[kernel-sec-discuss] r5268 - active retired
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Sat May 6 12:48:07 UTC 2017
Author: carnil
Date: 2017-05-06 12:48:07 +0000 (Sat, 06 May 2017)
New Revision: 5268
Added:
retired/CVE-2016-10200
retired/CVE-2016-10208
retired/CVE-2016-6213
retired/CVE-2017-2647
retired/CVE-2017-6951
retired/CVE-2017-7273
Removed:
active/CVE-2016-10200
active/CVE-2016-10208
active/CVE-2016-6213
active/CVE-2017-2647
active/CVE-2017-6951
active/CVE-2017-7273
Log:
Retire CVEs fixed everywhere
Deleted: active/CVE-2016-10200
===================================================================
--- active/CVE-2016-10200 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2016-10200 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,11 +0,0 @@
-Description: Race in l2tp binding can lead to use-after-free
-References:
-Notes:
-Bugs:
-upstream: released (v4.9-rc7) [32c231164b762dddefa13af5a0101032c70b50ef]
-4.9-upstream-stable: N/A "Fixed before 4.9 LTS release"
-3.16-upstream-stable: released (3.16.40) [7c3ad0d86f80618c00a5d6a267080238185038f6]
-3.2-upstream-stable: released (3.2.88) [2147a17048314f069838aace1d08b8c719448b50]
-sid: released (4.8.15-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch]
-3.2-wheezy-security: released (3.2.88-1)
Deleted: active/CVE-2016-10208
===================================================================
--- active/CVE-2016-10208 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2016-10208 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,16 +0,0 @@
-Description: ext4 memory corruption
-References:
- https://bugzilla.suse.com/show_bug.cgi?id=1023377
- https://bugzilla.redhat.com/show_bug.cgi?id=1395190
- http://www.spinics.net/lists/linux-ext4/msg54572.html
-Notes:
- bwh> Initial upstream fix was too strict, causing a regression; see commit
- bwh> 2ba3e6e8afc9 ("ext4: fix fencepost in s_first_meta_bg validation")
-Bugs:
-upstream: released (4.10-rc1) [3a4b77cd47bb837b8557595ec7425f281f2ca1fe]
-4.9-upstream-stable: released (4.9.9) [13e6ef99d23b05807e7f8a72f45e3d8260b61570]
-3.16-upstream-stable: released (3.16.41) [cde863587b6809fdf61ea3c5391ecf06884b5516]
-3.2-upstream-stable: N/A "Introduced in 3.6-rc1 with 952fc18ef9ec707ebdc16c0786ec360295e5ff15"
-sid: released (4.9.10-1)
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch]
-3.2-wheezy-security: N/A "Introduced in 3.6-rc1 with 952fc18ef9ec707ebdc16c0786ec360295e5ff15"
Deleted: active/CVE-2016-6213
===================================================================
--- active/CVE-2016-6213 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2016-6213 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,15 +0,0 @@
-Description:
-References:
- http://www.openwall.com/lists/oss-security/2016/07/13/6
- https://lkml.org/lkml/2016/8/28/269
-Notes:
- carnil> disputed if that should really have got a CVE, and in
- carnil> particular beeing assinged to src:linux
-Bugs:
-upstream: released (4.9-rc1) [d29216842a85c7970c536108e093963f02714498]
-4.9-upstream-stable: N/A "Fixed before branch point"
-3.16-upstream-stable: released (3.16.41) [b71f455440fd7ed03f088580b3a117352fc815dd]
-3.2-upstream-stable: N/A "Unprivileged users cannot manipulate mounts"
-sid: released (4.8.11-1) [bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch]
-3.16-jessie-security: released (3.16.43-1) [bugfix/all/mnt-add-a-per-mount-namespace-limit-on-the-number-of.patch]
-3.2-wheezy-security: N/A "Unprivileged users cannot manipulate mounts"
Deleted: active/CVE-2017-2647
===================================================================
--- active/CVE-2017-2647 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2017-2647 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,20 +0,0 @@
-Description: Null pointer dereference in search_keyring
-References:
-Notes:
- carnil> Same fix as for CVE-2017-6951. But CVE-2017-6951 is for a NULL
- carnil> pointer dereference in th keyring_search_aux when type is "dead".
- carnil> CVE-2017-2647 is for a null pointer dereference in
- carnil> keyring_search_iterator
- bwh> The function that dereferences the null pointer depends on kernel
- bwh> version. keyring_search_aux() was refactored after 3.2 so that
- bwh> part of it its logic is in keyring_search_iterator(), and that's
- bwh> where the null dereference is done. But the issue is
- bwh> fundamentally the same.
-Bugs:
-upstream: released (3.18-rc1) [c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81]
-4.9-upstream-stable: N/A "Fixed before branch point"
-3.16-upstream-stable: released (3.16.43) [c53ee259ad3da891e191dee7af119af340f9c01b]
-3.2-upstream-stable: released (3.2.88) [e2b41f761b086da2ec43b1cfea14ca0681cd08b0]
-sid: released (4.0.2-1)
-3.16-jessie-security: released (3.16.43-1)
-3.2-wheezy-security: released (3.2.88-1)
Deleted: active/CVE-2017-6951
===================================================================
--- active/CVE-2017-6951 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2017-6951 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,23 +0,0 @@
-Description: NULL pointer dereference in keyring_search_aux when type is "dead"
-References:
- https://www.spinics.net/lists/keyrings/msg01845.html
- https://www.spinics.net/lists/keyrings/msg01846.html
- https://www.spinics.net/lists/keyrings/msg01849.html
- https://www.spinics.net/lists/keyrings/msg01882.html
-Notes:
- carnil> Problem is said to not affect newer kernel, but
- carnil> the fixing commit needs to be found still which
- carnil> resolves the issue.
- bwh> I found it.
- carnil> There is c1644fe041ebaf6519f6809146a77c3ead9193af which changes
- carnil> name of the dead type to ".dead" to prevent user access.
- carnil> the equivalent commit for 4.9 is b2dd90e812f3f733b55f0bf4487032e53b487665
- carnil> which landed in 4.9.25
-Bugs:
-upstream: released (3.18-rc1) [c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81]
-4.9-upstream-stable: N/A "Fixed before branch point"
-3.16-upstream-stable: released (3.16.43) [c53ee259ad3da891e191dee7af119af340f9c01b]
-3.2-upstream-stable: released (3.2.88) [e2b41f761b086da2ec43b1cfea14ca0681cd08b0]
-sid: released (4.0.2-1)
-3.16-jessie-security: released (3.16.43-1)
-3.2-wheezy-security: released (3.2.88-1)
Deleted: active/CVE-2017-7273
===================================================================
--- active/CVE-2017-7273 2017-05-06 12:00:29 UTC (rev 5267)
+++ active/CVE-2017-7273 2017-05-06 12:48:07 UTC (rev 5268)
@@ -1,11 +0,0 @@
-Description: HID: hid-cypress: validate length of report
-References:
-Notes:
-Bugs:
-upstream: released (4.10-rc4) [1ebb71143758f45dc0fa76e2f48429e13b16d110]
-4.9-upstream-stable: released (4.9.4) [2c867216c555f5897b327daed6240bfb9e489c97]
-3.16-upstream-stable: released (3.16.42) [60a990276a03f9a11d86017b1217f3698443c47b]
-3.2-upstream-stable: released (3.2.87) [4faec4a2ef5dd481682cc155cb9ea14ba2534b76]
-sid: released (4.9.6-1)
-3.16-jessie-security: released (3.16.43-1)
-3.2-wheezy-security: released (3.2.88-1)
Copied: retired/CVE-2016-10200 (from rev 5267, active/CVE-2016-10200)
===================================================================
--- retired/CVE-2016-10200 (rev 0)
+++ retired/CVE-2016-10200 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,11 @@
+Description: Race in l2tp binding can lead to use-after-free
+References:
+Notes:
+Bugs:
+upstream: released (v4.9-rc7) [32c231164b762dddefa13af5a0101032c70b50ef]
+4.9-upstream-stable: N/A "Fixed before 4.9 LTS release"
+3.16-upstream-stable: released (3.16.40) [7c3ad0d86f80618c00a5d6a267080238185038f6]
+3.2-upstream-stable: released (3.2.88) [2147a17048314f069838aace1d08b8c719448b50]
+sid: released (4.8.15-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/l2tp-fix-racy-sock_zapped-flag-check-in-l2tp_ip-6-_b.patch]
+3.2-wheezy-security: released (3.2.88-1)
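Review bot: The upstream line writes the version as "v4.9-rc7" with a leading "v", while every other entry in this commit uses the bare form ("4.10-rc1", "3.18-rc1", "4.9-rc1"). Normalize it to "4.9-rc7" in the retired copy so that anything matching on the version string treats all entries the same way.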
Copied: retired/CVE-2016-10208 (from rev 5267, active/CVE-2016-10208)
===================================================================
--- retired/CVE-2016-10208 (rev 0)
+++ retired/CVE-2016-10208 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,16 @@
+Description: ext4 memory corruption
+References:
+ https://bugzilla.suse.com/show_bug.cgi?id=1023377
+ https://bugzilla.redhat.com/show_bug.cgi?id=1395190
+ http://www.spinics.net/lists/linux-ext4/msg54572.html
+Notes:
+ bwh> Initial upstream fix was too strict, causing a regression; see commit
+ bwh> 2ba3e6e8afc9 ("ext4: fix fencepost in s_first_meta_bg validation")
+Bugs:
+upstream: released (4.10-rc1) [3a4b77cd47bb837b8557595ec7425f281f2ca1fe]
+4.9-upstream-stable: released (4.9.9) [13e6ef99d23b05807e7f8a72f45e3d8260b61570]
+3.16-upstream-stable: released (3.16.41) [cde863587b6809fdf61ea3c5391ecf06884b5516]
+3.2-upstream-stable: N/A "Introduced in 3.6-rc1 with 952fc18ef9ec707ebdc16c0786ec360295e5ff15"
+sid: released (4.9.10-1)
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/ext4-validate-s_first_meta_bg-at-mount-time.patch]
+3.2-wheezy-security: N/A "Introduced in 3.6-rc1 with 952fc18ef9ec707ebdc16c0786ec360295e5ff15"
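Review bot: The bwh note says the initial upstream fix caused a regression that 2ba3e6e8afc9 corrects, but the status lines record only the initial fix (3a4b77cd47bb and its stable backports) and the jessie patch ext4-validate-s_first_meta_bg-at-mount-time.patch. The retired entry therefore does not show whether the fencepost follow-up is present in 4.9.9, 3.16.41 or 3.16.43-1. Add the follow-up commit, or a short note per branch, so the "released" states can be verified later without re-reading the upstream history.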
Copied: retired/CVE-2016-6213 (from rev 5267, active/CVE-2016-6213)
===================================================================
--- retired/CVE-2016-6213 (rev 0)
+++ retired/CVE-2016-6213 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,15 @@
+Description:
+References:
+ http://www.openwall.com/lists/oss-security/2016/07/13/6
+ https://lkml.org/lkml/2016/8/28/269
+Notes:
+ carnil> disputed if that should really have got a CVE, and in
+ carnil> particular beeing assinged to src:linux
+Bugs:
+upstream: released (4.9-rc1) [d29216842a85c7970c536108e093963f02714498]
+4.9-upstream-stable: N/A "Fixed before branch point"
+3.16-upstream-stable: released (3.16.41) [b71f455440fd7ed03f088580b3a117352fc815dd]
+3.2-upstream-stable: N/A "Unprivileged users cannot manipulate mounts"
+sid: released (4.8.11-1) [bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch]
+3.16-jessie-security: released (3.16.43-1) [bugfix/all/mnt-add-a-per-mount-namespace-limit-on-the-number-of.patch]
+3.2-wheezy-security: N/A "Unprivileged users cannot manipulate mounts"
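Review bot: The "Description:" line is empty in the file being retired, so the permanent record identifies the issue only through the two reference URLs and the carnil note about the disputed assignment. Fill it in from what the entry already carries, for example from the patch title (a per-mount-namespace limit on the number of mounts). Separately, the patch path differs only in case between the sid line ("mnt-Add-a-per-...") and the jessie line ("mnt-add-a-per-..."); confirm that both spellings match the files as they exist in each branch.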
Copied: retired/CVE-2017-2647 (from rev 5267, active/CVE-2017-2647)
===================================================================
--- retired/CVE-2017-2647 (rev 0)
+++ retired/CVE-2017-2647 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,20 @@
+Description: Null pointer dereference in search_keyring
+References:
+Notes:
+ carnil> Same fix as for CVE-2017-6951. But CVE-2017-6951 is for a NULL
+ carnil> pointer dereference in th keyring_search_aux when type is "dead".
+ carnil> CVE-2017-2647 is for a null pointer dereference in
+ carnil> keyring_search_iterator
+ bwh> The function that dereferences the null pointer depends on kernel
+ bwh> version. keyring_search_aux() was refactored after 3.2 so that
+ bwh> part of it its logic is in keyring_search_iterator(), and that's
+ bwh> where the null dereference is done. But the issue is
+ bwh> fundamentally the same.
+Bugs:
+upstream: released (3.18-rc1) [c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81]
+4.9-upstream-stable: N/A "Fixed before branch point"
+3.16-upstream-stable: released (3.16.43) [c53ee259ad3da891e191dee7af119af340f9c01b]
+3.2-upstream-stable: released (3.2.88) [e2b41f761b086da2ec43b1cfea14ca0681cd08b0]
+sid: released (4.0.2-1)
+3.16-jessie-security: released (3.16.43-1)
+3.2-wheezy-security: released (3.2.88-1)
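Review bot: The Description names "search_keyring", but the Notes place the dereference in keyring_search_aux() on 3.2 and in keyring_search_iterator() after the refactoring, and no function called search_keyring appears anywhere else in the entry. Align the Description with the Notes before the file becomes the permanent record. Since the status lines here are identical to those of CVE-2017-6951, a cross-reference in the Description would also help a reader who lands on only one of the two files.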
Copied: retired/CVE-2017-6951 (from rev 5267, active/CVE-2017-6951)
===================================================================
--- retired/CVE-2017-6951 (rev 0)
+++ retired/CVE-2017-6951 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,23 @@
+Description: NULL pointer dereference in keyring_search_aux when type is "dead"
+References:
+ https://www.spinics.net/lists/keyrings/msg01845.html
+ https://www.spinics.net/lists/keyrings/msg01846.html
+ https://www.spinics.net/lists/keyrings/msg01849.html
+ https://www.spinics.net/lists/keyrings/msg01882.html
+Notes:
+ carnil> Problem is said to not affect newer kernel, but
+ carnil> the fixing commit needs to be found still which
+ carnil> resolves the issue.
+ bwh> I found it.
+ carnil> There is c1644fe041ebaf6519f6809146a77c3ead9193af which changes
+ carnil> name of the dead type to ".dead" to prevent user access.
+ carnil> the equivalent commit for 4.9 is b2dd90e812f3f733b55f0bf4487032e53b487665
+ carnil> which landed in 4.9.25
+Bugs:
+upstream: released (3.18-rc1) [c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81]
+4.9-upstream-stable: N/A "Fixed before branch point"
+3.16-upstream-stable: released (3.16.43) [c53ee259ad3da891e191dee7af119af340f9c01b]
+3.2-upstream-stable: released (3.2.88) [e2b41f761b086da2ec43b1cfea14ca0681cd08b0]
+sid: released (4.0.2-1)
+3.16-jessie-security: released (3.16.43-1)
+3.2-wheezy-security: released (3.2.88-1)
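Review bot: The Notes still carry the open question ("the fixing commit needs to be found still") next to bwh's "I found it.", and they cite c1644fe041ebaf6519f6809146a77c3ead9193af with its 4.9 equivalent b2dd90e812f3f733b55f0bf4487032e53b487665 (4.9.25), while the status lines list only c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 and mark 4.9-upstream-stable as N/A "Fixed before branch point". Before retiring, say in the Notes which commit is counted as the fix and how the ".dead" rename relates to it, so the 4.9.25 reference does not read as contradicting the N/A status.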
Copied: retired/CVE-2017-7273 (from rev 5267, active/CVE-2017-7273)
===================================================================
--- retired/CVE-2017-7273 (rev 0)
+++ retired/CVE-2017-7273 2017-05-06 12:48:07 UTC (rev 5268)
@@ -0,0 +1,11 @@
+Description: HID: hid-cypress: validate length of report
+References:
+Notes:
+Bugs:
+upstream: released (4.10-rc4) [1ebb71143758f45dc0fa76e2f48429e13b16d110]
+4.9-upstream-stable: released (4.9.4) [2c867216c555f5897b327daed6240bfb9e489c97]
+3.16-upstream-stable: released (3.16.42) [60a990276a03f9a11d86017b1217f3698443c47b]
+3.2-upstream-stable: released (3.2.87) [4faec4a2ef5dd481682cc155cb9ea14ba2534b76]
+sid: released (4.9.6-1)
+3.16-jessie-security: released (3.16.43-1)
+3.2-wheezy-security: released (3.2.88-1)
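Review bot: The Description is the subject line of the fix ("HID: hid-cypress: validate length of report") rather than a statement of the flaw, and References and Notes are both empty. For the retired record, reword it to describe the problem itself (the missing report length validation in hid-cypress) so the entry is understandable without looking up commit 1ebb71143758f45dc0fa76e2f48429e13b16d110.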