[kernel-sec-discuss] r1590 - active retired

Moritz Muehlenhoff jmm at alioth.debian.org
Thu Nov 12 22:21:16 UTC 2009


Author: jmm
Date: 2009-11-12 22:21:16 +0000 (Thu, 12 Nov 2009)
New Revision: 1590

Added:
   retired/CVE-2008-3831
   retired/CVE-2008-5300
   retired/CVE-2009-1338
   retired/CVE-2009-1883
   retired/CVE-2009-2846
   retired/CVE-2009-2847
   retired/CVE-2009-2848
   retired/CVE-2009-2849
   retired/CVE-2009-2903
   retired/CVE-2009-2908
   retired/CVE-2009-2909
   retired/CVE-2009-3001
   retired/CVE-2009-3002
   retired/CVE-2009-3228
   retired/CVE-2009-3234
   retired/CVE-2009-3238
   retired/CVE-2009-3280
   retired/CVE-2009-3623
   retired/CVE-2009-3638
   retired/CVE-2009-3722
Removed:
   active/CVE-2008-3831
   active/CVE-2008-5300
   active/CVE-2009-1338
   active/CVE-2009-1883
   active/CVE-2009-2846
   active/CVE-2009-2847
   active/CVE-2009-2848
   active/CVE-2009-2849
   active/CVE-2009-2903
   active/CVE-2009-2908
   active/CVE-2009-2909
   active/CVE-2009-3001
   active/CVE-2009-3002
   active/CVE-2009-3228
   active/CVE-2009-3234
   active/CVE-2009-3238
   active/CVE-2009-3280
   active/CVE-2009-3623
   active/CVE-2009-3638
   active/CVE-2009-3722
Log:
retire issues


Deleted: active/CVE-2008-3831
===================================================================
--- active/CVE-2008-3831	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2008-3831	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,17 +0,0 @@
-Candidate: CVE-2008-3831
-Description:
-References:
-Ubuntu-Description:
-Notes:
- jmm> 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
-Bugs:
-upstream: released (2.6.28)
-linux-2.6: released (2.6.26-9) [bugfix/x86/i915-restrict-DRM_I915_HWS_ADDR.patch]
-2.6.18-etch-security: N/A "Vulnerable code not present"
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.6) [bugfix/i915-restrict-DRM_I915_HWS_ADDR.patch]
-2.6.26-lenny-security: released (2.6.26-9) [bugfix/x86/i915-restrict-DRM_I915_HWS_ADDR.patch]
-2.6.15-dapper-security: N/A
-2.6.20-feisty-security: ignored (EOL)
-2.6.22-gutsy-security: released (2.6.22-15.59)
-2.6.24-hardy-security: released (2.6.24-21.43)
-2.6.27-intrepid-security: needed
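Review bot: the `2.6.27-intrepid-security` row is still `needed`, so this record is being retired with an open item; either resolve that row (or mark it `ignored`/`N/A` with a reason) before the move, or note that the Ubuntu rows are no longer tracked here. Description and References are also empty, leaving only the `jmm>` commit hash to identify the issue; a one-line description of what the `i915-restrict-DRM_I915_HWS_ADDR.patch` fixes would make the retired record self-explaining.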

Deleted: active/CVE-2008-5300
===================================================================
--- active/CVE-2008-5300	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2008-5300	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,14 +0,0 @@
-Candidate: CVE-2008-5300
-Description:
-References:
- http://marc.info/?l=linux-netdev&m=122721862313564&w=2
- http://marc.info/?l=linux-netdev&m=122765505415944&w=2
- https://bugzilla.redhat.com/show_bug.cgi?id=470201
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.28)
-linux-2.6: released (2.6.26-12) [bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-23etch1) [bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.7) [bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch]
-2.6.26-lenny-security: released (2.6.26-12) [bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch]
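Review bot: Description and Notes are empty, so the only clue to what CVE-2008-5300 is comes from the patch name `net-unix-gc-fix-soft-lockups-oom-issues.patch`; a one-line summary (AF_UNIX garbage collector soft lockups / OOM) would make the retired entry readable without following the marc.info links.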

Deleted: active/CVE-2009-1338
===================================================================
--- active/CVE-2009-1338	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-1338	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,18 +0,0 @@
-Candidate: CVE-2009-1338
-Description:
-References:
- http://lwn.net/Articles/259217/
- https://bugzilla.redhat.com/show_bug.cgi?id=496031
- http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.28-rc3) [d25141a818383b3c3b09f065698c544a7a0ec6e7]
-linux-2.6: released (2.6.29-1)
-2.6.18-etch-security: N/A
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.8etch1) [bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch, bugfix/all/pid-extend+fix-pid_vnr.patch]
-2.6.26-lenny-security: released (2.6.26-15lenny1) [bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch]
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
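Review bot: the four Ubuntu rows (`2.6.15-dapper-security` through `2.6.27-intrepid-security`) are blank rather than resolved, and `2.6.18-etch-security: N/A` carries no reason string while the other records in this commit quote one (e.g. `N/A "vulnerable code not present"`). Fill those in, or drop the untracked Ubuntu rows, so the retired record is complete on its own; the empty Description could also be filled from the patch name `limit_kill_sig_-1_to_callers_namespace.patch`.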

Deleted: active/CVE-2009-1883
===================================================================
--- active/CVE-2009-1883	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-1883	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,13 +0,0 @@
-Candidate: CVE-2009-1883
-Description:
-References:
- http://www.openwall.com/lists/oss-security/2009/09/15/1
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1883
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: N/A "vulnerable code not present"
-linux-2.6: N/A "vulnerable code not present"
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1) [bugfix/s390/z90crypt-missing-cap-check.patch]
-2.6.24-etch-security: N/A "vulnerable code not present"
-2.6.26-lenny-security: N/A "vulnerable code not present"
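Review bot: Description is empty and the only hint is the patch name `z90crypt-missing-cap-check.patch`. This record is unusual in that only the 2.6.18 etch kernel is affected while every newer branch, including upstream, is `N/A "vulnerable code not present"`; a one-line description saying so would help anyone auditing the retired set later.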

Deleted: active/CVE-2009-2846
===================================================================
--- active/CVE-2009-2846	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2846	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,18 +0,0 @@
-Candidate: CVE-2009-2846
-Description:
-Description:
- parisc: isa-eeprom missing lower bound check
- .
- loff_t is a signed type. If userspace passes a negative ppos, the
- "count" range check is weakened. If ppos is negative, the readb() later
- in the function will poke in random memory. Only affects if you are
- using a PA-RISC kernel with CONFIG_EISA set.
-References:
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.31-rc6) [6b4dbcd8]
-linux-2.6: released (2.6.30-6) [bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch]
-2.6.26-lenny-security: released (2.6.26-19) [bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch]
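Review bot: the `Description:` header appears twice in consecutive lines; the first is an empty duplicate and should be dropped. References is empty even though the upstream row cites commit `6b4dbcd8`; recording the full commit id under References, as the other records do, keeps the fix traceable once the file is frozen in retired/.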

Deleted: active/CVE-2009-2847
===================================================================
--- active/CVE-2009-2847	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2847	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,25 +0,0 @@
-Candidate: CVE-2009-2847
-Description:
- do_sigaltstack: avoid copying 'stack_t' as a structure to user space
-.
- Ulrich Drepper correctly points out that there is generally padding in
- the structure on 64-bit hosts, and that copying the structure from
- kernel to user space can leak information from the kernel stack in those
- padding bytes.
-.
- Avoid the whole issue by just copying the three members one by one
- instead, which also means that the function also can avoid the need for
- a stack frame. This also happens to match how we copy the new structure
- from user space, so it all even makes sense.
-References:
- http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
- https://bugzilla.redhat.com/show_bug.cgi?id=515392
- http://milw0rm.com/exploits/9352
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.31-rc6) [0083fc2]
-linux-2.6: released (2.6.30-6) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
-2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
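Review bot: the two paragraph separators inside the Description are written as a bare `.` at column 0 instead of the ` .` (space-dot) form used in the other records (compare CVE-2009-2846 in this same commit); a parser that treats unindented lines as field names would see two spurious `.` fields. Indent them to match before the record is retired.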

Deleted: active/CVE-2009-2848
===================================================================
--- active/CVE-2009-2848	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2848	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,14 +0,0 @@
-Candidate: CVE-2009-2848
-Description:
- execve must clear curent->child_tid
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=515423
- http://article.gmane.org/gmane.linux.kernel/871942
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.31) [9c8a8228d0827e0d91d28527209988f672f97d28]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
-2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
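Review bot: the Description has a typo: `curent->child_tid` should read `current->clear_child_tid`, as the patch name `execve-must-clear-current-clear_child_tid.patch` in the same hunk shows. Worth fixing before the record is frozen in retired/.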

Deleted: active/CVE-2009-2849
===================================================================
--- active/CVE-2009-2849	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2849	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,15 +0,0 @@
-Candidate: CVE-2009-2849
-Description:
- md raid null pointer dereference (when sysfs available)
-References:
- http://xorl.wordpress.com/2009/07/21/linux-kernel-md-driver-null-pointer-dereference/
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=commit;h=3c92900d9a4afb176d3de335dc0da0198660a244
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b8d966efd9a46a9a35beac50cbff6e30565125ef
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.30.2, 2.6.31-rc) [b8d966e]
-linux-2.6: released (2.6.30-4) [bugfix/all/stable/2.6.30.2.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
-2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
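Review bot: the upstream row says `released (2.6.30.2, 2.6.31-rc)` without the rc number, while the other records pin the exact rc (e.g. `2.6.31-rc6`). Since the References already give the mainline commit `b8d966e`, the rc it landed in should be recorded so the fixed-version claim is checkable.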

Deleted: active/CVE-2009-2903
===================================================================
--- active/CVE-2009-2903	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2903	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,25 +0,0 @@
-Candidate: CVE-2009-2903
-Description:
- The check for the ipddpN device in the handle_ip_over_ddp() function 
- returns -NODEV to the atalk_rcv() function when the device does not 
- exist. The atalk_rcv() function then directly returns that value to its 
- caller. There is a missing call to kfree_skb() in these unaccepted 
- IP-DDP datagram that can exhaust the kernel memory eventually. It 
- affects Linux hosts with appletalk and ipddp modules loaded, that are 
- attached to the same link. Thanks to Mark Smith for reporting this issue 
- to us.
-References:
- http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;a=commit;h=ffcfb8db540ff879c2a85bf7e404954281443414
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903#c3
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ipddp.txt;h=661a5558dd8e928f15771c07ef34b3ee9cb81e57;hb=HEAD
- http://www.openwall.com/lists/oss-security/2009/08/30/1
- https://bugzilla.redhat.com/CVE-2009-2903#c0 and
- http://kbase.redhat.com/faq/docs/DOC-19069
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.32-rc1) [ffcfb8db540ff879c2a85bf7e404954281443414], released (2.6.31.4) [fb0e8709eef2d06ec5d5b1f30e043432a477c1fe]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]
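Review bot: the References entry `https://bugzilla.redhat.com/CVE-2009-2903#c0 and` ends with a dangling `and` that glues it to the kbase URL on the next line; list the two URLs as separate entries. Also, `2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)` names no patch files while the etch 2.6.24 and lenny rows list the two appletalk patches; adding them keeps the audit trail consistent across branches.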

Deleted: active/CVE-2009-2908
===================================================================
--- active/CVE-2009-2908	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2908	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,19 +0,0 @@
-Candidate: CVE-2009-2908
-Description:
- When calling vfs_unlink() on the lower dentry, d_delete() turns the
- dentry into a negative dentry when the d_count is 1.  This eventually
- caused a NULL pointer deref when a read() or write() was done and the
- negative dentry's d_inode was dereferenced in
- ecryptfs_read_update_atime() or ecryptfs_getxattr().
-References:
- http://www.openwall.com/lists/oss-security/2009/10/06/1
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136
- https://bugzilla.redhat.com/show_bug.cgi?id=527534
-Notes:
- jmm> Introduced in 2.6.19
-Bugs:
-upstream: released (2.6.31.2) [afc2b6932f48f200736d3e36ad66fee0ec733136], released (2.6.32-rc3) [9c2d2056647790c5034d722bd24e9d913ebca73c]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]
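Review bot: `2.6.18-etch-security: N/A` has no reason string although the Notes line supplies it (`Introduced in 2.6.19`); writing it as `N/A "introduced in 2.6.19"` matches the convention CVE-2009-3638 uses in this same commit. This record also lacks the `Ubuntu-Description:` field present in most of the others, so a field-order check over the retired set will flag it.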

Deleted: active/CVE-2009-2909
===================================================================
--- active/CVE-2009-2909	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-2909	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,14 +0,0 @@
-Candidate: CVE-2009-2909
-Description:
- incorrect signedness check in net ax25
-References:
- http://www.openwall.com/lists/oss-security/2009/10/07/2
- http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758
- http://article.gmane.org/gmane.linux.kernel/896907
-Notes:
-Bugs:
-upstream: released (2.6.30.9) [80a761c59bfe01de1deeb5fc66f5b7fbb3e1bfcf], pending (2.6.32-rc3) [b7058842c940ad2c08dd829b21e5c92ebe3b8758], released (2.6.31.2) [5c7fba322917ef91842676de55fba470bc2af5f3]
-linux-2.6: released (2.6.30-9) [bugfix/all/stable/2.6.30.9.patch], released (2.6.31-1)
-2.6.18-etch-security:
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch]
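Review bot: `2.6.18-etch-security:` is left blank, so the record is retired with no decision recorded for etch although every other branch row carries a status. The upstream row also still says `pending (2.6.32-rc3)` for mainline commit `b7058842`; either that state was not refreshed before retiring, or the retirement rests on the 2.6.30.9 and 2.6.31.2 stable releases alone, which the Notes could state.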

Deleted: active/CVE-2009-3001
===================================================================
--- active/CVE-2009-3001	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3001	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,19 +0,0 @@
-Candidate: CVE-2009-3001
-Description:
- The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel
- 2.6.31-rc7 and earlier does not initialize a certain data structure,
- which allows local users to read the contents of some kernel memory
- locations by calling getsockname on an AF_LLC socket. 
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=519305
- http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
- http://jon.oberheide.org/files/llc-getsockname-leak.c
-Ubuntu-Description:
-Notes:
- gilbert> minor info leak, so not very urgent
-Bugs:
-upstream: released (2.6.31-rc8) [28e9fc592cb8c7a43e4d3147b38be6032a0e81bc]
-linux-2.6: released (2.6.31-1~experimental.1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/net-llc-zero-sockaddr_llc-struct.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/net-llc-zero-sockaddr_llc-struct.patch]

Deleted: active/CVE-2009-3002
===================================================================
--- active/CVE-2009-3002	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3002	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,25 +0,0 @@
-Candidate: CVE-2009-3002
-Description:
- The Linux kernel before 2.6.31-rc7 does not initialize certain data
- structures within getname functions, which allows local users to read
- the contents of some kernel memory locations by calling getsockname on
- (1) an AF_APPLETALK socket, related to the atalk_getname function in
- net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the
- irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket,
- related to the econet_getname function in net/econet/af_econet.c; (4)
- an AF_NETROM socket, related to the nr_getname function in
- net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the
- rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket,
- related to the raw_getname function in net/can/raw.c. 
-References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
- https://bugzilla.redhat.com/show_bug.cgi?id=519305
-Ubuntu-Description:
-Notes:
- gilbert> these are just minor info leaks, so not really very urgent
-Bugs:
-upstream: released (2.6.31-rc7) [09384dfc76e526c3993c09c42e016372dc9dd22c,17ac2e9c58b69a1e25460a568eae1b0dc0188c25,80922bbb12a105f858a8f0abb879cb4302d0ecaa,e84b90ae5eb3c112d1f208964df1d8156a538289,f6b97b29513950bfbf621a83d85b6f86b39ec8db]
-linux-2.6: released (2.6.30-7) [bugfix/all/stable/2.6.30.6.patch]
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/irda-fix-irda_getname-leak.patch, bugfix/all/rose-fix-rose_getname-leak.patch, bugfix/all/econet-fix-econet_getname-leak.patch, bugfix/all/netrom-fix-nr_getname-leak.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/irda-fix-irda_getname-leak.patch, bugfix/all/rose-fix-rose_getname-leak.patch, bugfix/all/econet-fix-econet_getname-leak.patch, bugfix/all/can-fix-raw_getname-leak.patch, bugfix/all/netrom-fix-nr_getname-leak.patch]
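Review bot: the etch 2.6.24 row lists four getname patches while the lenny row adds `can-fix-raw_getname-leak.patch`; the omission is consistent with raw CAN sockets not existing in 2.6.24 (the CAN subsystem arrived in 2.6.25), but a short note to that effect would stop a later reader from taking it for a missed backport. The appletalk getname fix, item (1) of the Description, is likewise not named in either patch list, so it is unclear whether it was carried by the stable 2.6.30.6 patch or still needs a separate backport.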

Deleted: active/CVE-2009-3228
===================================================================
--- active/CVE-2009-3228	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3228	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,27 +0,0 @@
-Candidate: CVE-2009-3228
-Description:
- The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the 
- Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize
- certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow
- local users to obtain sensitive information from kernel memory via unspecified
- vectors.
-References:
- http://www.openwall.com/lists/oss-security/2009/09/03/1
- http://www.openwall.com/lists/oss-security/2009/09/05/2
- http://www.openwall.com/lists/oss-security/2009/09/06/2
- http://www.openwall.com/lists/oss-security/2009/09/07/2
- http://www.openwall.com/lists/oss-security/2009/09/17/1
- http://www.openwall.com/lists/oss-security/2009/09/17/9
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=096ed17f20affc2db0e307658c69
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=16ebb5e0b36ceadc8186f71d68b0c4f
- http://patchwork.ozlabs.org/patch/32830/
- http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.6
- http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.31/ChangeLog-2.6.31-rc9
- https://bugzilla.redhat.com/show_bug.cgi?id=520990
-Notes:
-Bugs:
-upstream: released (2.6.31)
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/tc-fix-pad-leak.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/tc-fix-pad-leak.patch]
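Review bot: the two git.kernel.org references carry abbreviated commit ids (`h=096ed17f20affc2db0e307658c69` and `h=16ebb5e0b36ceadc8186f71d68b0c4f` are 28 and 31 hex digits, not 40), and the upstream row records no commit id at all. Record the full 40-character hashes so the upstream row can cite them and the fix stays verifiable; as written, `patchwork.ozlabs.org/patch/32830/` is the only stable pointer to the change.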

Deleted: active/CVE-2009-3234
===================================================================
--- active/CVE-2009-3234	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3234	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,20 +0,0 @@
-Candidate: CVE-2009-3234
-Description:
- "If we pass a big size data over perf_counter_open() syscall, the kernel 
- will copy this data to a small buffer, it will cause kernel crash."
-References:
- http://www.openwall.com/lists/oss-security/2009/09/16/1
-Ubuntu-Description:
-Notes:
- kernel/perf_counter.c was introduced in commit 0793a61d (v2.6.31-rc1)
- brad spengler has working exploit code for this one, so high-urgency
-Bugs:
-upstream: released (2.6.31.1) [986ddf533c1dd6852196182084aefe1ca9eda34e], pending (2.6.32-rc2) [b3e62e3]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A "vulnerable code not present"
-2.6.24-etch-security: N/A "vulnerable code not present"
-2.6.26-lenny-security: N/A "vulnerable code not present"
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
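Review bot: the four Ubuntu rows are blank and the upstream row still says `pending (2.6.32-rc2)` for `b3e62e3`, so the mainline state was not refreshed before retiring; the Notes flag this issue as high urgency, which argues for resolving every row before the record leaves active/. The three Debian branches are correctly `N/A`, consistent with the Notes line that `kernel/perf_counter.c` first appeared in 2.6.31-rc1.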

Deleted: active/CVE-2009-3238
===================================================================
--- active/CVE-2009-3238	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3238	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,20 +0,0 @@
-Candidate: CVE-2009-3238
-Description:
- The get_random_int function in drivers/char/random.c in the Linux kernel before 
- 2.6.30 produces insufficiently random numbers, which allows attackers to predict the 
- return value, and possibly defeat protection mechanisms based on randomization, via 
- vectors that leverage the function's tendency to "return the same value over and
- over again for long stretches of time."
-References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02
- http://patchwork.kernel.org/patch/21766/
- https://bugzilla.redhat.com/show_bug.cgi?id=499785
- https://bugzilla.redhat.com/show_bug.cgi?id=519692
-Notes:
-Bugs:
-upstream: released (2.6.30) [8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02]
-linux-2.6: released (2.6.30-1)
-2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
-2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/random-make-get_random_int-more-random.patch]
-2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/random-make-get_random_int-more-random.patch]

Deleted: active/CVE-2009-3280
===================================================================
--- active/CVE-2009-3280	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3280	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,16 +0,0 @@
-Candidate: CVE-2009-3280
-Description:
-References:
-  http://www.openwall.com/lists/oss-security/2009/09/16/2
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.32-rc1, 2.6.30.8) [fcc6cb0c13555e78c2d47257b6d1b5e59b0c419a]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A "vulnerable code not present"
-2.6.24-etch-security: N/A "vulnerable code not present"
-2.6.26-lenny-security: N/A "vulnerable code not present"
-2.6.15-dapper-security:
-2.6.22-gutsy-security:
-2.6.24-hardy-security:
-2.6.27-intrepid-security:
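Review bot: Description is empty, the single References entry is indented with two spaces instead of the one space used everywhere else, and the four Ubuntu rows are blank. With no description the retired record gives no hint what commit `fcc6cb0c` fixes beyond the oss-security link; add a one-liner and the missing row states (or drop the untracked rows) before retiring.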

Deleted: active/CVE-2009-3623
===================================================================
--- active/CVE-2009-3623	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3623	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,28 +0,0 @@
-Candidate: CVE-2009-3623
-Description:
- "On setting up the callback to the client, we attempt to use the same
- authentication flavor the client did.  We find an rpc cred to use by
- calling rpcauth_lookup_credcache(), which assumes that the given
- authentication flavor has a credentials cache.  However, this is not
- required to be true--in particular, auth_null does not use one.
- Instead, we should call the auth's lookup_cred() method.
- .
- Without this, a client attempting to mount using nfsv4 and auth_null
- triggers a null dereference."
- .
- The code was introduced in upstream commit 3cef9ab2 (v2.6.31-rc1),
- fixed in 886e3b7f (v2.6.32-rc1), and was later replaced by 80fc015b in
- the same version.
-References:
- http://article.gmane.org/gmane.linux.nfs/26513
- https://bugzilla.redhat.com/show_bug.cgi?id=530269
- http://git.kernel.org/linus/3cef9ab266a932899e756f7e1ea7a988a97bf3b2
- http://git.kernel.org/linus/886e3b7fe6054230c89ae078a09565ed183ecc73
- http://git.kernel.org/linus/80fc015bdfe1f5b870c1e1ee02d78e709523fee7
-Notes:
-Bugs:
-upstream: released (2.6.32-rc1), released (2.6.31.2) [b9703d921e254b499b300d652b4f35420176d509]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A
-2.6.24-etch-security: N/A
-2.6.26-lenny-security: N/A
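Review bot: all three Debian rows are plain `N/A` without a reason, although the Description already states the code was introduced in 3cef9ab2 (v2.6.31-rc1); writing `N/A "introduced in 2.6.31-rc1"` follows the convention CVE-2009-3638 and CVE-2009-3722 use in this commit. The upstream row also cites no commit for the 2.6.32-rc1 release even though the References list 886e3b7f and 80fc015b.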

Deleted: active/CVE-2009-3638
===================================================================
--- active/CVE-2009-3638	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3638	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,15 +0,0 @@
-Candidate: CVE-2009-3638
-Description:
- integer overflow in kvm_dev_ioctl_get_supported_cpuid()
-References:
- http://www.openwall.com/lists/oss-security/2009/10/23/5
- https://bugzilla.redhat.com/show_bug.cgi?id=530515
- http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
-Notes:
- introduced in 2.6.25 (commit 0771671749b59a507b6da4efb931c44d9691e248)
-Bugs:
-upstream: released (2.6.32-rc4) [6a54435560efdab1a08f429a954df4d6c740bddf], released (2.6.31.4) [779632b438a79ab1ed1f0da390712b12db3b2a58]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A "introduced in 2.6.25"
-2.6.24-etch-security: N/A "introduced in 2.6.25"
-2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch]

Deleted: active/CVE-2009-3722
===================================================================
--- active/CVE-2009-3722	2009-11-12 22:15:33 UTC (rev 1589)
+++ active/CVE-2009-3722	2009-11-12 22:21:16 UTC (rev 1590)
@@ -1,15 +0,0 @@
-Candidate:
-Description:
- Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
- code to emulate the instruction even though it was issued from guest
- userspace, possibly leading to an unexpected trap later.
-References:
- http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commitdiff;h=bd634611e589582bba636434af7fcbf782eceb42
-Ubuntu-Description:
-Notes:
-Bugs:
-upstream: released (2.6.31.1) [bd634611e589582bba636434af7fcbf782eceb42], released (2.6.32-rc1) [0a79b009525b160081d75cef5dbf45817956acf2]
-linux-2.6: released (2.6.31-1)
-2.6.18-etch-security: N/A "introduced in 2.6.30-rc1"
-2.6.24-etch-security: N/A "introduced in 2.6.30-rc1"
-2.6.26-lenny-security: N/A "introduced in 2.6.30-rc1"
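Review bot: the `Candidate:` field is empty although the file is named CVE-2009-3722; every other record carries its CVE id there, and tooling that indexes by Candidate will miss this one, so fill it in before the move. The References list only the 2.6.31.y stable commit; the mainline commit `0a79b009` named in the upstream row could be linked as well.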

Copied: retired/CVE-2008-3831 (from rev 1587, active/CVE-2008-3831)
===================================================================
--- retired/CVE-2008-3831	                        (rev 0)
+++ retired/CVE-2008-3831	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,17 @@
+Candidate: CVE-2008-3831
+Description:
+References:
+Ubuntu-Description:
+Notes:
+ jmm> 6dbfadaae00a1238c01a6a04b02cb484cd9072e7
+Bugs:
+upstream: released (2.6.28)
+linux-2.6: released (2.6.26-9) [bugfix/x86/i915-restrict-DRM_I915_HWS_ADDR.patch]
+2.6.18-etch-security: N/A "Vulnerable code not present"
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.6) [bugfix/i915-restrict-DRM_I915_HWS_ADDR.patch]
+2.6.26-lenny-security: released (2.6.26-9) [bugfix/x86/i915-restrict-DRM_I915_HWS_ADDR.patch]
+2.6.15-dapper-security: N/A
+2.6.20-feisty-security: ignored (EOL)
+2.6.22-gutsy-security: released (2.6.22-15.59)
+2.6.24-hardy-security: released (2.6.24-21.43)
+2.6.27-intrepid-security: needed

Copied: retired/CVE-2008-5300 (from rev 1586, active/CVE-2008-5300)
===================================================================
--- retired/CVE-2008-5300	                        (rev 0)
+++ retired/CVE-2008-5300	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,14 @@
+Candidate: CVE-2008-5300
+Description:
+References:
+ http://marc.info/?l=linux-netdev&m=122721862313564&w=2
+ http://marc.info/?l=linux-netdev&m=122765505415944&w=2
+ https://bugzilla.redhat.com/show_bug.cgi?id=470201
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.28)
+linux-2.6: released (2.6.26-12) [bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-23etch1) [bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.7) [bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch]
+2.6.26-lenny-security: released (2.6.26-12) [bugfix/all/net-unix-gc-fix-soft-lockups-oom-issues.patch]

Copied: retired/CVE-2009-1338 (from rev 1584, active/CVE-2009-1338)
===================================================================
--- retired/CVE-2009-1338	                        (rev 0)
+++ retired/CVE-2009-1338	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,18 @@
+Candidate: CVE-2009-1338
+Description:
+References:
+ http://lwn.net/Articles/259217/
+ https://bugzilla.redhat.com/show_bug.cgi?id=496031
+ http://git.kernel.org/linus/d25141a818383b3c3b09f065698c544a7a0ec6e7
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.28-rc3) [d25141a818383b3c3b09f065698c544a7a0ec6e7]
+linux-2.6: released (2.6.29-1)
+2.6.18-etch-security: N/A
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.8etch1) [bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch, bugfix/all/pid-extend+fix-pid_vnr.patch]
+2.6.26-lenny-security: released (2.6.26-15lenny1) [bugfix/all/limit_kill_sig_-1_to_callers_namespace.patch]
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:

Copied: retired/CVE-2009-1883 (from rev 1589, active/CVE-2009-1883)
===================================================================
--- retired/CVE-2009-1883	                        (rev 0)
+++ retired/CVE-2009-1883	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,13 @@
+Candidate: CVE-2009-1883
+Description:
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/15/1
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1883
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: N/A "vulnerable code not present"
+linux-2.6: N/A "vulnerable code not present"
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1) [bugfix/s390/z90crypt-missing-cap-check.patch]
+2.6.24-etch-security: N/A "vulnerable code not present"
+2.6.26-lenny-security: N/A "vulnerable code not present"

Copied: retired/CVE-2009-2846 (from rev 1589, active/CVE-2009-2846)
===================================================================
--- retired/CVE-2009-2846	                        (rev 0)
+++ retired/CVE-2009-2846	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,18 @@
+Candidate: CVE-2009-2846
+Description:
+Description:
+ parisc: isa-eeprom missing lower bound check
+ .
+ loff_t is a signed type. If userspace passes a negative ppos, the
+ "count" range check is weakened. If ppos is negative, the readb() later
+ in the function will poke in random memory. Only affects if you are
+ using a PA-RISC kernel with CONFIG_EISA set.
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.31-rc6) [6b4dbcd8]
+linux-2.6: released (2.6.30-6) [bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/hppa/isa-eeprom-fix-loff_t-usage.patch]
+2.6.26-lenny-security: released (2.6.26-19) [bugfix/parisc/isa-eeprom-fix-loff_t-usage.patch]

Copied: retired/CVE-2009-2847 (from rev 1589, active/CVE-2009-2847)
===================================================================
--- retired/CVE-2009-2847	                        (rev 0)
+++ retired/CVE-2009-2847	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,25 @@
+Candidate: CVE-2009-2847
+Description:
+ do_sigaltstack: avoid copying 'stack_t' as a structure to user space
+.
+ Ulrich Drepper correctly points out that there is generally padding in
+ the structure on 64-bit hosts, and that copying the structure from
+ kernel to user space can leak information from the kernel stack in those
+ padding bytes.
+.
+ Avoid the whole issue by just copying the three members one by one
+ instead, which also means that the function also can avoid the need for
+ a stack frame. This also happens to match how we copy the new structure
+ from user space, so it all even makes sense.
+References:
+ http://git.kernel.org/linus/0083fc2c50e6c5127c2802ad323adf8143ab7856
+ https://bugzilla.redhat.com/show_bug.cgi?id=515392
+ http://milw0rm.com/exploits/9352
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.31-rc6) [0083fc2]
+linux-2.6: released (2.6.30-6) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
+2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/do_sigaltstack-avoid-copying-stack_t-as-a-structure-to-userspace.patch]
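Review bot: the two paragraph separators inside Description: are written as a bare "." at field level, whereas the rest of the tracker writes them as " ." with a leading space (compare the CVE-2009-3623 record in this same commit); without the space the line is not part of the Description continuation. Also, the Ubuntu rows (2.6.15-dapper-security and friends) that other records carry are absent here.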

Copied: retired/CVE-2009-2848 (from rev 1589, active/CVE-2009-2848)
===================================================================
--- retired/CVE-2009-2848	                        (rev 0)
+++ retired/CVE-2009-2848	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,14 @@
+Candidate: CVE-2009-2848
+Description:
+ execve must clear curent->child_tid
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=515423
+ http://article.gmane.org/gmane.linux.kernel/871942
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.31) [9c8a8228d0827e0d91d28527209988f672f97d28]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
+2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/execve-must-clear-current-clear_child_tid.patch]
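Review bot: "curent->child_tid" in the Description: line should read "current->clear_child_tid", matching the patch name execve-must-clear-current-clear_child_tid.patch used in the three Debian rows below it; a misspelled field name makes the record hard to find by search.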

Copied: retired/CVE-2009-2849 (from rev 1589, active/CVE-2009-2849)
===================================================================
--- retired/CVE-2009-2849	                        (rev 0)
+++ retired/CVE-2009-2849	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,15 @@
+Candidate: CVE-2009-2849
+Description:
+ md raid null pointer dereference (when sysfs available)
+References:
+ http://xorl.wordpress.com/2009/07/21/linux-kernel-md-driver-null-pointer-dereference/
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.30.y.git;a=commit;h=3c92900d9a4afb176d3de335dc0da0198660a244
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b8d966efd9a46a9a35beac50cbff6e30565125ef
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.30.2, 2.6.31-rc) [b8d966e]
+linux-2.6: released (2.6.30-4) [bugfix/all/stable/2.6.30.2.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-24etch4) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
+2.6.26-lenny-security: released (2.6.26-19) [bugfix/all/md-avoid-NULL-deref-with-suspend-sysfs-attribs.patch]
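Review bot: "upstream: released (2.6.30.2, 2.6.31-rc)" gives no rc number for the mainline fix; record the actual rc (the full commit id b8d966efd9a46a9a35beac50cbff6e30565125ef is already in References:) so a reader can tell which mainline release carries it.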

Copied: retired/CVE-2009-2903 (from rev 1589, active/CVE-2009-2903)
===================================================================
--- retired/CVE-2009-2903	                        (rev 0)
+++ retired/CVE-2009-2903	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,25 @@
+Candidate: CVE-2009-2903
+Description:
+ The check for the ipddpN device in the handle_ip_over_ddp() function 
+ returns -NODEV to the atalk_rcv() function when the device does not 
+ exist. The atalk_rcv() function then directly returns that value to its 
+ caller. There is a missing call to kfree_skb() in these unaccepted 
+ IP-DDP datagram that can exhaust the kernel memory eventually. It 
+ affects Linux hosts with appletalk and ipddp modules loaded, that are 
+ attached to the same link. Thanks to Mark Smith for reporting this issue 
+ to us.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;a=commit;h=ffcfb8db540ff879c2a85bf7e404954281443414
+ https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2903#c3
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/networking/ipddp.txt;h=661a5558dd8e928f15771c07ef34b3ee9cb81e57;hb=HEAD
+ http://www.openwall.com/lists/oss-security/2009/08/30/1
+ https://bugzilla.redhat.com/CVE-2009-2903#c0 and
+ http://kbase.redhat.com/faq/docs/DOC-19069
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.32-rc1) [ffcfb8db540ff879c2a85bf7e404954281443414], released (2.6.31.4) [fb0e8709eef2d06ec5d5b1f30e043432a477c1fe]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch, bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch]
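Review bot: the References: line "https://bugzilla.redhat.com/CVE-2009-2903#c0 and" carries a stray "and"; the tracker keeps one URL per line, so drop the word. Also, 2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1) names no patch files while the 2.6.24 and 2.6.26 rows list the two appletalk patches; add them for consistency.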

Copied: retired/CVE-2009-2908 (from rev 1589, active/CVE-2009-2908)
===================================================================
--- retired/CVE-2009-2908	                        (rev 0)
+++ retired/CVE-2009-2908	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,19 @@
+Candidate: CVE-2009-2908
+Description:
+ When calling vfs_unlink() on the lower dentry, d_delete() turns the
+ dentry into a negative dentry when the d_count is 1.  This eventually
+ caused a NULL pointer deref when a read() or write() was done and the
+ negative dentry's d_inode was dereferenced in
+ ecryptfs_read_update_atime() or ecryptfs_getxattr().
+References:
+ http://www.openwall.com/lists/oss-security/2009/10/06/1
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136
+ https://bugzilla.redhat.com/show_bug.cgi?id=527534
+Notes:
+ jmm> Introduced in 2.6.19
+Bugs:
+upstream: released (2.6.31.2) [afc2b6932f48f200736d3e36ad66fee0ec733136], released (2.6.32-rc3) [9c2d2056647790c5034d722bd24e9d913ebca73c]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]
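Review bot: the 2.6.18-etch-security: N/A row should carry the reason string already given in Notes: ("Introduced in 2.6.19"), in the form the other records use (e.g. N/A "introduced in 2.6.25"), so the justification is visible in the status row itself. The record also lacks the Ubuntu-Description: field that the neighbouring records have.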

Copied: retired/CVE-2009-2909 (from rev 1589, active/CVE-2009-2909)
===================================================================
--- retired/CVE-2009-2909	                        (rev 0)
+++ retired/CVE-2009-2909	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,14 @@
+Candidate: CVE-2009-2909
+Description:
+ incorrect signedness check in net ax25
+References:
+ http://www.openwall.com/lists/oss-security/2009/10/07/2
+ http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=b7058842c940ad2c08dd829b21e5c92ebe3b8758
+ http://article.gmane.org/gmane.linux.kernel/896907
+Notes:
+Bugs:
+upstream: released (2.6.30.9) [80a761c59bfe01de1deeb5fc66f5b7fbb3e1bfcf], pending (2.6.32-rc3) [b7058842c940ad2c08dd829b21e5c92ebe3b8758], released (2.6.31.2) [5c7fba322917ef91842676de55fba470bc2af5f3]
+linux-2.6: released (2.6.30-9) [bugfix/all/stable/2.6.30.9.patch], released (2.6.31-1)
+2.6.18-etch-security:
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch]
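Review bot: 2.6.18-etch-security: is left blank and the mainline entry still reads "pending (2.6.32-rc3)"; retiring the issue with an undetermined status takes it off the active list without a decision being recorded. Either mark the 2.6.18 row N/A with a reason or give the released version, and update the pending entry, before retiring.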

Copied: retired/CVE-2009-3001 (from rev 1589, active/CVE-2009-3001)
===================================================================
--- retired/CVE-2009-3001	                        (rev 0)
+++ retired/CVE-2009-3001	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,19 @@
+Candidate: CVE-2009-3001
+Description:
+ The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel
+ 2.6.31-rc7 and earlier does not initialize a certain data structure,
+ which allows local users to read the contents of some kernel memory
+ locations by calling getsockname on an AF_LLC socket. 
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=519305
+ http://git.kernel.org/linus/28e9fc592cb8c7a43e4d3147b38be6032a0e81bc
+ http://jon.oberheide.org/files/llc-getsockname-leak.c
+Ubuntu-Description:
+Notes:
+ gilbert> minor info leak, so not very urgent
+Bugs:
+upstream: released (2.6.31-rc8) [28e9fc592cb8c7a43e4d3147b38be6032a0e81bc]
+linux-2.6: released (2.6.31-1~experimental.1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/net-llc-zero-sockaddr_llc-struct.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/net-llc-zero-sockaddr_llc-struct.patch]

Copied: retired/CVE-2009-3002 (from rev 1589, active/CVE-2009-3002)
===================================================================
--- retired/CVE-2009-3002	                        (rev 0)
+++ retired/CVE-2009-3002	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,25 @@
+Candidate: CVE-2009-3002
+Description:
+ The Linux kernel before 2.6.31-rc7 does not initialize certain data
+ structures within getname functions, which allows local users to read
+ the contents of some kernel memory locations by calling getsockname on
+ (1) an AF_APPLETALK socket, related to the atalk_getname function in
+ net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the
+ irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket,
+ related to the econet_getname function in net/econet/af_econet.c; (4)
+ an AF_NETROM socket, related to the nr_getname function in
+ net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the
+ rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket,
+ related to the raw_getname function in net/can/raw.c. 
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3002
+ https://bugzilla.redhat.com/show_bug.cgi?id=519305
+Ubuntu-Description:
+Notes:
+ gilbert> these are just minor info leaks, so not really very urgent
+Bugs:
+upstream: released (2.6.31-rc7) [09384dfc76e526c3993c09c42e016372dc9dd22c,17ac2e9c58b69a1e25460a568eae1b0dc0188c25,80922bbb12a105f858a8f0abb879cb4302d0ecaa,e84b90ae5eb3c112d1f208964df1d8156a538289,f6b97b29513950bfbf621a83d85b6f86b39ec8db]
+linux-2.6: released (2.6.30-7) [bugfix/all/stable/2.6.30.6.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/irda-fix-irda_getname-leak.patch, bugfix/all/rose-fix-rose_getname-leak.patch, bugfix/all/econet-fix-econet_getname-leak.patch, bugfix/all/netrom-fix-nr_getname-leak.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/irda-fix-irda_getname-leak.patch, bugfix/all/rose-fix-rose_getname-leak.patch, bugfix/all/econet-fix-econet_getname-leak.patch, bugfix/all/can-fix-raw_getname-leak.patch, bugfix/all/netrom-fix-nr_getname-leak.patch]
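Review bot: the 2.6.24-etch-security row lists four patches and the 2.6.26-lenny-security row five (it adds can-fix-raw_getname-leak.patch); the difference is presumably because net/can is absent from 2.6.24 (CAN was merged in 2.6.25), but that reasoning belongs in Notes:. Neither row includes a fix for (1) atalk_getname in net/appletalk/ddp.c, which the Description lists as affected; confirm it was handled or record why it was not.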

Copied: retired/CVE-2009-3228 (from rev 1589, active/CVE-2009-3228)
===================================================================
--- retired/CVE-2009-3228	                        (rev 0)
+++ retired/CVE-2009-3228	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,27 @@
+Candidate: CVE-2009-3228
+Description:
+ The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the 
+ Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize
+ certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow
+ local users to obtain sensitive information from kernel memory via unspecified
+ vectors.
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/03/1
+ http://www.openwall.com/lists/oss-security/2009/09/05/2
+ http://www.openwall.com/lists/oss-security/2009/09/06/2
+ http://www.openwall.com/lists/oss-security/2009/09/07/2
+ http://www.openwall.com/lists/oss-security/2009/09/17/1
+ http://www.openwall.com/lists/oss-security/2009/09/17/9
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commit;h=096ed17f20affc2db0e307658c69
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=16ebb5e0b36ceadc8186f71d68b0c4f
+ http://patchwork.ozlabs.org/patch/32830/
+ http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.6
+ http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.31/ChangeLog-2.6.31-rc9
+ https://bugzilla.redhat.com/show_bug.cgi?id=520990
+Notes:
+Bugs:
+upstream: released (2.6.31)
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/tc-fix-pad-leak.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/tc-fix-pad-leak.patch]
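Review bot: the two git.kernel.org references carry truncated commit hashes (096ed17f20affc2db0e307658c69 is 28 hex digits, 16ebb5e0b36ceadc8186f71d68b0c4f is 31), so those URLs may not resolve; replace them with the full ids. The upstream: released (2.6.31) row also has no commit id in brackets, unlike the other records in this commit.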

Copied: retired/CVE-2009-3234 (from rev 1584, active/CVE-2009-3234)
===================================================================
--- retired/CVE-2009-3234	                        (rev 0)
+++ retired/CVE-2009-3234	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,20 @@
+Candidate: CVE-2009-3234
+Description:
+ "If we pass a big size data over perf_counter_open() syscall, the kernel 
+ will copy this data to a small buffer, it will cause kernel crash."
+References:
+ http://www.openwall.com/lists/oss-security/2009/09/16/1
+Ubuntu-Description:
+Notes:
+ kernel/perf_counter.c was introduced in commit 0793a61d (v2.6.31-rc1)
+ brad spengler has working exploit code for this one, so high-urgency
+Bugs:
+upstream: released (2.6.31.1) [986ddf533c1dd6852196182084aefe1ca9eda34e], pending (2.6.32-rc2) [b3e62e3]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A "vulnerable code not present"
+2.6.24-etch-security: N/A "vulnerable code not present"
+2.6.26-lenny-security: N/A "vulnerable code not present"
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
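Review bot: the upstream: row still says "pending (2.6.32-rc2) [b3e62e3]" and the four Ubuntu rows (2.6.15-dapper-security through 2.6.27-intrepid-security) are blank; a retired record should not carry pending or empty statuses, so fill them in or note why they are left. The Description is a quotation with no attribution; if the oss-security post in References: is its source, say so in Notes:, which already records the exploit-availability assessment that drives the urgency.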

Copied: retired/CVE-2009-3238 (from rev 1589, active/CVE-2009-3238)
===================================================================
--- retired/CVE-2009-3238	                        (rev 0)
+++ retired/CVE-2009-3238	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,20 @@
+Candidate: CVE-2009-3238
+Description:
+ The get_random_int function in drivers/char/random.c in the Linux kernel before 
+ 2.6.30 produces insufficiently random numbers, which allows attackers to predict the 
+ return value, and possibly defeat protection mechanisms based on randomization, via 
+ vectors that leverage the function's tendency to "return the same value over and
+ over again for long stretches of time."
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3238
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02
+ http://patchwork.kernel.org/patch/21766/
+ https://bugzilla.redhat.com/show_bug.cgi?id=499785
+ https://bugzilla.redhat.com/show_bug.cgi?id=519692
+Notes:
+Bugs:
+upstream: released (2.6.30) [8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02]
+linux-2.6: released (2.6.30-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1)
+2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/random-make-get_random_int-more-random.patch]
+2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/random-make-get_random_int-more-random.patch]

Copied: retired/CVE-2009-3280 (from rev 1584, active/CVE-2009-3280)
===================================================================
--- retired/CVE-2009-3280	                        (rev 0)
+++ retired/CVE-2009-3280	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,16 @@
+Candidate: CVE-2009-3280
+Description:
+References:
+  http://www.openwall.com/lists/oss-security/2009/09/16/2
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.32-rc1, 2.6.30.8) [fcc6cb0c13555e78c2d47257b6d1b5e59b0c419a]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A "vulnerable code not present"
+2.6.24-etch-security: N/A "vulnerable code not present"
+2.6.26-lenny-security: N/A "vulnerable code not present"
+2.6.15-dapper-security:
+2.6.22-gutsy-security:
+2.6.24-hardy-security:
+2.6.27-intrepid-security:
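Review bot: Description: is empty, so nothing in this record says what CVE-2009-3280 is beyond the oss-security URL; add at least a one-line summary before retiring it. The References: entry is also indented with two spaces instead of one, unlike every other record, and the four Ubuntu rows are blank.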

Copied: retired/CVE-2009-3623 (from rev 1584, active/CVE-2009-3623)
===================================================================
--- retired/CVE-2009-3623	                        (rev 0)
+++ retired/CVE-2009-3623	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,28 @@
+Candidate: CVE-2009-3623
+Description:
+ "On setting up the callback to the client, we attempt to use the same
+ authentication flavor the client did.  We find an rpc cred to use by
+ calling rpcauth_lookup_credcache(), which assumes that the given
+ authentication flavor has a credentials cache.  However, this is not
+ required to be true--in particular, auth_null does not use one.
+ Instead, we should call the auth's lookup_cred() method.
+ .
+ Without this, a client attempting to mount using nfsv4 and auth_null
+ triggers a null dereference."
+ .
+ The code was introduced in upstream commit 3cef9ab2 (v2.6.31-rc1),
+ fixed in 886e3b7f (v2.6.32-rc1), and was later replaced by 80fc015b in
+ the same version.
+References:
+ http://article.gmane.org/gmane.linux.nfs/26513
+ https://bugzilla.redhat.com/show_bug.cgi?id=530269
+ http://git.kernel.org/linus/3cef9ab266a932899e756f7e1ea7a988a97bf3b2
+ http://git.kernel.org/linus/886e3b7fe6054230c89ae078a09565ed183ecc73
+ http://git.kernel.org/linus/80fc015bdfe1f5b870c1e1ee02d78e709523fee7
+Notes:
+Bugs:
+upstream: released (2.6.32-rc1), released (2.6.31.2) [b9703d921e254b499b300d652b4f35420176d509]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A
+2.6.24-etch-security: N/A
+2.6.26-lenny-security: N/A
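Review bot: the three N/A rows give no reason string although the Description states the code was introduced in 3cef9ab2 (v2.6.31-rc1); write them as N/A "introduced in 2.6.31-rc1" as the other records do. The introduced/fixed/replaced commit history sits in Description: while Notes: is empty; the other records keep that kind of tracking information in Notes:.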

Copied: retired/CVE-2009-3638 (from rev 1589, active/CVE-2009-3638)
===================================================================
--- retired/CVE-2009-3638	                        (rev 0)
+++ retired/CVE-2009-3638	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,15 @@
+Candidate: CVE-2009-3638
+Description:
+ integer overflow in kvm_dev_ioctl_get_supported_cpuid()
+References:
+ http://www.openwall.com/lists/oss-security/2009/10/23/5
+ https://bugzilla.redhat.com/show_bug.cgi?id=530515
+ http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
+Notes:
+ introduced in 2.6.25 (commit 0771671749b59a507b6da4efb931c44d9691e248)
+Bugs:
+upstream: released (2.6.32-rc4) [6a54435560efdab1a08f429a954df4d6c740bddf], released (2.6.31.4) [779632b438a79ab1ed1f0da390712b12db3b2a58]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A "introduced in 2.6.25"
+2.6.24-etch-security: N/A "introduced in 2.6.25"
+2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch]

Copied: retired/CVE-2009-3722 (from rev 1584, active/CVE-2009-3722)
===================================================================
--- retired/CVE-2009-3722	                        (rev 0)
+++ retired/CVE-2009-3722	2009-11-12 22:21:16 UTC (rev 1590)
@@ -0,0 +1,15 @@
+Candidate:
+Description:
+ Debug registers may only be accessed from cpl 0.  Unfortunately, vmx will
+ code to emulate the instruction even though it was issued from guest
+ userspace, possibly leading to an unexpected trap later.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commitdiff;h=bd634611e589582bba636434af7fcbf782eceb42
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.31.1) [bd634611e589582bba636434af7fcbf782eceb42], released (2.6.32-rc1) [0a79b009525b160081d75cef5dbf45817956acf2]
+linux-2.6: released (2.6.31-1)
+2.6.18-etch-security: N/A "introduced in 2.6.30-rc1"
+2.6.24-etch-security: N/A "introduced in 2.6.30-rc1"
+2.6.26-lenny-security: N/A "introduced in 2.6.30-rc1"
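Review bot: Candidate: is empty although the file is retired/CVE-2009-3722; fill it in, since the tracker keys records on that field. The Description line "vmx will code to emulate the instruction" appears to be missing a word in the quoted commit message; mark it as a quotation or add a clarifying sentence in Notes:, which is empty.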



