[kernel-sec-discuss] r1142 - active retired

jmm at alioth.debian.org
Fri Feb 22 22:05:23 UTC 2008


Author: jmm
Date: 2008-02-22 22:05:22 +0000 (Fri, 22 Feb 2008)
New Revision: 1142

Added:
   retired/CVE-2006-5823
   retired/CVE-2006-6054
   retired/CVE-2006-7203
   retired/CVE-2007-1353
   retired/CVE-2007-2172
   retired/CVE-2007-2525
   retired/CVE-2007-3105
   retired/CVE-2007-3739
   retired/CVE-2007-3740
   retired/CVE-2007-4308
   retired/CVE-2007-4573
Removed:
   active/CVE-2006-5823
   active/CVE-2006-6054
   active/CVE-2006-7203
   active/CVE-2007-1353
   active/CVE-2007-2172
   active/CVE-2007-2525
   active/CVE-2007-3105
   active/CVE-2007-3739
   active/CVE-2007-3740
   active/CVE-2007-4308
   active/CVE-2007-4573
Log:
retire more issues


Deleted: active/CVE-2006-5823
===================================================================
--- active/CVE-2006-5823	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2006-5823	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,26 +0,0 @@
-Candidate: CVE-2006-5823
-References: 
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a
- MISC:http://projects.info-pull.com/mokb/MOKB-07-11-2006.html
- SECUNIA:22767
- URL:http://secunia.com/advisories/22767 
-Description: 
- The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a
- denial of service (crash) via a malformed filesystem that uses zlib
- compression that triggers memory corruption, as demonstrated using cramfs.
-Ubuntu-Description: 
- A buffer overread was found in the zlib_inflate() function. By
- tricking an user into mounting a specially crafted file system which
- uses zlib compression (such as cramfs), this could be exploited to
- crash the kernel.
-Notes: 
- dannf> This is reproducible in 2.4.27
-Bugs: 
-upstream: released (2.4.36-pre2, 2.6.20-rc1)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-10)
-2.6.8-sarge-security: released (2.6.8-17sarge1) [cramfs-check-block-length.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [254_cramfs-check-block-length.diff]
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)

Deleted: active/CVE-2006-6054
===================================================================
--- active/CVE-2006-6054	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2006-6054	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,24 +0,0 @@
-Candidate: CVE-2006-6054
-References: 
- http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.19.y.git;a=commit;h=8d312ae11257a259d78e122fd73274b8ef4789d1
- http://projects.info-pull.com/mokb/MOKB-12-11-2006.html
-Description: 
- The ext2 file system code in Linux kernel 2.6.x allows local users to cause a
- denial of service (crash) via an ext2 stream with malformed data structures
- that triggers an error in the ext2_check_page due to a length that is smaller
- than the minimum.
-Ubuntu-Description: 
- The ext2 file system driver did not properly handle corrupted data
- structures. By mounting a specially crafted ext2 file system, a local
- attacker could exploit this to crash the kernel.
-Notes: 
- dannf> 2.4 backports submitted upstream on 2008.01.21
-Bugs: 
-upstream: released (2.6.20-rc5)
-linux-2.6: released (2.6.18.dfsg.1-10) [bugfix/2.6.18.38]
-2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [ext2-skip-pages-past-num-blocks.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [258_ext2_readdir-f_pos-fix.diff, 259_ext2_readdir-infinite-loop.diff, 260_ext2-skip-pages-past-num-blocks.diff]
-2.6.12-breezy-security: released (2.6.12-10.43)
-2.6.15-dapper-security: released (2.6.15-28.51)
-2.6.17-edgy-security: released (2.6.17.1-11.35)

Deleted: active/CVE-2006-7203
===================================================================
--- active/CVE-2006-7203	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2006-7203	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,22 +0,0 @@
-Candidate: CVE-2006-7203
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
-Description: 
- The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20
- and earlier allows local users to cause a denial of service (NULL
- pointer dereference and oops) by mounting a smbfs file system in
- compatibility mode ("mount -t smbfs").
-Ubuntu-Description: 
- The compat_sys_mount function allowed local users to cause a denial of
- service when mounting a smbfs filesystem in compatibility mode.
-Notes: 
- jmm> Vulnerable code not present in 2.4.27
-Bugs: 
-upstream: released (2.6.20, 2.6.18.6)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-9) [bugfix/2.6.18.6]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [compat_sys_mount-NULL-data_page.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [b47f37617947e31bb19441e18714683e4ec86820]
-2.6.20-feisty-security: N/A

Deleted: active/CVE-2007-1353
===================================================================
--- active/CVE-2007-1353	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-1353	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,26 +0,0 @@
-Candidate: CVE-2007-1353
-References: 
- http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34.3
- http://www.securityfocus.com/bid/23594
- http://www.frsirt.com/english/advisories/2007/1495
- http://secunia.com/advisories/24976 
-Description: 
- The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux
- kernel before 2.4.34.3 allows context-dependent attackers to read kernel
- memory and obtain sensitive information via unspecified vectors involving the
- copy_from_user function accessing an uninitialized stack buffer.
-Ubuntu-Description: 
- Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
- kernel memory contents via an uninitialized stack buffer.  A local 
- attacker could exploit this flaw to view sensitive kernel information.
-Notes:  
- jmm> This was fixed in git on 2007-05-04, marking 2.6.22 as fixed version
-Bugs: 
-upstream: released (2.6.22)
-linux-2.6: released (2.6.22-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/bluetooth-l2cap-hci-info-leaks.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [bluetooth-l2cap-hci-info-leaks.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [244_bluetooth-l2cap-hci-info-leaks.diff]
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [6529b3249b30c826d8ab991d839c6cb4e952c1ed]
-2.6.20-feisty-security: released (2.6.20-16.29)

Deleted: active/CVE-2007-2172
===================================================================
--- active/CVE-2007-2172	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-2172	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,26 +0,0 @@
-Candidate: CVE-2007-2172
-References: 
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a979101106f549f4ed80d6dcbc35077be34d4346
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
-Description: 
- A typo in Linux kernel 2.6 before 2.6.21-rc6 causes RTA_MAX to be
- used as an array size instead of RTN_MAX, which leads to an "out of
- bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
- fib_props (fib_semantics.c, IPv4) functions.
-Ubuntu-Description: 
- The IPv4 and DECnet network protocol handlers misdeclared an array
- variable so that it became smaller than intended. By sending crafted
- packets over a netlink socket, a local attacker could exploit this
- to crash the kernel.
-Notes: 
- dannf> Debian kernels currently only have the decnet patch - ipv4 patch
-        is still needed
-Bugs: 
-upstream: released (2.4.34.3, 2.6.21)
-linux-2.6: released (2.6.21-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/dn_fib-out-of-bounds.patch, bugfix/ipv4-fib_props-out-of-bounds.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [dn_fib-out-of-bounds.dpatch, ipv4-fib_props-out-of-bounds.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [246_dn_fib-out-of-bounds.diff, 266_ipv4-fib_props-out-of-bounds.diff]
-2.6.15-dapper-security: released (2.6.15-28.54)
-2.6.17-edgy-security: released (2.6.17.1-11.38)
-2.6.20-feisty-security: released (2.6.20-16.28)

Deleted: active/CVE-2007-2525
===================================================================
--- active/CVE-2007-2525	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-2525	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,22 +0,0 @@
-Candidate: CVE-2007-2525 
-References: 
-Description: 
- Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the
- Linux kernel before 2.6.21-git8 allows local users to cause a denial of
- service (memory consumption) by creating a socket using connect, and
- releasing it before the PPPIOCGCHAN ioctl is initialized.
-Ubuntu-Description: 
- A flaw was discovered in the PPP over Ethernet implementation.  Local
- attackers could manipulate ioctls and cause kernel memory consumption
- leading to a denial of service.
-Notes: 
- jmm> 202a03acf9994076055df40ae093a5c5474ad0bd
-Bugs: 
-upstream: released (2.6.21)
-linux-2.6: released (2.6.21-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/pppoe-socket-release-mem-leak.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [pppoe-socket-release-mem-leak.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [255_pppoe-socket-release-mem-leak.diff]
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [123623f9ad4d9bbe55c03b33ce79123e948b107f]
-2.6.20-feisty-security: released (2.6.20-16.31) [168038c2da7f984a07fd169270b2cac561e1c90c]

Deleted: active/CVE-2007-3105
===================================================================
--- active/CVE-2007-3105	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-3105	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,28 +0,0 @@
-Candidate: CVE-2007-3105
-References: 
-Description: 
- Stack-based buffer overflow in the random number generator (RNG)
- implementation in the Linux kernel before 2.6.22 might allow local root
- users to cause a denial of service or gain privileges by setting the
- default wakeup threshold to a value greater than the output pool size,
- which triggers writing random numbers to the stack by the pool transfer
- function involving "bound check ordering". NOTE: this issue might only
- cross privilege boundaries in environments that have granular assignment
- of privileges for root.
-Ubuntu-Description: 
- A buffer overflow was discovered in the random number generator.  In
- environments with granular assignment of root privileges, a local attacker
- could gain additional privileges.
-Notes: 
- jmm> Vulnerable code not present in 2.4.27
- jmm> 2.6.8 is affected, but since we don't have full SE Linux support in
- jmm> Sarge, I don't believe this is an issue, which needs to be fixed
-Bugs: 
-upstream: released (2.6.21, 2.6.22.3)
-linux-2.6: released (2.6.21-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/random-bound-check-ordering.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge2) [random-bound-check-ordering.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.58) 
-2.6.17-edgy-security: released (2.6.17.1-12.40) [f22710043b7d89b496f7910e9c87ed62519dff14]
-2.6.20-feisty-security: released (2.6.20-16.31) [542a98d0809f0eccc5cf23ed402285e995e0b31e]

Deleted: active/CVE-2007-3739
===================================================================
--- active/CVE-2007-3739	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-3739	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,31 +0,0 @@
-Candidate: CVE-2007-3739
-References: 
- MLIST:[lkml] 20070129 [PATCH] Don't allow the stack to grow into hugetlb reserved regions
- URL:http://lkml.org/lkml/2007/1/29/180
- MISC:https://bugzilla.redhat.com/show_bug.cgi?id=253313
- REDHAT:RHSA-2007:0705
- URL:http://www.redhat.com/support/errata/RHSA-2007-0705.html
- SECUNIA:26760
- URL:http://secunia.com/advisories/26760
- XF:kernel-stack-expansion-dos(36592)
- URL:http://xforce.iss.net/xforce/xfdb/36592 
-Description: 
- mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does
- not prevent stack expansion from entering into reserved kernel page
- memory, which allows local users to cause a denial of service (OOPS)
- via unspecified vectors.
-Ubuntu-Description: 
- It was discovered that hugetlb kernels on PowerPC systems did not prevent
- the stack from colliding with reserved kernel memory.  Local attackers
- could exploit this and crash the system, causing a denial of service.
-Notes: 
- jmm> 68589bc353037f233fe510ad9ff432338c95db66
-Bugs: 
-upstream: released (2.6.20)
-linux-2.6: released (2.6.20)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch3) [bugfix/prevent-stack-growth-into-hugetlb-region.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [prevent-stack-growth-into-hugetlb-region.dpatch]
-2.4.27-sarge-security: N/A "files/functions non-existant in 2.4"
-2.6.15-dapper-security: released (2.6.15-29.59)
-2.6.17-edgy-security: released (2.6.17.1-12.41 ae30f170a8c2988179b2b34c7e562f57eb0556bc)
-2.6.20-feisty-security: released (2.6.20-16.32 e84eef7bd84cb46ae573e21d4047fa2a65072294)

Deleted: active/CVE-2007-3740
===================================================================
--- active/CVE-2007-3740	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-3740	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,25 +0,0 @@
-Candidate: CVE-2007-3740
-References: 
- https://bugzilla.redhat.com/show_bug.cgi?id=253314
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f
-Description: 
- The CIFS filesystem, when Unix extension support is enabled, does
- not honor the umask of a process, which allows local users to gain
- privileges.
-Ubuntu-Description: 
- It was discovered that certain CIFS filesystem actions did not honor the
- umask of a process.  Local attackers could exploit this to gain additional
- privileges.
- jmm> from maks:
- jmm> 3ce53fc4c57603d99c330a6ee2fe96d94f2d350f v2.6.22-rc5
- jmm> a8cd925f74c3b1b6d1192f9e75f9d12cc2ab148a v2.6.24-rc1
-Notes: 
-Bugs: 
-upstream: released (2.6.22-rc5) [3ce53fc4c57603d99c330a6ee2fe96d94f2d350f]
-linux-2.6: released (2.6.22-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch3) [bugfix/cifs-honor-umask.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [cifs-honor-umask.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.59)
-2.6.17-edgy-security: released (2.6.17.1-12.41 79255d92e1277021fc1be8e72897fe6177ab9b67)
-2.6.20-feisty-security: released (2.6.20-16.32 d01415424757d4573d6fb28e44858607dca80eaa)

Deleted: active/CVE-2007-4308
===================================================================
--- active/CVE-2007-4308	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-4308	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,25 +0,0 @@
-Candidate: CVE-2007-4308
-References: 
- http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.23-rc2
- http://lkml.org/lkml/2007/7/23/195
- linux-2.6 commit 719be62903a6e6419789557cb3ed0e840d3e4ca9
-Description: 
- The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI
- layer ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do
- not check permissions for ioctls, which might allow local users to
- cause a denial of service or gain privileges.
-Ubuntu-Description: 
- It was discovered that the aacraid SCSI driver did not correctly check
- permissions on certain ioctls.  A local attacker could cause a denial
- of service or gain privileges.
-Notes: 
- jmm> 2.4.27 code is quite different, but appears vulnerable as well
-Bugs: 443694
-upstream: released (2.6.23-rc2)
-linux-2.6: released (2.6.22-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/aacraid-ioctl-perm-check.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [aacraid-ioctl-perm-check.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [262_aacraid-ioctl-perm-check.diff]
-2.6.15-dapper-security: released (2.6.15-29.58)
-2.6.17-edgy-security: released (2.6.17.1-12.40)
-2.6.20-feisty-security: released (2.6.20-16.31)

Deleted: active/CVE-2007-4573
===================================================================
--- active/CVE-2007-4573	2008-02-22 22:00:24 UTC (rev 1141)
+++ active/CVE-2007-4573	2008-02-22 22:05:22 UTC (rev 1142)
@@ -1,19 +0,0 @@
-Candidate: CVE-2007-4573
-References: 
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=176df2457ef6207156ca1a40991c54ca01fef567
-Description: 
-Ubuntu-Description: 
- Wojciech Purczynski discovered that the Linux kernel ia32 syscall
- emulation in x86_64 kernels did not correctly clear the high bits of
- registers.  Local attackers could exploit this to gain root privileges.
-Notes: 
- jmm> Fix in etch3 didn't fix the problem for Xen guests
-Bugs: 
-upstream: released (2.6.22.7)
-linux-2.6: released (2.6.22-5)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/amd64-zero-extend-32bit-ptrace.patch, bugfix/amd64-zero-extend-32bit-ptrace-xen.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [amd64-zero-extend-32bit-ptrace.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.59)
-2.6.17-edgy-security: released (2.6.17.1-12.41 bac7adb35e5a3630511249b4f1bbdaff3b574455)
-2.6.20-feisty-security: released (2.6.20-16.32 1145a8797aa4994275922e9fde299e7bb115edf0)

Copied: retired/CVE-2006-5823 (from rev 1141, active/CVE-2006-5823)
===================================================================
--- retired/CVE-2006-5823	                        (rev 0)
+++ retired/CVE-2006-5823	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,26 @@
+Candidate: CVE-2006-5823
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a
+ MISC:http://projects.info-pull.com/mokb/MOKB-07-11-2006.html
+ SECUNIA:22767
+ URL:http://secunia.com/advisories/22767 
+Description: 
+ The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a
+ denial of service (crash) via a malformed filesystem that uses zlib
+ compression that triggers memory corruption, as demonstrated using cramfs.
+Ubuntu-Description: 
+ A buffer overread was found in the zlib_inflate() function. By
+ tricking an user into mounting a specially crafted file system which
+ uses zlib compression (such as cramfs), this could be exploited to
+ crash the kernel.
+Notes: 
+ dannf> This is reproducible in 2.4.27
+Bugs: 
+upstream: released (2.4.36-pre2, 2.6.20-rc1)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-10)
+2.6.8-sarge-security: released (2.6.8-17sarge1) [cramfs-check-block-length.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [254_cramfs-check-block-length.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)

Copied: retired/CVE-2006-6054 (from rev 1141, active/CVE-2006-6054)
===================================================================
--- retired/CVE-2006-6054	                        (rev 0)
+++ retired/CVE-2006-6054	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-6054
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.19.y.git;a=commit;h=8d312ae11257a259d78e122fd73274b8ef4789d1
+ http://projects.info-pull.com/mokb/MOKB-12-11-2006.html
+Description: 
+ The ext2 file system code in Linux kernel 2.6.x allows local users to cause a
+ denial of service (crash) via an ext2 stream with malformed data structures
+ that triggers an error in the ext2_check_page due to a length that is smaller
+ than the minimum.
+Ubuntu-Description: 
+ The ext2 file system driver did not properly handle corrupted data
+ structures. By mounting a specially crafted ext2 file system, a local
+ attacker could exploit this to crash the kernel.
+Notes: 
+ dannf> 2.4 backports submitted upstream on 2008.01.21
+Bugs: 
+upstream: released (2.6.20-rc5)
+linux-2.6: released (2.6.18.dfsg.1-10) [bugfix/2.6.18.38]
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [ext2-skip-pages-past-num-blocks.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [258_ext2_readdir-f_pos-fix.diff, 259_ext2_readdir-infinite-loop.diff, 260_ext2-skip-pages-past-num-blocks.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
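Review bot: the `linux-2.6` and `2.6.18-etch-security` lines both record the same upload (2.6.18.dfsg.1-10) but cite different stable patches, `bugfix/2.6.18.38` on one line and `bugfix/2.6.16.38` on the other; one upload cannot carry both names, so one of the two is a typo and should be corrected before the entry is retired. The Notes line also says the 2.4 backports were only submitted upstream on 2008.01.21, while the `upstream:` line lists just 2.6.20-rc5; if the 2.4 side was never merged, retiring the entry hides that open item.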

Copied: retired/CVE-2006-7203 (from rev 1141, active/CVE-2006-7203)
===================================================================
--- retired/CVE-2006-7203	                        (rev 0)
+++ retired/CVE-2006-7203	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-7203
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
+Description: 
+ The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20
+ and earlier allows local users to cause a denial of service (NULL
+ pointer dereference and oops) by mounting a smbfs file system in
+ compatibility mode ("mount -t smbfs").
+Ubuntu-Description: 
+ The compat_sys_mount function allowed local users to cause a denial of
+ service when mounting a smbfs filesystem in compatibility mode.
+Notes: 
+ jmm> Vulnerable code not present in 2.4.27
+Bugs: 
+upstream: released (2.6.20, 2.6.18.6)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-9) [bugfix/2.6.18.6]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [compat_sys_mount-NULL-data_page.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [b47f37617947e31bb19441e18714683e4ec86820]
+2.6.20-feisty-security: N/A

Copied: retired/CVE-2007-1353 (from rev 1141, active/CVE-2007-1353)
===================================================================
--- retired/CVE-2007-1353	                        (rev 0)
+++ retired/CVE-2007-1353	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-1353
+References: 
+ http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.34.3
+ http://www.securityfocus.com/bid/23594
+ http://www.frsirt.com/english/advisories/2007/1495
+ http://secunia.com/advisories/24976 
+Description: 
+ The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux
+ kernel before 2.4.34.3 allows context-dependent attackers to read kernel
+ memory and obtain sensitive information via unspecified vectors involving the
+ copy_from_user function accessing an uninitialized stack buffer.
+Ubuntu-Description: 
+ Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak
+ kernel memory contents via an uninitialized stack buffer.  A local 
+ attacker could exploit this flaw to view sensitive kernel information.
+Notes:  
+ jmm> This was fixed in git on 2007-05-04, marking 2.6.22 as fixed version
+Bugs: 
+upstream: released (2.6.22)
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/bluetooth-l2cap-hci-info-leaks.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [bluetooth-l2cap-hci-info-leaks.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [244_bluetooth-l2cap-hci-info-leaks.diff]
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [6529b3249b30c826d8ab991d839c6cb4e952c1ed]
+2.6.20-feisty-security: released (2.6.20-16.29)
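Review bot: the `upstream:` line records only 2.6.22, while the References cite ChangeLog-2.4.34.3 and the Description itself says "before 2.4.34.3"; other entries in this commit (CVE-2007-2172) list both branches, e.g. `upstream: released (2.4.34.3, 2.6.21)`, so this line should name the 2.4 fixed version as well.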

Copied: retired/CVE-2007-2172 (from rev 1141, active/CVE-2007-2172)
===================================================================
--- retired/CVE-2007-2172	                        (rev 0)
+++ retired/CVE-2007-2172	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-2172
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a979101106f549f4ed80d6dcbc35077be34d4346
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a0ee18b9b7d3847976c6fb315c06a34fb296de0e
+Description: 
+ A typo in Linux kernel 2.6 before 2.6.21-rc6 causes RTA_MAX to be
+ used as an array size instead of RTN_MAX, which leads to an "out of
+ bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2)
+ fib_props (fib_semantics.c, IPv4) functions.
+Ubuntu-Description: 
+ The IPv4 and DECnet network protocol handlers misdeclared an array
+ variable so that it became smaller than intended. By sending crafted
+ packets over a netlink socket, a local attacker could exploit this
+ to crash the kernel.
+Notes: 
+ dannf> Debian kernels currently only have the decnet patch - ipv4 patch
+        is still needed
+Bugs: 
+upstream: released (2.4.34.3, 2.6.21)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/dn_fib-out-of-bounds.patch, bugfix/ipv4-fib_props-out-of-bounds.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [dn_fib-out-of-bounds.dpatch, ipv4-fib_props-out-of-bounds.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [246_dn_fib-out-of-bounds.diff, 266_ipv4-fib_props-out-of-bounds.diff]
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: released (2.6.20-16.28)
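Review bot: the Notes entry "Debian kernels currently only have the decnet patch - ipv4 patch is still needed" is stale; the status lines directly below list both `dn_fib-out-of-bounds` and `ipv4-fib_props-out-of-bounds` patches as released for etch, sarge and 2.4.27. A retired entry should not carry an open action item, so drop or amend the note before moving the file.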

Copied: retired/CVE-2007-2525 (from rev 1141, active/CVE-2007-2525)
===================================================================
--- retired/CVE-2007-2525	                        (rev 0)
+++ retired/CVE-2007-2525	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,22 @@
+Candidate: CVE-2007-2525 
+References: 
+Description: 
+ Memory leak in the PPP over Ethernet (PPPoE) socket implementation in the
+ Linux kernel before 2.6.21-git8 allows local users to cause a denial of
+ service (memory consumption) by creating a socket using connect, and
+ releasing it before the PPPIOCGCHAN ioctl is initialized.
+Ubuntu-Description: 
+ A flaw was discovered in the PPP over Ethernet implementation.  Local
+ attackers could manipulate ioctls and cause kernel memory consumption
+ leading to a denial of service.
+Notes: 
+ jmm> 202a03acf9994076055df40ae093a5c5474ad0bd
+Bugs: 
+upstream: released (2.6.21)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/pppoe-socket-release-mem-leak.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [pppoe-socket-release-mem-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [255_pppoe-socket-release-mem-leak.diff]
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [123623f9ad4d9bbe55c03b33ce79123e948b107f]
+2.6.20-feisty-security: released (2.6.20-16.31) [168038c2da7f984a07fd169270b2cac561e1c90c]
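Review bot: `References:` is empty, and the only pointer to the upstream fix is the bare commit id 202a03acf9994076055df40ae093a5c5474ad0bd under Notes; move it into References (as the other entries do with their kernel.org commit URLs) so the retired record still identifies the fixing commit.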

Copied: retired/CVE-2007-3105 (from rev 1141, active/CVE-2007-3105)
===================================================================
--- retired/CVE-2007-3105	                        (rev 0)
+++ retired/CVE-2007-3105	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-3105
+References: 
+Description: 
+ Stack-based buffer overflow in the random number generator (RNG)
+ implementation in the Linux kernel before 2.6.22 might allow local root
+ users to cause a denial of service or gain privileges by setting the
+ default wakeup threshold to a value greater than the output pool size,
+ which triggers writing random numbers to the stack by the pool transfer
+ function involving "bound check ordering". NOTE: this issue might only
+ cross privilege boundaries in environments that have granular assignment
+ of privileges for root.
+Ubuntu-Description: 
+ A buffer overflow was discovered in the random number generator.  In
+ environments with granular assignment of root privileges, a local attacker
+ could gain additional privileges.
+Notes: 
+ jmm> Vulnerable code not present in 2.4.27
+ jmm> 2.6.8 is affected, but since we don't have full SE Linux support in
+ jmm> Sarge, I don't believe this is an issue, which needs to be fixed
+Bugs: 
+upstream: released (2.6.21, 2.6.22.3)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/random-bound-check-ordering.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge2) [random-bound-check-ordering.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.58) 
+2.6.17-edgy-security: released (2.6.17.1-12.40) [f22710043b7d89b496f7910e9c87ed62519dff14]
+2.6.20-feisty-security: released (2.6.20-16.31) [542a98d0809f0eccc5cf23ed402285e995e0b31e]
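Review bot: the Notes still say 2.6.8 is "not an issue, which needs to be fixed", but `2.6.8-sarge-security: released (2.6.8-17sarge2) [random-bound-check-ordering.dpatch]` shows a fix was shipped after all; update the note so the retired record reflects the final decision rather than the earlier one. `References:` is also empty here although the Bugs section names the patch, so a pointer to the upstream commit would help.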

Copied: retired/CVE-2007-3739 (from rev 1141, active/CVE-2007-3739)
===================================================================
--- retired/CVE-2007-3739	                        (rev 0)
+++ retired/CVE-2007-3739	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,31 @@
+Candidate: CVE-2007-3739
+References: 
+ MLIST:[lkml] 20070129 [PATCH] Don't allow the stack to grow into hugetlb reserved regions
+ URL:http://lkml.org/lkml/2007/1/29/180
+ MISC:https://bugzilla.redhat.com/show_bug.cgi?id=253313
+ REDHAT:RHSA-2007:0705
+ URL:http://www.redhat.com/support/errata/RHSA-2007-0705.html
+ SECUNIA:26760
+ URL:http://secunia.com/advisories/26760
+ XF:kernel-stack-expansion-dos(36592)
+ URL:http://xforce.iss.net/xforce/xfdb/36592 
+Description: 
+ mm/mmap.c in the hugetlb kernel, when run on PowerPC systems, does
+ not prevent stack expansion from entering into reserved kernel page
+ memory, which allows local users to cause a denial of service (OOPS)
+ via unspecified vectors.
+Ubuntu-Description: 
+ It was discovered that hugetlb kernels on PowerPC systems did not prevent
+ the stack from colliding with reserved kernel memory.  Local attackers
+ could exploit this and crash the system, causing a denial of service.
+Notes: 
+ jmm> 68589bc353037f233fe510ad9ff432338c95db66
+Bugs: 
+upstream: released (2.6.20)
+linux-2.6: released (2.6.20)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch3) [bugfix/prevent-stack-growth-into-hugetlb-region.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [prevent-stack-growth-into-hugetlb-region.dpatch]
+2.4.27-sarge-security: N/A "files/functions non-existant in 2.4"
+2.6.15-dapper-security: released (2.6.15-29.59)
+2.6.17-edgy-security: released (2.6.17.1-12.41 ae30f170a8c2988179b2b34c7e562f57eb0556bc)
+2.6.20-feisty-security: released (2.6.20-16.32 e84eef7bd84cb46ae573e21d4047fa2a65072294)
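Review bot: `linux-2.6: released (2.6.20)` gives an upstream version where every other entry in this commit gives a Debian package version (`2.6.20-1`); it should be the package revision that carried the fix. The edgy and feisty lines also place the commit id inside the parentheses, `(2.6.17.1-12.41 ae30f170...)`, while the other entries put it in `[...]` after the version; keeping one format makes the field parseable.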

Copied: retired/CVE-2007-3740 (from rev 1141, active/CVE-2007-3740)
===================================================================
--- retired/CVE-2007-3740	                        (rev 0)
+++ retired/CVE-2007-3740	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,25 @@
+Candidate: CVE-2007-3740
+References: 
+ https://bugzilla.redhat.com/show_bug.cgi?id=253314
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3ce53fc4c57603d99c330a6ee2fe96d94f2d350f
+Description: 
+ The CIFS filesystem, when Unix extension support is enabled, does
+ not honor the umask of a process, which allows local users to gain
+ privileges.
+Ubuntu-Description: 
+ It was discovered that certain CIFS filesystem actions did not honor the
+ umask of a process.  Local attackers could exploit this to gain additional
+ privileges.
+ jmm> from maks:
+ jmm> 3ce53fc4c57603d99c330a6ee2fe96d94f2d350f v2.6.22-rc5
+ jmm> a8cd925f74c3b1b6d1192f9e75f9d12cc2ab148a v2.6.24-rc1
+Notes: 
+Bugs: 
+upstream: released (2.6.22-rc5) [3ce53fc4c57603d99c330a6ee2fe96d94f2d350f]
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch3) [bugfix/cifs-honor-umask.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [cifs-honor-umask.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.59)
+2.6.17-edgy-security: released (2.6.17.1-12.41 79255d92e1277021fc1be8e72897fe6177ab9b67)
+2.6.20-feisty-security: released (2.6.20-16.32 d01415424757d4573d6fb28e44858607dca80eaa)
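Review bot: the three `jmm> from maks:` lines with the upstream commit ids sit under `Ubuntu-Description:` while `Notes:` is left empty; anything scanning the Notes field will miss them, so move them under `Notes:` before retiring. The second commit there, a8cd925f74c3b1b6d1192f9e75f9d12cc2ab148a (v2.6.24-rc1), is not mentioned on the `upstream:` line, which cites only 3ce53fc4; the entry should say whether that later commit is part of the fix.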

Copied: retired/CVE-2007-4308 (from rev 1141, active/CVE-2007-4308)
===================================================================
--- retired/CVE-2007-4308	                        (rev 0)
+++ retired/CVE-2007-4308	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,25 @@
+Candidate: CVE-2007-4308
+References: 
+ http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.23-rc2
+ http://lkml.org/lkml/2007/7/23/195
+ linux-2.6 commit 719be62903a6e6419789557cb3ed0e840d3e4ca9
+Description: 
+ The (1) aac_cfg_open and (2) aac_compat_ioctl functions in the SCSI
+ layer ioctl path in aacraid in the Linux kernel before 2.6.23-rc2 do
+ not check permissions for ioctls, which might allow local users to
+ cause a denial of service or gain privileges.
+Ubuntu-Description: 
+ It was discovered that the aacraid SCSI driver did not correctly check
+ permissions on certain ioctls.  A local attacker could cause a denial
+ of service or gain privileges.
+Notes: 
+ jmm> 2.4.27 code is quite different, but appears vulnerable as well
+Bugs: 443694
+upstream: released (2.6.23-rc2)
+linux-2.6: released (2.6.22-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/aacraid-ioctl-perm-check.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [aacraid-ioctl-perm-check.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [262_aacraid-ioctl-perm-check.diff]
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-12.40)
+2.6.20-feisty-security: released (2.6.20-16.31)

Copied: retired/CVE-2007-4573 (from rev 1141, active/CVE-2007-4573)
===================================================================
--- retired/CVE-2007-4573	                        (rev 0)
+++ retired/CVE-2007-4573	2008-02-22 22:05:22 UTC (rev 1142)
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-4573
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=176df2457ef6207156ca1a40991c54ca01fef567
+Description: 
+Ubuntu-Description: 
+ Wojciech Purczynski discovered that the Linux kernel ia32 syscall
+ emulation in x86_64 kernels did not correctly clear the high bits of
+ registers.  Local attackers could exploit this to gain root privileges.
+Notes: 
+ jmm> Fix in etch3 didn't fix the problem for Xen guests
+Bugs: 
+upstream: released (2.6.22.7)
+linux-2.6: released (2.6.22-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/amd64-zero-extend-32bit-ptrace.patch, bugfix/amd64-zero-extend-32bit-ptrace-xen.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [amd64-zero-extend-32bit-ptrace.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.59)
+2.6.17-edgy-security: released (2.6.17.1-12.41 bac7adb35e5a3630511249b4f1bbdaff3b574455)
+2.6.20-feisty-security: released (2.6.20-16.32 1145a8797aa4994275922e9fde299e7bb115edf0)
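Review bot: `Description:` is empty, so after the move the only text describing the issue is the Ubuntu wording; fill in the description before retiring. The Notes line "Fix in etch3 didn't fix the problem for Xen guests" is answered by the etch4 line with `bugfix/amd64-zero-extend-32bit-ptrace-xen.patch`, so the note should state that the Xen case was closed in 2.6.18.dfsg.1-13etch4.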
