[kernel-sec-discuss] r5347 - active retired

Salvatore Bonaccorso carnil at moszumanska.debian.org
Tue Jun 6 09:43:26 UTC 2017


Author: carnil
Date: 2017-06-06 09:43:25 +0000 (Tue, 06 Jun 2017)
New Revision: 5347

Added:
   retired/CVE-2016-2188
   retired/CVE-2016-9604
   retired/CVE-2017-2671
   retired/CVE-2017-7184
   retired/CVE-2017-7261
   retired/CVE-2017-7294
   retired/CVE-2017-7308
   retired/CVE-2017-7472
   retired/CVE-2017-7616
   retired/CVE-2017-7618
Removed:
   active/CVE-2016-2188
   active/CVE-2016-9604
   active/CVE-2017-2671
   active/CVE-2017-7184
   active/CVE-2017-7261
   active/CVE-2017-7294
   active/CVE-2017-7308
   active/CVE-2017-7472
   active/CVE-2017-7616
   active/CVE-2017-7618
Log:
Retire several CVEs

Deleted: active/CVE-2016-2188
===================================================================
--- active/CVE-2016-2188	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2016-2188	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,23 +0,0 @@
-Description: Kernel panic on invalid USB device descriptor (iowarrior driver)
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1317018
- https://bugzilla.redhat.com/show_bug.cgi?id=1283390
- http://seclists.org/bugtraq/2016/Mar/87
- http://marc.info/?l=linux-usb&m=145796659429788&w=2
- https://git.kernel.org/linus/4ec0ef3a82125efc36173062a50624550a900ae0
- https://marc.info/?l=linux-usb&m=148890022313747
-Notes:
- bwh> Upstream fix (commit listed above) handles the case where there
- bwh> are zero endpoints, but not the case where there are some
- bwh> endpoints but none of the expected type.  So this is not really
- bwh> fixed anywhere yet.
- bwh> A second proposed fix was posted in March 2017 (second linux-usb
- bwh> message linked above).
-Bugs:
-upstream: released (4.11-rc2) [b7321e81fc369abe353cf094d4f0dc2fe11ab95f]
-4.9-upstream-stable: released (4.9.16) [653418adaf1026a10e0c2e4e29b7319610117b33]
-3.16-upstream-stable: released (3.16.44) [d2d603cf8fd51f0da5e4bc809d17824faa7630f7]
-3.2-upstream-stable: released (3.2.89) [6598f3d653a85dccfb4a472504ec6fd12cec8e42]
-sid: released (4.9.16-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]

Deleted: active/CVE-2016-9604
===================================================================
--- active/CVE-2016-9604	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2016-9604	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,15 +0,0 @@
-Description: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
-References:
-Notes:
- bwh> A similar issue was fixed in 3.17 by commit a4e3b8d79a5c
- bwh> "KEYS: special dot prefixed keyring name bug fix" (which wrongly
- bwh> removed another check - fixed by commit 54e2c2c1a9d6
- bwh> "KEYS: Reinstate EPERM for a key type name beginning with a '.'")
-Bugs:
-upstream: released (4.11-rc8) [ee8f844e3c5a73b999edf733df1c529d6503ec2f]
-4.9-upstream-stable: released (4.9.25) [a5c6e0a76817a3751f58d761aaff7c0b0c4001ff]
-3.16-upstream-stable: released (3.16.44) [41bd08bfce7c33e0d383e7678e6d6c7e8e041524]
-3.2-upstream-stable: released (3.2.89) [7488aaea277dc17eb12bda22c91332c804c62965]
-sid: released (4.9.25-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch]

Deleted: active/CVE-2017-2671
===================================================================
--- active/CVE-2017-2671	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-2671	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,14 +0,0 @@
-Description: Linux kernel ping socket / AF_LLC connect() sin_family race
-References:
- http://www.openwall.com/lists/oss-security/2017/03/24/6
- https://github.com/danieljiang0415/android_kernel_crash_poc
- https://twitter.com/danieljiang0415/status/845116665184497664
-Notes:
-Bugs:
-upstream: released (4.11-rc6) [43a6684519ab0a6c52024b5e25322476cabad893]
-4.9-upstream-stable: released (4.9.26) [e88a8e0a23c23e09858a4f5caeb106da972e7934]
-3.16-upstream-stable: released (3.16.44) [c3f18d2a809b563ef078130ab3758899625e4cfb]
-3.2-upstream-stable: released (3.2.89) [352651a0a07649e4ee03e294da069b5c3e42aae4]
-sid: released (4.9.25-1) [bugfix/all/ping-implement-proper-locking.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/ping-implement-proper-locking.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/ping-implement-proper-locking.patch]

Deleted: active/CVE-2017-7184
===================================================================
--- active/CVE-2017-7184	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7184	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,15 +0,0 @@
-Description: Missing range checks in xfrm_user allow heap buffer overflow and privilege escalation
-References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184
-Notes:
- bwh> xfrm_user is only accessible with CAP_NET_ADMIN capability (in any
- bwh> user namespace).  So this is not exploitable by unprivileged users
- bwh> in a default Debian configuration.
-Bugs:
-upstream: released (4.11-rc5) [677e806da4d916052585301785d847c3b3e6186a, f843ee6dd019bcece3e74e76ad9df0155655d0df]
-4.9-upstream-stable: released (4.9.20) [64a5465799ee40e3d54d9da3037934cd4b7b502f, 79191ea36dc9be10a9c9b03d6b341ed2d2f76045]
-3.16-upstream-stable: released (3.16.44) [811f5600db1a0a9c4f1abad5017e09f43d7088f3, fda265baa45b630675359db3699bb68350c4b907]
-3.2-upstream-stable: released (3.2.89) [04dba730e9d4798184b4769f74ef14c20f8c6f9a, 4d09fd3505c59374e599a29918ca40059be3d554]
-sid: released (4.9.18-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]

Deleted: active/CVE-2017-7261
===================================================================
--- active/CVE-2017-7261	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7261	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,19 +0,0 @@
-Description: drm/vmwgfx: check that number of mip levels is above zero
-References:
- https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1435719
- https://marc.info/?t=149037004200005&r=1&w=2
- https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
-Notes:
- bwh> This seems to have been discovered independently by Murray
- bwh> McAllister, Vladis Dronov and Li Qiang, resulting in three
- bwh> slightly different fixes.  Murray McAllister's version was
- bwh> applied upstream.
-Bugs:
-upstream: released (4.11-rc6) [36274ab8c596f1240c606bb514da329add2a1bcd]
-4.9-upstream-stable: released (4.9.22) [73ab72517b61ce4b27ceddec47dd5d6edafb556a]
-3.16-upstream-stable: released (3.16.44) [61cabe967321767052498032178d56a1ea03a7bc]
-3.2-upstream-stable: released (3.2.89) [20996e6d81c907b10a5ab57c4172be97cb1a7de1]
-sid: released (4.9.18-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]

Deleted: active/CVE-2017-7294
===================================================================
--- active/CVE-2017-7294	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7294	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,13 +0,0 @@
-Description: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()
-References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1436798
- https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
-Notes:
-Bugs:
-upstream: released (4.11-rc6) [e7e11f99564222d82f0ce84bd521e57d78a6b678]
-4.9-upstream-stable: released (4.9.22) [4ddd24d54fedff301e8f020d7b9f70116383af31]
-3.16-upstream-stable: released (3.16.44) [629655f798b92fd309fdde494a3cfb8a37f807ad]
-3.2-upstream-stable: released (3.2.89) [c2e7959f2ea446a417bf2cdb79792575852d17bb]
-sid: released (4.9.18-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]

Deleted: active/CVE-2017-7308
===================================================================
--- active/CVE-2017-7308	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7308	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,20 +0,0 @@
-Description: AF_PACKET missing/incorrect range checks allow heap buffer overflow
-References:
- https://patchwork.ozlabs.org/patch/744811/
- https://patchwork.ozlabs.org/patch/744812/
- https://patchwork.ozlabs.org/patch/744813/
- https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
-Notes:
- bwh> 3.2 is also missing an earlier related fix, commit dc808110bb62
- bwh> "packet: handle too big packets for PACKET_V3"
- nsl> only saw one of the commits in the 4.9 release
- carnil> which was 16fc98c2479f5477f2df220acd9cb53686e33f4c (in 4.9.23)
- carnil> the other two commits are in 4.9.26
-Bugs:
-upstream: released (4.11-rc6) [2b6867c2ce76c596676bec7d2d525af525fdc6e2, 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b, bcc5364bdcfe131e6379363f089e7b4108d35b70]
-4.9-upstream-stable: released (4.9.26) [16fc98c2479f5477f2df220acd9cb53686e33f4c, 10452124bac39411e92fc8910dd418648bbb78ac, 1f49c8cd2c9a53ea04bd86bce01247415d12aa26]
-3.16-upstream-stable: released (3.16.44) [a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c, a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7, 7bb3f26487e578c2cb0567196ce93c008967a269]
-3.2-upstream-stable: released (3.2.89) [091a6de006536c50f8a30db60d994a5b083b1c7b, 1634172286550a62d8a0a98cf8bec5cd975fa09c, 96053b293c69c636d8d34fc569ac81fbf1118658]
-sid: released (4.9.18-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]

Deleted: active/CVE-2017-7472
===================================================================
--- active/CVE-2017-7472	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7472	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,16 +0,0 @@
-Description: keyctl_set_reqkey_keyring() leaks thread keyrings
-References:
- https://lkml.org/lkml/2017/4/1/235
- https://lkml.org/lkml/2017/4/3/724
-Notes:
- carnil> 'Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")'
- carnil> which is first in 2.6.29-rc1
-Bugs:
- https://bugzilla.redhat.com/show_bug.cgi?id=1442086
-upstream: released (4.11-rc8) [c9f838d104fed6f2f61d68164712e3204bf5271b]
-4.9-upstream-stable: released (4.9.25) [174a74dbca2ddc7269c265598399c000e5b9b870]
-3.16-upstream-stable: released (3.16.44) [f7ce1014bc5e4bb42d6b9f5afb308f59534067ea]
-3.2-upstream-stable: released (3.2.89) [0ebd7208190d2f7b16fee3cea05665e212cebaab]
-sid: released (4.9.25-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch]

Deleted: active/CVE-2017-7616
===================================================================
--- active/CVE-2017-7616	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7616	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,16 +0,0 @@
-Description: mm/mempolicy.c: fix error handling in set_mempolicy and mbind
-References:
- https://grsecurity.net/the_infoleak_that_mostly_wasnt.php
-Notes:
- bwh> As Brad Spengler notes, this doesn't affect amd64.  The compat
- bwh> wrappers are only used for swapping bitmap words on 64-bit
- bwh> architectures that are (or can be) big-endian.  Fixing this on
- bwh> wheezy was a (small) waste of time.
-Bugs:
-upstream: released (4.11-rc6) [cf01fb9985e8deb25ccf0ea54d916b8871ae0e62]
-4.9-upstream-stable: released (4.9.22) [cddab768d13469d1e254fb8c0e1629f93c8dfaca]
-3.16-upstream-stable: released (3.16.44) [4474624a1a496e4dc93a2cd49ea915d9c90d80e9]
-3.2-upstream-stable: released (3.2.89) [3f3b4a9db31af279e793229177b63ea201e24629]
-sid: released (4.9.25-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch]

Deleted: active/CVE-2017-7618
===================================================================
--- active/CVE-2017-7618	2017-06-06 09:41:02 UTC (rev 5346)
+++ active/CVE-2017-7618	2017-06-06 09:43:25 UTC (rev 5347)
@@ -1,17 +0,0 @@
-Description: crypto: ahash - Fix EINPROGRESS notification callback
-References:
- http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2
- https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=ef0579b64e93188710d48667cb5e014926af9f1b
-Notes:
- bwh> This depends on several earlier fixes to crypto/ahash.c, applied
- bwh> between 3.2 and 3.16.  It also breaks algif_aead, fixed by commit
- bwh> e6534aebb26e ("crypto: algif_aead - Fix bogus request dereference in
- bwh> completion function").
-Bugs:
-upstream: released (4.11-rc8) [ef0579b64e93188710d48667cb5e014926af9f1b]
-4.9-upstream-stable: released (4.9.24) [c10479591869177ae7ac0570b54ace6fbdeb57c2]
-3.16-upstream-stable: released (3.16.44) [13af702256f8b7d9bb51b86c982fe08e96c589c8]
-3.2-upstream-stable: released (3.2.89) [82ef3e7b16e777db114a0c3699b91134417fe8c9]
-sid: released (4.9.25-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch]
-3.2-wheezy-security: released (3.2.88-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch]

Copied: retired/CVE-2016-2188 (from rev 5346, active/CVE-2016-2188)
===================================================================
--- retired/CVE-2016-2188	                        (rev 0)
+++ retired/CVE-2016-2188	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,23 @@
+Description: Kernel panic on invalid USB device descriptor (iowarrior driver)
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1317018
+ https://bugzilla.redhat.com/show_bug.cgi?id=1283390
+ http://seclists.org/bugtraq/2016/Mar/87
+ http://marc.info/?l=linux-usb&m=145796659429788&w=2
+ https://git.kernel.org/linus/4ec0ef3a82125efc36173062a50624550a900ae0
+ https://marc.info/?l=linux-usb&m=148890022313747
+Notes:
+ bwh> Upstream fix (commit listed above) handles the case where there
+ bwh> are zero endpoints, but not the case where there are some
+ bwh> endpoints but none of the expected type.  So this is not really
+ bwh> fixed anywhere yet.
+ bwh> A second proposed fix was posted in March 2017 (second linux-usb
+ bwh> message linked above).
+Bugs:
+upstream: released (4.11-rc2) [b7321e81fc369abe353cf094d4f0dc2fe11ab95f]
+4.9-upstream-stable: released (4.9.16) [653418adaf1026a10e0c2e4e29b7319610117b33]
+3.16-upstream-stable: released (3.16.44) [d2d603cf8fd51f0da5e4bc809d17824faa7630f7]
+3.2-upstream-stable: released (3.2.89) [6598f3d653a85dccfb4a472504ec6fd12cec8e42]
+sid: released (4.9.16-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch]
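Review bot: the Notes in this entry still say the issue is "not really fixed anywhere yet" and that a second fix was only "proposed" in March 2017, while the Bugs lines record b7321e81fc369abe353cf094d4f0dc2fe11ab95f as released in 4.11-rc2 and in every stable and Debian branch. A retired entry should not carry a note that contradicts its own status: either extend the note to say that the commit in the Bugs lines (distinct from 4ec0ef3a82125efc36173062a50624550a900ae0 in References, which only handled the zero-endpoint case) is that second fix and supersedes the partial one, or drop the stale paragraph.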

Copied: retired/CVE-2016-9604 (from rev 5346, active/CVE-2016-9604)
===================================================================
--- retired/CVE-2016-9604	                        (rev 0)
+++ retired/CVE-2016-9604	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,15 @@
+Description: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
+References:
+Notes:
+ bwh> A similar issue was fixed in 3.17 by commit a4e3b8d79a5c
+ bwh> "KEYS: special dot prefixed keyring name bug fix" (which wrongly
+ bwh> removed another check - fixed by commit 54e2c2c1a9d6
+ bwh> "KEYS: Reinstate EPERM for a key type name beginning with a '.'")
+Bugs:
+upstream: released (4.11-rc8) [ee8f844e3c5a73b999edf733df1c529d6503ec2f]
+4.9-upstream-stable: released (4.9.25) [a5c6e0a76817a3751f58d761aaff7c0b0c4001ff]
+3.16-upstream-stable: released (3.16.44) [41bd08bfce7c33e0d383e7678e6d6c7e8e041524]
+3.2-upstream-stable: released (3.2.89) [7488aaea277dc17eb12bda22c91332c804c62965]
+sid: released (4.9.25-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch]
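Review bot: References: is empty. The Bugs lines name the upstream commit ee8f844e3c5a73b999edf733df1c529d6503ec2f and the Notes cite a4e3b8d79a5c and 54e2c2c1a9d6 by hash only, so add at least a link for the upstream fix to keep the retired entry self-contained. The note also says the "similar issue" was fixed in 3.17, which implies 3.16 and 3.2 lacked that check as well; state whether the 3.16.44 and 3.2.89 backports carry a4e3b8d79a5c and 54e2c2c1a9d6 too, since 41bd08bfce7c33e0d383e7678e6d6c7e8e041524 and 7488aaea277dc17eb12bda22c91332c804c62965 are the only hashes recorded for those branches.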

Copied: retired/CVE-2017-2671 (from rev 5346, active/CVE-2017-2671)
===================================================================
--- retired/CVE-2017-2671	                        (rev 0)
+++ retired/CVE-2017-2671	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,14 @@
+Description: Linux kernel ping socket / AF_LLC connect() sin_family race
+References:
+ http://www.openwall.com/lists/oss-security/2017/03/24/6
+ https://github.com/danieljiang0415/android_kernel_crash_poc
+ https://twitter.com/danieljiang0415/status/845116665184497664
+Notes:
+Bugs:
+upstream: released (4.11-rc6) [43a6684519ab0a6c52024b5e25322476cabad893]
+4.9-upstream-stable: released (4.9.26) [e88a8e0a23c23e09858a4f5caeb106da972e7934]
+3.16-upstream-stable: released (3.16.44) [c3f18d2a809b563ef078130ab3758899625e4cfb]
+3.2-upstream-stable: released (3.2.89) [352651a0a07649e4ee03e294da069b5c3e42aae4]
+sid: released (4.9.25-1) [bugfix/all/ping-implement-proper-locking.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/ping-implement-proper-locking.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/ping-implement-proper-locking.patch]

Copied: retired/CVE-2017-7184 (from rev 5346, active/CVE-2017-7184)
===================================================================
--- retired/CVE-2017-7184	                        (rev 0)
+++ retired/CVE-2017-7184	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,15 @@
+Description: Missing range checks in xfrm_user allow heap buffer overflow and privilege escalation
+References:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184
+Notes:
+ bwh> xfrm_user is only accessible with CAP_NET_ADMIN capability (in any
+ bwh> user namespace).  So this is not exploitable by unprivileged users
+ bwh> in a default Debian configuration.
+Bugs:
+upstream: released (4.11-rc5) [677e806da4d916052585301785d847c3b3e6186a, f843ee6dd019bcece3e74e76ad9df0155655d0df]
+4.9-upstream-stable: released (4.9.20) [64a5465799ee40e3d54d9da3037934cd4b7b502f, 79191ea36dc9be10a9c9b03d6b341ed2d2f76045]
+3.16-upstream-stable: released (3.16.44) [811f5600db1a0a9c4f1abad5017e09f43d7088f3, fda265baa45b630675359db3699bb68350c4b907]
+3.2-upstream-stable: released (3.2.89) [04dba730e9d4798184b4769f74ef14c20f8c6f9a, 4d09fd3505c59374e599a29918ca40059be3d554]
+sid: released (4.9.18-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch]
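Review bot: the Notes' conclusion that this is not exploitable by unprivileged users rests on an unstated assumption. "only accessible with CAP_NET_ADMIN capability (in any user namespace)" means any user who can create a user namespace holds that capability over its own network namespace, so the "default Debian configuration" clause is carrying the whole argument. Say explicitly that it refers to unprivileged user namespace creation being disabled by default, and that the heap overflow is reachable wherever that is enabled or a container runtime grants CAP_NET_ADMIN. References: lists only the MITRE page; the two upstream commits in the Bugs line should be linked.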

Copied: retired/CVE-2017-7261 (from rev 5346, active/CVE-2017-7261)
===================================================================
--- retired/CVE-2017-7261	                        (rev 0)
+++ retired/CVE-2017-7261	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,19 @@
+Description: drm/vmwgfx: check that number of mip levels is above zero
+References:
+ https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html
+ https://bugzilla.redhat.com/show_bug.cgi?id=1435719
+ https://marc.info/?t=149037004200005&r=1&w=2
+ https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
+Notes:
+ bwh> This seems to have been discovered independently by Murray
+ bwh> McAllister, Vladis Dronov and Li Qiang, resulting in three
+ bwh> slightly different fixes.  Murray McAllister's version was
+ bwh> applied upstream.
+Bugs:
+upstream: released (4.11-rc6) [36274ab8c596f1240c606bb514da329add2a1bcd]
+4.9-upstream-stable: released (4.9.22) [73ab72517b61ce4b27ceddec47dd5d6edafb556a]
+3.16-upstream-stable: released (3.16.44) [61cabe967321767052498032178d56a1ea03a7bc]
+3.2-upstream-stable: released (3.2.89) [20996e6d81c907b10a5ab57c4172be97cb1a7de1]
+sid: released (4.9.18-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch]
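Review bot: the Notes say three slightly different fixes exist and that Murray McAllister's version was applied upstream (36274ab8c596f1240c606bb514da329add2a1bcd, "check that number of mip levels is above zero"), but the Debian patch is named vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch, which does not match that subject and suggests one of the other two variants was taken. Record which of the three the sid/jessie/wheezy patch is, and whether it is the same as the upstream commit, since the note itself flags that they differ.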

Copied: retired/CVE-2017-7294 (from rev 5346, active/CVE-2017-7294)
===================================================================
--- retired/CVE-2017-7294	                        (rev 0)
+++ retired/CVE-2017-7294	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,13 @@
+Description: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl()
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1436798
+ https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html
+Notes:
+Bugs:
+upstream: released (4.11-rc6) [e7e11f99564222d82f0ce84bd521e57d78a6b678]
+4.9-upstream-stable: released (4.9.22) [4ddd24d54fedff301e8f020d7b9f70116383af31]
+3.16-upstream-stable: released (3.16.44) [629655f798b92fd309fdde494a3cfb8a37f807ad]
+3.2-upstream-stable: released (3.2.89) [c2e7959f2ea446a417bf2cdb79792575852d17bb]
+sid: released (4.9.18-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch]
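Review bot: this entry and CVE-2017-7261 both add checks on the mip-level count in vmw_surface_define_ioctl() (7261: must be above zero; this one: an upper limit, fixed by the integer-overflow patch named in the sid line), and both landed in 4.11-rc6 and 4.9.22. Neither Notes: section mentions the other; add a cross-reference so a reader checking one does not take the other's patch as sufficient.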

Copied: retired/CVE-2017-7308 (from rev 5346, active/CVE-2017-7308)
===================================================================
--- retired/CVE-2017-7308	                        (rev 0)
+++ retired/CVE-2017-7308	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,20 @@
+Description: AF_PACKET missing/incorrect range checks allow heap buffer overflow
+References:
+ https://patchwork.ozlabs.org/patch/744811/
+ https://patchwork.ozlabs.org/patch/744812/
+ https://patchwork.ozlabs.org/patch/744813/
+ https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
+Notes:
+ bwh> 3.2 is also missing an earlier related fix, commit dc808110bb62
+ bwh> "packet: handle too big packets for PACKET_V3"
+ nsl> only saw one of the commits in the 4.9 release
+ carnil> which was 16fc98c2479f5477f2df220acd9cb53686e33f4c (in 4.9.23)
+ carnil> the other two commits are in 4.9.26
+Bugs:
+upstream: released (4.11-rc6) [2b6867c2ce76c596676bec7d2d525af525fdc6e2, 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b, bcc5364bdcfe131e6379363f089e7b4108d35b70]
+4.9-upstream-stable: released (4.9.26) [16fc98c2479f5477f2df220acd9cb53686e33f4c, 10452124bac39411e92fc8910dd418648bbb78ac, 1f49c8cd2c9a53ea04bd86bce01247415d12aa26]
+3.16-upstream-stable: released (3.16.44) [a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c, a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7, 7bb3f26487e578c2cb0567196ce93c008967a269]
+3.2-upstream-stable: released (3.2.89) [091a6de006536c50f8a30db60d994a5b083b1c7b, 1634172286550a62d8a0a98cf8bec5cd975fa09c, 96053b293c69c636d8d34fc569ac81fbf1118658]
+sid: released (4.9.18-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch]
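Review bot: the bwh note that 3.2 is "also missing" dc808110bb62 ("packet: handle too big packets for PACKET_V3") is left unresolved while 3.2-upstream-stable and 3.2-wheezy-security are marked released with only the three CVE commits listed. Before retiring, record whether dc808110bb62 was backported to 3.2.89 / 3.2.88-1 alongside them or state that it remains missing; as written the entry reads as fully fixed on 3.2 while its own notes say a related fix is absent.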

Copied: retired/CVE-2017-7472 (from rev 5346, active/CVE-2017-7472)
===================================================================
--- retired/CVE-2017-7472	                        (rev 0)
+++ retired/CVE-2017-7472	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,16 @@
+Description: keyctl_set_reqkey_keyring() leaks thread keyrings
+References:
+ https://lkml.org/lkml/2017/4/1/235
+ https://lkml.org/lkml/2017/4/3/724
+Notes:
+ carnil> 'Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")'
+ carnil> which is first in 2.6.29-rc1
+Bugs:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1442086
+upstream: released (4.11-rc8) [c9f838d104fed6f2f61d68164712e3204bf5271b]
+4.9-upstream-stable: released (4.9.25) [174a74dbca2ddc7269c265598399c000e5b9b870]
+3.16-upstream-stable: released (3.16.44) [f7ce1014bc5e4bb42d6b9f5afb308f59534067ea]
+3.2-upstream-stable: released (3.2.89) [0ebd7208190d2f7b16fee3cea05665e212cebaab]
+sid: released (4.9.25-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch]
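Review bot: the Red Hat bugzilla URL (show_bug.cgi?id=1442086) sits under Bugs: rather than References:. In these entries Bugs: holds Debian bug numbers followed by the per-branch status lines, and every other entry in this commit keeps bugzilla links under References:. Move the URL up next to the two lkml links so tooling that parses the status lines does not trip over it.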

Copied: retired/CVE-2017-7616 (from rev 5346, active/CVE-2017-7616)
===================================================================
--- retired/CVE-2017-7616	                        (rev 0)
+++ retired/CVE-2017-7616	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,16 @@
+Description: mm/mempolicy.c: fix error handling in set_mempolicy and mbind
+References:
+ https://grsecurity.net/the_infoleak_that_mostly_wasnt.php
+Notes:
+ bwh> As Brad Spengler notes, this doesn't affect amd64.  The compat
+ bwh> wrappers are only used for swapping bitmap words on 64-bit
+ bwh> architectures that are (or can be) big-endian.  Fixing this on
+ bwh> wheezy was a (small) waste of time.
+Bugs:
+upstream: released (4.11-rc6) [cf01fb9985e8deb25ccf0ea54d916b8871ae0e62]
+4.9-upstream-stable: released (4.9.22) [cddab768d13469d1e254fb8c0e1629f93c8dfaca]
+3.16-upstream-stable: released (3.16.44) [4474624a1a496e4dc93a2cd49ea915d9c90d80e9]
+3.2-upstream-stable: released (3.2.89) [3f3b4a9db31af279e793229177b63ea201e24629]
+sid: released (4.9.25-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch]
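Review bot: the Notes establish only that amd64 is unaffected, then conclude the wheezy fix was a waste of time. The same note says the compat wrappers are live on 64-bit architectures that are or can be big-endian, so the entry should state which of the other 64-bit ports the affected branches are built for fall into that class, rather than letting "doesn't affect amd64" stand in for "doesn't affect Debian".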

Copied: retired/CVE-2017-7618 (from rev 5346, active/CVE-2017-7618)
===================================================================
--- retired/CVE-2017-7618	                        (rev 0)
+++ retired/CVE-2017-7618	2017-06-06 09:43:25 UTC (rev 5347)
@@ -0,0 +1,17 @@
+Description: crypto: ahash - Fix EINPROGRESS notification callback
+References:
+ http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2
+ https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=ef0579b64e93188710d48667cb5e014926af9f1b
+Notes:
+ bwh> This depends on several earlier fixes to crypto/ahash.c, applied
+ bwh> between 3.2 and 3.16.  It also breaks algif_aead, fixed by commit
+ bwh> e6534aebb26e ("crypto: algif_aead - Fix bogus request dereference in
+ bwh> completion function").
+Bugs:
+upstream: released (4.11-rc8) [ef0579b64e93188710d48667cb5e014926af9f1b]
+4.9-upstream-stable: released (4.9.24) [c10479591869177ae7ac0570b54ace6fbdeb57c2]
+3.16-upstream-stable: released (3.16.44) [13af702256f8b7d9bb51b86c982fe08e96c589c8]
+3.2-upstream-stable: released (3.2.89) [82ef3e7b16e777db114a0c3699b91134417fe8c9]
+sid: released (4.9.25-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch]
+3.2-wheezy-security: released (3.2.88-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch]
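Review bot: the Notes say the listed fix breaks algif_aead and that e6534aebb26e ("crypto: algif_aead - Fix bogus request dereference in completion function") repairs that, yet the Bugs lines track only the ahash commit for every branch. Record where e6534aebb26e landed (or that algif_aead is not present in 3.2/3.16, if that is the reason), otherwise a branch marked "released" here may have shipped the regression. The dependency on "several earlier fixes to crypto/ahash.c" between 3.2 and 3.16 likewise deserves the commit list, since the 3.2.89 backport 82ef3e7b16e777db114a0c3699b91134417fe8c9 presumably had to carry them.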
