[kernel-sec-discuss] r2084 - active retired

Moritz Muehlenhoff jmm at alioth.debian.org
Sun Dec 12 11:56:40 UTC 2010


Author: jmm
Date: 2010-12-12 11:56:40 +0000 (Sun, 12 Dec 2010)
New Revision: 2084

Added:
   retired/CVE-2010-2963
   retired/CVE-2010-3067
   retired/CVE-2010-3084
   retired/CVE-2010-3296
   retired/CVE-2010-3297
   retired/CVE-2010-3310
   retired/CVE-2010-3432
   retired/CVE-2010-3442
   retired/CVE-2010-3448
   retired/CVE-2010-3698
Removed:
   active/CVE-2010-2963
   active/CVE-2010-3067
   active/CVE-2010-3084
   active/CVE-2010-3296
   active/CVE-2010-3297
   active/CVE-2010-3310
   active/CVE-2010-3432
   active/CVE-2010-3442
   active/CVE-2010-3448
   active/CVE-2010-3698
Log:
retire more issues


Deleted: active/CVE-2010-2963
===================================================================
--- active/CVE-2010-2963	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-2963	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,10 +0,0 @@
-Candidate: CVE-2010-2963
-Description: v4l: VIDIOCSMICROCODE arbitrary write
-References:
-Notes:
-Bugs:
-upstream: released (2.6.36) [3e645d6]
-2.6.32-upstream-stable: released (2.6.32.25)
-linux-2.6: released (2.6.32-26)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch]
-2.6.32-squeeze-security: released (2.6.32-26)

Deleted: active/CVE-2010-3067
===================================================================
--- active/CVE-2010-3067	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3067	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,11 +0,0 @@
-Candidate: CVE-2010-3067
-Description: fs/aio.c integer overflow
-References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067
-Notes:
-Bugs:
-upstream: released (2.6.36-rc5) [75e1c70f]
-2.6.32-upstream-stable: released (2.6.32.23)
-linux-2.6: released (2.6.32-24)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch]
-2.6.32-squeeze-security: released (2.6.32-24)

Deleted: active/CVE-2010-3084
===================================================================
--- active/CVE-2010-3084	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3084	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,12 +0,0 @@
-Candidate: cve-2010-3084
-Description: niu buffer overflow for ETHTOOL_GRXCLSRLALL
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=632069
-Notes:
- commit ee9c5cfa
-Bugs:
-upstream: released (2.6.36-rc4) 
-2.6.32-upstream-stable:
-linux-2.6: released (2.6.32-25) [bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch]
-2.6.26-lenny-security: N/A "vulnerable code not added until 2d96cf8 in 2.6.30"
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch]

Deleted: active/CVE-2010-3296
===================================================================
--- active/CVE-2010-3296	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3296	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,12 +0,0 @@
-Candidate: cve-2010-3296
-Description: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory
-References:
- https://bugzilla.redhat.com/633149
-Notes:
- jmm> 49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de
-Bugs:
-upstream: released (2.6.36-rc5)
-2.6.32-upstream-stable: released (2.6.32.23)
-linux-2.6: released (2.6.32-24)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch]
-2.6.32-squeeze-security: released (2.6.32-24)

Deleted: active/CVE-2010-3297
===================================================================
--- active/CVE-2010-3297	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3297	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,12 +0,0 @@
-Candidate: CVE-2010-3297
-Description: drivers/net/eql.c: reading uninitialized stack memory
-References:
- https://bugzilla.redhat.com/633145
-Notes:
- jmm> 44467187dc22fdd33a1a06ea0ba86ce20be3fe3c
-Bugs:
-upstream: released (2.6.36-rc5)
-2.6.32-upstream-stable: released (2.6.32.23)
-linux-2.6: released (2.6.32-24)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch]
-2.6.32-squeeze-security: released (2.6.32-24)

Deleted: active/CVE-2010-3310
===================================================================
--- active/CVE-2010-3310	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3310	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,14 +0,0 @@
-Candidate: CVE-2010-3310
-Description:
-References:
- http://www.openwall.com/lists/oss-security/2010/09/21/1
- http://marc.info/?l=linux-netdev&m=128502238927086&w=2
-Notes:
- jmm> 9828e6e6e3f19efcb476c567b9999891d051f52f
- jmm> submitted for 2.6.32.x stable
-Bugs:
-upstream: released (2.6.36-rc6)
-2.6.32-upstream-stable: released (2.6.32.25)
-linux-2.6: released (2.6.32-25) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]

Deleted: active/CVE-2010-3432
===================================================================
--- active/CVE-2010-3432	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3432	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,15 +0,0 @@
-Candidate: CVE-2010-3432
-Description:
- sctp_packet_config() is called when getting the packet ready for appending of
- chunks.  The function should not touch the current state, since it's possible
- to ping-pong between two transports when sending, and that can result packet
- corruption followed by skb overlfow crash.
-References:
- 4bdab43323b459900578b200a4b8cf9713ac8fab
-Notes:
-Bugs:
-upstream: released (2.6.36-rc5)
-2.6.32-upstream-stable: released (2.6.32.23)
-linux-2.6: released (2.6.32-24)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch]
-2.6.32-squeeze-security: released (2.6.32-24)

Deleted: active/CVE-2010-3442
===================================================================
--- active/CVE-2010-3442	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3442	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,24 +0,0 @@
-Candidate: CVE-2010-3442
-Description:
- > On 09/29/2010 03:01 PM, Marcus Meissner wrote:
- > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
- > >> Reported by Dan Rosenberg. The snd_ctl_new() function in
- > >> sound/core/control.c allocates space for a snd_kcontrol struct by
- > >> performing arithmetic operations on a user-provided size without
- > >> checking for integer overflow.  If a user provides a large enough size
- > >> an overflow will occur, the allocated chunk will be too small, and a
- > >> second user-influenced value will be written repeatedly past the bounds
- > >> of this chunk. This code is reachable by unprivileged users who have
- > >> permission to open a /dev/snd/controlC* device (on many distros, this is
- >  >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
- > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
-References:
- http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779
-Notes:
- jmm> 5591bf07225523600450edd9e6ad258bb877b779
-Bugs:
-upstream: released (2.6.36)
-2.6.32-upstream-stable: released (2.6.32.25)
-linux-2.6: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]

Deleted: active/CVE-2010-3448
===================================================================
--- active/CVE-2010-3448	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3448	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,11 +0,0 @@
-Candidate: CVE-2010-3448
-Description:
-References:
- jmm> b525c06cdbd8a3963f0173ccd23f9147d4c384b5
-Notes:
-Bugs: 565790
-upstream: released (2.6.34)
-2.6.32-upstream-stable: released (2.6.32.12)
-linux-2.6: released (2.6.32-12)
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch]
-2.6.32-squeeze-security: released (2.6.32-12)

Deleted: active/CVE-2010-3698
===================================================================
--- active/CVE-2010-3698	2010-12-11 16:54:42 UTC (rev 2083)
+++ active/CVE-2010-3698	2010-12-12 11:56:40 UTC (rev 2084)
@@ -1,10 +0,0 @@
-Candidate: CVE-2010-3698
-Description: KVM: fs/gs reload oops with invalid ldt
-References:
-Notes:
-Bugs:
-upstream: released (2.6.36) [9581d442b9058d3699b4be568b6e5eae38a41493]
-2.6.32-upstream-stable: released (2.6.32.26)
-linux-2.6: released (2.6.32-28) [bugfix/all/stable/2.6.32.26.patch]
-2.6.26-lenny-security: N/A "code not present"
-2.6.32-squeeze-security: released (2.6.32-28) [bugfix/all/stable/2.6.32.26.patch]

Copied: retired/CVE-2010-2963 (from rev 2079, active/CVE-2010-2963)
===================================================================
--- retired/CVE-2010-2963	                        (rev 0)
+++ retired/CVE-2010-2963	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,10 @@
+Candidate: CVE-2010-2963
+Description: v4l: VIDIOCSMICROCODE arbitrary write
+References:
+Notes:
+Bugs:
+upstream: released (2.6.36) [3e645d6]
+2.6.32-upstream-stable: released (2.6.32.25)
+linux-2.6: released (2.6.32-26)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/v4l1-fix-compat-microcode-loading-translation.patch]
+2.6.32-squeeze-security: released (2.6.32-26)

Copied: retired/CVE-2010-3067 (from rev 2079, active/CVE-2010-3067)
===================================================================
--- retired/CVE-2010-3067	                        (rev 0)
+++ retired/CVE-2010-3067	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,11 @@
+Candidate: CVE-2010-3067
+Description: fs/aio.c integer overflow
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067
+Notes:
+Bugs:
+upstream: released (2.6.36-rc5) [75e1c70f]
+2.6.32-upstream-stable: released (2.6.32.23)
+linux-2.6: released (2.6.32-24)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/aio-check-for-multiplication-overflow-in-do_io_submit.patch]
+2.6.32-squeeze-security: released (2.6.32-24)

Copied: retired/CVE-2010-3084 (from rev 2079, active/CVE-2010-3084)
===================================================================
--- retired/CVE-2010-3084	                        (rev 0)
+++ retired/CVE-2010-3084	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,12 @@
+Candidate: cve-2010-3084
+Description: niu buffer overflow for ETHTOOL_GRXCLSRLALL
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=632069
+Notes:
+ commit ee9c5cfa
+Bugs:
+upstream: released (2.6.36-rc4) 
+2.6.32-upstream-stable:
+linux-2.6: released (2.6.32-25) [bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch]
+2.6.26-lenny-security: N/A "vulnerable code not added until 2d96cf8 in 2.6.30"
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/niu-fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLALL.patch]
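Review bot: the `2.6.32-upstream-stable:` line has no status, yet the record is being moved to retired/. A reader cannot tell whether that branch was fixed, unaffected or overlooked. Give it an explicit state before retiring, either a released version or an N/A with a reason, as the lenny line does. Two smaller points in the same record: the Candidate value is lowercase (`cve-2010-3084`) where most other records in this commit use `CVE-`, and the upstream line has trailing whitespace and records the fix only as `commit ee9c5cfa` under Notes instead of in brackets after the status, as the CVE-2010-2963 record does.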

Copied: retired/CVE-2010-3296 (from rev 2079, active/CVE-2010-3296)
===================================================================
--- retired/CVE-2010-3296	                        (rev 0)
+++ retired/CVE-2010-3296	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,12 @@
+Candidate: cve-2010-3296
+Description: drivers/net/cxgb3/cxgb3_main.c reading uninitialized stack memory
+References:
+ https://bugzilla.redhat.com/633149
+Notes:
+ jmm> 49c37c0334a9b85d30ab3d6b5d1acb05ef2ef6de
+Bugs:
+upstream: released (2.6.36-rc5)
+2.6.32-upstream-stable: released (2.6.32.23)
+linux-2.6: released (2.6.32-24)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/cxgb3-prevent-reading-uninitialized-stack-memory.patch]
+2.6.32-squeeze-security: released (2.6.32-24)
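Review bot: the Candidate line reads `cve-2010-3296` in lowercase while the file name and most other records in this commit use uppercase `CVE-`. A case-sensitive grep or script keyed on the Candidate field would miss this record, so normalise it to `CVE-2010-3296` as part of the move.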

Copied: retired/CVE-2010-3297 (from rev 2079, active/CVE-2010-3297)
===================================================================
--- retired/CVE-2010-3297	                        (rev 0)
+++ retired/CVE-2010-3297	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,12 @@
+Candidate: CVE-2010-3297
+Description: drivers/net/eql.c: reading uninitialized stack memory
+References:
+ https://bugzilla.redhat.com/633145
+Notes:
+ jmm> 44467187dc22fdd33a1a06ea0ba86ce20be3fe3c
+Bugs:
+upstream: released (2.6.36-rc5)
+2.6.32-upstream-stable: released (2.6.32.23)
+linux-2.6: released (2.6.32-24)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/net-eql-prevent-reading-uninitialized-stack-memory.patch]
+2.6.32-squeeze-security: released (2.6.32-24)

Copied: retired/CVE-2010-3310 (from rev 2079, active/CVE-2010-3310)
===================================================================
--- retired/CVE-2010-3310	                        (rev 0)
+++ retired/CVE-2010-3310	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,14 @@
+Candidate: CVE-2010-3310
+Description:
+References:
+ http://www.openwall.com/lists/oss-security/2010/09/21/1
+ http://marc.info/?l=linux-netdev&m=128502238927086&w=2
+Notes:
+ jmm> 9828e6e6e3f19efcb476c567b9999891d051f52f
+ jmm> submitted for 2.6.32.x stable
+Bugs:
+upstream: released (2.6.36-rc6)
+2.6.32-upstream-stable: released (2.6.32.25)
+linux-2.6: released (2.6.32-25) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/rose-fix-signedness-issues-wrt-digi-count.patch]
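Review bot: the Description field is empty, so the retired record says what was fixed only indirectly, through the patch file name (`rose-fix-signedness-issues-wrt-digi-count.patch`) and two external links that may not stay reachable. Add a one-line Description before archiving, in the style of the other records, naming the affected subsystem and the class of bug.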

Copied: retired/CVE-2010-3432 (from rev 2079, active/CVE-2010-3432)
===================================================================
--- retired/CVE-2010-3432	                        (rev 0)
+++ retired/CVE-2010-3432	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,15 @@
+Candidate: CVE-2010-3432
+Description:
+ sctp_packet_config() is called when getting the packet ready for appending of
+ chunks.  The function should not touch the current state, since it's possible
+ to ping-pong between two transports when sending, and that can result packet
+ corruption followed by skb overlfow crash.
+References:
+ 4bdab43323b459900578b200a4b8cf9713ac8fab
+Notes:
+Bugs:
+upstream: released (2.6.36-rc5)
+2.6.32-upstream-stable: released (2.6.32.23)
+linux-2.6: released (2.6.32-24)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-do-not-reset-the-packet-during-sctp_packet_config.patch]
+2.6.32-squeeze-security: released (2.6.32-24)
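Review bot: the Description text is copied with two defects, "can result packet corruption" (missing "in") and "skb overlfow" (for "overflow"). The second will defeat a text search for "overflow" across retired records. Fix both while the file is being touched. Also, References holds only a bare commit hash. Other records in this commit put the hash under Notes or in brackets after the upstream status, and keeping to one of those places makes the fix commit easier to extract.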

Copied: retired/CVE-2010-3442 (from rev 2079, active/CVE-2010-3442)
===================================================================
--- retired/CVE-2010-3442	                        (rev 0)
+++ retired/CVE-2010-3442	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,24 @@
+Candidate: CVE-2010-3442
+Description:
+ > On 09/29/2010 03:01 PM, Marcus Meissner wrote:
+ > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
+ > >> Reported by Dan Rosenberg. The snd_ctl_new() function in
+ > >> sound/core/control.c allocates space for a snd_kcontrol struct by
+ > >> performing arithmetic operations on a user-provided size without
+ > >> checking for integer overflow.  If a user provides a large enough size
+ > >> an overflow will occur, the allocated chunk will be too small, and a
+ > >> second user-influenced value will be written repeatedly past the bounds
+ > >> of this chunk. This code is reachable by unprivileged users who have
+ > >> permission to open a /dev/snd/controlC* device (on many distros, this is
+ >  >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
+ > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779
+Notes:
+ jmm> 5591bf07225523600450edd9e6ad258bb877b779
+Bugs:
+upstream: released (2.6.36)
+2.6.32-upstream-stable: released (2.6.32.25)
+linux-2.6: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
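Review bot: the Description is a pasted mail excerpt with three levels of quote markers, and the line beginning ` >  >> group "audio"` has a misaligned marker, so the field reads as a thread fragment, not a summary. Replace it with a one-line Description, for example along the lines of the patch name (heap corruption in snd_ctl_new via integer overflow), and keep the reporter credit and the reachability detail (the /dev/snd/controlC* access requirement) under Notes so they survive in the retired record.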

Copied: retired/CVE-2010-3448 (from rev 2079, active/CVE-2010-3448)
===================================================================
--- retired/CVE-2010-3448	                        (rev 0)
+++ retired/CVE-2010-3448	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,11 @@
+Candidate: CVE-2010-3448
+Description:
+References:
+ jmm> b525c06cdbd8a3963f0173ccd23f9147d4c384b5
+Notes:
+Bugs: 565790
+upstream: released (2.6.34)
+2.6.32-upstream-stable: released (2.6.32.12)
+linux-2.6: released (2.6.32-12)
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/x86/thinkpad-acpi-lock-down-video-output-state-access.patch]
+2.6.32-squeeze-security: released (2.6.32-12)
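Review bot: the Description is empty and the fix commit sits under References with a `jmm>` prefix, which the other records in this commit use only under Notes. Move the hash to Notes (or into brackets after the upstream status) and add a one-line Description. As it stands, the only hint at the issue is the patch file name `thinkpad-acpi-lock-down-video-output-state-access.patch` and the bare bug number 565790.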

Copied: retired/CVE-2010-3698 (from rev 2079, active/CVE-2010-3698)
===================================================================
--- retired/CVE-2010-3698	                        (rev 0)
+++ retired/CVE-2010-3698	2010-12-12 11:56:40 UTC (rev 2084)
@@ -0,0 +1,10 @@
+Candidate: CVE-2010-3698
+Description: KVM: fs/gs reload oops with invalid ldt
+References:
+Notes:
+Bugs:
+upstream: released (2.6.36) [9581d442b9058d3699b4be568b6e5eae38a41493]
+2.6.32-upstream-stable: released (2.6.32.26)
+linux-2.6: released (2.6.32-28) [bugfix/all/stable/2.6.32.26.patch]
+2.6.26-lenny-security: N/A "code not present"
+2.6.32-squeeze-security: released (2.6.32-28) [bugfix/all/stable/2.6.32.26.patch]



