[kernel-sec-discuss] r2212 - active retired
Moritz Muehlenhoff
jmm at alioth.debian.org
Mon Mar 7 08:59:45 UTC 2011
Author: jmm
Date: 2011-03-07 08:59:45 +0000 (Mon, 07 Mar 2011)
New Revision: 2212
Added:
retired/CVE-2010-3437
retired/CVE-2010-3705
retired/CVE-2010-4158
Removed:
active/CVE-2010-3437
active/CVE-2010-3705
active/CVE-2010-4158
Log:
retire three issues
Deleted: active/CVE-2010-3437
===================================================================
--- active/CVE-2010-3437 2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-3437 2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,27 +0,0 @@
-Candidate: CVE-2010-3437
-Description:
- > ----- "Eugene Teo" <eugeneteo at kernel.sg> wrote:
- > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
- > device ioctl retrieves a pointer to a pktcdvd_device from the global
- > pkt_devs array. The index into this array is provided directly by the
- >
- > user and is a signed integer, so the comparison to ensure that it falls
- > within the bounds of this array will fail when provided with a
- > negative index.
- >
- > This can be used to read arbitrary kernel memory or cause a crash due to
- > an invalid pointer dereference. This can be exploited by users with
- > permission to open /dev/pktcdvd/control (on many distributions, this is
- > readable by group "cdrom").
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=638085
-Notes:
- exploit: http://jon.oberheide.org/files/cve-2010-3437.c
- only an info disclosure, but seems to be able to dump any/all kernel memory
- jmm> Submitted for 2.6.32.x on 2010-01-10.
-Bugs:
-upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
Deleted: active/CVE-2010-3705
===================================================================
--- active/CVE-2010-3705 2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-3705 2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,14 +0,0 @@
-Candidate: CVE-2010-3705
-Description:
- sctp out-of-bounds issue
-References:
- http://marc.info/?l=linux-kernel&m=128596992418814&w=2
- http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
-Notes:
- jmm> Submitted for stable 2011-01-06
-Bugs:
-upstream: released (2.6.36) [51e97a12bef19b7e43199fc153cf9bd5f2140362]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch]
-2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
Deleted: active/CVE-2010-4158
===================================================================
--- active/CVE-2010-4158 2011-03-03 12:49:44 UTC (rev 2211)
+++ active/CVE-2010-4158 2011-03-07 08:59:45 UTC (rev 2212)
@@ -1,14 +0,0 @@
-Candidate: CVE-2010-4158
-Description: socket filters infoleak
-References:
- http://www.spinics.net/lists/netdev/msg146361.html
- https://bugzilla.redhat.com/show_bug.cgi?id=651698
- http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077321.html
-Notes:
- jmm> pushed to 2.6.32 stable on 2011-01-11
-Bugs:
-upstream: released (2.6.37-rc2) [57fe93b374a6b8711995c2d466c502af9f3a08bb]
-2.6.32-upstream-stable: released (2.6.32.30)
-linux-2.6: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
-2.6.26-lenny-security: released (2.6.26-26lenny2) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
-2.6.32-squeeze-security: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
Copied: retired/CVE-2010-3437 (from rev 2211, active/CVE-2010-3437)
===================================================================
--- retired/CVE-2010-3437 (rev 0)
+++ retired/CVE-2010-3437 2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,27 @@
+Candidate: CVE-2010-3437
+Description:
+ > ----- "Eugene Teo" <eugeneteo at kernel.sg> wrote:
+ > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
+ > device ioctl retrieves a pointer to a pktcdvd_device from the global
+ > pkt_devs array. The index into this array is provided directly by the
+ >
+ > user and is a signed integer, so the comparison to ensure that it falls
+ > within the bounds of this array will fail when provided with a
+ > negative index.
+ >
+ > This can be used to read arbitrary kernel memory or cause a crash due to
+ > an invalid pointer dereference. This can be exploited by users with
+ > permission to open /dev/pktcdvd/control (on many distributions, this is
+ > readable by group "cdrom").
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=638085
+Notes:
+ exploit: http://jon.oberheide.org/files/cve-2010-3437.c
+ only an info disclosure, but seems to be able to dump any/all kernel memory
+ jmm> Submitted for 2.6.32.x on 2010-01-10.
+Bugs:
+upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
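Review bot: The Notes line "jmm> Submitted for 2.6.32.x on 2010-01-10." carries a date a year earlier than the stable submissions recorded in the other two entries of this commit (2011-01-06 and 2011-01-11), even though all three list 2.6.32.30 as the stable release. Check whether 2011-01-10 was meant before the entry is archived. The quoted description also has an empty ">" line between "provided directly by the" and "user and is a signed integer", which splits one sentence across two paragraphs; dropping that line would keep the text intact.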
Property changes on: retired/CVE-2010-3437
___________________________________________________________________
Added: svn:mergeinfo
+
Copied: retired/CVE-2010-3705 (from rev 2211, active/CVE-2010-3705)
===================================================================
--- retired/CVE-2010-3705 (rev 0)
+++ retired/CVE-2010-3705 2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,14 @@
+Candidate: CVE-2010-3705
+Description:
+ sctp out-of-bounds issue
+References:
+ http://marc.info/?l=linux-kernel&m=128596992418814&w=2
+ http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=51e97a12bef19b7e43199fc153cf9bd5f2140362
+Notes:
+ jmm> Submitted for stable 2011-01-06
+Bugs:
+upstream: released (2.6.36) [51e97a12bef19b7e43199fc153cf9bd5f2140362]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/sctp-fix-out-of-bounds-reading-in-sctp_assoc_get_hmac.patch]
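Review bot: The 2.6.26-lenny-security line names the patch sctp-fix-out-of-bounds-reading-in-sctp_asoc_get_hmac.patch ("asoc"), while the linux-2.6 and 2.6.32-squeeze-security lines spell it sctp_assoc_get_hmac. Confirm which spelling matches the file in the lenny tree so the reference resolves. The Description is only "sctp out-of-bounds issue"; the patch name indicates an out-of-bounds read in sctp_assoc_get_hmac, which is worth stating in the retired record.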
Property changes on: retired/CVE-2010-3705
___________________________________________________________________
Added: svn:mergeinfo
+
Copied: retired/CVE-2010-4158 (from rev 2211, active/CVE-2010-4158)
===================================================================
--- retired/CVE-2010-4158 (rev 0)
+++ retired/CVE-2010-4158 2011-03-07 08:59:45 UTC (rev 2212)
@@ -0,0 +1,14 @@
+Candidate: CVE-2010-4158
+Description: socket filters infoleak
+References:
+ http://www.spinics.net/lists/netdev/msg146361.html
+ https://bugzilla.redhat.com/show_bug.cgi?id=651698
+ http://lists.grok.org.uk/pipermail/full-disclosure/2010-November/077321.html
+Notes:
+ jmm> pushed to 2.6.32 stable on 2011-01-11
+Bugs:
+upstream: released (2.6.37-rc2) [57fe93b374a6b8711995c2d466c502af9f3a08bb]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny2) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
+2.6.32-squeeze-security: released (2.6.32-29) [bugfix/all/filter-make-sure-filters-dont-read-uninitialized-memory.patch]
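Review bot: "Description: socket filters infoleak" puts the text on the field line, whereas the other two entries in this commit place it on an indented line below "Description:". Use one layout so the tracker files parse uniformly. The description could also say what leaks: the patch name points at filters reading uninitialized memory.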
Property changes on: retired/CVE-2010-4158
___________________________________________________________________
Added: svn:mergeinfo
+