AppleTalk packet, a remote attacker could exploit this to crash the
- kernel.
-Notes:
- dannf> commit msg says that the vulnerable code was added in 2.6.0-test5:
- http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
- This code was never backported to 2.4, so I'm assuming its not
- vulnerable
-Bugs:
-upstream: released (2.6.21-rc6)
-linux-2.6: released (2.6.20-1) [bugfix/2.6.20.5]
-2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/appletalk-length-mismatch.patch, bugfix/appletalk-endianness-annotations.patch]
-2.6.8-sarge-security: released (2.6.8-16sarge7) [appletalk-length-mismatch.dpatch, appletalk-endianness-annotations.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.54)
-2.6.17-edgy-security: released (2.6.17.1-11.38)
-2.6.20-feisty-security: released (2.6.20-16.28)
Copied: retired/CVE-2005-4811 (from rev 859, active/CVE-2005-4811)
===================================================================
--- retired/CVE-2005-4811 (rev 0)
+++ retired/CVE-2005-4811 2007-06-18 21:03:46 UTC (rev 860)
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-4811
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c7546f8f03f5a4fa612605b6be930234d6026860
+Description: hugetlb dos
+Ubuntu-Description:
+ David Gibson discovered a Denial of Service vulnerability in the
+ unmap_hugepage_area() function. By calling mmap() in a special way, a
+ local user could exploit this to crash the kernel.
+Notes:
+ - Pretty old fix, applied upstream in 2.6.11 or 2.6.12.
+ - 2.6.10 and older have function in arch-specific
+ arch/*/mm/hugetlbpage.c, thus requires some manual porting work
+ dannf> In Debian's 2.4.27, the only existance of this function is in
+ ia64 code, which already has the proper check
+Bugs:
+upstream: released (2.6.13)
+linux-2.6: released (2.6.13-1)
+2.6.8-sarge-security: released (2.6.8-16sarge7) [unmap_hugepage_area-check-null-pte.dpatch]
+2.4.27-sarge-security: N/A
+2.6.12-breezy-security: released
+2.6.15-dapper-security: released
+2.6.17-edgy: released
+2.6.18-etch-security: N/A
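Review bot: the Notes and Bugs sections of this entry disagree on when the fix landed upstream, and the per-release states do not follow from either: the note says "applied upstream in 2.6.11 or 2.6.12" while the Bugs line says "upstream: released (2.6.13)". 2.6.18-etch-security is marked N/A because the fix predates it, yet 2.6.15-dapper-security and 2.6.17-edgy, which also postdate 2.6.13, are marked "released" with no package version; either those two should be N/A as well, or the reason they needed a separate fix should be recorded. Pin the upstream version down from the referenced commit c7546f8f and drop the vague note. Also, the "2.6.17-edgy: released" line is missing the "-security" suffix used on every other line, and the breezy/dapper/edgy lines carry no version, unlike the sarge line "released (2.6.8-16sarge7)".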
Copied: retired/CVE-2006-5754 (from rev 859, active/CVE-2006-5754)
===================================================================
--- retired/CVE-2006-5754 (rev 0)
+++ retired/CVE-2006-5754 2007-06-18 21:03:46 UTC (rev 860)
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-5754
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220971
+Description:
+ The aio_setup_ring function in Linux kernel does not properly initialize a
+ variable, which allows local users to cause a denial of service (crash) via
+ an unspecified error path that causes an incorrect free operation.
+Ubuntu-Description:
+Notes:
+ jmm> 3e45a10919b3bc290147d81a4eb0117f019ba16a
+ dannf> From the description, I'm assuming this is the fix:
+ http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=418e67e3jfC3msWLXzcdTkI10dwtEg
+ 'aio: remove incorrect initialization of "nr_pages"'
+Bugs:
+upstream: released (2.6.10-rc2)
+linux-2.6: released (2.6.10-1)
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge7) [aio-fix-nr_pages-init.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: N/A
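Review bot: the fix commit is only recorded as a bare hash in the Notes ("jmm> 3e45a10919b3bc290147d81a4eb0117f019ba16a") and dannf's bkbits link is explicitly an assumption ("I'm assuming this is the fix"), while References lists only the Red Hat bugzilla. Move the confirmed commit into References as a full kernel.org URL, as the other entries in this revision do, so that aio-fix-nr_pages-init.dpatch can be traced to upstream. The Bugs list is also missing a 2.6.12-breezy-security line, which every other entry here carries; with upstream fixed in 2.6.10-rc2 it would presumably be N/A like dapper and edgy, but the line should be present.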
Copied: retired/CVE-2006-5757 (from rev 859, active/CVE-2006-5757)
===================================================================
--- retired/CVE-2006-5757 (rev 0)
+++ retired/CVE-2006-5757 2007-06-18 21:03:46 UTC (rev 860)
@@ -0,0 +1,28 @@
+Candidate: CVE-2006-5757
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e5657933863f43cc6bb76a54d659303dafaa9e58
+Description:
+ Race condition in the __find_get_block_slow function in the ISO9660
+ filesystem in Linux 2.6.18 and possibly other versions allows local
+ users to cause a denial of service (infinite loop) by mounting a
+ crafted ISO9660 filesystem containing malformed data structures.
+Ubuntu-Description:
+ A race condition was found in the grow_buffers() function. By mounting a
+ specially crafted ISO9660 or NTFS file system, a local attacker could
+ exploit this to trigger an infinite loop in the kernel, rendering the
+ machine unusable.
+Notes:
+ http://projects.info-pull.com/mokb/MOKB-05-11-2006.html
+ http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
+ dannf> Tried the MOKB-05-11-2006 reproducer on 2.4.27/ia64 & no
+ dannf> infinite loop was triggered
+ jmm> 2.4.27 has range checks, marking N/A
+Bugs:
+upstream: released (2.6.19-rc2)
+linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch]
+2.4.27-sarge-security: N/A
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
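Review bot: the Description and Ubuntu-Description disagree on scope: the former names only ISO9660, the latter "ISO9660 or NTFS", and the Notes carry two MOKB reproducers (05-11-2006 and 19-11-2006) without saying which filesystem each exercises. The 2.4.27-sarge-security: N/A rests on dannf trying only the MOKB-05-11-2006 reproducer plus jmm's "2.4.27 has range checks" remark; record whether the second reproducer was also tried against 2.4.27 before retiring. The two MOKB URLs are references rather than notes and belong under References next to the kernel.org commit, as MOKB-14-11-2006 is filed in the CVE-2006-6056 entry.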
Copied: retired/CVE-2006-6056 (from rev 859, active/CVE-2006-6056)
===================================================================
--- retired/CVE-2006-6056 (rev 0)
+++ retired/CVE-2006-6056 2007-06-18 21:03:46 UTC (rev 860)
@@ -0,0 +1,26 @@
+Candidate: CVE-2006-6056
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d6ddf55440833fd9404138026af246c51ebeef22
+ MISC:http://projects.info-pull.com/mokb/MOKB-14-11-2006.html
+Description:
+ Linux kernel 2.6.x up to 2.6.18 and possibly other versions, when SELinux
+ hooks are enabled, allows local users to cause a denial of service (crash)
+ via a malformed file stream that triggers a NULL pointer dereference in the
+ superblock_doinit function, as demonstrated using an HFS filesystem image.
+Ubuntu-Description:
+ The hfs file system driver did not properly handle corrupted data
+ structures. By mounting a specially crafted hfs file system, a local
+ attacker could exploit this to crash the kernel. This only affects
+ systems which enable SELinux (Ubuntu disables SELinux by default).
+Notes:
+ dannf> Though this bug fix applies to 2.4, 2.4 does not include SELinux
+ so it should not be vulnerable to the DoS
+Bugs:
+upstream: released (2.6.19)
+linux-2.6: released (2.6.18.dfsg.1-10)
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [hfs-no-root-inode.dpatch]
+2.4.27-sarge-security: N/A
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
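Review bot: the 2.4.27-sarge-security: N/A is justified in the Notes only by 2.4 lacking SELinux, while the same note concedes that "this bug fix applies to 2.4" and the Ubuntu-Description describes the hfs driver itself mishandling corrupted data structures (the sarge patch is named hfs-no-root-inode.dpatch). Absence of the SELinux crash path in superblock_doinit does not by itself show that 2.4 handles an image with no root inode correctly; state explicitly that N/A here means "no known security impact without SELinux" rather than "affected code not present", or carry the fix anyway since it is noted to apply. Minor: the linux-2.6 line lacks the [bugfix/2.6.16.38] tag that the etch line carries for the same upload 2.6.18.dfsg.1-10.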
Copied: retired/CVE-2007-1357 (from rev 859, active/CVE-2007-1357)
===================================================================
--- retired/CVE-2007-1357 (rev 0)
+++ retired/CVE-2007-1357 2007-06-18 21:03:46 UTC (rev 860)
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-1357
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75559c167bddc1254db5bcff032ad5eed8bd6f4a
+Description:
+Ubuntu-Description:
+ Philipp Richter discovered that the AppleTalk protocol handler did
+ not sufficiently verify the length of packets. By sending a crafted
+ AppleTalk packet, a remote attacker could exploit this to crash the
+ kernel.
+Notes:
+ dannf> commit msg says that the vulnerable code was added in 2.6.0-test5:
+ http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
+ This code was never backported to 2.4, so I'm assuming its not
+ vulnerable
+Bugs:
+upstream: released (2.6.21-rc6)
+linux-2.6: released (2.6.20-1) [bugfix/2.6.20.5]
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/appletalk-length-mismatch.patch, bugfix/appletalk-endianness-annotations.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [appletalk-length-mismatch.dpatch, appletalk-endianness-annotations.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: released (2.6.20-16.28)
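Review bot: the Description field is empty and only the Ubuntu-Description is filled, so the entry as retired carries no CVE text of its own; fill it in before retiring. The 2.4.27-sarge-security: N/A rests on dannf's reading of the commit message (vulnerable code added in 2.6.0-test5, "never backported to 2.4") and is stated as an assumption ("I'm assuming"); a one-line confirmation that the AppleTalk handler in 2.4.27 lacks the affected code would make the N/A firm. The fix is also recorded as two patches on both etch and sarge (appletalk-length-mismatch and appletalk-endianness-annotations); if the endianness annotations are only a prerequisite for the length fix to apply, say so, since the naming otherwise reads as two separate bugs.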