[kernel-sec-discuss] r2212 - active retired

Moritz Muehlenhoff jmm at alioth.debian.org
Mon Mar 7 08:59:45 UTC 2011


Author: jmm
Date: 2011-03-07 08:59:45 +0000 (Mon, 07 Mar 2011)
New Revision: 2212

Added:
   retired/CVE-2010-3437
   retired/CVE-2010-3705
   retired/CVE-2010-4158
Removed:
   active/CVE-2010-3437
   active/CVE-2010-3705
   active/CVE-2010-4158
Log:
retire three issues


Deleted: active/CVE-2010-3437
===================================================================
--- active/CVE-2010-3437	2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-3437	2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,27 +0,0 @@
-Candidate: CVE-2010-3437
-Description: 
- > ----- "Eugene Teo" <eugeneteo at kernel.sg> wrote:
- > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS 
- > device ioctl retrieves a pointer to a pktcdvd_device from the global 
- > pkt_devs array.  The index into this array is provided directly by the
- > 
- > user and is a signed integer, so the comparison to ensure that it falls 
- > within the bounds of this array will fail when provided with a
- > negative index.
- > 
- > This can be used to read arbitrary kernel memory or cause a crash due to 
- > an invalid pointer dereference.  This can be exploited by users with 
- > permission to open /dev/pktcdvd/control (on many distributions, this is 
- > readable by group "cdrom").
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=638085
-Notes:
- exploit: http://jon.oberheide.org/files/cve-2010-3437.c
- only an info disclosure, but seems to be able to dump any/all kernel memory
- jmm> Submitted for 2.6.32.x on 2010-01-10.
-Bugs:
-upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]

Deleted: active/CVE-2010-3705
===================================================================
--- active/CVE-2010-3705	2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-3705	2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,14 +0,0 @@
-Candidate: CVE-2010-3705
-Description:
- sctp out-of-bounds issue
-References:
- http://marc.info/?l=linux-kernel&m=128596992418814&w=2
- http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
-Notes:
- jmm> Submitted for stable 2011-01-06
-Bugs:
-upstream: released (2.6.36) [51e97a12bef19b7e43199fc153cf9bd5f2140362]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]

Deleted: active/CVE-2010-4158
===================================================================
--- active/CVE-2010-4158	2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-4158	2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,14 +0,0 @@
-Candidate: CVE-2010-4158
-Description: socket filters infoleak
-References:
- http://www.spinics.net/lists/netdev/msg146361.html
- https://bugzilla.redhat.com/show_bug.cgi?id=651698
- http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077321.html
-Notes:
- jmm> pushed to 2.6.32 stable on 2011-01-11
-Bugs:
-upstream: released (2.6.37-rc2) [57fe93b374a6b8711995c2d466c502af9f3a08bb]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny2) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
-2.6.32-squeeze-security: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]

Copied: retired/CVE-2010-3437 (from rev 2211, active/CVE-2010-3437)
===================================================================
--- retired/CVE-2010-3437	                        (rev 0)
+++ retired/CVE-2010-3437	2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,27 @@
+Candidate: CVE-2010-3437
+Description: 
+ > ----- "Eugene Teo" <eugeneteo at kernel.sg> wrote:
+ > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS 
+ > device ioctl retrieves a pointer to a pktcdvd_device from the global 
+ > pkt_devs array.  The index into this array is provided directly by the
+ > 
+ > user and is a signed integer, so the comparison to ensure that it falls 
+ > within the bounds of this array will fail when provided with a
+ > negative index.
+ > 
+ > This can be used to read arbitrary kernel memory or cause a crash due to 
+ > an invalid pointer dereference.  This can be exploited by users with 
+ > permission to open /dev/pktcdvd/control (on many distributions, this is 
+ > readable by group "cdrom").
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=638085
+Notes:
+ exploit: http://jon.oberheide.org/files/cve-2010-3437.c
+ only an info disclosure, but seems to be able to dump any/all kernel memory
+ jmm> Submitted for 2.6.32.x on 2010-01-10.
+Bugs:
+upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
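
Review bot: The Notes line "jmm> Submitted for 2.6.32.x on 2010-01-10." carries a date that looks off by a year. The other two entries retired in this revision record their stable submissions as 2011-01-06 and 2011-01-11, so 2011-01-10 is probably what was meant; worth confirming and correcting before this file becomes the archived record. In the Description, the empty " > " line between "provided directly by the" and "user and is a signed integer" splits one sentence across two quoted paragraphs and can be dropped. The note "only an info disclosure" also sits oddly beside the quoted text's "or cause a crash due to an invalid pointer dereference"; listing both outcomes would keep Notes and Description consistent.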


Property changes on: retired/CVE-2010-3437
___________________________________________________________________
Added: svn:mergeinfo
   + 

Copied: retired/CVE-2010-3705 (from rev 2211, active/CVE-2010-3705)
===================================================================
--- retired/CVE-2010-3705	                        (rev 0)
+++ retired/CVE-2010-3705	2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,14 @@
+Candidate: CVE-2010-3705
+Description:
+ sctp out-of-bounds issue
+References:
+ http://marc.info/?l=linux-kernel&m=128596992418814&w=2
+ http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
+Notes:
+ jmm> Submitted for stable 2011-01-06
+Bugs:
+upstream: released (2.6.36) [51e97a12bef19b7e43199fc153cf9bd5f2140362]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
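
Review bot: The 2.6.26-lenny-security line names the patch "sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch" ("asoc"), while the linux-2.6 and 2.6.32-squeeze-security lines both use "sctp_assoc_get_hmac". If the lenny patch file really carries the different name, leave it; otherwise align the spelling so the path can be found by search. The Description "sctp out-of-bounds issue" is also thin for a retired record: the patch name already identifies an out-of-bounds read in sctp_assoc_get_hmac, and saying so in the Description would cost one line.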


Property changes on: retired/CVE-2010-3705
___________________________________________________________________
Added: svn:mergeinfo
   + 

Copied: retired/CVE-2010-4158 (from rev 2211, active/CVE-2010-4158)
===================================================================
--- retired/CVE-2010-4158	                        (rev 0)
+++ retired/CVE-2010-4158	2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,14 @@
+Candidate: CVE-2010-4158
+Description: socket filters infoleak
+References:
+ http://www.spinics.net/lists/netdev/msg146361.html
+ https://bugzilla.redhat.com/show_bug.cgi?id=651698
+ http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077321.html
+Notes:
+ jmm> pushed to 2.6.32 stable on 2011-01-11
+Bugs:
+upstream: released (2.6.37-rc2) [57fe93b374a6b8711995c2d466c502af9f3a08bb]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny2) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
+2.6.32-squeeze-security: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
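
Review bot: "Description: socket filters infoleak" puts the text on the key line, whereas the other two files retired in this revision put it on indented lines below "Description:"; one layout across the tracker files would keep them uniformly parseable. The text is also terse: the patch name in the Bugs section (filter-make-sure-filters-dont-read-uninitialized-memory) indicates the leak comes from filters reading uninitialized memory, which would be worth stating in the Description itself.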


Property changes on: retired/CVE-2010-4158
___________________________________________________________________
Added: svn:mergeinfo
   + 



