[kernel-sec-discuss] r5715 - active
Ben Hutchings
benh at moszumanska.debian.org
Sun Nov 12 18:14:36 UTC 2017
Author: benh
Date: 2017-11-12 18:14:35 +0000 (Sun, 12 Nov 2017)
New Revision: 5715
Modified:
active/CVE-2017-16643
active/CVE-2017-16644
active/CVE-2017-16645
active/CVE-2017-16646
active/CVE-2017-16647
active/CVE-2017-16648
active/CVE-2017-16649
active/CVE-2017-16650
Log:
Fill in status for new issues
Modified: active/CVE-2017-16643
===================================================================
--- active/CVE-2017-16643 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16643 2017-11-12 18:14:35 UTC (rev 5715)
@@ -1,12 +1,14 @@
Description: Input: gtco - fix potential out-of-bound access
References:
Notes:
+ bwh> Introduced in 2.6.21 by commit a19ceb56cbd1 "USB Input: Added kernel
+ bwh> module to support all GTCO CalComp USB InterWrite School products"
Bugs:
upstream: released (4.14-rc7) [a50829479f58416a013a4ccca791336af3c584c7]
4.9-upstream-stable: released (4.9.60) [52f65e35c2b85908fa66cfc265be4e3fd88744a3]
-3.16-upstream-stable:
-3.2-upstream-stable:
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
sid: pending (4.13.12-1)
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
Modified: active/CVE-2017-16644
===================================================================
--- active/CVE-2017-16644 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16644 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,18 @@
References:
https://patchwork.kernel.org/patch/9966135/
Notes:
+ bwh> I believe this CVE is for passing a zeroed work_struct to
+ bwh> flush_work(), leading to an oops (denial of service). That
+ bwh> was introduced in 4.8 by commit 5612e191ca1f "[media] hdpvr:
+ bwh> Remove deprecated create_singlethread_workqueue". The patch
+ bwh> fixing this also fixes memory leaks on the failure path which
+ bwh> have been present for much longer.
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
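Review bot: the N/A entries for 3.16 and 3.2 rest on the reading given in the Notes ("I believe this CVE is for passing a zeroed work_struct to flush_work()"), while the same note says the fix also closes memory leaks on the failure path that "have been present for much longer". Suggest stating in the note that those leaks are treated as outside this CVE, so the "Vulnerable code not present" status on the pre-4.8 branches reads as a deliberate scoping decision and the leaks are not lost track of for those branches.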
Modified: active/CVE-2017-16645
===================================================================
--- active/CVE-2017-16645 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16645 2017-11-12 18:14:35 UTC (rev 5715)
@@ -1,12 +1,14 @@
Description: Input: ims-psu - check if CDC union descriptor is sane
References:
Notes:
+ bwh> Introduced in 3.10 by commit 628329d52474 "Input: add IMS Passenger
+ bwh> Control Unit driver".
Bugs:
upstream: released (4.14-rc6) [ea04efee7635c9120d015dcdeeeb6988130cb67a]
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"
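Review bot: "sid: needed" here sits beside "upstream: released (4.14-rc6)", whereas CVE-2017-16643 in this same revision has a later upstream fix (4.14-rc7) and "sid: pending (4.13.12-1)". Worth confirming whether ea04efee7635 is already in the 4.13 stable release that the pending sid upload is based on. If it is, sid should be pending as well; if it is not, a one-line note saying so would explain the difference between the two entries.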
Modified: active/CVE-2017-16646
===================================================================
--- active/CVE-2017-16646 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16646 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,14 @@
References:
https://patchwork.linuxtv.org/patch/45291/
Notes:
+ bwh> Introduced in 3.17 by commit 8abe4a0a3f6d "[media] dib7000: export just
+ bwh> one symbol".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2017-16647
===================================================================
--- active/CVE-2017-16647 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16647 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,13 @@
References:
https://patchwork.ozlabs.org/patch/834686/
Notes:
+ bwh> Introduced in 4.9 by commit d9fe64e51114 "net: asix: Add in_pm parameter".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
Modified: active/CVE-2017-16648
===================================================================
--- active/CVE-2017-16648 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16648 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,14 @@
References:
https://patchwork.kernel.org/patch/10046189/
Notes:
+ bwh> Introduced in 4.14-rc6 by commit ead666000a5f "media: dvb_frontend:
+ bwh> only use kref after initialized".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: N/A "Vulnerable code not present"
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
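Review bot: every N/A in this hunk, including 4.9-upstream-stable and sid, depends on ead666000a5f existing only in 4.14-rc6 and later. The commit title ("only use kref after initialized") reads like a fix, which is the kind of change stable branches pick up, so the Notes should record that the stable branches were checked for a backport of it. If a branch carries the backport, that branch is affected and its status should be "needed" rather than N/A.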
Modified: active/CVE-2017-16649
===================================================================
--- active/CVE-2017-16649 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16649 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,14 @@
References:
https://patchwork.ozlabs.org/patch/834771/
Notes:
+ bwh> Probably introduced in 2.6.19 by commit a99c19492a80 "USB: usbnet - Add
+ bwh> unlink_rx_urbs() call to allow for Jumbo Frames".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: needed
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: needed
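Review bot: the Notes line says "Probably introduced in 2.6.19" without saying what is still unconfirmed. Marking all branches "needed" is the conservative outcome, so the statuses are fine as they stand; suggest adding a few words on what makes the attribution uncertain, so that whoever prepares the 3.2 and 3.16 backports knows to verify that the affected code is actually present there.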
Modified: active/CVE-2017-16650
===================================================================
--- active/CVE-2017-16650 2017-11-11 20:23:09 UTC (rev 5714)
+++ active/CVE-2017-16650 2017-11-12 18:14:35 UTC (rev 5715)
@@ -2,12 +2,14 @@
References:
https://patchwork.ozlabs.org/patch/834770/
Notes:
+ bwh> Introduced in 3.4 by commit 423ce8caab7e "net: usb: qmi_wwan: New driver
+ bwh> for Huawei QMI based WWAN devices".
Bugs:
-upstream:
-4.9-upstream-stable:
-3.16-upstream-stable:
-3.2-upstream-stable:
-sid:
-4.9-stretch-security:
-3.16-jessie-security:
-3.2-wheezy-security:
+upstream: needed
+4.9-upstream-stable: needed
+3.16-upstream-stable: needed
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: needed
+4.9-stretch-security: needed
+3.16-jessie-security: needed
+3.2-wheezy-security: N/A "Vulnerable code not present"