[kernel-sec-discuss] r5025 - active retired

Salvatore Bonaccorso carnil at moszumanska.debian.org
Mon Feb 27 07:34:54 UTC 2017


Author: carnil
Date: 2017-02-27 07:34:54 +0000 (Mon, 27 Feb 2017)
New Revision: 5025

Added:
   retired/CVE-2017-2583
   retired/CVE-2017-2584
   retired/CVE-2017-2618
   retired/CVE-2017-5549
   retired/CVE-2017-5551
   retired/CVE-2017-5970
Removed:
   active/CVE-2017-2583
   active/CVE-2017-2584
   active/CVE-2017-2618
   active/CVE-2017-5549
   active/CVE-2017-5551
   active/CVE-2017-5970
Log:
Retire some CVEs fixed everywhere

Deleted: active/CVE-2017-2583
===================================================================
--- active/CVE-2017-2583	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-2583	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,12 +0,0 @@
-Description: KVM: x86: fix emulation of "MOV SS, null selector"
-References:
-Notes:
- Introduced in 3.6-rc1 with 79d5b4c3cd809c770d4bf9812635647016c56011
-Bugs:
-upstream: released (4.10-rc4) [33ab91103b3415e12457e3104f0e4517ce12d0f3]
-4.9-upstream-stable: released (4.9.5) [7718ffcf9a64830bbae148432f625346cde2f2d6]
-3.16-upstream-stable: released (3.16.41) [kvm-x86-fix-emulation-of-mov-ss-null-selector.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.6-rc1 with 79d5b4c3cd809c770d4bf9812635647016c56011"
-sid: released (4.9.6-1)
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"

Deleted: active/CVE-2017-2584
===================================================================
--- active/CVE-2017-2584	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-2584	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,16 +0,0 @@
-Description: kvm: use after free in complete_emulated_mmio
-References:
- https://www.spinics.net/lists/kvm/msg143571.html
-Notes:
- carnil> Introduced in 3.6-rc1 with 96051572c819194c37a8367624b285be10297eca,
- carnil> but after 4.10-rc1 with 283c95d0e3891b64087706b344a4b545d04a6e62
- carnil> also exploitable for kernel memory write.
-Bugs:
- https://bugzilla.redhat.com/show_bug.cgi?id=1413001
-upstream: released (4.10-rc4) [129a72a0d3c8e139a04512325384fe5ac119e74d]
-4.9-upstream-stable: released (4.9.5) [736e77c07fba8b49cead504b885a82ce52c0ff10]
-3.16-upstream-stable: released (3.16.41) [kvm-x86-introduce-segmented_write_std.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.6-rc1 with 96051572c819194c37a8367624b285be10297eca"
-sid: released (4.9.6-1)
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/x86/kvm-x86-introduce-segmented_write_std.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"

Deleted: active/CVE-2017-2618
===================================================================
--- active/CVE-2017-2618	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-2618	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,20 +0,0 @@
-Description: selinux: fix off-by-one in setprocattr 
-References:
-Notes:
- carnil> Possibly introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3
- bwh> The off-by-one error was introduced in Linux 2.6.12 (just before
- bwh> the switch to git), as a (very minor) information leak.  The above
- bwh> commit increased the security impact - writing exactly "\n" can
- bwh> result in a buffer under-read and oops, which is what this CVE
- bwh> describes.  Later, commit bb646cdb12e7 "proc_pid_attr_write():
- bwh> switch to memdup_user()" reduced the buffer size so there is also
- bwh> a buffer over-read.  However, I think that has no additional impact
- bwh> since even SLOB pads heap allocations to at least 2 bytes.
-Bugs:
-upstream: released (4.10-rc8) [0c461cb727d146c9ef2d3e86214f498b78b7d125]
-4.9-upstream-stable: released (4.9.10) [6cbaf7b94373743deb42fd410173aab81f8945fe]
-3.16-upstream-stable: released (3.16.41) [selinux-fix-off-by-one-in-setprocattr.patch]
-3.2-upstream-stable: N/A "Vulnerable code not present"
-sid: released (4.9.10-1)
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"

Deleted: active/CVE-2017-5549
===================================================================
--- active/CVE-2017-5549	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-5549	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,11 +0,0 @@
-Description: USB: serial: kl5kusb105: fix line-state error handling
-References:
-Notes:
-Bugs:
-upstream: released (4.10-rc4) [146cc8a17a3b4996f6805ee5c080e7101277c410]
-4.9-upstream-stable: released (4.9.5) [58ede4beda662c4e1681fee4fae2174028a1a841]
-3.16-upstream-stable: released (3.16.41) [usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
-3.2-upstream-stable: released (3.2.86) [usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
-sid: released (4.9.6-1)
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
-3.2-wheezy-security: released (3.2.84-2) [bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch]

Deleted: active/CVE-2017-5551
===================================================================
--- active/CVE-2017-5551	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-5551	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,11 +0,0 @@
-Description: sgid bit not cleared on tmpfs
-References:
-Notes:
-Bugs:
-upstream: released (4.10-rc4) [497de07d89c1410d76a15bec2bb41f24a2a89f31]
-4.9-upstream-stable: released (4.9.6) [782b361c93062f083bbc9a78928498218f950399]
-3.16-upstream-stable: released (3.16.41) [tmpfs-clear-s_isgid-when-setting-posix-acls.patch]
-3.2-upstream-stable: N/A "Backported fix for CVE-2016-7097 already covered this"
-sid: released (4.9.6-1)
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch]
-3.2-wheezy-security: N/A "Backported fix for CVE-2016-7097 already covered this"

Deleted: active/CVE-2017-5970
===================================================================
--- active/CVE-2017-5970	2017-02-27 07:32:59 UTC (rev 5024)
+++ active/CVE-2017-5970	2017-02-27 07:34:54 UTC (rev 5025)
@@ -1,13 +0,0 @@
-Description: ipv4: Invalid IP options could cause skb->dst drop
-References:
- http://seclists.org/oss-sec/2017/q1/414
- https://patchwork.ozlabs.org/patch/724136/
-Notes:
-Bugs:
-upstream: released (4.10-rc8) [34b2cef20f19c87999fff3da4071e66937db9644]
-4.9-upstream-stable: released (4.9.11) [f5b54446630a973e1f27b68599366bbd0ac53066]
-3.16-upstream-stable: released (3.16.41) [ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
-3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with d826eb14ecef3574b6b3be55e5f4329f4a76fbf3"
-sid: released (4.9.10-1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch]
-3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
-3.2-wheezy-security: N/A "Vulnerable code not present"

Copied: retired/CVE-2017-2583 (from rev 5024, active/CVE-2017-2583)
===================================================================
--- retired/CVE-2017-2583	                        (rev 0)
+++ retired/CVE-2017-2583	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,12 @@
+Description: KVM: x86: fix emulation of "MOV SS, null selector"
+References:
+Notes:
+ Introduced in 3.6-rc1 with 79d5b4c3cd809c770d4bf9812635647016c56011
+Bugs:
+upstream: released (4.10-rc4) [33ab91103b3415e12457e3104f0e4517ce12d0f3]
+4.9-upstream-stable: released (4.9.5) [7718ffcf9a64830bbae148432f625346cde2f2d6]
+3.16-upstream-stable: released (3.16.41) [kvm-x86-fix-emulation-of-mov-ss-null-selector.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.6-rc1 with 79d5b4c3cd809c770d4bf9812635647016c56011"
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/x86/kvm-x86-fix-emulation-of-mov-ss-null-selector.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
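
Review bot: the Notes line "Introduced in 3.6-rc1 with 79d5b4c3cd809c770d4bf9812635647016c56011" carries no "name>" attribution prefix, unlike the Notes in CVE-2017-2584 and CVE-2017-2618 in this same commit; adding "carnil>" (or whoever wrote it) keeps the provenance of the note visible in the retired record. The suite lines themselves are all either released or N/A with a stated reason, so retiring the entry is consistent with the tracker's own data.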

Copied: retired/CVE-2017-2584 (from rev 5024, active/CVE-2017-2584)
===================================================================
--- retired/CVE-2017-2584	                        (rev 0)
+++ retired/CVE-2017-2584	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,16 @@
+Description: kvm: use after free in complete_emulated_mmio
+References:
+ https://www.spinics.net/lists/kvm/msg143571.html
+Notes:
+ carnil> Introduced in 3.6-rc1 with 96051572c819194c37a8367624b285be10297eca,
+ carnil> but after 4.10-rc1 with 283c95d0e3891b64087706b344a4b545d04a6e62
+ carnil> also exploitable for kernel memory write.
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1413001
+upstream: released (4.10-rc4) [129a72a0d3c8e139a04512325384fe5ac119e74d]
+4.9-upstream-stable: released (4.9.5) [736e77c07fba8b49cead504b885a82ce52c0ff10]
+3.16-upstream-stable: released (3.16.41) [kvm-x86-introduce-segmented_write_std.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.6-rc1 with 96051572c819194c37a8367624b285be10297eca"
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/x86/kvm-x86-introduce-segmented_write_std.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
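
Review bot: the Notes record that after 4.10-rc1 (commit 283c95d0e3891b64087706b344a4b545d04a6e62) the bug is "also exploitable for kernel memory write", but nothing says which impact the 4.9.5 and 3.16.41 backports close. Since both stable branches predate 4.10-rc1, a short Notes line stating that the memory-write variant does not apply to them and that their backports address the original use-after-free would stop a later reader from expecting a second fix on those branches.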

Copied: retired/CVE-2017-2618 (from rev 5024, active/CVE-2017-2618)
===================================================================
--- retired/CVE-2017-2618	                        (rev 0)
+++ retired/CVE-2017-2618	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,20 @@
+Description: selinux: fix off-by-one in setprocattr 
+References:
+Notes:
+ carnil> Possibly introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3
+ bwh> The off-by-one error was introduced in Linux 2.6.12 (just before
+ bwh> the switch to git), as a (very minor) information leak.  The above
+ bwh> commit increased the security impact - writing exactly "\n" can
+ bwh> result in a buffer under-read and oops, which is what this CVE
+ bwh> describes.  Later, commit bb646cdb12e7 "proc_pid_attr_write():
+ bwh> switch to memdup_user()" reduced the buffer size so there is also
+ bwh> a buffer over-read.  However, I think that has no additional impact
+ bwh> since even SLOB pads heap allocations to at least 2 bytes.
+Bugs:
+upstream: released (4.10-rc8) [0c461cb727d146c9ef2d3e86214f498b78b7d125]
+4.9-upstream-stable: released (4.9.10) [6cbaf7b94373743deb42fd410173aab81f8945fe]
+3.16-upstream-stable: released (3.16.41) [selinux-fix-off-by-one-in-setprocattr.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.9.10-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/selinux-fix-off-by-one-in-setprocattr.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
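
Review bot: two points on this entry. First, the Description line ends with a trailing space ("setprocattr "), which the retired copy inherits; trim it. Second, the 3.2-upstream-stable and 3.2-wheezy-security lines say "Vulnerable code not present" while bwh's note explains that the off-by-one itself dates back to Linux 2.6.12 and only the oops-causing buffer under-read arrived with d6ea83ec6864e9297fa8b00ec3dae183413a90e3 in 3.5-rc1. Phrasing the reason as "Vulnerable code introduced in 3.5-rc1 with d6ea83ec6864e9297fa8b00ec3dae183413a90e3", the wording the 3.2-upstream-stable line of CVE-2017-2583 uses, would record that the minor leak is present in 3.2 but the behaviour this CVE describes is not.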

Copied: retired/CVE-2017-5549 (from rev 5024, active/CVE-2017-5549)
===================================================================
--- retired/CVE-2017-5549	                        (rev 0)
+++ retired/CVE-2017-5549	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,11 @@
+Description: USB: serial: kl5kusb105: fix line-state error handling
+References:
+Notes:
+Bugs:
+upstream: released (4.10-rc4) [146cc8a17a3b4996f6805ee5c080e7101277c410]
+4.9-upstream-stable: released (4.9.5) [58ede4beda662c4e1681fee4fae2174028a1a841]
+3.16-upstream-stable: released (3.16.41) [usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
+3.2-upstream-stable: released (3.2.86) [usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch]
+3.2-wheezy-security: released (3.2.84-2) [bugfix/all/usb-serial-kl5kusb105-fix-line-state-error-handling.patch]

Copied: retired/CVE-2017-5551 (from rev 5024, active/CVE-2017-5551)
===================================================================
--- retired/CVE-2017-5551	                        (rev 0)
+++ retired/CVE-2017-5551	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,11 @@
+Description: sgid bit not cleared on tmpfs
+References:
+Notes:
+Bugs:
+upstream: released (4.10-rc4) [497de07d89c1410d76a15bec2bb41f24a2a89f31]
+4.9-upstream-stable: released (4.9.6) [782b361c93062f083bbc9a78928498218f950399]
+3.16-upstream-stable: released (3.16.41) [tmpfs-clear-s_isgid-when-setting-posix-acls.patch]
+3.2-upstream-stable: N/A "Backported fix for CVE-2016-7097 already covered this"
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/tmpfs-clear-s_isgid-when-setting-posix-acls.patch]
+3.2-wheezy-security: N/A "Backported fix for CVE-2016-7097 already covered this"
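
Review bot: the 3.2 lines justify the N/A with "Backported fix for CVE-2016-7097 already covered this", but Notes: is empty, so the retired record gives no pointer to why a different CVE's backport covers the sgid-on-tmpfs case. A one-line Notes entry in the "name>" style used in CVE-2017-2584, naming the CVE-2016-7097 tracking entry, would make that dependency findable if the 3.2 branch is reviewed again.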

Copied: retired/CVE-2017-5970 (from rev 5024, active/CVE-2017-5970)
===================================================================
--- retired/CVE-2017-5970	                        (rev 0)
+++ retired/CVE-2017-5970	2017-02-27 07:34:54 UTC (rev 5025)
@@ -0,0 +1,13 @@
+Description: ipv4: Invalid IP options could cause skb->dst drop
+References:
+ http://seclists.org/oss-sec/2017/q1/414
+ https://patchwork.ozlabs.org/patch/724136/
+Notes:
+Bugs:
+upstream: released (4.10-rc8) [34b2cef20f19c87999fff3da4071e66937db9644]
+4.9-upstream-stable: released (4.9.11) [f5b54446630a973e1f27b68599366bbd0ac53066]
+3.16-upstream-stable: released (3.16.41) [ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with d826eb14ecef3574b6b3be55e5f4329f4a76fbf3"
+sid: released (4.9.10-1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch]
+3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-ip-options.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"
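
Review bot: the patch file name differs in case between suites: the sid line cites bugfix/all/ipv4-keep-skb-dst-around-in-presence-of-IP-options.patch while the 3.16-jessie-security and 3.16-upstream-stable lines cite the lower-case ...-ip-options.patch. Verify the sid name matches the file actually present in the packaging tree, since a case mismatch leaves the entry unable to locate the patch. The two 3.2 lines agree with each other (introduced in 3.3-rc1 with d826eb14ecef3574b6b3be55e5f4329f4a76fbf3, hence not present in 3.2).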
