[kernel-sec-discuss] r1154 - active retired

jmm at alioth.debian.org jmm at alioth.debian.org
Fri Apr 4 08:23:01 UTC 2008


Author: jmm
Date: 2008-04-04 08:22:59 +0000 (Fri, 04 Apr 2008)
New Revision: 1154

Added:
   retired/CVE-2005-0977
   retired/CVE-2005-1265
   retired/CVE-2006-0558
   retired/CVE-2006-2448
   retired/CVE-2006-3468
   retired/CVE-2006-4572
   retired/CVE-2006-5755
   retired/CVE-2006-6060
   retired/CVE-2007-0958
   retired/CVE-2007-2453
Removed:
   active/CVE-2005-0977
   active/CVE-2005-1265
   active/CVE-2006-0558
   active/CVE-2006-2448
   active/CVE-2006-3468
   active/CVE-2006-4572
   active/CVE-2006-5755
   active/CVE-2006-6060
   active/CVE-2007-0958
   active/CVE-2007-2453
Log:
retire some issues now that Sarge support has ended


Deleted: active/CVE-2005-0977
===================================================================
--- active/CVE-2005-0977	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2005-0977	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,22 +0,0 @@
-Candidate: CVE-2005-0977
-References: 
- http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
- http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg
- http://lkml.org/lkml/2005/2/5/111
- http://www.securityfocus.com/bid/12970
-Description: 
- The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel
- 2.6 does not properly verify the address argument, which allows local users
- to cause a denial of service (kernel crash) via an invalid address.
-Notes: 
- dannf> 2.4 does look vulnerable, but the 2.6 fix won't work directly because
- dannf> 2.4 doesn't have i_size_read().  The 2.6 i_size_read() uses seqlocks,
- dannf> which aren't in 2.4, so the port isn't trivial for me.
- dannf> Forwarded to Willy Tarreau on 2008.01.17
-Bugs: 303177
-upstream: released (2.6.11)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16) [mm-shmem-truncate.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
-2.6.18-etch-security: N/A
-
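Review bot: the Notes removed here still record an open 2.4 follow-up (`dannf> Forwarded to Willy Tarreau on 2008.01.17`) and the `2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"` line was never resolved; retiring is consistent with the log message because 2.4.27-sarge is a Sarge kernel, but the log should state that open 2.4 porting requests are being dropped together with Sarge support, so nobody expects the retired/ copy to be updated if upstream answers.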

Deleted: active/CVE-2005-1265
===================================================================
--- active/CVE-2005-1265	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2005-1265	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,14 +0,0 @@
-Candidate: CVE-2005-1265
-References: http://www.ubuntulinux.org/support/documentation/usn/usn-137-1
-Description: 
- The mmap function in the Linux Kernel 2.6.10 can be used to create memory
- maps with a start address beyond the end address, which allows local users
- to cause a denial of service (kernel crash)
-Notes: 
- jmm> I've pulled the patch by Linus from the above-mentioned Ubuntu advisory
-Bugs: 
-upstream: released (2.6.12)
-linux-2.6: N/A
-2.6.8-sarge-security: released (2.6.8-16sarge1) [mm-mmap-range-test.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "not sure if it affects 2.4 - code is very different; need porting help"
-2.6.18-etch-security: N/A

Deleted: active/CVE-2006-0558
===================================================================
--- active/CVE-2006-0558	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-0558	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,25 +0,0 @@
-Candidate: CVE-2006-0558
-References: 
- MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero
- URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
- CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082
- BID:17482
- URL:http://www.securityfocus.com/bid/17482 
-Description: 
- perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users
- to cause a denial of service (crash) by interrupting a task while another
- process is accessing the mm_struct, which triggers a BUG_ON action in the
- put_page_testzero function.proc
-Notes: 
- dannf> This issue is unreproducible in 2.6.16, according to:
- dannf>  http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2
- dannf> So, I'm marking upstream as 2.6.16
- .
- dannf> I have a reproducer from SGI.  It causes 2.6.8 to oops, but needs to
- dannf> be ported to the 2.4 perfmon API to test 2.4.27
-Bugs: 365375
-upstream: released (2.6.16)
-linux-2.6: released (2.6.16-1)
-2.6.8-sarge-security: released (2.6.8-16sarge3) [perfmon-exit-race.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
-2.6.18-etch-security: N/A

Deleted: active/CVE-2006-2448
===================================================================
--- active/CVE-2006-2448	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-2448	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,19 +0,0 @@
-Candidate: CVE-2006-2448
-References: 
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c85d1f9d358b24c5b05c3a2783a78423775a080
-Description: 
- Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not
- perform certain required access_ok checks, which allows local users to read
- arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of
- service (crash) and possibly read kernel memory on 32-bit systems
- (signal_32.c).
-Notes: 
- dannf> Code has changed significantly since 2.6.8, its not clear to me
-        if this fix is needed or how to apply it.
-Bugs: 
-upstream: released (2.6.16.21)
-linux-2.6: released (2.6.16-15)
-2.6.8-sarge-security: ignored (2.6.8-16sarge5)
-2.4.27-sarge-security: ignored (2.4.27-10sarge4)
-2.6.18-etch-security: N/A
-

Deleted: active/CVE-2006-3468
===================================================================
--- active/CVE-2006-3468	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-3468	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,31 +0,0 @@
-Candidate: CVE-2006-3468
-References: 
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9
-Description:
- Linux kernel 2.6.x, when using both NFS and EXT3, allows remote
- attackers to cause a denial of service (file system panic) via a
- crafted UDP packet with a V2 lookup procedure that specifies a bad
- file handle (inode number), which triggers an error and causes an
- exported directory to be remounted read-only. 
-Ubuntu-Description:
- James McKenzie discovered a Denial of Service vulnerability in the
- NFS driver. When exporting an ext3 file system over NFS, a remote
- attacker could exploit this to trigger a file system panic by sending
- a specially crafted UDP packet.
-Notes: 
- http://lkml.org/lkml/2006/7/20/1: proposed patch
- unclear whether 2.4 is affected
- dannf> Submitted to Adrian Bunk for inclusion in 2.6.16.x
- dannf> ignoring 2.4 till a fix goes upstream
-Bugs: 
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199172
-upstream: released (2.6.17.8, 2.6.18-rc4)
-linux-2.6: released (2.6.18-1)
-2.6.8-sarge-security: released (2.6.8-16sarge5) [fs-ext3-bad-nfs-handle.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge4)
-2.6.10-hoary-security: released (2.6.10-34.23)
-2.6.12-breezy-security: released (2.6.12-10.37)
-2.6.15-dapper-security: released (2.6.15-26.47)
-2.6.17-edgy: released (2.6.17-10.30)
-2.6.18-etch-security: N/A
-

Deleted: active/CVE-2006-4572
===================================================================
--- active/CVE-2006-4572	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-4572	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,25 +0,0 @@
-Candidate: CVE-2006-4572
-References: 
- URL:http://readlist.com/lists/vger.kernel.org/linux-kernel/55/275979.html
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6d381634d213580d40d431e7664dfb45f641b884
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51d8b1a65291a6956b79374b6adbbadc2263bcf6
-Description: 
- Multiple unspecified vulnerabilities in netfilter for IPv6 code in Linux
- kernel before 2.6.16.31 allow remote attackers to bypass intended restrictions
- via unknown vectors, aka (1) "ip6_tables protocol bypass bug" and
- (2) "ip6_tables extension header bypass bug".
-Ubuntu-Description:
- Mark Dowd discovered that the netfilter iptables module did not
- correcly handle fragmented packets. By sending specially crafted
- packets, a remote attacker could exploit this to bypass firewall
- rules.
-Notes: 
- dannf> port to 2.4.27/2.6.8 is non-trivial, ignoring for now
-Bugs: 
-upstream: released (2.6.19)
-linux-2.6: released (2.6.18.dfsg.1-9)
-2.6.18-etch-security: released (2.6.18.dfsg.1-9)
-2.6.8-sarge-security: ignored (2.6.8-16sarge7)
-2.4.27-sarge-security: ignored (2.4.27-10sarge6)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-10.34)

Deleted: active/CVE-2006-5755
===================================================================
--- active/CVE-2006-5755	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-5755	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,30 +0,0 @@
-Candidate: CVE-2006-5755
-References:
- http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9
-Description: 
- Linux kernel before 2.6.18, when running on x86_64 systems, does not
- properly save or restore EFLAGS during a context switch, which allows
- local users to cause a denial of service (crash) by causing SYSENTER
- to set an NT flag, which can trigger a crash on the IRET of the next
- task.
-Ubuntu-Description: 
- The task switching code did not save and restore EFLAGS of processes.
- By starting a specially crafted executable, a local attacker could
- exploit this to eventually crash many other running processes. This
- only affects the amd64 platform.
-Notes: 
- jmm> 658fdbef66e5e9be79b457edc2cbbb3add840aa9
- jmm> amd64 equivalent of CVE-2006-5173
- jmm> http://www.mail-archive.com/kgdb-bugreport@lists.sourceforge.net/msg00559.html
- dannf> marking sarge/2.4 N/A since we released no sarge/2.4/amd64 kernel
- dannf> ignoring for sarge7 because backport is non-trivial
- jmm> Affects xen
-Bugs: 
-upstream: released (2.6.18)
-linux-2.6: released (2.6.18-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4)
-2.6.8-sarge-security: ignored (2.6.8-16sarge7)
-2.4.27-sarge-security: N/A
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)

Deleted: active/CVE-2006-6060
===================================================================
--- active/CVE-2006-6060	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2006-6060	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,34 +0,0 @@
-Candidate: CVE-2006-6060
-References: 
- MISC:http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
-Description: 
- The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
- other versions, allows local users to cause a denial of service (CPU
- consumption) via a malformed NTFS file stream that triggers an infinite loop
- in the __find_get_block_slow function.
-Ubuntu-Description: 
-Notes: 
- fixed by patch for CVE-2006-5757 since the bug is in the common
- __find_get_block_slow() function.
- dannf> reproducer at http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
- dannf> I mounted the reproducer fs on an ia64/2.4.27 system and though
-        it didn't cause an infinite loop, the system did lock up hard
- jmm> e5657933863f43cc6bb76a54d659303dafaa9e58 in Linus git
- dannf> The reproducer causes i386/2.4.36 to oops; but if this patch is
-        backported and applied it will print:
-           NTFS: Problem with runlist in extended record
-        ... and then oops.
-        So, I'm guessing this patch makes things better, but I don't think
-        its worth the risk of applying it unless the other oops gets fixed
-        as well.
- dannf> Unpatched 2.4.27 oopses and prints the same runlist message that
-        patched 2.4.36 prints
-Bugs: 
-upstream: released (2.6.19)
-linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]
-2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38]
-2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Fixes an oops, only to hit another oops"
-2.6.15-dapper-security: N/A - fixed in CVE-2006-5757
-2.6.17-edgy-security: N/A - already applied.
-2.6.20-feisty-security: N/A

Deleted: active/CVE-2007-0958
===================================================================
--- active/CVE-2007-0958	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2007-0958	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,21 +0,0 @@
-Candidate: CVE-2007-0958
-References: 
- MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
- CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 
-Description: 
- Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable
- binaries by using the interpreter (PT_INTERP) functionality and triggering
- a core dump, a variant of CVE-2004-1073.
-Ubuntu-Description: 
-Notes: 
- dannf> Red Hat's 2.4 isn't vulnerable; Willy Tarreau asked the reporter
-        for a reproducer in 2007.02. I sent Willy an e-mail on 2008.02.06
-        to see if he ever heard back. Until then, I'll assume 2.4 is ok.
-Bugs: 
-upstream: released (2.6.20)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/core-dump-unreadable-PT_INTERP.patch]
-2.6.8-sarge-security: released (2.6.8-16sarge7) [core-dump-unreadable-PT_INTERP.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "poked upstream on 2008.02.06"
-2.6.15-dapper-security: released (2.6.15-28.53)
-2.6.17-edgy-security: released (2.6.17.1-11.37)

Deleted: active/CVE-2007-2453
===================================================================
--- active/CVE-2007-2453	2008-04-03 23:08:16 UTC (rev 1153)
+++ active/CVE-2007-2453	2008-04-04 08:22:59 UTC (rev 1154)
@@ -1,27 +0,0 @@
-Candidate: CVE-2007-2453
-References: 
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f397dcdb78d699a20d96bfcfb595a2411a5bbd2
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=602b6aeefe8932dd8bb15014e8fe6bb25d736361
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
-Description: 
- The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x
- before 2.6.21.4, (1) does not properly seed pools when there is no entropy,
- or (2) uses an incorrect cast when extracting entropy, which might cause the
- random number generator to provide the same values after reboots on systems
- without an entropy source.
-Ubuntu-Description: 
- The random number generator was hashing a subset of the available
- entropy, leading to slightly less random numbers. Additionally, systems
- without an entropy source would be seeded with the same inputs at boot
- time, leading to a repeatable series of random numbers.
-Notes: 
- dannf> started a thread on vendor-sec about a fix for 2.4 (2008.02.06)
-Bugs: 
-upstream: released (2.6.21.4)
-linux-2.6: released (2.6.21-5)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/random-fix-seeding-with-zero-entropy.patch, bugfix/random-fix-error-in-entropy-extraction.patch]
-2.6.8-sarge-security: ignored (2.6.8-17sarge1) "2.6.8 uses HASH_TRANSFORM, so I think its N/A for the hashing issue, but we still may need the zero-entropy fix"
-2.4.27-sarge-security: N/A "Matt Mackall says these don't affect 2.4 (though 2.4 has a number of other issues)"
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39)
-2.6.20-feisty-security: released (2.6.20-16.29)

Copied: retired/CVE-2005-0977 (from rev 1153, active/CVE-2005-0977)
===================================================================
--- retired/CVE-2005-0977	                        (rev 0)
+++ retired/CVE-2005-0977	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0977
+References: 
+ http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
+ http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg
+ http://lkml.org/lkml/2005/2/5/111
+ http://www.securityfocus.com/bid/12970
+Description: 
+ The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel
+ 2.6 does not properly verify the address argument, which allows local users
+ to cause a denial of service (kernel crash) via an invalid address.
+Notes: 
+ dannf> 2.4 does look vulnerable, but the 2.6 fix won't work directly because
+ dannf> 2.4 doesn't have i_size_read().  The 2.6 i_size_read() uses seqlocks,
+ dannf> which aren't in 2.4, so the port isn't trivial for me.
+ dannf> Forwarded to Willy Tarreau on 2008.01.17
+Bugs: 303177
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [mm-shmem-truncate.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
+2.6.18-etch-security: N/A
+

Copied: retired/CVE-2005-1265 (from rev 1153, active/CVE-2005-1265)
===================================================================
--- retired/CVE-2005-1265	                        (rev 0)
+++ retired/CVE-2005-1265	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,14 @@
+Candidate: CVE-2005-1265
+References: http://www.ubuntulinux.org/support/documentation/usn/usn-137-1
+Description: 
+ The mmap function in the Linux Kernel 2.6.10 can be used to create memory
+ maps with a start address beyond the end address, which allows local users
+ to cause a denial of service (kernel crash)
+Notes: 
+ jmm> I've pulled the patch by Linus from the above-mentioned Ubuntu advisory
+Bugs: 
+upstream: released (2.6.12)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [mm-mmap-range-test.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "not sure if it affects 2.4 - code is very different; need porting help"
+2.6.18-etch-security: N/A

Copied: retired/CVE-2006-0558 (from rev 1153, active/CVE-2006-0558)
===================================================================
--- retired/CVE-2006-0558	                        (rev 0)
+++ retired/CVE-2006-0558	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-0558
+References: 
+ MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero
+ URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082
+ BID:17482
+ URL:http://www.securityfocus.com/bid/17482 
+Description: 
+ perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users
+ to cause a denial of service (crash) by interrupting a task while another
+ process is accessing the mm_struct, which triggers a BUG_ON action in the
+ put_page_testzero function.proc
+Notes: 
+ dannf> This issue is unreproducible in 2.6.16, according to:
+ dannf>  http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2
+ dannf> So, I'm marking upstream as 2.6.16
+ .
+ dannf> I have a reproducer from SGI.  It causes 2.6.8 to oops, but needs to
+ dannf> be ported to the 2.4 perfmon API to test 2.4.27
+Bugs: 365375
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3) [perfmon-exit-race.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
+2.6.18-etch-security: N/A
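Review bot: the Description carries a stray token in `+ put_page_testzero function.proc`; since the entry is being re-created under retired/ anyway, drop the trailing `proc` so the record ends with `put_page_testzero function.` rather than leaving the typo in the archived copy.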

Copied: retired/CVE-2006-2448 (from rev 1153, active/CVE-2006-2448)
===================================================================
--- retired/CVE-2006-2448	                        (rev 0)
+++ retired/CVE-2006-2448	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,19 @@
+Candidate: CVE-2006-2448
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c85d1f9d358b24c5b05c3a2783a78423775a080
+Description: 
+ Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not
+ perform certain required access_ok checks, which allows local users to read
+ arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of
+ service (crash) and possibly read kernel memory on 32-bit systems
+ (signal_32.c).
+Notes: 
+ dannf> Code has changed significantly since 2.6.8, its not clear to me
+        if this fix is needed or how to apply it.
+Bugs: 
+upstream: released (2.6.16.21)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: ignored (2.6.8-16sarge5)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
+2.6.18-etch-security: N/A
+

Copied: retired/CVE-2006-3468 (from rev 1153, active/CVE-2006-3468)
===================================================================
--- retired/CVE-2006-3468	                        (rev 0)
+++ retired/CVE-2006-3468	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,31 @@
+Candidate: CVE-2006-3468
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9
+Description:
+ Linux kernel 2.6.x, when using both NFS and EXT3, allows remote
+ attackers to cause a denial of service (file system panic) via a
+ crafted UDP packet with a V2 lookup procedure that specifies a bad
+ file handle (inode number), which triggers an error and causes an
+ exported directory to be remounted read-only. 
+Ubuntu-Description:
+ James McKenzie discovered a Denial of Service vulnerability in the
+ NFS driver. When exporting an ext3 file system over NFS, a remote
+ attacker could exploit this to trigger a file system panic by sending
+ a specially crafted UDP packet.
+Notes: 
+ http://lkml.org/lkml/2006/7/20/1: proposed patch
+ unclear whether 2.4 is affected
+ dannf> Submitted to Adrian Bunk for inclusion in 2.6.16.x
+ dannf> ignoring 2.4 till a fix goes upstream
+Bugs: 
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199172
+upstream: released (2.6.17.8, 2.6.18-rc4)
+linux-2.6: released (2.6.18-1)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [fs-ext3-bad-nfs-handle.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
+2.6.10-hoary-security: released (2.6.10-34.23)
+2.6.12-breezy-security: released (2.6.12-10.37)
+2.6.15-dapper-security: released (2.6.15-26.47)
+2.6.17-edgy: released (2.6.17-10.30)
+2.6.18-etch-security: N/A
+
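Review bot: the tracking line `+2.6.17-edgy: released (2.6.17-10.30)` is the only Ubuntu suite line in this commit without the `-security` suffix (compare `2.6.17-edgy-security:` in CVE-2006-4572 and CVE-2006-5755, and `2.6.15-dapper-security:` a line above); normalise it to `2.6.17-edgy-security:` while the file is being moved so the key matches the convention used everywhere else.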

Copied: retired/CVE-2006-4572 (from rev 1153, active/CVE-2006-4572)
===================================================================
--- retired/CVE-2006-4572	                        (rev 0)
+++ retired/CVE-2006-4572	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-4572
+References: 
+ URL:http://readlist.com/lists/vger.kernel.org/linux-kernel/55/275979.html
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6d381634d213580d40d431e7664dfb45f641b884
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51d8b1a65291a6956b79374b6adbbadc2263bcf6
+Description: 
+ Multiple unspecified vulnerabilities in netfilter for IPv6 code in Linux
+ kernel before 2.6.16.31 allow remote attackers to bypass intended restrictions
+ via unknown vectors, aka (1) "ip6_tables protocol bypass bug" and
+ (2) "ip6_tables extension header bypass bug".
+Ubuntu-Description:
+ Mark Dowd discovered that the netfilter iptables module did not
+ correcly handle fragmented packets. By sending specially crafted
+ packets, a remote attacker could exploit this to bypass firewall
+ rules.
+Notes: 
+ dannf> port to 2.4.27/2.6.8 is non-trivial, ignoring for now
+Bugs: 
+upstream: released (2.6.19)
+linux-2.6: released (2.6.18.dfsg.1-9)
+2.6.18-etch-security: released (2.6.18.dfsg.1-9)
+2.6.8-sarge-security: ignored (2.6.8-16sarge7)
+2.4.27-sarge-security: ignored (2.4.27-10sarge6)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-10.34)
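Review bot: typo carried into the retired copy in the Ubuntu-Description, `+ correcly handle fragmented packets.`; change to `correctly` in the new file.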

Copied: retired/CVE-2006-5755 (from rev 1153, active/CVE-2006-5755)
===================================================================
--- retired/CVE-2006-5755	                        (rev 0)
+++ retired/CVE-2006-5755	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,30 @@
+Candidate: CVE-2006-5755
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9
+Description: 
+ Linux kernel before 2.6.18, when running on x86_64 systems, does not
+ properly save or restore EFLAGS during a context switch, which allows
+ local users to cause a denial of service (crash) by causing SYSENTER
+ to set an NT flag, which can trigger a crash on the IRET of the next
+ task.
+Ubuntu-Description: 
+ The task switching code did not save and restore EFLAGS of processes.
+ By starting a specially crafted executable, a local attacker could
+ exploit this to eventually crash many other running processes. This
+ only affects the amd64 platform.
+Notes: 
+ jmm> 658fdbef66e5e9be79b457edc2cbbb3add840aa9
+ jmm> amd64 equivalent of CVE-2006-5173
+ jmm> http://www.mail-archive.com/kgdb-bugreport@lists.sourceforge.net/msg00559.html
+ dannf> marking sarge/2.4 N/A since we released no sarge/2.4/amd64 kernel
+ dannf> ignoring for sarge7 because backport is non-trivial
+ jmm> Affects xen
+Bugs: 
+upstream: released (2.6.18)
+linux-2.6: released (2.6.18-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4)
+2.6.8-sarge-security: ignored (2.6.8-16sarge7)
+2.4.27-sarge-security: N/A
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)

Copied: retired/CVE-2006-6060 (from rev 1153, active/CVE-2006-6060)
===================================================================
--- retired/CVE-2006-6060	                        (rev 0)
+++ retired/CVE-2006-6060	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,34 @@
+Candidate: CVE-2006-6060
+References: 
+ MISC:http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
+Description: 
+ The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
+ other versions, allows local users to cause a denial of service (CPU
+ consumption) via a malformed NTFS file stream that triggers an infinite loop
+ in the __find_get_block_slow function.
+Ubuntu-Description: 
+Notes: 
+ fixed by patch for CVE-2006-5757 since the bug is in the common
+ __find_get_block_slow() function.
+ dannf> reproducer at http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
+ dannf> I mounted the reproducer fs on an ia64/2.4.27 system and though
+        it didn't cause an infinite loop, the system did lock up hard
+ jmm> e5657933863f43cc6bb76a54d659303dafaa9e58 in Linus git
+ dannf> The reproducer causes i386/2.4.36 to oops; but if this patch is
+        backported and applied it will print:
+           NTFS: Problem with runlist in extended record
+        ... and then oops.
+        So, I'm guessing this patch makes things better, but I don't think
+        its worth the risk of applying it unless the other oops gets fixed
+        as well.
+ dannf> Unpatched 2.4.27 oopses and prints the same runlist message that
+        patched 2.4.36 prints
+Bugs: 
+upstream: released (2.6.19)
+linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Fixes an oops, only to hit another oops"
+2.6.15-dapper-security: N/A - fixed in CVE-2006-5757
+2.6.17-edgy-security: N/A - already applied.
+2.6.20-feisty-security: N/A

Copied: retired/CVE-2007-0958 (from rev 1153, active/CVE-2007-0958)
===================================================================
--- retired/CVE-2007-0958	                        (rev 0)
+++ retired/CVE-2007-0958	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-0958
+References: 
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 
+Description: 
+ Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable
+ binaries by using the interpreter (PT_INTERP) functionality and triggering
+ a core dump, a variant of CVE-2004-1073.
+Ubuntu-Description: 
+Notes: 
+ dannf> Red Hat's 2.4 isn't vulnerable; Willy Tarreau asked the reporter
+        for a reproducer in 2007.02. I sent Willy an e-mail on 2008.02.06
+        to see if he ever heard back. Until then, I'll assume 2.4 is ok.
+Bugs: 
+upstream: released (2.6.20)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/core-dump-unreadable-PT_INTERP.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [core-dump-unreadable-PT_INTERP.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "poked upstream on 2008.02.06"
+2.6.15-dapper-security: released (2.6.15-28.53)
+2.6.17-edgy-security: released (2.6.17.1-11.37)

Copied: retired/CVE-2007-2453 (from rev 1133, active/CVE-2007-2453)
===================================================================
--- retired/CVE-2007-2453	                        (rev 0)
+++ retired/CVE-2007-2453	2008-04-04 08:22:59 UTC (rev 1154)
@@ -0,0 +1,27 @@
+Candidate: CVE-2007-2453
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f397dcdb78d699a20d96bfcfb595a2411a5bbd2
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=602b6aeefe8932dd8bb15014e8fe6bb25d736361
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
+Description: 
+ The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x
+ before 2.6.21.4, (1) does not properly seed pools when there is no entropy,
+ or (2) uses an incorrect cast when extracting entropy, which might cause the
+ random number generator to provide the same values after reboots on systems
+ without an entropy source.
+Ubuntu-Description: 
+ The random number generator was hashing a subset of the available
+ entropy, leading to slightly less random numbers. Additionally, systems
+ without an entropy source would be seeded with the same inputs at boot
+ time, leading to a repeatable series of random numbers.
+Notes: 
+ dannf> started a thread on vendor-sec about a fix for 2.4 (2008.02.06)
+Bugs: 
+upstream: released (2.6.21.4)
+linux-2.6: released (2.6.21-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/random-fix-seeding-with-zero-entropy.patch, bugfix/random-fix-error-in-entropy-extraction.patch]
+2.6.8-sarge-security: N/A "2.6.8 uses HASH_TRANSFORM, so I think its N/A"
+2.4.27-sarge-security: N/A "Matt Mackall says these don't affect 2.4 (though 2.4 has a number of other issues)"
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39)
+2.6.20-feisty-security: released (2.6.20-16.29)
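Review bot: this file is copied from rev 1133 rather than rev 1153 like the other nine, and the result regresses the tracking state: the active file deleted in this same commit had `2.6.8-sarge-security: ignored (2.6.8-17sarge1) "2.6.8 uses HASH_TRANSFORM, so I think its N/A for the hashing issue, but we still may need the zero-entropy fix"`, whereas the retired copy reverts to `+2.6.8-sarge-security: N/A "2.6.8 uses HASH_TRANSFORM, so I think its N/A"`. Re-copy from rev 1153 (or re-apply that line) so the archived record keeps the later assessment that the zero-entropy seeding fix may still apply to 2.6.8.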



