[kernel-sec-discuss] r1197 - active retired
dannf at alioth.debian.org
Sun Jul 20 21:58:01 UTC 2008
Author: dannf
Date: 2008-07-20 21:58:00 +0000 (Sun, 20 Jul 2008)
New Revision: 1197
Added:
retired/CVE-2006-6058
retired/CVE-2006-7229
retired/CVE-2007-0004
retired/CVE-2007-2242
retired/CVE-2007-3104
retired/CVE-2007-3513
retired/CVE-2007-3848
retired/CVE-2007-4130
retired/CVE-2007-4133
retired/CVE-2007-4571
retired/CVE-2007-4997
retired/CVE-2007-5087
retired/CVE-2007-5093
retired/CVE-2007-5494
retired/CVE-2007-5500
retired/CVE-2007-5904
retired/CVE-2007-5938
retired/CVE-2007-5966
retired/CVE-2007-6063
retired/CVE-2007-6151
retired/CVE-2007-6206
retired/CVE-2007-6417
retired/CVE-2007-6694
retired/CVE-2007-6712
retired/CVE-2008-0001
retired/CVE-2008-0007
retired/CVE-2008-0009
retired/CVE-2008-0010
retired/CVE-2008-0163
retired/CVE-2008-0352
retired/CVE-2008-0600
retired/CVE-2008-1294
retired/CVE-2008-1375
retired/CVE-2008-1615
retired/CVE-2008-1669
retired/CVE-2008-1675
retired/block-all-signals-race
Removed:
active/CVE-2006-6058
active/CVE-2006-7229
active/CVE-2007-0004
active/CVE-2007-2242
active/CVE-2007-3104
active/CVE-2007-3513
active/CVE-2007-3848
active/CVE-2007-4130
active/CVE-2007-4133
active/CVE-2007-4571
active/CVE-2007-4997
active/CVE-2007-5087
active/CVE-2007-5093
active/CVE-2007-5494
active/CVE-2007-5500
active/CVE-2007-5904
active/CVE-2007-5938
active/CVE-2007-5966
active/CVE-2007-6063
active/CVE-2007-6151
active/CVE-2007-6206
active/CVE-2007-6417
active/CVE-2007-6694
active/CVE-2007-6712
active/CVE-2008-0001
active/CVE-2008-0007
active/CVE-2008-0009
active/CVE-2008-0010
active/CVE-2008-0163
active/CVE-2008-0352
active/CVE-2008-0600
active/CVE-2008-1294
active/CVE-2008-1375
active/CVE-2008-1615
active/CVE-2008-1669
active/CVE-2008-1675
active/block-all-signals-race
Modified:
active/CVE-2006-6921
active/CVE-2006-7051
active/CVE-2007-2480
active/CVE-2007-3719
active/CVE-2007-6282
active/CVE-2007-6514
active/CVE-2008-0598
active/CVE-2008-2750
active/CVE-2008-2812
active/CVE-2008-2931
Log:
Debian updates; retire several issues
Deleted: active/CVE-2006-6058
===================================================================
--- active/CVE-2006-6058 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2006-6058 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,37 +0,0 @@
-Candidate: CVE-2006-6058
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=f0ae3188daf70ed07a4dfbeb133bef3a92838a15
- MISC:http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
- FRSIRT:ADV-2006-4613
- URL:http://www.frsirt.com/english/advisories/2006/4613
- SECUNIA:23034
- URL:http://secunia.com/advisories/23034
-Description:
- The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
- other versions, allows local users to cause a denial of service (hang) via a
- malformed minix file stream that triggers an infinite loop in the minix_bmap
- function. NOTE: this issue might be due to an integer overflow or signedness
- error.
-Ubuntu-Description:
- The minix filesystem did not properly validate certain filesystem values.
- If a local attacker could trick the system into attempting to mount a
- corrupted minix filesystem, the kernel could be made to hang for long
- periods of time, resulting in a denial of service.
-Notes:
- dannf> ignored for sarge for now - only applies under very rare circumstances
- and don't know if there's an upstream fix
- jmm> We can ignore this, it has no practical ramifications
- dannf> Though I agree its minor, I suspect its not so rare that admins
- set user-mountable media's filesystem type to 'auto' in fstab,
- allowing them to use any fs on the system. I could see this being
- used to annoy sysadmins, e.g., in a university lab setting
-Bugs:
-upstream: released (2.6.23.7, 2.6.24-rc1) [f44ec6f3f89889a469773b1fd894f8fcc07c29cf]
-linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/minixfs-printk-hang.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [minixfs-printk-hang.dpatch]
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no printk_ratelimit in 2.4 - needs port"
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: released (2.6.17.1-12.42)
-2.6.20-feisty-security: released (2.6.20-16.33)
-2.6.22-gutsy-security: released (2.6.22-14.47)
Modified: active/CVE-2006-6921
===================================================================
--- active/CVE-2006-6921 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2006-6921 2008-07-20 21:58:00 UTC (rev 1197)
@@ -15,6 +15,7 @@
upstream:
linux-2.6: needed
2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch6) "no upstream fix"
+2.6.24-etchnhalf-security: ignored "no upstream fix"
2.6.8-sarge-security: ignored (2.6.8-16sarge7)
2.4.27-sarge-security: N/A
2.6.15-dapper-security: ignored
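Review bot: the added line '2.6.24-etchnhalf-security: ignored "no upstream fix"' omits the version the decision was taken against, whereas the neighbouring ignored entries record one, e.g. '2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch6) "no upstream fix"'. Consider 'ignored (<version>) "no upstream fix"' so the etchnhalf status can be re-checked the same way later; the same applies to the etchnhalf lines added to the other modified entries in this revision.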
Modified: active/CVE-2006-7051
===================================================================
--- active/CVE-2006-7051 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2006-7051 2008-07-20 21:58:00 UTC (rev 1197)
@@ -18,10 +18,13 @@
on the number of pending signals
kees> Pending signals limit is now set by pam 0.99.x.
jmm> d02479bdeb1c9b037892061cdcf4e730183391fa
+ dannf> The milw0rm exploit seems to still work on 2.6.24, so I don't think
+ the d02479b changeset changed this behavior.
Bugs:
upstream: released (2.6.23-rc4)
linux-2.6: released (2.6.23-1)
2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch6) "no upstream patch"
+2.6.24-etchnhalf-security: ignored "no upstream patch"
2.6.8-sarge-security: ignored (2.6.8-17sarge1) "no upstream patch"
2.4.27-sarge-security: N/A "No posix-timers.c"
2.6.15-dapper-security: ignore (no upstream patch)
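Review bot: the Bugs block still records 'upstream: released (2.6.23-rc4)' while the note added just above it reports that the exploit still works on 2.6.24 and doubts that the d02479b changeset changed the behaviour. If that observation holds, the upstream status (and the 'linux-2.6: released (2.6.23-1)' line that follows from it) should be revisited rather than leaving the two statements in conflict.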
Deleted: active/CVE-2006-7229
===================================================================
--- active/CVE-2006-7229 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2006-7229 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,17 +0,0 @@
-Candidate: CVE-2006-7229
-References:
- https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/65631
-Description:
-Ubuntu-Description:
-Notes:
- dannf> This appears to be Ubuntu-specific
-Bugs:
-upstream: N/A
-linux-2.6: N/A
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: N/A
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
Deleted: active/CVE-2007-0004
===================================================================
--- active/CVE-2007-0004 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-0004 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,29 +0,0 @@
-Candidate: CVE-2007-0004
-Description:
- The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL)
- 3, when a filesystem is mounted with the noacl option, checks permissions for
- the open system call via vfs_permission (mode bits) data rather than an NFS
- ACCESS call to the server, which allows local client processes to obtain a
- false success status from open calls that the server would deny, and possibly
- obtain sensitive information about file permissions on the server, as
- demonstrated in a root_squash environment. NOTE: it is uncertain whether any
- scenarios involving this issue cross privilege boundaries.
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=199715
-Ubuntu-Description:
-Notes:
- dannf> Don't know that this bug every affected upstream, but looks like we
- may have introduced it into 2.4.27 w/ 084_ea_acl-2.diff
- dannf> Unknown security implications (though certainly a bug), and RHEL3
- never included the patch in their bugzilla, so ignoring
-Bugs:
-upstream: N/A
-linux-2.6: N/A
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: ignored (2.4.27-10sarge6)
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
Deleted: active/CVE-2007-2242
===================================================================
--- active/CVE-2007-2242 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-2242 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,33 +0,0 @@
-Candidate: CVE-2007-2242
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=010831ab8436dfd9304b203467566fb6b135c24f
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=9d08f139275450f9366d85ba09b9a2e09bb33766
-Description:
- The IPv6 protocol allows remote attackers to cause a denial of service via
- crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network
- amplification between two routers.
-Ubuntu-Description:
- A flaw was discovered in the IPv6 stack's handling of type 0 route headers.
- By sending a specially crafted IPv6 packet, a remote attacker could cause
- a denial of service between two IPv6 hosts.
-Notes:
- dannf> Some info from Vlad Yasevich:
- <vlad> dannf: is someone including commits 010831ab8436dfd9304b203467566fb6b135c24f and 9d08f139275450f9366d85ba09b9a2e09bb33766 (IPv6 routing header changes) in the debian kernel?
- ...
- <dannf> vlad: right, but (010831ab8436dfd9304b203467566fb6b135c24f) is security, so it'll be included in etch if necessary
- <dannf> s/necessary/affected/
- <vlad> dannf: you need the second one I listed as well, since the first one has a bug in it.
- <dannf> vlad: oh, ok - thx
- <vlad> dannf: although for the purposes of 2.6.18, the second one might be a no-op and the first one might need to be modified a bit.
- jmm> Contacted Willy
- dannf> functions are different, but 2.4 code looks similar
- dannf> My 2.4 backport attempt causes a crash at boot time, ignoring for now
-Bugs: 421595
-upstream: released (2.6.21)
-linux-2.6: released (2.6.21-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/ipv6-disallow-RH0-by-default.patch]
-2.6.8-sarge-security: needed
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "needs port"
-2.6.15-dapper-security: released (2.6.15-29.58)
-2.6.17-edgy-security: released (2.6.17.1-11.39) [fee89820efa8e3479b39149dcfb2b1bccdaadedc]
-2.6.20-feisty-security: released (2.6.20-16.28)
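Review bot: this entry is moved to retired/ with '2.6.8-sarge-security: needed' still open, while every other suite is either released or ignored with a reason. If sarge is no longer being updated, record that explicitly (for example 'ignored (EOL)', as the edgy lines in other entries do) before retiring, otherwise the open item disappears from the active list without a decision.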
Modified: active/CVE-2007-2480
===================================================================
--- active/CVE-2007-2480 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-2480 2008-07-20 21:58:00 UTC (rev 1197)
@@ -14,6 +14,7 @@
upstream: released (2.6.22)
linux-2.6: released (2.6.22-1)
2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch6) "needs backport"
+2.6.24-etchnhalf-security: N/A
2.6.8-sarge-security: ignored (2.6.8-17sarge1) "needs backport"
2.4.27-sarge-security: ignored (2.4.27-10sarge6) "needs backport if affected"
2.6.15-dapper-security: N/A
Deleted: active/CVE-2007-3104
===================================================================
--- active/CVE-2007-3104 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-3104 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,21 +0,0 @@
-Candidate: CVE-2007-3104
-References:
-Description:
- The sysfs_readdir function in the Linux kernel in Red Hat Enterprise
- Linux 4.5 allows local users to cause a denial of service (kernel OOPS)
- by dereferencing a null pointer to an inode in a dentry.
-Ubuntu-Description:
- A flaw in the sysfs_readdir function allowed a local user to cause a
- denial of service by dereferencing a NULL pointer.
-Notes:
- pkl> Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
- jmm> 01da2425f327d7ac673e594bee5655523115970b
-Bugs:
-upstream: released (2.6.22.2)
-linux-2.6: released (2.6.22-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/sysfs_readdir-NULL-deref-1.patch, bugfix/sysfs_readdir-NULL-deref-2.patch, bugfix/sysfs-fix-condition-check.patch]
-2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore"
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.58)
-2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]
-2.6.20-feisty-security: released (2.6.20-16.31) [5ca45c7e9e3d363c7bd3a5419742cb3368baf474]
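Review bot: '2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore"' is still a conditional status; retiring the entry should settle it, i.e. change it to 'ignored' with that reason if no reproducer was found.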
Deleted: active/CVE-2007-3513
===================================================================
--- active/CVE-2007-3513 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-3513 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,19 +0,0 @@
-Candidate: CVE-2007-3513
-References:
-Description:
- The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel
- before 2.6.22-rc7 does not limit the amount of memory used by a caller,
- which allows local users to cause a denial of service (memory consumption).
-Ubuntu-Description:
- A flaw was discovered in the usblcd driver. A local attacker could cause
- large amounts of kernel memory consumption, leading to a denial of service.
-Notes:
-Bugs:
-upstream: released (2.6.22-rc7)
-linux-2.6: released (2.6.22-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/usblcd-limit-memory-consumption.patch]
-2.6.8-sarge-security: ignored (2.6.8-17sarge1) "Too different"
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Too different"
-2.6.15-dapper-security: released (2.6.15-28.57)
-2.6.17-edgy-security: released (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7]
-2.6.20-feisty-security: released (2.6.20-16.31) [165018c61779a357d33947a2ae169148b6ab8d9f]
Modified: active/CVE-2007-3719
===================================================================
--- active/CVE-2007-3719 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-3719 2008-07-20 21:58:00 UTC (rev 1197)
@@ -12,6 +12,7 @@
upstream:
linux-2.6:
2.6.18-etch-security: ignored (2.6.18.dfsg.1-13etch6) "no upstream fix"
+2.6.24-etchnhalf-security: ignored "low priority/no upstream fix"
2.6.8-sarge-security: ignored (2.6.8-17sarge1) "no upstream fix"
2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no upstream fix"
2.6.15-dapper-security: ignored (low priority, no obvious upstream fix)
Deleted: active/CVE-2007-3848
===================================================================
--- active/CVE-2007-3848 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-3848 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,22 +0,0 @@
-Candidate: CVE-2007-3848
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
-Description:
- Linux kernel 2.4.35 and other versions allows local users to send
- arbitrary signals to a child process that is running at higher privileges
- by causing a setuid-root parent process to die, which delivers an
- attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
-Ubuntu-Description:
- It was discovered that certain setuid-root processes did not correctly
- reset process death signal handlers. A local user could manipulate this
- to send signals to processes they would not normally have access to.
-Notes:
-Bugs:
-upstream: released (2.6.22.4)
-linux-2.6: released (2.6.22-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/reset-pdeathsig-on-suid.patch]
-2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [247_reset-pdeathsig-on-suid.diff]
-2.6.15-dapper-security: released (2.6.15-29.58)
-2.6.17-edgy-security: released (2.6.17.1-12.40)
-2.6.20-feisty-security: released (2.6.20-16.31)
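Review bot: '2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch]' is retired while still pending, yet other entries in this same revision list 2.6.8-17sarge1 as released (e.g. CVE-2006-6058's '2.6.8-sarge-security: released (2.6.8-17sarge1)'). Update it to 'released' if that upload went out so the retired record is accurate.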
Deleted: active/CVE-2007-4130
===================================================================
--- active/CVE-2007-4130 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-4130 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,20 +0,0 @@
-Candidate: CVE-2007-4130
-Description:
- The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux (RHEL) 4
- on Itanium (ia64) does not properly handle page faults during NUMA memory
- access, which allows local users to cause a denial of service (panic) via
- invalid arguments to set_mempolicy in an MPOL_BIND operation.
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: ignored (2.6.18.dfsg.1-18etch2) "no known upstream fix"
-2.6.8-sarge-security: ignored (2.6.8-17sarge2) "no known upstream fix"
-2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no known upstream fix"
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
Deleted: active/CVE-2007-4133
===================================================================
--- active/CVE-2007-4133 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-4133 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,26 +0,0 @@
-Candidate: CVE-2007-4133
-References:
- http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6
- https://bugzilla.redhat.com/show_bug.cgi?id=253926
-Description:
- The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
- in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
- certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
- units, which allows local users to cause a denial of service (panic)
- via unspecified vectors.
-Ubuntu-Description:
- Certain calculations in the hugetlb code were not correct. A local
- attacker could exploit this to cause a kernel panic, leading to a denial
- of service.
-Notes:
- jmm> 2.4 doesn't contain hugetlbfs
-Bugs:
-upstream: released (2.6.19)
-linux-2.6: released (2.6.20-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/hugetlb-prio_tree-unit-fix.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [hugetlb-prio_tree-unit-fix.dpatch]
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: released (2.6.17.1-12.42)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
Deleted: active/CVE-2007-4571
===================================================================
--- active/CVE-2007-4571 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-4571 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,30 +0,0 @@
-Candidate: CVE-2007-4571
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ccec6e2c4a74adf76ed4e2478091a311b1806212
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=788450fa451454cc8ff3593b4f9fdb653c296583
- http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600
-Description:
- The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux
- Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return
- the correct write size, which allows local users to obtain sensitive
- information (kernel memory contents) via a small count argument, as
- demonstrated by multiple reads of /proc/driver/snd-page-alloc.
-Ubuntu-Description:
- It was discovered that the ALSA /proc interface did not write the
- correct number of bytes when reporting memory allocations. A local
- attacker might be able to access sensitive kernel memory, leading to
- a loss of privacy.
-Notes:
- dannf> ABI changer, was reverted from etch-security (r9547)
-Bugs:
-upstream: released (2.6.22.8)
-linux-2.6: released (2.6.22-5)
-2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/proc-snd-page-alloc-mem-leak.patch]
-2.6.8-sarge-security: N/A "cannot reproduce w/ ALSA in 2.6.8, alsa-driver package was affected/fixed in DSA 1505"
-2.4.27-sarge-security: N/A "alsa-driver package was affected/fixed in DSA 1505"
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
Deleted: active/CVE-2007-4997
===================================================================
--- active/CVE-2007-4997 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-4997 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,28 +0,0 @@
-Candidate: CVE-2007-4997
-References:
- http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
-Description:
-Ubuntu-Description:
- Chris Evans discovered that the 802.11 network stack did not correctly
- handle certain QOS frames. A remote attacker on the local wireless network
- could send specially crafted packets that would panic the kernel, resulting
- in a denial of service.
-Notes:
- > The summary is that an evil 80211 frame can crash out a victim's
- > machine. It only applies to drivers using the 80211 wireless code, and
- > only then to certain drivers (and even then depends on a card's
- > firmware not dropping a dubious packet). I must confess I'm not
- > keeping track of Linux wireless support, and the different protocol
- > stacks etc.
- jmm> 04045f98e0457aba7d4e6736f37eed189c48a5f7
-Bugs:
-upstream: released (2.6.23)
-linux-2.6: released (2.6.23-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/ieee80211-underflow.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: released (2.6.17.1-12.42)
-2.6.20-feisty-security: released (2.6.20-16.33)
-2.6.22-gutsy-security: released (2.6.22-14.47)
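Review bot: 'Description:' is empty although the Ubuntu-Description and the quoted report both describe the issue; since retired entries are consulted later, the CVE text should be filled in before the file moves to retired/.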
Deleted: active/CVE-2007-5087
===================================================================
--- active/CVE-2007-5087 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5087 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,24 +0,0 @@
-Candidate: CVE-2007-5087
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.35.y.git;a=commitdiff;h=b7ae15e7707050baafe5a35e3d4f2d175197d222
-Description:
- The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is
- enabled, allows local users to cause a denial of service (kernel panic) by
- reading /proc/net/atm/arp before the CLIP module has been loaded.
-Ubuntu-Description:
-Notes:
-Bugs:
- dannf> Vulnerable code was added to 2.4 in:
- http://linux.bkbits.net:8080/linux-2.4/?PAGE=gnupatch&REV=1.1448.44.17
- which was after 2.4.27
- dannf> The commit notes that 2.6 isn't vulnerable because teh arp entry is
- handled in clip.c. I've verified this is true for both 2.6.8 and 2.6.18.
-upstream: released (2.4.36-pre2)
-linux-2.6: N/A
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
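Review bot: the two dannf> notes sit under 'Bugs:' instead of 'Notes:', which is left empty; move them up so anything parsing the Bugs block does not trip over them. The same lines also carry the typo 'teh arp entry'.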
Deleted: active/CVE-2007-5093
===================================================================
--- active/CVE-2007-5093 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5093 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,35 +0,0 @@
-Candidate: CVE-2007-5093
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6-stable.git;a=commitdiff;h=852ffe0acf89f959e8d35080bbd2bdc2d8f2e9e5
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d
- MLIST:20070902 Oops in pwc v4l driver
- URL:http://marc.info/?l=linux-kernel&m=118873457814808&w=2
- MLIST:20070903 Re: Oops in pwc v4l driver
- URL:http://marc.info/?l=linux-kernel&m=118880154122548&w=2
- CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6
- BID:25504
- URL:http://www.securityfocus.com/bid/25504
-Description:
- The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel
- 2.6.x before 2.6.22.6 "relies on user space to close the device," which
- allows user-assisted local attackers to cause a denial of service (USB
- subsystem hang and CPU consumption in khubd) by not closing the device after
- the disconnect is invoked. NOTE: this rarely crosses privilege boundaries,
- unless the attacker can convince the victim to unplug the affected device.
-Ubuntu-Description:
- The Philips USB Webcam driver did not correctly handle disconnects.
- If a local attacker tricked another user into disconnecting a webcam
- unsafely, the kernel could hang or consume CPU resources, leading to
- a denial of service.
-Notes:
- kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6ce4
-Bugs:
-upstream: released (2.6.22.6)
-linux-2.6: released (2.6.23-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/usb-pwc-disconnect-block.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [usb-pwc-disconnect-block.dpatch]
-2.4.27-sarge-security: released (2.4.17-10sarge6) [263_usb-pwc-disconnect-block.diff]
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: released (2.6.17.1-12.42)
-2.6.20-feisty-security: released (2.6.20-16.33)
-2.6.22-gutsy-security: N/A
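Review bot: '2.4.27-sarge-security: released (2.4.17-10sarge6)' has the wrong package version; the 2.4 sarge kernel is recorded as 2.4.27-10sarge6 everywhere else in this revision (e.g. CVE-2007-3848, CVE-2007-6063), so this should read 'released (2.4.27-10sarge6) [263_usb-pwc-disconnect-block.diff]'.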
Deleted: active/CVE-2007-5494
===================================================================
--- active/CVE-2007-5494 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5494 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,16 +0,0 @@
-Candidate: CVE-2007-5494
-Description:
-References:
-Ubuntu-Description:
-Notes:
- jmm> Debian doesn't provide that patch
-Bugs:
-upstream: N/A
-linux-2.6: N/A
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
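Review bot: this entry records neither a description nor references, only 'jmm> Debian doesn't provide that patch'; the retired record should name the patch in question so the N/A markings can be verified later.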
Deleted: active/CVE-2007-5500
===================================================================
--- active/CVE-2007-5500 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5500 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,24 +0,0 @@
-Candidate: CVE-2007-5500
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=36ef66c5d137b9a31fd8c35d236fb9e26ef74f97
-Description:
- wait_task_stopped: Check p->exit_state instead of TASK_TRACED
-Ubuntu-Description:
- Scott James Remnant discovered that the waitid function could be made
- to hang the system. A local attacker could execute a specially crafted
- program which would leave the system unresponsive, resulting in a denial
- of service.
-Notes:
- kees> 2.6.15 does not actually lock up -- it just spins in userspace
- jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308
- jmm> 2.6.14 is the first major release to be affected, marking earlier versions N/A
-Bugs:
-upstream: released (2.6.23.8)
-linux-2.6: released (2.6.23-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/wait_task_stopped-hang.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-29.61)
-2.6.17-edgy-security: released (2.6.17.1-12.42)
-2.6.20-feisty-security: released (2.6.20-16.33)
-2.6.22-gutsy-security: released (2.6.22-14.47)
Deleted: active/CVE-2007-5904
===================================================================
--- active/CVE-2007-5904 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5904 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,27 +0,0 @@
-Candidate: CVE-2007-5904
-Description:
- Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
- allows remote attackers to cause a denial of service (crash) and possibly
- execute arbitrary code via long SMB responses that trigger the overflows in
- the SendReceive function.
-References:
- http://marc.info/?l=linux-kernel&m=119455843205403&w=2
- http://marc.info/?l=linux-kernel&m=119457447724276&w=2
- http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3
-Ubuntu-Description:
- Multiple buffer overflows were discovered in the handling of CIFS
- filesystems. A malicious CIFS server could cause a client system crash
- or possibly execute arbitrary code with kernel privileges.
-Notes:
- kees> failed mount errors: a761ac579b89bc1f00212a42401398108deba65c
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/cifs-better-failed-mount-errors.patch, bugfix/cifs-corrupt-server-response-overflow.patch]
-2.6.8-sarge-security: ignored (2.6.8-17sarge2) "needs port if vulnerable"
-2.4.27-sarge-security: N/A "No CIFS"
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: N/A
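Review bot: 'upstream:' and 'linux-2.6:' are blank although the References list the cifs fix commit 133672efbc1085f9af990bdc145e1822ea93bcf3 and every distribution line below is resolved; fill in the two fields (version and commit) before retiring, as the other entries do.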
Deleted: active/CVE-2007-5938
===================================================================
--- active/CVE-2007-5938 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5938 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,23 +0,0 @@
-Candidate: CVE-2007-5938
-Description:
- The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier
- dereferences an iwl_get_hw_mode return value without checking for NULL, which might
- allow remote attackers to cause a denial of service (kernel panic) via unspecified
- vectors during module initialization.
-References:
- http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618
- http://bugs.gentoo.org/show_bug.cgi?id=199209
-Ubuntu-Description:
-Notes:
- jmm> c4ba9621f4f241f8c4d4f620ad4257af59d21f3e
-Bugs:
-upstream: released (2.6.24-rc4)
-linux-2.6: released (2.6.23-2)
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
Deleted: active/CVE-2007-5966
===================================================================
--- active/CVE-2007-5966 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-5966 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,17 +0,0 @@
-Candidate: CVE-2007-5966
-Description:
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5;hp=f194d132e4971111f85c18c96067acffb13cee6d
-Ubuntu-Description:
-Notes:
- dannf> hrtimer.c file didn't exist in 2.4.27/2.6.8
-Bugs:
-upstream: released (2.6.24-rc5)
-linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/hrtimer-large-relative-timeouts-overflow.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
Deleted: active/CVE-2007-6063
===================================================================
--- active/CVE-2007-6063 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6063 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,22 +0,0 @@
-Candidate: CVE-2007-6063
-Description:
- Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel
- 2.6.23 allows local users to have an unknown impact via a crafted argument to
- the isdn_ioctl function.
-References:
- http://bugzilla.kernel.org/show_bug.cgi?id=9416
- http://www.securityfocus.com/bid/26605
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40
-Ubuntu-Description:
-Notes:
- jmm> eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
-Bugs:
-upstream: released (2.6.24-rc4) [0f13864e5b24d9cbe18d125d41bfa4b726a82e40]
-linux-2.6: released (2.6.23-2)
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/isdn-net-overflow.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [isdn-net-overflow.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [257_isdn-net-overflow.diff]
-2.6.15-dapper-security: released (2.6.15-51.65)
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
Deleted: active/CVE-2007-6151
===================================================================
--- active/CVE-2007-6151 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6151 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,19 +0,0 @@
-Candidate: CVE-2007-6151
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
-Description:
- The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows
- local users to cause a denial of service via a struct in which iocts is
- not null terminated, which triggers a buffer overflow.
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream:
-linux-2.6: released (2.6.23-2)
-2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/i4l-isdn_ioctl-mem-overrun.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [i4l-isdn_ioctl-mem-overrun.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [256_i4l-isdn_ioctl-mem-overrun.diff]
-2.6.15-dapper-security: released (2.6.15-51.65)
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
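Review bot: `upstream:` is left blank even though References already carries the fix commit (eafe1aa3...), so the file is retired without saying which upstream release fixed it; fill it in the format used elsewhere, e.g. `upstream: released (<version>) [eafe1aa37e6ec2d56f14732b5240c4dd09f0613a]`, with the version taken from the tag containing that commit.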
Deleted: active/CVE-2007-6206
===================================================================
--- active/CVE-2007-6206 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6206 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,21 +0,0 @@
-Candidate: CVE-2007-6206
-Description:
- Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions,
- does not change the UID of a core dump file if it exists before a root process
- creates a core dump in the same location, which might allow local users to
- obtain sensitive information.
-References:
- http://bugzilla.kernel.org/show_bug.cgi?id=3043
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: pending (2.6.24)
-linux-2.6: needed
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/coredump-only-to-same-uid.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge1) [coredump-only-to-same-uid.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [253_coredump-only-to-same-uid.diff]
-2.6.15-dapper-security: released (2.6.15-51.65)
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
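Review bot: this file is retired while `upstream: pending (2.6.24)` and `linux-2.6: needed` are still open, and both look stale rather than resolved: CVE-2008-0001 in this same commit already records `linux-2.6: released (2.6.24-1)`, so 2.6.24 is in the archive. Update to `upstream: released (2.6.24) [c46f739dd39db3b07ab5deb4e3ec81e1c04a91af]` and the linux-2.6 version that first shipped it, or keep the file in active/ until that is confirmed.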
Modified: active/CVE-2007-6282
===================================================================
--- active/CVE-2007-6282 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6282 2008-07-20 21:58:00 UTC (rev 1197)
@@ -11,7 +11,7 @@
upstream:
linux-2.6:
2.6.18-etch-security: pending (2.6.18.dfsg.1-18etch7) [bugfix/esp-iv-in-linear-part-of-skb.patch]
-2.6.24-etchnhalf-security:
+2.6.24-etchnhalf-security: pending (2.6.24-6~etchnhalf.4) [bugfix/esp-iv-in-linear-part-of-skb.patch]
2.6.15-dapper-security: pending
2.6.20-feisty-security: pending
2.6.22-gutsy-security: pending
Deleted: active/CVE-2007-6417
===================================================================
--- active/CVE-2007-6417 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6417 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,23 +0,0 @@
-Candidate: CVE-2007-6417
-Description:
- The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does
- not properly clear allocated memory in some rare circumstances, which might allow
- local users to read sensitive kernel data or cause a denial of service (crash).
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84e2e132c9c66d8498e7710d4ea532d1feaaac5
- http://marc.info/?l=linux-kernel&m=119627664702379&w=2
- http://marc.info/?l=linux-kernel&m=119743651829347&w=2
- http://marc.info/?l=linux-kernel&m=119769771026243&w=2
-Ubuntu-Description:
-Notes:
- dannf> Commit log suggests this was a regression introduced in 2.6.11
-Bugs:
-upstream: released (2.6.22.15, 2.6.23.10, 2.6.24-rc4) [e84e2e132c9c66d8498e7710d4ea532d1feaaac5]
-linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
-2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/tmpfs-restore-clear_highpage.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-51.65)
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
Modified: active/CVE-2007-6514
===================================================================
--- active/CVE-2007-6514 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6514 2008-07-20 21:58:00 UTC (rev 1197)
@@ -7,10 +7,8 @@
Bugs:
upstream:
linux-2.6:
-2.6.18-etch-security:
-2.6.24-etchnhalf-security:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
+2.6.18-etch-security: ignored "no upstream fix"
+2.6.24-etchnhalf-security: ignored "no upstream fix"
2.6.15-dapper-security:
2.6.17-edgy-security: ignored (EOL)
2.6.20-feisty-security:
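Review bot: the hunk deletes the `2.6.8-sarge-security:` and `2.4.27-sarge-security:` lines outright instead of giving them a status, so the record no longer says whether sarge was looked at; other files in this commit keep their sarge lines with `N/A` or `ignored (...)`. If sarge is being dropped from active files, mark them `ignored (EOL)` as is done for edgy on the next line, or say so in the commit message. Also, `ignored "no upstream fix"` omits the version in parentheses that other `ignored` entries carry, e.g. `ignored (<version>) "no upstream fix"`.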
Deleted: active/CVE-2007-6694
===================================================================
--- active/CVE-2007-6694 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6694 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,28 +0,0 @@
-Candidate: CVE-2007-6694
-Description:
- The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21
- through 2.6.18-53, when running on PowerPC, might allow local users
- to cause a denial of service (crash) via unknown vectors that cause
- the of_get_property function to fail, which triggers a NULL pointer
- dereference.
-References:
- http://marc.info/?l=linux-kernel&m=119576191029571&w=2
-Ubuntu-Description:
- It was discovered that PowerPC kernels did not correctly handle reporting
- certain system details. By requesting a specific set of information,
- a local attacker could cause a system crash resulting in a denial
- of service.
-Notes:
- jmm> This appears more of a regular bug with a specific piece of hw
- jmm> than a security problem. Do we support the chrp POWER platform?
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/powerpc-chrp-null-deref.patch]
-2.6.8-sarge-security: released (2.6.8-17sarge2) [powerpc-chrp-null-deref.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [265_powerpc-chrp-null-deref.diff]
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: released (2.6.24-19.34)
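Review bot: `upstream:` and `linux-2.6:` are blank and the open question in Notes (`Do we support the chrp POWER platform?`) is never answered, yet the file is retired; the only reference is a marc.info thread, not a commit. Record the upstream fix (or `N/A` with a reason) and close the note before moving the file to retired/, otherwise nobody can tell from the record why it was considered done.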
Deleted: active/CVE-2007-6712
===================================================================
--- active/CVE-2007-6712 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2007-6712 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,19 +0,0 @@
-Candidate: CVE-2007-6712
-Description:
- Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux
- kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to
- cause a denial of service (infinite loop) via a timer with a large expiry
- value, which causes the timer to always be expired.
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5a7780e725d1bb4c3094fcc12f1c5c5faea1e988
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/hrtimer-prevent-overrun.patch, bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch]
-2.6.24-etchnhalf-security: N/A
-2.6.15-dapper-security: N/A
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: N/A
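Review bot: `upstream:` and `linux-2.6:` are blank while References already names the fix commit (5a7780e7...), so the upstream field should read `released (<version>) [5a7780e725d1bb4c3094fcc12f1c5c5faea1e988]`; the description pins the affected version at 2.6.21-rc4, so the fixing release is easy to locate. Retiring with blank fields loses that information.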
Deleted: active/CVE-2008-0001
===================================================================
--- active/CVE-2008-0001 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0001 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,16 +0,0 @@
-Candidate: CVE-2008-0001
-Description:
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.23.14, 2.6.24-rc8)
-linux-2.6: released (2.6.24-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/vfs-use-access-mode-flag.patch]
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: released (2.6.15-51.65)
-2.6.17-edgy-security: released (2.6.17.1-12.43)
-2.6.20-feisty-security: released (2.6.20-16.34)
-2.6.22-gutsy-security: released (2.6.22-14.48)
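Review bot: `Description:` is empty, so the retired record gives no hint what CVE-2008-0001 was; the etch patch name (vfs-use-access-mode-flag) and the referenced commit 974a9f0b... are enough to write one line. Add the description before retiring.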
Deleted: active/CVE-2008-0007
===================================================================
--- active/CVE-2008-0007 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0007 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,23 +0,0 @@
-Candidate: CVE-2008-0007
-Description:
- Linux kernel before 2.6.22.17, when using certain drivers that register
- a fault handler that does not perform range checks, allows local users
- to access kernel memory via an out-of-range offset.
-References:
-Ubuntu-Description:
- It was discovered that some device driver fault handlers did not
- correctly verify memory ranges. A local attacker could exploit this
- to access sensitive kernel memory, possibly leading to a loss of privacy.
-Notes:
-Bugs:
-upstream: released (2.6.24.1)
-linux-2.6: released (2.6.24-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/mmap-VM_DONTEXPAND.patch]
-2.6.24-etchnhalf-security: needed
-2.6.8-sarge-security: released (2.6.8-17sarge1) [mmap-VM_DONTEXPAND.dpatch]
-2.4.27-sarge-security: released (2.4.27-10sarge6) [264_mmap-VM_DONTEXPAND.diff]
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: N/A
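Review bot: `2.6.24-etchnhalf-security: needed` is unresolved, so this file should not be retired yet, or the entry should be updated to the etchnhalf version that shipped the mmap-VM_DONTEXPAND fix; `References:` is also empty for an issue the record says was fixed upstream in 2.6.24.1, so add the upstream commit URL as the other records do.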
Deleted: active/CVE-2008-0009
===================================================================
--- active/CVE-2008-0009 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0009 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,17 +0,0 @@
-Candidate: CVE-2008-0009
-Description:
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.24.1)
-linux-2.6: released (2.6.24-4)
-2.6.18-etch-security: N/A
-2.6.24-etchnhalf-security: 2.6.24-4
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
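Review bot: `2.6.24-etchnhalf-security: 2.6.24-4` has no status keyword (released/pending/N/A) and repeats the linux-2.6 version from the previous line, whereas etchnhalf entries elsewhere in this commit use `2.6.24-6~etchnhalf.N` package versions; it should read `released (<etchnhalf version>)` or, if the fix predates the branch, `N/A "fixed in 2.6.24-4 before etchnhalf"`. `Description:` and `References:` are also blank.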
Deleted: active/CVE-2008-0010
===================================================================
--- active/CVE-2008-0010 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0010 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,16 +0,0 @@
-Candidate: CVE-2008-0010
-Description:
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.24.1)
-linux-2.6: released (2.6.24-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
-2.6.24-etchnhalf-security: 2.6.24-4
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
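Review bot: the same format problem as CVE-2008-0009 in this commit: `2.6.24-etchnhalf-security: 2.6.24-4` lacks a status keyword and uses the linux-2.6 version rather than an etchnhalf one, and the 2.6.24-hardy line present in the neighbouring files is missing here. Make it `released (<etchnhalf version>)` (or `N/A` with a reason) and fill `Description:` and `References:`.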
Deleted: active/CVE-2008-0163
===================================================================
--- active/CVE-2008-0163 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0163 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,17 +0,0 @@
-Candidate:
-Description:
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: N/A
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
-2.6.24-etchnhalf-security:
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
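Review bot: `Candidate:` is empty although the file is active/CVE-2008-0163, and Description, References and the etchnhalf line are blank too, so the retired record will not even identify its CVE; set `Candidate: CVE-2008-0163` and give the etchnhalf line a status before retiring.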
Deleted: active/CVE-2008-0352
===================================================================
--- active/CVE-2008-0352 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0352 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,25 +0,0 @@
-Candidate: CVE-2008-0352
-Description:
- The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a
- denial of service (panic) via a certain IPv6 packet, possibly involving the
- Jumbo Payload hop-by-hop option
-References:
- http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
-Ubuntu-Description:
-Notes:
- jmm> 08a6507044dd70c326de3ea484fd6d29b8101f17
- jmm> http://bugzilla.kernel.org/show_bug.cgi?id=8450
- dannf> Looks like this isn't an issue before
- a11d206d0f88e092419877c7f706cafb5e1c2e57
- Which appeared between 2.6.19 and 2.6.20
- kees> this is a dup of CVE-2007-4567
-Bugs:
-upstream: released (2.6.21.2)
-linux-2.6: released (2.6.22-1)
-2.6.18-etch-security: N/A
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: N/A (dup of CVE-2007-4567)
-2.6.22-gutsy-security: N/A
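Review bot: the fix commit (08a65070...) and the bugzilla link sit in Notes instead of `References:` and the `upstream:` bracket; move them, e.g. `upstream: released (2.6.21.2) [08a6507044dd70c326de3ea484fd6d29b8101f17]`, so the dup relationship to CVE-2007-4567 that kees notes is backed by the referenced commit in the retired record.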
Modified: active/CVE-2008-0598
===================================================================
--- active/CVE-2008-0598 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0598 2008-07-20 21:58:00 UTC (rev 1197)
@@ -7,10 +7,10 @@
Ubuntu-Description:
Notes:
Bugs: 490910
-upstream: needed
+upstream: pending (2.6.27-rc1)
linux-2.6: needed
-2.6.18-etch-security: needed
-2.6.24-etchnhalf-security: needed
+2.6.18-etch-security: pending (2.6.18.dfsg.1-18etch7) [bugfix/x86-add-copy_user_handle_tail.patch, x86-fix-copy_user.patch]
+2.6.24-etchnhalf-security: pending (2.6.24-6~etchnhalf.4) [bugfix/x86-add-copy_user_handle_tail.patch, x86-fix-copy_user.patch]
2.6.15-dapper-security:
2.6.20-feisty-security:
2.6.22-gutsy-security:
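Review bot: the second patch in the new etch and etchnhalf lines is written as `x86-fix-copy_user.patch` while the first carries the `bugfix/` prefix; if both live under debian/patches/bugfix/ the entry should be `[bugfix/x86-add-copy_user_handle_tail.patch, bugfix/x86-fix-copy_user.patch]`, otherwise the two names point at different directories.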
Deleted: active/CVE-2008-0600
===================================================================
--- active/CVE-2008-0600 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-0600 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,22 +0,0 @@
-Candidate: CVE-2008-0600
-Description:
- The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1
- does not validate a certain userspace pointer before dereference, which
- allows local users to gain root privileges via crafted arguments in
- a vmsplice system call, a different vulnerability than CVE-2008-0009
- and CVE-2008-0010.
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.24.2)
-linux-2.6: released (2.6.24-4)
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
-2.6.24-etchnhalf-security: 2.6.24-4
-2.6.8-sarge-security: N/A
-2.4.27-sarge-security: N/A
-2.6.15-dapper-security: N/A
-2.6.17-edgy-security: released (2.6.17.1-12.44)
-2.6.20-feisty-security: released (2.6.20-16.35)
-2.6.22-gutsy-security: released (2.6.22-14.52)
-2.6.24-hardy-security: N/A
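Review bot: `References:` is blank for a local privilege escalation that the description says is fixed in 2.6.24.2, and `2.6.24-etchnhalf-security: 2.6.24-4` again lacks a status keyword and uses the linux-2.6 version rather than an etchnhalf one. Add the upstream commit reference and write the etchnhalf line as `released (<etchnhalf version>)` or `N/A` with a reason.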
Deleted: active/CVE-2008-1294
===================================================================
--- active/CVE-2008-1294 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-1294 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,29 +0,0 @@
-Candidate: CVE-2008-1294
-Description:
- Linux kernel 2.6.17, and other versions before 2.6.22, does not check
- when a user attempts to set RLIMIT_CPU to 0 until after the change is
- made, which allows local users to bypass intended resource limits.
-References:
-Ubuntu-Description:
- It was discovered that CPU resource limits could be bypassed.
- A malicious local user could exploit this to avoid administratively
- imposed resource limits.
-Notes:
- https://launchpad.net/bugs/107209
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419706
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9926e4c74300c4b31dee007298c6475d33369df0
- kees> for pre-2.6.17 kernels, two additional commits are needed:
- kees> ec9e16bacdba1da1ee15dd162384e22df5c87e09
- kees> e0661111e5441995f7a69dc4336c9f131cb9bc58
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/RLIMIT_CPU-earlier-checking.patch]
-2.6.24-etchnhalf-security:
-2.6.8-sarge-security:
-2.4.27-sarge-security:
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: N/A
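Review bot: `upstream:` and `linux-2.6:` are blank and the etchnhalf and sarge lines have no status, yet the file is retired; the Notes block already holds the fix commit (9926e4c7...) and Debian bug 419706, which belong in `References:`, the `upstream:` bracket and `Bugs:` respectively. Fill those in (kees's two extra commits for pre-2.6.17 kernels can stay in Notes) so the retired record is complete.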
Deleted: active/CVE-2008-1375
===================================================================
--- active/CVE-2008-1375 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-1375 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,23 +0,0 @@
-Candidate: CVE-2008-1375
-Description:
- dnotify race
-References:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=214b7049a7929f03bbd2786aaef04b8b79db34e2
-Ubuntu-Description:
- A race condition was discovered between dnotify fcntl() and close() in
- the kernel. If a local attacker performed malicious dnotify requests,
- they could cause memory consumption leading to a denial of service,
- or possibly send arbitrary signals to any process.
-Notes:
- kees> ABI changer due to header addition?
- kees> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/dnotify-race-avoid-abi-change.patch?op=file&rev=0&sc=0
-Bugs:
-upstream: pending (2.6.26-rc1)
-linux-2.6: needed
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/dnotify-race.patch]
-2.6.24-etchnhalf-security: needed
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.17-edgy-security: ignored (EOL)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: released (2.6.24-19.34)
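Review bot: `linux-2.6: needed` and `2.6.24-etchnhalf-security: needed` are unresolved, and `upstream: pending (2.6.26-rc1)` is stale: CVE-2008-2750 in this same commit already records `upstream: released (2.6.26-rc6)`. Either update the three fields (upstream to released, linux-2.6 and etchnhalf to the versions carrying dnotify-race.patch) or leave the file in active/; retiring it with `needed` entries hides open work.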
Deleted: active/CVE-2008-1615
===================================================================
--- active/CVE-2008-1615 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-1615 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,18 +0,0 @@
-Candidate: CVE-2008-1615
-Description:
- Linux kernel 2.6.18, and possibly other versions, when running on AMD64
- architectures, allows local users to cause a denial of service (crash)
- via certain ptrace calls.
-References:
-Ubuntu-Description:
-Notes:
- kees> http://marc.info/?l=linux-kernel&m=120219781932243
-Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/amd64-cs-corruption.patch]
-2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.3) [bugfix/amd64-cs-corruption.patch]
-2.6.15-dapper-security: pending
-2.6.20-feisty-security: pending
-2.6.22-gutsy-security: pending
-2.6.24-hardy-security: pending
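Review bot: `upstream:` and `linux-2.6:` are blank and four Ubuntu entries are still `pending`; the only reference is a marc.info thread in Notes. If the Ubuntu lines are no longer maintained in this tracker, say so (`ignored (EOL)` or `N/A` with a reason) rather than retiring with `pending`, and record the upstream fix behind amd64-cs-corruption.patch before the file leaves active/.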
Deleted: active/CVE-2008-1669
===================================================================
--- active/CVE-2008-1669 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-1669 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,20 +0,0 @@
-Candidate: CVE-2008-1669
-Description:
- "add rcu_read_lock() to fs/locks.c and fix fcntl store/load"
-References:
-Ubuntu-Description:
- On SMP systems, a race condition existed in fcntl(). Local attackers
- could perform malicious locks, causing system crashes and leading to
- a denial of service.
-Notes:
- kees> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
- kees> linux-2.6.24.y: 0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70
-Bugs:
-upstream: released (2.6.24.7, 2.6.25.2)
-linux-2.6: released (2.6.25-2)
-2.6.18-etch-security: released (2.6.18.dfsg.1-18etch4) [bugfix/fcntl_setlk-close-race.patch]
-2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.7.patch]
-2.6.15-dapper-security: released (2.6.15-52.67)
-2.6.20-feisty-security: released (2.6.20-17.36)
-2.6.22-gutsy-security: released (2.6.22-15.54)
-2.6.24-hardy-security: released (2.6.24-19.34)
Deleted: active/CVE-2008-1675
===================================================================
--- active/CVE-2008-1675 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-1675 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,20 +0,0 @@
-Candidate: CVE-2008-1675
-Description:
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=a30678eb8ce99a7b4c716ad41c8c10a04d731127
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=f1b6098616f329d26199f278f228a7b27d36558d
-Ubuntu-Description:
- The tehuti network driver did not correctly handle certain IO functions.
- A local attacker could perform malicious requests to the driver,
- potentially accessing kernel memory, leading to privilege escalation
- or access to private system information.
-Notes:
-Bugs:
-upstream: released (2.6.24.6)
-linux-2.6: released (2.6.24-7)
-2.6.18-etch-security: N/A
-2.6.24-etchnhalf-security: released (linux-2.6.24 2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch]
-2.6.15-dapper-security: N/A
-2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: N/A
-2.6.24-hardy-security: released (2.6.24-19.34)
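Review bot: `Description:` is empty (only the Ubuntu-Description says what the tehuti issue is), and the etchnhalf entry `released (linux-2.6.24 2.6.24-6~etchnhalf.2)` embeds the source package name where the other etchnhalf lines use just the version, as in `released (2.6.24-6~etchnhalf.2)`; normalise the format and add a one-line description.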
Modified: active/CVE-2008-2750
===================================================================
--- active/CVE-2008-2750 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-2750 2008-07-20 21:58:00 UTC (rev 1197)
@@ -10,10 +10,10 @@
Notes:
kees> linux-2.6: 6b6707a50c7598a83820077393f8823ab791abf8
Bugs:
-upstream:
-linux-2.6:
-2.6.18-etch-security: N/A
-2.6.24-etchnhalf-security:
+upstream: released (2.6.26-rc6)
+linux-2.6: released (2.6.26-rc6)
+2.6.18-etch-security: N/A "code added after 2.6.18"
+2.6.24-etchnhalf-security: pending (2.6.24-6~etchnhalf.4) "bugfix/l2tp-pppol2tp_recvmsg-corruption.patch"
2.6.15-dapper-security: N/A
2.6.20-feisty-security: N/A
2.6.22-gutsy-security: N/A
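Review bot: `linux-2.6: released (2.6.26-rc6)` records an upstream kernel version where this field takes the Debian package version (compare `linux-2.6: released (2.6.25-7)` in the CVE-2008-2812 hunk below), and the etchnhalf patch name is in double quotes, which this format uses for free-text reasons (`N/A "code added after 2.6.18"` on the line above), not for patch lists; write it as `[bugfix/l2tp-pppol2tp_recvmsg-corruption.patch]` and put the Debian version that shipped the fix on the linux-2.6 line.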
Modified: active/CVE-2008-2812
===================================================================
--- active/CVE-2008-2812 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-2812 2008-07-20 21:58:00 UTC (rev 1197)
@@ -4,10 +4,10 @@
Ubuntu-Description:
Notes:
Bugs:
-upstream:
-linux-2.6:
+upstream: released (2.6.25.10)
+linux-2.6: released (2.6.25-7) [bugfix/all/stable/2.6.25.10.patch]
2.6.18-etch-security: pending (2.6.18.dfsg.1-18etch7) [bugfix/tty-fix-for-tty-operations-bugs.patch]
-2.6.24-etchnhalf-security:
+2.6.24-etchnhalf-security: pending (2.6.24-6~etchnhalf.4) [bugfix/tty-fix-for-tty-operations-bugs.patch]
2.6.15-dapper-security:
2.6.20-feisty-security:
2.6.22-gutsy-security:
Modified: active/CVE-2008-2931
===================================================================
--- active/CVE-2008-2931 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/CVE-2008-2931 2008-07-20 21:58:00 UTC (rev 1197)
@@ -8,7 +8,7 @@
Bugs:
upstream: released (2.6.21)
linux-2.6: N/A
-2.6.18-etch-security: needed
+2.6.18-etch-security: pending (2.6.18.dfsg.1-18etch7) [bugfix/check-privileges-before-setting-mount-propagation.patch]
2.6.24-etchnhalf-security: N/A
2.6.15-dapper-security:
2.6.20-feisty-security:
Deleted: active/block-all-signals-race
===================================================================
--- active/block-all-signals-race 2008-07-15 21:14:58 UTC (rev 1196)
+++ active/block-all-signals-race 2008-07-20 21:58:00 UTC (rev 1197)
@@ -1,17 +0,0 @@
-Candidate: Needed
-References:
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=c70d3d703ad94727dab2a3664aeee33d71e00715
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9ac95f2f90e022c16d293d7978faddf7e779a1a9
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=1ff0be1534839dabec85f6d16dc36734f4e158bf
- http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=21b4da78c941f292f6daf87abb562d6285216e51
-Description:
- Race in copy_signhand()/do_sigaction that lets you create small processes that
- block all signals, including SIGKILL.
-Notes:
-Bugs:
-upstream:
-linux-2.6: pending (2.6.15.5)
-2.6.8-sarge-security:
-2.4.27-sarge-security:
-2.6.18-etch-security: N/A
-
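Review bot: this file is retired with `Candidate: Needed`, `upstream:` blank (although four upstream commits are listed under References) and `linux-2.6: pending (2.6.15.5)`, so it never got a CVE id recorded and its status is still open; fill `upstream: released (<version>) [c70d3d703ad94727dab2a3664aeee33d71e00715]` and the linux-2.6 line, and note in the record why it is retired without a CVE, or keep it in active/.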
Copied: retired/CVE-2006-6058 (from rev 1196, active/CVE-2006-6058)
===================================================================
--- retired/CVE-2006-6058 (rev 0)
+++ retired/CVE-2006-6058 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,37 @@
+Candidate: CVE-2006-6058
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=f0ae3188daf70ed07a4dfbeb133bef3a92838a15
+ MISC:http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+ FRSIRT:ADV-2006-4613
+ URL:http://www.frsirt.com/english/advisories/2006/4613
+ SECUNIA:23034
+ URL:http://secunia.com/advisories/23034
+Description:
+ The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
+ other versions, allows local users to cause a denial of service (hang) via a
+ malformed minix file stream that triggers an infinite loop in the minix_bmap
+ function. NOTE: this issue might be due to an integer overflow or signedness
+ error.
+Ubuntu-Description:
+ The minix filesystem did not properly validate certain filesystem values.
+ If a local attacker could trick the system into attempting to mount a
+ corrupted minix filesystem, the kernel could be made to hang for long
+ periods of time, resulting in a denial of service.
+Notes:
+ dannf> ignored for sarge for now - only applies under very rare circumstances
+ and don't know if there's an upstream fix
+ jmm> We can ignore this, it has no practical ramifications
+ dannf> Though I agree its minor, I suspect its not so rare that admins
+ set user-mountable media's filesystem type to 'auto' in fstab,
+ allowing them to use any fs on the system. I could see this being
+ used to annoy sysadmins, e.g., in a university lab setting
+Bugs:
+upstream: released (2.6.23.7, 2.6.24-rc1) [f44ec6f3f89889a469773b1fd894f8fcc07c29cf]
+linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/minixfs-printk-hang.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [minixfs-printk-hang.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no printk_ratelimit in 2.4 - needs port"
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
Property changes on: retired/CVE-2006-6058
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2006-7229 (from rev 1196, active/CVE-2006-7229)
===================================================================
--- retired/CVE-2006-7229 (rev 0)
+++ retired/CVE-2006-7229 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-7229
+References:
+ https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/65631
+Description:
+Ubuntu-Description:
+Notes:
+ dannf> This appears to be Ubuntu-specific
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: N/A
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
Property changes on: retired/CVE-2006-7229
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-0004 (from rev 1196, active/CVE-2007-0004)
===================================================================
--- retired/CVE-2007-0004 (rev 0)
+++ retired/CVE-2007-0004 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,29 @@
+Candidate: CVE-2007-0004
+Description:
+ The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL)
+ 3, when a filesystem is mounted with the noacl option, checks permissions for
+ the open system call via vfs_permission (mode bits) data rather than an NFS
+ ACCESS call to the server, which allows local client processes to obtain a
+ false success status from open calls that the server would deny, and possibly
+ obtain sensitive information about file permissions on the server, as
+ demonstrated in a root_squash environment. NOTE: it is uncertain whether any
+ scenarios involving this issue cross privilege boundaries.
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=199715
+Ubuntu-Description:
+Notes:
+ dannf> Don't know that this bug every affected upstream, but looks like we
+ may have introduced it into 2.4.27 w/ 084_ea_acl-2.diff
+ dannf> Unknown security implications (though certainly a bug), and RHEL3
+ never included the patch in their bugzilla, so ignoring
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: ignored (2.4.27-10sarge6)
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
Property changes on: retired/CVE-2007-0004
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-2242 (from rev 1196, active/CVE-2007-2242)
===================================================================
--- retired/CVE-2007-2242 (rev 0)
+++ retired/CVE-2007-2242 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,33 @@
+Candidate: CVE-2007-2242
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=010831ab8436dfd9304b203467566fb6b135c24f
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=9d08f139275450f9366d85ba09b9a2e09bb33766
+Description:
+ The IPv6 protocol allows remote attackers to cause a denial of service via
+ crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network
+ amplification between two routers.
+Ubuntu-Description:
+ A flaw was discovered in the IPv6 stack's handling of type 0 route headers.
+ By sending a specially crafted IPv6 packet, a remote attacker could cause
+ a denial of service between two IPv6 hosts.
+Notes:
+ dannf> Some info from Vlad Yasevich:
+ <vlad> dannf: is someone including commits 010831ab8436dfd9304b203467566fb6b135c24f and 9d08f139275450f9366d85ba09b9a2e09bb33766 (IPv6 routing header changes) in the debian kernel?
+ ...
+ <dannf> vlad: right, but (010831ab8436dfd9304b203467566fb6b135c24f) is security, so it'll be included in etch if necessary
+ <dannf> s/necessary/affected/
+ <vlad> dannf: you need the second one I listed as well, since the first one has a bug in it.
+ <dannf> vlad: oh, ok - thx
+ <vlad> dannf: although for the purposes of 2.6.18, the second one might be a no-op and the first one might need to be modified a bit.
+ jmm> Contacted Willy
+ dannf> functions are different, but 2.4 code looks similar
+ dannf> My 2.4 backport attempt causes a crash at boot time, ignoring for now
+Bugs: 421595
+upstream: released (2.6.21)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/ipv6-disallow-RH0-by-default.patch]
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "needs port"
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [fee89820efa8e3479b39149dcfb2b1bccdaadedc]
+2.6.20-feisty-security: released (2.6.20-16.28)
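Review bot: `2.6.8-sarge-security: needed` is retired unresolved; the 2.4.27 line right below it was given `ignored (2.4.27-10sarge6) "needs port"`, so the 2.6.8 entry should get an equivalent decision (`ignored (<version>) "<reason>"` or `ignored (EOL)`) rather than `needed`, which reads as outstanding work.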
Property changes on: retired/CVE-2007-2242
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-3104 (from rev 1196, active/CVE-2007-3104)
===================================================================
--- retired/CVE-2007-3104 (rev 0)
+++ retired/CVE-2007-3104 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-3104
+References:
+Description:
+ The sysfs_readdir function in the Linux kernel in Red Hat Enterprise
+ Linux 4.5 allows local users to cause a denial of service (kernel OOPS)
+ by dereferencing a null pointer to an inode in a dentry.
+Ubuntu-Description:
+ A flaw in the sysfs_readdir function allowed a local user to cause a
+ denial of service by dereferencing a NULL pointer.
+Notes:
+ pkl> Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
+ jmm> 01da2425f327d7ac673e594bee5655523115970b
+Bugs:
+upstream: released (2.6.22.2)
+linux-2.6: released (2.6.22-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/sysfs_readdir-NULL-deref-1.patch, bugfix/sysfs_readdir-NULL-deref-2.patch, bugfix/sysfs-fix-condition-check.patch]
+2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore"
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]
+2.6.20-feisty-security: released (2.6.20-16.31) [5ca45c7e9e3d363c7bd3a5419742cb3368baf474]
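Review bot: `2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore"` is still `needed` for a file leaving active/; either set it to `ignored` with that reason or keep the record active. Separately, the fix commit 01da2425f327d7ac673e594bee5655523115970b appears only in a `jmm>` note while `References:` is empty; put it in References or in the `upstream:` brackets as the neighbouring records do, so anything that scans References finds it.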
Property changes on: retired/CVE-2007-3104
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-3513 (from rev 1196, active/CVE-2007-3513)
===================================================================
--- retired/CVE-2007-3513 (rev 0)
+++ retired/CVE-2007-3513 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-3513
+References:
+Description:
+ The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel
+ before 2.6.22-rc7 does not limit the amount of memory used by a caller,
+ which allows local users to cause a denial of service (memory consumption).
+Ubuntu-Description:
+ A flaw was discovered in the usblcd driver. A local attacker could cause
+ large amounts of kernel memory consumption, leading to a denial of service.
+Notes:
+Bugs:
+upstream: released (2.6.22-rc7)
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/usblcd-limit-memory-consumption.patch]
+2.6.8-sarge-security: ignored (2.6.8-17sarge1) "Too different"
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Too different"
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7]
+2.6.20-feisty-security: released (2.6.20-16.31) [165018c61779a357d33947a2ae169148b6ab8d9f]
Property changes on: retired/CVE-2007-3513
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-3848 (from rev 1196, active/CVE-2007-3848)
===================================================================
--- retired/CVE-2007-3848 (rev 0)
+++ retired/CVE-2007-3848 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,22 @@
+Candidate: CVE-2007-3848
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+Description:
+ Linux kernel 2.4.35 and other versions allows local users to send
+ arbitrary signals to a child process that is running at higher privileges
+ by causing a setuid-root parent process to die, which delivers an
+ attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
+Ubuntu-Description:
+ It was discovered that certain setuid-root processes did not correctly
+ reset process death signal handlers. A local user could manipulate this
+ to send signals to processes they would not normally have access to.
+Notes:
+Bugs:
+upstream: released (2.6.22.4)
+linux-2.6: released (2.6.22-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/reset-pdeathsig-on-suid.patch]
+2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [247_reset-pdeathsig-on-suid.diff]
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-12.40)
+2.6.20-feisty-security: released (2.6.20-16.31)
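Review bot: `2.6.8-sarge-security: pending (2.6.8-17sarge1)` is not a final state for a retired record; if 2.6.8-17sarge1 shipped, change it to `released`, otherwise the file should stay in active/. The 2.4.27 line already reads `released (2.4.27-10sarge6) [247_reset-pdeathsig-on-suid.diff]`, so the two sarge kernels are out of step on the same PR_SET_PDEATHSIG fix.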
Property changes on: retired/CVE-2007-3848
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-4130 (from rev 1196, active/CVE-2007-4130)
===================================================================
--- retired/CVE-2007-4130 (rev 0)
+++ retired/CVE-2007-4130 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,20 @@
+Candidate: CVE-2007-4130
+Description:
+ The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux (RHEL) 4
+ on Itanium (ia64) does not properly handle page faults during NUMA memory
+ access, which allows local users to cause a denial of service (panic) via
+ invalid arguments to set_mempolicy in an MPOL_BIND operation.
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: ignored (2.6.8-17sarge2) "no known upstream fix"
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no known upstream fix"
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
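Review bot: `upstream:` and `linux-2.6:` are blank, and the per-release lines contradict each other: both sarge kernels are `ignored "no known upstream fix"` (affected, unfixed) while etch, dapper, feisty, gutsy and hardy are `N/A`. The description scopes the bug to the RHEL 4 2.6.9 kernel on ia64; if the conclusion is that mainline is not affected, say so in Notes and set `upstream: N/A` and the sarge lines to `N/A`, so the record does not read as an unfixed local panic on sarge.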
Property changes on: retired/CVE-2007-4130
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-4133 (from rev 1196, active/CVE-2007-4133)
===================================================================
--- retired/CVE-2007-4133 (rev 0)
+++ retired/CVE-2007-4133 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-4133
+References:
+ http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6
+ https://bugzilla.redhat.com/show_bug.cgi?id=253926
+Description:
+ The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
+ in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
+ certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
+ units, which allows local users to cause a denial of service (panic)
+ via unspecified vectors.
+Ubuntu-Description:
+ Certain calculations in the hugetlb code were not correct. A local
+ attacker could exploit this to cause a kernel panic, leading to a denial
+ of service.
+Notes:
+ jmm> 2.4 doesn't contain hugetlbfs
+Bugs:
+upstream: released (2.6.19)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/hugetlb-prio_tree-unit-fix.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [hugetlb-prio_tree-unit-fix.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
Property changes on: retired/CVE-2007-4133
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-4571 (from rev 1196, active/CVE-2007-4571)
===================================================================
--- retired/CVE-2007-4571 (rev 0)
+++ retired/CVE-2007-4571 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,30 @@
+Candidate: CVE-2007-4571
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ccec6e2c4a74adf76ed4e2478091a311b1806212
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=788450fa451454cc8ff3593b4f9fdb653c296583
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8
+ http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600
+Description:
+ The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux
+ Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return
+ the correct write size, which allows local users to obtain sensitive
+ information (kernel memory contents) via a small count argument, as
+ demonstrated by multiple reads of /proc/driver/snd-page-alloc.
+Ubuntu-Description:
+ It was discovered that the ALSA /proc interface did not write the
+ correct number of bytes when reporting memory allocations. A local
+ attacker might be able to access sensitive kernel memory, leading to
+ a loss of privacy.
+Notes:
+ dannf> ABI changer, was reverted from etch-security (r9547)
+Bugs:
+upstream: released (2.6.22.8)
+linux-2.6: released (2.6.22-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/proc-snd-page-alloc-mem-leak.patch]
+2.6.8-sarge-security: N/A "cannot reproduce w/ ALSA in 2.6.8, alsa-driver package was affected/fixed in DSA 1505"
+2.4.27-sarge-security: N/A "alsa-driver package was affected/fixed in DSA 1505"
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
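Review bot: the note `ABI changer, was reverted from etch-security (r9547)` conflicts on its face with `2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1)`. If the fix was re-applied in 17etch1 after the revert, say so in the note (reverted in which version, re-added in 17etch1); if not, the etch line is wrong and etch remains exposed to the /proc/driver/snd-page-alloc kernel memory leak.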
Property changes on: retired/CVE-2007-4571
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-4997 (from rev 1196, active/CVE-2007-4997)
===================================================================
--- retired/CVE-2007-4997 (rev 0)
+++ retired/CVE-2007-4997 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-4997
+References:
+ http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
+Description:
+Ubuntu-Description:
+ Chris Evans discovered that the 802.11 network stack did not correctly
+ handle certain QOS frames. A remote attacker on the local wireless network
+ could send specially crafted packets that would panic the kernel, resulting
+ in a denial of service.
+Notes:
+ > The summary is that an evil 80211 frame can crash out a victim's
+ > machine. It only applies to drivers using the 80211 wireless code, and
+ > only then to certain drivers (and even then depends on a card's
+ > firmware not dropping a dubious packet). I must confess I'm not
+ > keeping track of Linux wireless support, and the different protocol
+ > stacks etc.
+ jmm> 04045f98e0457aba7d4e6736f37eed189c48a5f7
+Bugs:
+upstream: released (2.6.23)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/ieee80211-underflow.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
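Review bot: `Description:` is empty and the quoted `>` paragraph under Notes is unattributed; fill in the CVE text (the Ubuntu text already gives the substance: crafted 802.11 QoS frames panic the kernel) and name the source of the quote. References also list the same commit 04045f98e0457aba7d4e6736f37eed189c48a5f7 twice, once from kvm.git and once from linux-2.6.23.y; one entry is enough unless the point is to show which stable tree carries it.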
Property changes on: retired/CVE-2007-4997
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5087 (from rev 1196, active/CVE-2007-5087)
===================================================================
--- retired/CVE-2007-5087 (rev 0)
+++ retired/CVE-2007-5087 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,24 @@
+Candidate: CVE-2007-5087
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.35.y.git;a=commitdiff;h=b7ae15e7707050baafe5a35e3d4f2d175197d222
+Description:
+ The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is
+ enabled, allows local users to cause a denial of service (kernel panic) by
+ reading /proc/net/atm/arp before the CLIP module has been loaded.
+Ubuntu-Description:
+Notes:
+Bugs:
+ dannf> Vulnerable code was added to 2.4 in:
+ http://linux.bkbits.net:8080/linux-2.4/?PAGE=gnupatch&REV=1.1448.44.17
+ which was after 2.4.27
+ dannf> The commit notes that 2.6 isn't vulnerable because the arp entry is
+ handled in clip.c. I've verified this is true for both 2.6.8 and 2.6.18.
+upstream: released (2.4.36-pre2)
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
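Review bot: the two `dannf>` notes sit under `Bugs:` rather than `Notes:` (which is empty), so anything that treats `Bugs:` as a list of bug numbers will either choke on them or drop them; move them up. The content of the notes is exactly what justifies the `N/A` lines (vulnerable code landed in 2.4 after 2.4.27; 2.6 handles the arp entry in clip.c), so it should be in the field where such reasoning normally lives. Minor: `upstream: released (2.4.36-pre2)` versus the description's "before 2.4.35.3" deserves a one-line note on which 2.4 stable release carries b7ae15e7707050baafe5a35e3d4f2d175197d222.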
Property changes on: retired/CVE-2007-5087
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5093 (from rev 1196, active/CVE-2007-5093)
===================================================================
--- retired/CVE-2007-5093 (rev 0)
+++ retired/CVE-2007-5093 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,35 @@
+Candidate: CVE-2007-5093
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6-stable.git;a=commitdiff;h=852ffe0acf89f959e8d35080bbd2bdc2d8f2e9e5
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d
+ MLIST:20070902 Oops in pwc v4l driver
+ URL:http://marc.info/?l=linux-kernel&m=118873457814808&w=2
+ MLIST:20070903 Re: Oops in pwc v4l driver
+ URL:http://marc.info/?l=linux-kernel&m=118880154122548&w=2
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6
+ BID:25504
+ URL:http://www.securityfocus.com/bid/25504
+Description:
+ The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel
+ 2.6.x before 2.6.22.6 "relies on user space to close the device," which
+ allows user-assisted local attackers to cause a denial of service (USB
+ subsystem hang and CPU consumption in khubd) by not closing the device after
+ the disconnect is invoked. NOTE: this rarely crosses privilege boundaries,
+ unless the attacker can convince the victim to unplug the affected device.
+Ubuntu-Description:
+ The Philips USB Webcam driver did not correctly handle disconnects.
+ If a local attacker tricked another user into disconnecting a webcam
+ unsafely, the kernel could hang or consume CPU resources, leading to
+ a denial of service.
+Notes:
+ kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6ce4
+Bugs:
+upstream: released (2.6.22.6)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/usb-pwc-disconnect-block.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [usb-pwc-disconnect-block.dpatch]
+2.4.27-sarge-security: released (2.4.17-10sarge6) [263_usb-pwc-disconnect-block.diff]
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: N/A
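Review bot: `2.4.27-sarge-security: released (2.4.17-10sarge6)` has the wrong version string; every other record in this commit uses `2.4.27-10sarge6` for the sarge 2.4 kernel, so this should read `released (2.4.27-10sarge6) [263_usb-pwc-disconnect-block.diff]`. Minor: the References block mixes bare URLs with NVD-style `MLIST:`/`CONFIRM:`/`BID:` prefixes, unlike the rest of the tracker; pick one form.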
Property changes on: retired/CVE-2007-5093
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5494 (from rev 1196, active/CVE-2007-5494)
===================================================================
--- retired/CVE-2007-5494 (rev 0)
+++ retired/CVE-2007-5494 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,16 @@
+Candidate: CVE-2007-5494
+Description:
+References:
+Ubuntu-Description:
+Notes:
+ jmm> Debian doesn't provide that patch
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
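Review bot: this record has no Description and no References, so its only content is `Debian doesn't provide that patch`, which does not tell a reader which patch or which vendor kernel is meant. Add the CVE description, or at least a link to the advisory, so the blanket `N/A` can be re-checked later without guessing.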
Property changes on: retired/CVE-2007-5494
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5500 (from rev 1196, active/CVE-2007-5500)
===================================================================
--- retired/CVE-2007-5500 (rev 0)
+++ retired/CVE-2007-5500 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,24 @@
+Candidate: CVE-2007-5500
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=36ef66c5d137b9a31fd8c35d236fb9e26ef74f97
+Description:
+ wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+Ubuntu-Description:
+ Scott James Remnant discovered that the waitid function could be made
+ to hang the system. A local attacker could execute a specially crafted
+ program which would leave the system unresponsive, resulting in a denial
+ of service.
+Notes:
+ kees> 2.6.15 does not actually lock up -- it just spins in userspace
+ jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308
+ jmm> 2.6.14 is the first major release to be affected, marking earlier versions N/A
+Bugs:
+upstream: released (2.6.23.8)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/wait_task_stopped-hang.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
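Review bot: `Description:` holds the fix commit's subject line (`wait_task_stopped: Check p->exit_state instead of TASK_TRACED`) rather than a description of the flaw; the Ubuntu text (waitid can be made to hang the system) is the actual description and belongs in that field, with the subject line moved to Notes. Keep the `kees>` remark that 2.6.15 only spins in userspace next to the dapper line, since it changes the impact for that kernel even though the fix was shipped.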
Property changes on: retired/CVE-2007-5500
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5904 (from rev 1196, active/CVE-2007-5904)
===================================================================
--- retired/CVE-2007-5904 (rev 0)
+++ retired/CVE-2007-5904 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,27 @@
+Candidate: CVE-2007-5904
+Description:
+ Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
+ allows remote attackers to cause a denial of service (crash) and possibly
+ execute arbitrary code via long SMB responses that trigger the overflows in
+ the SendReceive function.
+References:
+ http://marc.info/?l=linux-kernel&m=119455843205403&w=2
+ http://marc.info/?l=linux-kernel&m=119457447724276&w=2
+ http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3
+Ubuntu-Description:
+ Multiple buffer overflows were discovered in the handling of CIFS
+ filesystems. A malicious CIFS server could cause a client system crash
+ or possibly execute arbitrary code with kernel privileges.
+Notes:
+ kees> failed mount errors: a761ac579b89bc1f00212a42401398108deba65c
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/cifs-better-failed-mount-errors.patch, bugfix/cifs-corrupt-server-response-overflow.patch]
+2.6.8-sarge-security: ignored (2.6.8-17sarge2) "needs port if vulnerable"
+2.4.27-sarge-security: N/A "No CIFS"
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
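Review bot: `upstream:` and `linux-2.6:` are blank although References cite the fix commit 133672efbc1085f9af990bdc145e1822ea93bcf3 in cifs-2.6.git and every downstream line is resolved; record the mainline release that carries it. `2.6.8-sarge-security: ignored "needs port if vulnerable"` also leaves the affected/not-affected question open for a remote, server-triggered overflow; the description says 2.6.23 and earlier, so 2.6.8's CIFS client is in scope unless someone has checked SendReceive there, and the record should say which.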
Property changes on: retired/CVE-2007-5904
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5938 (from rev 1196, active/CVE-2007-5938)
===================================================================
--- retired/CVE-2007-5938 (rev 0)
+++ retired/CVE-2007-5938 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-5938
+Description:
+ The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier
+ dereferences an iwl_get_hw_mode return value without checking for NULL, which might
+ allow remote attackers to cause a denial of service (kernel panic) via unspecified
+ vectors during module initialization.
+References:
+ http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618
+ http://bugs.gentoo.org/show_bug.cgi?id=199209
+Ubuntu-Description:
+Notes:
+ jmm> c4ba9621f4f241f8c4d4f620ad4257af59d21f3e
+Bugs:
+upstream: released (2.6.24-rc4)
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
Property changes on: retired/CVE-2007-5938
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-5966 (from rev 1196, active/CVE-2007-5966)
===================================================================
--- retired/CVE-2007-5966 (rev 0)
+++ retired/CVE-2007-5966 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,17 @@
+Candidate: CVE-2007-5966
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5;hp=f194d132e4971111f85c18c96067acffb13cee6d
+Ubuntu-Description:
+Notes:
+ dannf> hrtimer.c file didn't exist in 2.4.27/2.6.8
+Bugs:
+upstream: released (2.6.24-rc5)
+linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/hrtimer-large-relative-timeouts-overflow.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
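Review bot: `Description:` is empty; the only hint of what this is comes from the etch patch name `hrtimer-large-relative-timeouts-overflow.patch`. Fill in the CVE text so the record is self-describing. The `dannf>` note justifies `N/A` for 2.4.27 and 2.6.8 (no hrtimer.c), but `2.6.15-dapper-security: N/A` is given no reason; add the same one-line justification for dapper.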
Property changes on: retired/CVE-2007-5966
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6063 (from rev 1196, active/CVE-2007-6063)
===================================================================
--- retired/CVE-2007-6063 (rev 0)
+++ retired/CVE-2007-6063 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,22 @@
+Candidate: CVE-2007-6063
+Description:
+ Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel
+ 2.6.23 allows local users to have an unknown impact via a crafted argument to
+ the isdn_ioctl function.
+References:
+ http://bugzilla.kernel.org/show_bug.cgi?id=9416
+ http://www.securityfocus.com/bid/26605
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40
+Ubuntu-Description:
+Notes:
+ jmm> eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+Bugs:
+upstream: released (2.6.24-rc4) [0f13864e5b24d9cbe18d125d41bfa4b726a82e40]
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/isdn-net-overflow.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [isdn-net-overflow.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [257_isdn-net-overflow.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
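Review bot: the `jmm>` note gives eafe1aa37e6ec2d56f14732b5240c4dd09f0613a, but that is the commit referenced for CVE-2007-6151 (isdn_ioctl iocts termination) in the next record; this record's own fix is 0f13864e5b24d9cbe18d125d41bfa4b726a82e40, already in References and in the `upstream:` brackets. If both commits are needed to close the isdn_net_setcfg overflow, say so; otherwise drop the stray hash so the two isdn issues are not conflated.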
Property changes on: retired/CVE-2007-6063
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6151 (from rev 1196, active/CVE-2007-6151)
===================================================================
--- retired/CVE-2007-6151 (rev 0)
+++ retired/CVE-2007-6151 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-6151
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+Description:
+ The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows
+ local users to cause a denial of service via a struct in which iocts is
+ not null terminated, which triggers a buffer overflow.
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/i4l-isdn_ioctl-mem-overrun.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [i4l-isdn_ioctl-mem-overrun.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [256_i4l-isdn_ioctl-mem-overrun.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
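Review bot: `upstream:` is blank although References carry the mainline fix eafe1aa37e6ec2d56f14732b5240c4dd09f0613a and `linux-2.6: released (2.6.23-2)` implies it is in a released kernel; fill in the release the way the sibling CVE-2007-6063 record does (`released (<version>) [<hash>]`).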
Property changes on: retired/CVE-2007-6151
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6206 (from rev 1196, active/CVE-2007-6206)
===================================================================
--- retired/CVE-2007-6206 (rev 0)
+++ retired/CVE-2007-6206 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-6206
+Description:
+ Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions,
+ does not change the UID of a core dump file if it exists before a root process
+ creates a core dump in the same location, which might allow local users to
+ obtain sensitive information.
+References:
+ http://bugzilla.kernel.org/show_bug.cgi?id=3043
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: pending (2.6.24)
+linux-2.6: needed
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/coredump-only-to-same-uid.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [coredump-only-to-same-uid.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [253_coredump-only-to-same-uid.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
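Review bot: `upstream: pending (2.6.24)` and `linux-2.6: needed` are both non-terminal states in a record being retired. References already point at the mainline commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af and this commit is dated July 2008, well after 2.6.24 shipped, so `upstream` should be `released (2.6.24)` and the linux-2.6 line should name the package version that includes it (every security branch is already `released`). Retiring with `needed` on the unstable package hides the remaining work.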
Property changes on: retired/CVE-2007-6206
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6417 (from rev 1196, active/CVE-2007-6417)
===================================================================
--- retired/CVE-2007-6417 (rev 0)
+++ retired/CVE-2007-6417 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-6417
+Description:
+ The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does
+ not properly clear allocated memory in some rare circumstances, which might allow
+ local users to read sensitive kernel data or cause a denial of service (crash).
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84e2e132c9c66d8498e7710d4ea532d1feaaac5
+ http://marc.info/?l=linux-kernel&m=119627664702379&w=2
+ http://marc.info/?l=linux-kernel&m=119743651829347&w=2
+ http://marc.info/?l=linux-kernel&m=119769771026243&w=2
+Ubuntu-Description:
+Notes:
+ dannf> Commit log suggests this was a regression introduced in 2.6.11
+Bugs:
+upstream: released (2.6.22.15, 2.6.23.10, 2.6.24-rc4) [e84e2e132c9c66d8498e7710d4ea532d1feaaac5]
+linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/tmpfs-restore-clear_highpage.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
Property changes on: retired/CVE-2007-6417
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6694 (from rev 1196, active/CVE-2007-6694)
===================================================================
--- retired/CVE-2007-6694 (rev 0)
+++ retired/CVE-2007-6694 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-6694
+Description:
+ The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21
+ through 2.6.18-53, when running on PowerPC, might allow local users
+ to cause a denial of service (crash) via unknown vectors that cause
+ the of_get_property function to fail, which triggers a NULL pointer
+ dereference.
+References:
+ http://marc.info/?l=linux-kernel&m=119576191029571&w=2
+Ubuntu-Description:
+ It was discovered that PowerPC kernels did not correctly handle reporting
+ certain system details. By requesting a specific set of information,
+ a local attacker could cause a system crash resulting in a denial
+ of service.
+Notes:
+ jmm> This appears more of a regular bug with a specific piece of hw
+ jmm> than a security problem. Do we support the chrp POWER platform?
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/powerpc-chrp-null-deref.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge2) [powerpc-chrp-null-deref.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [265_powerpc-chrp-null-deref.diff]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
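Review bot: `upstream:` and `linux-2.6:` are blank and the only reference is an lkml thread, yet every distro line is `released`; record the mainline commit or release the downstream `powerpc-chrp-null-deref` patches were taken from. The `jmm>` question (regular bug on specific hardware, do we support CHRP?) is left unanswered in a record that is now retired; add the conclusion (evidently to ship the fix, since all kernels were patched) so the reasoning survives.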
Property changes on: retired/CVE-2007-6694
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2007-6712 (from rev 1196, active/CVE-2007-6712)
===================================================================
--- retired/CVE-2007-6712 (rev 0)
+++ retired/CVE-2007-6712 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-6712
+Description:
+ Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux
+ kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to
+ cause a denial of service (infinite loop) via a timer with a large expiry
+ value, which causes the timer to always be expired.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5a7780e725d1bb4c3094fcc12f1c5c5faea1e988
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/hrtimer-prevent-overrun.patch, bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch]
+2.6.24-etchnhalf-security: N/A
+2.6.15-dapper-security: N/A
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
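Review bot: this record is missing the `2.6.8-sarge-security`, `2.4.27-sarge-security` and `2.6.17-edgy-security` lines that every other file in this commit carries, and `upstream:`/`linux-2.6:` are blank despite the referenced commit 5a7780e725d1bb4c3094fcc12f1c5c5faea1e988. Given the CVE-2007-5966 note above (hrtimer.c does not exist in 2.4.27/2.6.8) the sarge lines would be `N/A` and edgy `ignored (EOL)`; add them so the record is complete.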
Property changes on: retired/CVE-2007-6712
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0001 (from rev 1196, active/CVE-2008-0001)
===================================================================
--- retired/CVE-2008-0001 (rev 0)
+++ retired/CVE-2008-0001 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,16 @@
+Candidate: CVE-2008-0001
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.23.14, 2.6.24-rc8)
+linux-2.6: released (2.6.24-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/vfs-use-access-mode-flag.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
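Review bot: `Description:` and `Ubuntu-Description:` are both empty; the only clues are the etch patch name `vfs-use-access-mode-flag.patch` and commit 974a9f0b47da74e28f68b9c8645c3786aa5ace1a. Add the CVE text before retiring so the record does not depend on a patch filename to explain itself.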
Property changes on: retired/CVE-2008-0001
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0007 (from rev 1196, active/CVE-2008-0007)
===================================================================
--- retired/CVE-2008-0007 (rev 0)
+++ retired/CVE-2008-0007 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,23 @@
+Candidate: CVE-2008-0007
+Description:
+ Linux kernel before 2.6.22.17, when using certain drivers that register
+ a fault handler that does not perform range checks, allows local users
+ to access kernel memory via an out-of-range offset.
+References:
+Ubuntu-Description:
+ It was discovered that some device driver fault handlers did not
+ correctly verify memory ranges. A local attacker could exploit this
+ to access sensitive kernel memory, possibly leading to a loss of privacy.
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/mmap-VM_DONTEXPAND.patch]
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [mmap-VM_DONTEXPAND.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [264_mmap-VM_DONTEXPAND.diff]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
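Review bot: `References:` is empty for a kernel-memory disclosure that was fixed in every supported kernel; add the upstream commit. The version claims also need reconciling: the description says `before 2.6.22.17` while `upstream: released (2.6.24.1)`; list the stable releases that carry the fix (2.6.22.17 and 2.6.24.1 at least, in the form the CVE-2007-6417 record uses) so that `2.6.24-hardy-security: N/A` can be checked against 2.6.24.1.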
Property changes on: retired/CVE-2008-0007
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0009 (from rev 1196, active/CVE-2008-0009)
===================================================================
--- retired/CVE-2008-0009 (rev 0)
+++ retired/CVE-2008-0009 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,17 @@
+Candidate: CVE-2008-0009
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: N/A
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
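Review bot: no Description, no References, and every line is `N/A` except upstream/linux-2.6/etchnhalf, which are `released` via the 2.6.24.1 stable patch; as written the record does not say what the issue is or why 2.6.18 and earlier are unaffected. Add the CVE text and a one-line reason for the `N/A` entries before retiring.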
Property changes on: retired/CVE-2008-0009
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0010 (from rev 1196, active/CVE-2008-0010)
===================================================================
--- retired/CVE-2008-0010 (rev 0)
+++ retired/CVE-2008-0010 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,16 @@
+Candidate: CVE-2008-0010
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
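Review bot: The 2.6.24-hardy-security row is missing from this record (the hunk is 16 lines where the sibling CVE-2008-0009 record has 17), so hardy's status is undefined rather than N/A; add the row. As with CVE-2008-0009, Description and References are empty, and the etch row "released (2.6.18.dfsg.1-18etch1)" names no patch file while the CVE-2008-0007 etch row does; the patch name is what lets a reader verify what actually went into 18etch1.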
Property changes on: retired/CVE-2008-0010
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0163 (from rev 1196, active/CVE-2008-0163)
===================================================================
--- retired/CVE-2008-0163 (rev 0)
+++ retired/CVE-2008-0163 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,17 @@
+Candidate: CVE-2008-0163
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: N/A
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: N/A "no vserver support"
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
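Review bot: The linux-2.6: row is blank and Description and References are empty, so the only statement of what this issue is comes from the etchnhalf row's reason, N/A "no vserver support". If the unstable kernel likewise carries no vserver support, the linux-2.6 row should say N/A with that same reason; if it does, it needs a released version. Either way a blank row in a retired record looks like unfinished tracking rather than a decision.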
Property changes on: retired/CVE-2008-0163
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0352 (from rev 1196, active/CVE-2008-0352)
===================================================================
--- retired/CVE-2008-0352 (rev 0)
+++ retired/CVE-2008-0352 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,25 @@
+Candidate: CVE-2008-0352
+Description:
+ The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a
+ denial of service (panic) via a certain IPv6 packet, possibly involving the
+ Jumbo Payload hop-by-hop option
+References:
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
+Ubuntu-Description:
+Notes:
+ jmm> 08a6507044dd70c326de3ea484fd6d29b8101f17
+ jmm> http://bugzilla.kernel.org/show_bug.cgi?id=8450
+ dannf> Looks like this isn't an issue before
+ a11d206d0f88e092419877c7f706cafb5e1c2e57
+ Which appeared between 2.6.19 and 2.6.20
+ kees> this is a dup of CVE-2007-4567
+Bugs:
+upstream: released (2.6.21.2)
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A (dup of CVE-2007-4567)
+2.6.22-gutsy-security: N/A
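Review bot: The dup determination ("kees> this is a dup of CVE-2007-4567") lives only in Notes and in the feisty row's parenthetical, while the Description still hedges with "possibly involving the Jumbo Payload hop-by-hop option"; state the dup in the Description so the record is self-explanatory. The References row points only at the 2.6.21.2 ChangeLog although the fixing commit 08a6507044dd70c326de3ea484fd6d29b8101f17 is given in Notes; move it to References. The record also lacks 2.6.24-etchnhalf-security and 2.6.24-hardy-security rows; since the affected range ends at 2.6.21.1 they would be N/A, but the other records in this commit carry them.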
Property changes on: retired/CVE-2008-0352
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-0600 (from rev 1196, active/CVE-2008-0600)
===================================================================
--- retired/CVE-2008-0600 (rev 0)
+++ retired/CVE-2008-0600 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,22 @@
+Candidate: CVE-2008-0600
+Description:
+ The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1
+ does not validate a certain userspace pointer before dereference, which
+ allows local users to gain root privileges via crafted arguments in
+ a vmsplice system call, a different vulnerability than CVE-2008-0009
+ and CVE-2008-0010.
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.2)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.2.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: released (2.6.17.1-12.44)
+2.6.20-feisty-security: released (2.6.20-16.35)
+2.6.22-gutsy-security: released (2.6.22-14.52)
+2.6.24-hardy-security: N/A
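Review bot: References is empty for a local root escalation, with no commit or advisory URL anywhere in the record; add the 2.6.24.2 fix commit. The 2.6.24-hardy-security row says N/A although the Description's affected range, 2.6.17 through 2.6.24.1, covers a 2.6.24 kernel; if hardy shipped with the 2.6.24.2 fix already applied, say so in a quoted reason as the CVE-2008-0163 etchnhalf row does, otherwise the row reads as a wrong triage. Ubuntu-Description is empty too.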
Property changes on: retired/CVE-2008-0600
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-1294 (from rev 1196, active/CVE-2008-1294)
===================================================================
--- retired/CVE-2008-1294 (rev 0)
+++ retired/CVE-2008-1294 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,27 @@
+Candidate: CVE-2008-1294
+Description:
+ Linux kernel 2.6.17, and other versions before 2.6.22, does not check
+ when a user attempts to set RLIMIT_CPU to 0 until after the change is
+ made, which allows local users to bypass intended resource limits.
+References:
+Ubuntu-Description:
+ It was discovered that CPU resource limits could be bypassed.
+ A malicious local user could exploit this to avoid administratively
+ imposed resource limits.
+Notes:
+ https://launchpad.net/bugs/107209
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419706
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9926e4c74300c4b31dee007298c6475d33369df0
+ kees> for pre-2.6.17 kernels, two additional commits are needed:
+ kees> ec9e16bacdba1da1ee15dd162384e22df5c87e09
+ kees> e0661111e5441995f7a69dc4336c9f131cb9bc58
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/RLIMIT_CPU-earlier-checking.patch]
+2.6.24-etchnhalf-security: N/A
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
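Review bot: The upstream: and linux-2.6: rows are blank even though the Description says the bug is in versions "before 2.6.22" and Notes link the fixing commit 9926e4c74300c4b31dee007298c6475d33369df0; fill both rows before retiring. The kees note that "for pre-2.6.17 kernels, two additional commits are needed" means the sarge kernels are in scope, yet there are no 2.6.8-sarge-security or 2.4.27-sarge-security rows at all; add them with a status. The three URLs in Notes belong in the References field, which is empty.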
Property changes on: retired/CVE-2008-1294
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-1375 (from rev 1196, active/CVE-2008-1375)
===================================================================
--- retired/CVE-2008-1375 (rev 0)
+++ retired/CVE-2008-1375 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,23 @@
+Candidate: CVE-2008-1375
+Description:
+ dnotify race
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=214b7049a7929f03bbd2786aaef04b8b79db34e2
+Ubuntu-Description:
+ A race condition was discovered between dnotify fcntl() and close() in
+ the kernel. If a local attacker performed malicious dnotify requests,
+ they could cause memory consumption leading to a denial of service,
+ or possibly send arbitrary signals to any process.
+Notes:
+ kees> ABI changer due to header addition?
+ kees> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/dnotify-race-avoid-abi-change.patch?op=file&rev=0&sc=0
+Bugs:
+upstream: released (2.6.26-rc1)
+linux-2.6: released (2.6.25-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/dnotify-race.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
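Review bot: The etch row credits only bugfix/dnotify-race.patch, while Notes link a second etch-security patch, bugfix/dnotify-race-avoid-abi-change.patch; if both were applied in 18etch2, list both in the row so the record matches the packaging. The open question "ABI changer due to header addition?" should be answered rather than left in a retired record. The Description ("dnotify race") is thinner than the Ubuntu-Description; copy the fcntl()/close() race summary up so the Description stands on its own.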
Property changes on: retired/CVE-2008-1375
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-1615 (from rev 1196, active/CVE-2008-1615)
===================================================================
--- retired/CVE-2008-1615 (rev 0)
+++ retired/CVE-2008-1615 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,18 @@
+Candidate: CVE-2008-1615
+Description:
+ Linux kernel 2.6.18, and possibly other versions, when running on AMD64
+ architectures, allows local users to cause a denial of service (crash)
+ via certain ptrace calls.
+References:
+Ubuntu-Description:
+Notes:
+ kees> http://marc.info/?l=linux-kernel&m=120219781932243
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/amd64-cs-corruption.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.3) [bugfix/amd64-cs-corruption.patch]
+2.6.15-dapper-security: pending
+2.6.20-feisty-security: pending
+2.6.22-gutsy-security: pending
+2.6.24-hardy-security: pending
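Review bot: Four Ubuntu rows (dapper, feisty, gutsy, hardy) are still "pending" and upstream: and linux-2.6: are blank, so moving this file to retired/ loses open work; resolve those rows first or add a note saying why tracking stops here. References is empty; the only pointer is the lkml thread in Notes, and the patch name on the etch rows (amd64-cs-corruption.patch) says more about the bug than the Description's "certain ptrace calls".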
Property changes on: retired/CVE-2008-1615
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-1669 (from rev 1196, active/CVE-2008-1669)
===================================================================
--- retired/CVE-2008-1669 (rev 0)
+++ retired/CVE-2008-1669 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,20 @@
+Candidate: CVE-2008-1669
+Description:
+ "add rcu_read_lock() to fs/locks.c and fix fcntl store/load"
+References:
+Ubuntu-Description:
+ On SMP systems, a race condition existed in fcntl(). Local attackers
+ could perform malicious locks, causing system crashes and leading to
+ a denial of service.
+Notes:
+ kees> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+ kees> linux-2.6.24.y: 0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70
+Bugs:
+upstream: released (2.6.24.7, 2.6.25.2)
+linux-2.6: released (2.6.25-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch4) [bugfix/fcntl_setlk-close-race.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.7.patch]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
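Review bot: The Description is the bare commit subject in quotes, while the readable summary (SMP race in fcntl() locking causing crashes) is in Ubuntu-Description; give the Description a sentence of its own. The two commit ids in Notes, 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 and the 2.6.24.y backport 0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70, belong in References, which is empty.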
Property changes on: retired/CVE-2008-1669
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/CVE-2008-1675 (from rev 1196, active/CVE-2008-1675)
===================================================================
--- retired/CVE-2008-1675 (rev 0)
+++ retired/CVE-2008-1675 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,20 @@
+Candidate: CVE-2008-1675
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=a30678eb8ce99a7b4c716ad41c8c10a04d731127
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=f1b6098616f329d26199f278f228a7b27d36558d
+Ubuntu-Description:
+ The tehuti network driver did not correctly handle certain IO functions.
+ A local attacker could perform malicious requests to the driver,
+ potentially accessing kernel memory, leading to privilege escalation
+ or access to private system information.
+Notes:
+Bugs:
+upstream: released (2.6.24.6)
+linux-2.6: released (2.6.24-7)
+2.6.18-etch-security: N/A
+2.6.24-etchnhalf-security: released (linux-2.6.24 2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch]
+2.6.15-dapper-security: N/A
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: released (2.6.24-19.34)
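Review bot: Description is empty while Ubuntu-Description carries the summary (tehuti driver IO handling allowing access to kernel memory); copy the one-line summary into Description. The etchnhalf row writes the version as "(linux-2.6.24 2.6.24-6~etchnhalf.2)" whereas the other records write "(2.6.24-6~etchnhalf.2)"; drop the package name for consistency with the other rows.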
Property changes on: retired/CVE-2008-1675
___________________________________________________________________
Name: svn:mergeinfo
+
Copied: retired/block-all-signals-race (from rev 1196, active/block-all-signals-race)
===================================================================
--- retired/block-all-signals-race (rev 0)
+++ retired/block-all-signals-race 2008-07-20 21:58:00 UTC (rev 1197)
@@ -0,0 +1,17 @@
+Candidate: Needed
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=c70d3d703ad94727dab2a3664aeee33d71e00715
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9ac95f2f90e022c16d293d7978faddf7e779a1a9
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=1ff0be1534839dabec85f6d16dc36734f4e158bf
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=21b4da78c941f292f6daf87abb562d6285216e51
+Description:
+ Race in copy_signhand()/do_sigaction that lets you create small processes that
+ block all signals, including SIGKILL.
+Notes:
+Bugs:
+upstream:
+linux-2.6: pending (2.6.15.5)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.18-etch-security: N/A
+
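Review bot: "Candidate: Needed" and "linux-2.6: pending (2.6.15.5)" mean this record is being retired without a CVE id and with an unresolved status, and the two sarge rows are blank; either fill them (References already lists four upstream commits to cite) or add a note saying why tracking stops. The field order, References before Description, differs from every other record in this commit, and "copy_signhand()" in the Description looks like a typo for copy_sighand().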
Property changes on: retired/block-all-signals-race
___________________________________________________________________
Name: svn:mergeinfo
+