[kernel-sec-discuss] r2535 - active
Ben Hutchings
benh at alioth.debian.org
Tue Nov 1 14:49:50 UTC 2011
Author: benh
Date: 2011-11-01 14:49:49 +0000 (Tue, 01 Nov 2011)
New Revision: 2535
Modified:
active/CVE-2011-4077
active/CVE-2011-4081
active/CVE-2011-4097
Log:
Note pending fixes in sid
Modified: active/CVE-2011-4077
===================================================================
--- active/CVE-2011-4077 2011-11-01 14:49:21 UTC (rev 2534)
+++ active/CVE-2011-4077 2011-11-01 14:49:49 UTC (rev 2535)
@@ -3,9 +3,11 @@
https://bugzilla.redhat.com/show_bug.cgi?id=749156
http://oss.sgi.com/archives/xfs/2011-10/msg00345.html
Notes:
+ Proposed patch doesn't seem to fix the bug, due to possible integer
+ overflow.
Bugs:
upstream: needed
2.6.32-upstream-stable: needed
-sid: needed
+sid: pending (3.0.0-6) [bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch, bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch]
2.6.26-lenny-security:
2.6.32-squeeze-security: needed
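Review bot: The added Notes text ("Proposed patch doesn't seem to fix the bug, due to possible integer overflow") does not say which patch it means, while the sid line in the same hunk now lists two patches, xfs-fix-memory-corruption-in-xfs_readlink.patch and xfs-fix-memory-corruption-in-xfs_readlink-2.patch. Name the patch being criticised (if it is the one in the oss.sgi.com posting listed just above the note, say so) and state whether the -2 patch is the one that handles the overflow, so that whoever picks up the still-"needed" upstream and 2.6.32 entries knows which change to backport.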
Modified: active/CVE-2011-4081
===================================================================
--- active/CVE-2011-4081 2011-11-01 14:49:21 UTC (rev 2534)
+++ active/CVE-2011-4081 2011-11-01 14:49:49 UTC (rev 2535)
@@ -4,10 +4,11 @@
https://secunia.com/advisories/46584/
https://bugs.gentoo.org/show_bug.cgi?id=388581
Notes:
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7ed47b7d142ec99ad6880bbbec51e9f12b3af74c
+ Not sure if this is exploitable without AF_ALG sockets. Upstream
+ change was cc'd to stable for 2.6.37+.
Bugs:
-upstream: needed
+upstream: released (3.1) [7ed47b7d142ec99ad6880bbbec51e9f12b3af74c]
2.6.32-upstream-stable: needed
-sid: needed
+sid: pending (3.0.0-6) [bugfix/all/stable/3.0.8.patch]
2.6.26-lenny-security: N/A "CRYPTO_GHASH Introduced in 2.6.32"
2.6.32-squeeze-security: needed
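Review bot: The new note says the upstream change was cc'd to stable for 2.6.37+, yet 2.6.32-upstream-stable and 2.6.32-squeeze-security remain "needed" and the lenny line records CRYPTO_GHASH as introduced in 2.6.32. The note should state whether 2.6.32 is considered affected, given the open question about AF_ALG sockets, so the backport decision is recorded rather than implied. Since the sid entry points only at the aggregate bugfix/all/stable/3.0.8.patch, it would also help to say in the note that the individual fix is the commit now listed on the upstream line.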
Modified: active/CVE-2011-4097
===================================================================
--- active/CVE-2011-4097 2011-11-01 14:49:21 UTC (rev 2534)
+++ active/CVE-2011-4097 2011-11-01 14:49:49 UTC (rev 2535)
@@ -5,6 +5,6 @@
Bugs:
upstream: needed
2.6.32-upstream-stable: N/A "Introduced in 2.6.39"
-sid: needed
+sid: pending (3.0.0-6) [bugfix/all/oom-fix-integer-overflow-of-points-in-oom_badness.patch]
2.6.26-lenny-security: N/A "Introduced in 2.6.39"
2.6.32-squeeze-security: N/A "Introduced in 2.6.39"
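Review bot: sid moves to pending with oom-fix-integer-overflow-of-points-in-oom_badness.patch while upstream stays "needed", and nothing in this hunk says where the patch comes from. Add a Notes line giving the source of the patch (list posting or tree) so the upstream entry can be updated with the commit once it lands.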