r4318 - in people/horms: . patch_notes

Simon Horman horms at costa.debian.org
Thu Oct 6 10:27:19 UTC 2005


Author: horms
Date: 2005-10-06 10:27:18 +0000 (Thu, 06 Oct 2005)
New Revision: 4318

Added:
   people/horms/patch_notes/
   people/horms/patch_notes/2.6.13.1
   people/horms/patch_notes/2.6.13.2
   people/horms/patch_notes/2.6.13.3
   people/horms/patch_notes/newcve-2005-09-30
Log:
Add my patch notes somewhere public

Added: people/horms/patch_notes/2.6.13.1
===================================================================
--- people/horms/patch_notes/2.6.13.1	2005-10-06 10:25:01 UTC (rev 4317)
+++ people/horms/patch_notes/2.6.13.1	2005-10-06 10:27:18 UTC (rev 4318)
@@ -0,0 +1,77 @@
+arge:..6.13.1
+URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=202331d4d642e1a5062afb067b81211bf1b6c8cf;hb=f15e7ac28ffe32c1e0e07d41fe792bac02913713;f=2.6.13.1
+
+Description: Kconfig: saa7134-dvb must select tda1004x
+File: saa7134-dvb-must-select-tda1004x.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: not applicable; driver not present in 2.6.12
+2.6.8-sarge-security: not applicable; see above; not a security patch
+
+Description: aacraid bad BUG_ON fix
+File: aacraid-bad-BUG_ON-fix.patch
+Security: No
+2.6.12: not applicable; introduced in the variable FIB code that
+        was introduced between 2.6.12 and 2.6.13. Linus's Git tree
+	7c00ffa314bf0fb0e23858bbebad33b48b6abbb9
+2.6.8-sarge: not applicable; see above
+2.6.8-sarge-security: not applicable; see above; not a security patch
+
+Description: Fix PCI ROM mapping
+File: fix-pci-rom-mapping.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable; see above; not a security patch
+
+Description: [i386] pci_assign_unassigned_resources() update
+File: pci_assign_unassigned_resources-update.patch
+Security: No
+2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge: not applicable; see above
+2.6.8-sarge-security: not applicable; see above; not a security patch
+
+Description: 2.6.13 breaks libpcap (and tcpdump)
+File: fix-socket-filter-regression.patch
+Security: No
+2.6.12: applied rediff
+2.6.8-sarge: not applicable;
+2.6.8-sarge-security: not applicable; not a security patch
+
+Description: [SECURITY] Fix boundary check in standard multi-block cipher processors
+File: ipsec-oops-fix.patch
+Security: Maybe; Could be a local DoS
+Reference: http://bugzilla.kernel.org/show_bug.cgi?id=5194 (down)
+2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge: not applicable; see above
+2.6.8-sarge-security: not applicable; see above; not a security patch
+
+Description: Use SA_SHIRQ in sparc specific code.
+File: sparc-request_irq-in-RTC-fix.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: Reassembly trim not clearing CHECKSUM_HW
+File: ipv4-fragmentation-csum-handling.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: [SECURITY] 32bit sendmsg() flaw. 
+             See CAN-2005-2490
+File: sendmsg-stackoverflow.patch
+Security: Yes; CAN-2005-2490
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: [SECURITY] raw_sendmsg DoS. 
+             See CAN-2005-2492
+File: sendmsg-DoS.patch
+Security: Yes; CAN-2005-2492
+2.6.12: applied
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable
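Review bot: The CAN-2005-2490 entry (sendmsg-stackoverflow.patch) is marked "Security: Yes" and applied to 2.6.8-sarge, yet its 2.6.8-sarge-security line reads "not a security patch". That looks copied from the non-security entries above it and should instead say whether the fix is applied or pending on the security branch. The ipsec-oops-fix.patch entry has the same tension between "Security: Maybe; Could be a local DoS" and "not a security patch". Separately, the first line of the file reads "arge:..6.13.1" where the other two notes files open with the bare version number, and the saa7134-dvb entry says "driver not present in 2.6.12" on the 2.6.8-sarge line directly under "2.6.12: applied", so one of the two version numbers looks wrong.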

Added: people/horms/patch_notes/2.6.13.2
===================================================================
--- people/horms/patch_notes/2.6.13.2	2005-10-06 10:25:01 UTC (rev 4317)
+++ people/horms/patch_notes/2.6.13.2	2005-10-06 10:27:18 UTC (rev 4318)
@@ -0,0 +1,82 @@
+2.6.13.2
+URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=0a3c0657b4270443336144ae79b095240e6aedea;hb=f15e7ac28ffe32c1e0e07d41fe792bac02913713;f=2.6.13.2
+
+Description: [SECURITY] lost fput in 32bit ioctl on x86-64
+File: lost-fput-in-32bit-ioctl-on-x86-64.patch
+Security: Yes; local DoS
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: applied
+
+Description: [SECURITY] lost sockfd_put() in routing_ioctl()
+File: lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
+Security: Yes; local DoS
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: applied
+
+Description: forcedeth: Initialize link settings in every nv_open()
+File: forcedeth-init-link-settings-in-nv_open.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: hpt366: write the full 4 bytes of ROM address, not just low 1 byte
+File: hpt366-write-dword-not-byte-for-ROM-resource.patch
+Security: No
+2.6.12: not applicable; seems to have been introduced between 2.6.12 and 2.6.13
+2.6.8-sarnot applicable; seems to have been introduced between 2.6.12 and 2.6.13ge: 
+2.6.8-sarge-security: not applicable; seems to have been introduced between 2.6.12 and 2.6.13; not a security patch
+
+Description: Sun GEM ethernet: enable and map PCI ROM properly
+File: sungem-enable-and-map-pci-rom-properly.patch
+Security: No
+2.6.12: applied; #322734
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: Sun HME: enable and map PCI ROM properly
+File: sunhme-enable-and-map-pci-rom-properly.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: Fix DHCP + MASQUERADE problem
+File: netfilter-fix-dhcp-masquerade-problem.patch
+Security: No
+2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge-security: not applicable; introduced between 2.6.12 and 2.6.13; not a security patch
+
+Description: jfs_delete_inode must call clear_inode
+File: jfs_delete_inode-must-call-clear_inode.patch
+Security: No
+2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarge-security: not applicable; introduced between 2.6.12 and 2.6.13; not a security patch
+
+Description: Fix MPOL_F_VERIFY
+File: fix-MPOL_F_VERIFY.patch
+Security: No
+2.6.12: applied; backported to use verify_pages() instead of check_pgd_range()
+                 Alternative is to pre-patch with
+		 91612e0df20a52f61db3cac280c153311b36df7a from upstream,
+		 but it is rather large
+2.6.8-sarge: applied; backported to use verify_pages() instead of check_pgd_range()
+2.6.8-sarge-security: not a security patch
+
+Description: Fix up more strange byte writes to the PCI_ROM_ADDRESS config word
+File: fix-more-byte-to-dword-writes-to-PCI_ROM_ADDRESS-config-word.patch
+Security: No
+2.6.12: applied
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: USB: ftdi_sio: custom baud rate fix
+File: usb-ftdi_sio-baud-fix.patch
+Security: No
+2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
+2.6.8-sarnot applicable; seems to have been introduced between 2.6.12 and 2.6.13ge: 
+2.6.8-sarge-security: not applicable; seems to have been introduced between 2.6.12 and 2.6.13; not a security patch
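Review bot: The 2.6.8-sarge lines of the hpt366 and ftdi_sio entries are scrambled, with the value spliced into the middle of the key ("2.6.8-sarnot applicable; ... 2.6.13ge: "), so anything that reads these notes by field name will miss them. Rewrite both as "2.6.8-sarge: not applicable; seems to have been introduced between 2.6.12 and 2.6.13". The two [SECURITY] entries at the top give "Security: Yes; local DoS" without an identifier, while the newcve-2005-09-30 file added in the same commit describes the same fput and sockfd_put problems under CAN-2005-3044; naming it here would match how 2.6.13.1 cites CAN-2005-2490 and CAN-2005-2492. The continuation lines in the MPOL_F_VERIFY entry also mix spaces and tabs for indentation.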

Added: people/horms/patch_notes/2.6.13.3
===================================================================
--- people/horms/patch_notes/2.6.13.3	2005-10-06 10:25:01 UTC (rev 4317)
+++ people/horms/patch_notes/2.6.13.3	2005-10-06 10:27:18 UTC (rev 4318)
@@ -0,0 +1,51 @@
+2.6.13.3
+URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=44d5a5efaa970c35b0f1a4a099843bba4e375025;hb=1de3edce9f33b2555d27cbe50bbafe734085eeab;f=2.6.13.3
+
+Description: yenta oops fix
+File: yenta-oops-fix.patch
+Security: No
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: Fix fs/exec.c:788 (de_thread()) BUG_ON
+File: fix-de_thread-BUG_ON.patch
+Security: No
+2.6.8-sarge: applied backport
+2.6.8-sarge-security: not a security patch
+
+Description: fix IPv6 per-socket multicast filtering in exact-match case
+File: ipv6-fix-per-socket-multicast-filtering.patch
+Security: No
+2.6.8-sarge: applied backport
+2.6.8-sarge-security: not a security patch
+
+Description: ipvs: ip_vs_ftp breaks connections using persistence
+File: ipvs-ip_vs_ftp-breaks-connections.patch
+Security: No
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
+Description: uml: Fix x86_64 page leak
+File: uml-fix-x86_64-page-leak.patch
+Security: No
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable; not a security patch
+
+Description: skge: set mac address oops with bonding
+File: skge-set-mac-address-oops-with-bonding.patch
+Security: No
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable; not a security patch
+
+Description: tcp: set default congestion control correctly for incoming connections
+File: tcp-set-default-congestion-control-correctly.patch
+Security: No
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable; not a security patch
+
+Description: [TCP]: Don't over-clamp window in tcp_clamp_window()
+File: tcp-dont-over-clamp-window-in-tcp_clamp_window.patch
+Security: No
+2.6.8-sarge: applied
+2.6.8-sarge-security: not a security patch
+
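Review bot: Every entry in this file lacks the "2.6.12:" status line that each entry in 2.6.13.1 and 2.6.13.2 carries, so the state of these eight patches on 2.6.12 is not recorded. Either add the line per entry or put a sentence at the top of the file saying why 2.6.12 is not tracked here. The status wording also varies between the files ("applied backport" here, "applied rediff" and "applied; backported to ..." in the others); settling on one form would make the notes easier to search.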

Added: people/horms/patch_notes/newcve-2005-09-30
===================================================================
--- people/horms/patch_notes/newcve-2005-09-30	2005-10-06 10:25:01 UTC (rev 4317)
+++ people/horms/patch_notes/newcve-2005-09-30	2005-10-06 10:27:18 UTC (rev 4318)
@@ -0,0 +1,463 @@
+======================================================
+Candidate: CAN-2005-1768
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050531
+Category: SF
+Reference: BUGTRAQ:20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64)
+Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2
+Reference: MISC:http://www.suresec.org/advisories/adv4.pdf
+
+Race condition in the ia32 compatibility code for the execve system
+call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows
+local users to cause a denial of service (kernel panic) and possibly
+execute arbitrary code via a concurrent thread that increments a
+pointer count after the nargs function has counted the pointers, but
+before the count is copied from user space to kernel space, which
+leads to a buffer overflow.
+
+
+
+
+======================================================
+Candidate: CAN-2005-2548
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2548
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050812
+Category: SF
+Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308
+
+vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
+denial of service (kernel oops from null dereference) via certain UDP
+packets that lead to a function call with the wrong argument, as
+demonstrated using snmpwalk on snmpd.
+
+
+
+======================================================
+Candidate: CAN-2005-2553
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2553
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050812
+Category: SF
+Reference: CONFIRM:http://lkml.org/lkml/2005/1/5/245
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
+
+The find_target function in ptrace32.c in the Linux kernel 2.4.x
+before 2.4.29 does not properly handle a NULL return value from
+another function, which allows local users to cause a denial of
+service (kernel crash/oops) by running a 32-bit ltrace program with
+the -i option on a 64-bit executable program.
+
+
+
+======================================================
+Candidate: CAN-2005-2098
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2098
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050630
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
+2.6.12.5 contains an error path that does not properly release the
+session management semaphore, which allows local users or remote
+attackers to cause a denial of service (semaphore hang) via a new
+session keyring (1) with an empty name string, (2) with a long name
+string, (3) with the key quota reached, or (4) ENOMEM.
+
+
+
+======================================================
+Candidate: CAN-2005-2099
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2099
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050630
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The Linux kernel before 2.6.12.5 does not properly destroy a keyring
+that is not instantiated properly, which allows local users or remote
+attackers to cause a denial of service (kernel oops) via a keyring
+with a payload that is not empty, which causes the creation to fail,
+leading toa null dereference in the keyring destructor.
+
+
+
+======================================================
+Candidate: CAN-2005-2457
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2457
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050804
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: BID:14614
+Reference: URL:http://www.securityfocus.com/bid/14614
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The driver for compressed ISO file systems (zisofs) in the Linux
+kernel before 2.6.12.5 allows local users and remote attackers to
+cause a denial of service (kernel crash) via a crafted compressed ISO
+file system.
+
+
+
+======================================================
+Candidate: CAN-2005-2458
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2458
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050805
+Category: SF
+Reference: MLIST:[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file
+Reference: URL:http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
+allows remote attackers to cause a denial of service (kernel crash)
+via a compressed file with "improper tables".
+
+
+
+======================================================
+Candidate: CAN-2005-2459
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2459
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050805
+Category: SF
+Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=94584
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The huft_build function in inflate.c in the zlib routines in the Linux
+kernel before 2.6.12.5 returns the wrong value, which allows remote
+attackers to cause a denial of service (kernel crash) via a certain
+compressed file that leads to a null pointer dereference, a different
+vulnerbility than CAN-2005-2458.
+
+
+
+
+======================================================
+Candidate: CAN-2005-2872
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050909
+Category: SF
+Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237
+Reference:
+CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
+
+The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
+2.6.12, when running on 64-bit processors such as AMD64, allows remote
+attackers to cause a denial of service (kernel panic) via certain
+attacks such as SSH brute force, which leads to memset calls using a
+length based on the u_int32_t type, acting on an array of unsigned
+long elements, a different vulnerability than CAN-2005-2873.
+
+
+
+======================================================
+Candidate: CAN-2005-2873
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050909
+Category: SF
+Reference: MISC:http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
+
+The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and
+earlier does not properly perform certain time tests when the jiffies
+value is greater than LONG_MAX, which can cause ipt_recent netfilter
+rules to block too early, a different vulnerability than
+CAN-2005-2872.
+
+
+
+======================================================
+Candidate: CAN-2005-1913
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1913
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050608
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14054
+Reference: URL:http://www.securityfocus.com/bid/14054
+Reference: SECUNIA:15786
+Reference: URL:http://secunia.com/advisories/15786/
+Reference: XF:kernel-subthread-dos(21138)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/21138
+
+The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a
+denial of service (kernel panic) via a non group-leader thread
+executing a different program than was pending in itimer, which causes
+the signal to be delivered to the old group-leader task, which does
+not exist.
+
+
+
+======================================================
+Candidate: CAN-2005-2490
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050808
+Category: SF
+Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14785
+Reference: URL:http://www.securityfocus.com/bid/14785
+Reference: SECUNIA:16747
+Reference: URL:http://secunia.com/advisories/16747/
+Reference: XF:kernel-sendmsg-bo(22217)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/22217
+
+Stack-based buffer overflow in the sendmsg function call in the Linux
+kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code
+by calling sendmsg and modifying the message contents in another
+thread.
+
+
+
+======================================================
+Candidate: CAN-2005-2492
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2492
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050808
+Category: SF
+Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14787
+Reference: URL:http://www.securityfocus.com/bid/14787
+Reference: SECUNIA:16747
+Reference: URL:http://secunia.com/advisories/16747/
+Reference: XF:kernel-rawsendmsg-obtain-information(22218)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/22218
+
+The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1
+allows local users to cause a denial of service (change hardware
+state) or read from arbitrary memory via crafted input.
+
+
+
+======================================================
+Candidate: CAN-2005-3044
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3044
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050922
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.2
+
+Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow loal
+users to cause a denial of service (kernel OOPS from null dereference)
+via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put
+in the 32-bit routing_ioctl function on 64-bit systems.
+
+
+======================================================
+Candidate: CAN-2005-3053
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3053
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050926
+Category: SF
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42eef8b09C5r6iI0LuMe5Uy3k05c5g
+
+The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x
+allows local users to cause a denial of service (kernel BUG()) via a
+negative first argument.
+
+
+
+
+======================================================
+Candidate: CAN-2005-3055
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3055
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050926
+Category: SF
+Reference: MLIST:[linux-kernel] 20050925 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
+Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
+
+Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial
+of service (kernel OOPS) via a userspace process that issues a USB
+Request Block (URB) to a USB device and terminates before the URB is
+finished, which leads to a stale pointer reference.
+
+
+======================================================
+Candidate: CAN-2005-3105
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3105
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: MISC:http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
+Reference: MISC:http://cache-www.intel.com/cd/00/00/21/57/215792_215792.pdf
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
+
+The mrpotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
+processors does not properly maintain cache coherency as required by
+the architecture, which allows local users to cause a denial of
+service and possibly corrupt data by modifying PTE protections.
+
+
+
+======================================================
+Candidate: CAN-2005-3106
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3106
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
+
+Race condition in Linux 2.6, when threads are sharing memory mapping
+via CLONE_VM (such as linuxthreads and vfork), might allow local users
+to cause a denial of service (deadlock) by triggering a core dump
+while waiting for a thread that has just performed an exec.
+
+
+
+======================================================
+Candidate: CAN-2005-3107
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3107
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.155?nav=index.html|src/|src/fs|hist/fs/exec.c
+
+fs/exec.c in Linux 2.6, when one thread is tracing another thread that
+shares the same memory map, might allow local users to cause a denial
+of service (deadlock) by forcing a core dump when the traced thread is
+in the TASK_TRACED state.
+
+
+
+======================================================
+Candidate: CAN-2005-3108
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3108
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2
+
+mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
+cause a denial of service or an information leak via an iremap on a
+certain memory map that causes the iounmap to perform a lookup of a
+page that does not exist.
+
+
+
+======================================================
+Candidate: CAN-2005-3109
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3109
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=945b092011c6af71a0107be96e119c8c08776f3f
+
+The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to
+cause a denial of service (oops) by using hfsplus to mount a
+filesystem that is not hfsplus.
+
+
+
+======================================================
+Candidate: CAN-2005-3110
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3110
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
+
+Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6,
+when running on an SMP system that is operating under a heavy load,
+might allow remote attackers to cause a denial of service (crash) via
+a series of packets that cause a value to be modified after it has
+been read but before it has been locked.
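Review bot: None of the candidate entries in this file records a status for 2.6.12, 2.6.8-sarge or 2.6.8-sarge-security, unlike the three version files in the same commit, so a reader cannot tell which candidates are already handled and which still need a patch. CAN-2005-2490 and CAN-2005-2492, for example, are listed as applied in 2.6.13.1 but carry no pointer to that here; adding the same per-branch status lines (or at least a "See: 2.6.13.1" style cross-reference) under each candidate would make this usable as a tracking list. In the CAN-2005-2872 entry the second "Reference:" field is split, with the CONFIRM URL on the following line, which breaks the one-field-per-line layout the other entries keep. The Final-Decision through Proposed lines have trailing whitespace from CAN-2005-3105 onward but not before it.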



