r4388 - in people/horms/patch_notes: . 2.6-stable cve

Simon Horman horms at costa.debian.org
Tue Oct 11 02:08:01 UTC 2005


Author: horms
Date: 2005-10-11 02:08:00 +0000 (Tue, 11 Oct 2005)
New Revision: 4388

Added:
   people/horms/patch_notes/2.6-stable/
   people/horms/patch_notes/2.6-stable/2.6.13.1
   people/horms/patch_notes/2.6-stable/2.6.13.2
   people/horms/patch_notes/2.6-stable/2.6.13.3
   people/horms/patch_notes/cve/
   people/horms/patch_notes/cve/CAN-2005-1768
   people/horms/patch_notes/cve/CAN-2005-1913
   people/horms/patch_notes/cve/CAN-2005-2098
   people/horms/patch_notes/cve/CAN-2005-2099
   people/horms/patch_notes/cve/CAN-2005-2457
   people/horms/patch_notes/cve/CAN-2005-2458
   people/horms/patch_notes/cve/CAN-2005-2459
   people/horms/patch_notes/cve/CAN-2005-2490
   people/horms/patch_notes/cve/CAN-2005-2492
   people/horms/patch_notes/cve/CAN-2005-2548
   people/horms/patch_notes/cve/CAN-2005-2553
   people/horms/patch_notes/cve/CAN-2005-2872
   people/horms/patch_notes/cve/CAN-2005-2873
   people/horms/patch_notes/cve/CAN-2005-3044
   people/horms/patch_notes/cve/CAN-2005-3053
   people/horms/patch_notes/cve/CAN-2005-3055
   people/horms/patch_notes/cve/CAN-2005-3105
   people/horms/patch_notes/cve/CAN-2005-3106
   people/horms/patch_notes/cve/CAN-2005-3107
   people/horms/patch_notes/cve/CAN-2005-3108
   people/horms/patch_notes/cve/CAN-2005-3109
   people/horms/patch_notes/cve/CAN-2005-3110
Removed:
   people/horms/patch_notes/2.6.13.1
   people/horms/patch_notes/2.6.13.2
   people/horms/patch_notes/2.6.13.3
   people/horms/patch_notes/newcve-2005-09-30
Log:
Break out CVEs, separate CVE and 2.6-stable patch notes into separate directories

Copied: people/horms/patch_notes/2.6-stable/2.6.13.1 (from rev 4347, people/horms/patch_notes/2.6.13.1)

Copied: people/horms/patch_notes/2.6-stable/2.6.13.2 (from rev 4347, people/horms/patch_notes/2.6.13.2)

Copied: people/horms/patch_notes/2.6-stable/2.6.13.3 (from rev 4318, people/horms/patch_notes/2.6.13.3)

Deleted: people/horms/patch_notes/2.6.13.1
===================================================================
--- people/horms/patch_notes/2.6.13.1	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/2.6.13.1	2005-10-11 02:08:00 UTC (rev 4388)
@@ -1,94 +0,0 @@
-arge:..6.13.1
-URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=202331d4d642e1a5062afb067b81211bf1b6c8cf;hb=f15e7ac28ffe32c1e0e07d41fe792bac02913713;f=2.6.13.1
-
-Description: Kconfig: saa7134-dvb must select tda1004x
-File: saa7134-dvb-must-select-tda1004x.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: applied
-2.6.8-sarge: not applicable; driver not present in 2.6.12
-2.6.8-sarge-security: not applicable; see above; not a security patch
-
-Description: aacraid bad BUG_ON fix
-File: aacraid-bad-BUG_ON-fix.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: not applicable; introduced in the variable FIB code that
-        was introduced between 2.6.12 and 2.6.13. Linus's Git tree
-	7c00ffa314bf0fb0e23858bbebad33b48b6abbb9
-2.6.8-sarge: not applicable; see above
-2.6.8-sarge-security: not applicable; see above; not a security patch
-
-Description: Fix PCI ROM mapping
-File: fix-pci-rom-mapping.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: applied
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable; see above; not a security patch
-
-Description: [i386] pci_assign_unassigned_resources() update
-File: pci_assign_unassigned_resources-update.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge: not applicable; see above
-2.6.8-sarge-security: not applicable; see above; not a security patch
-
-Description: 2.6.13 breaks libpcap (and tcpdump)
-File: fix-socket-filter-regression.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: applied rediff
-2.6.8-sarge: not applicable;
-2.6.8-sarge-security: not applicable; not a security patch
-
-Description: [SECURITY] Fix boundary check in standard multi-block cipher processors
-File: ipsec-oops-fix.patch
-Security: Maybe; Could be a local DoS
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-Reference: http://bugzilla.kernel.org/show_bug.cgi?id=5194 (down)
-2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge: not applicable; see above
-2.6.8-sarge-security: not applicable; see above; not a security patch
-
-Description: Use SA_SHIRQ in sparc specific code.
-File: sparc-request_irq-in-RTC-fix.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: Reassembly trim not clearing CHECKSUM_HW
-File: ipv4-fragmentation-csum-handling.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: [SECURITY] 32bit sendmsg() flaw. 
-             See CAN-2005-2490
-File: sendmsg-stackoverflow.patch
-Security: Yes; CAN-2005-2490
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.13: fixed in 2.6.13-1
-2.6.12: fixed in 2.6.12-7
-2.6.8-sarge: applied
-2.6.8-sarge-security: applied
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-Description: [SECURITY] raw_sendmsg DoS. 
-             See CAN-2005-2492
-File: sendmsg-DoS.patch
-Security: Yes; CAN-2005-2492
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.13: fixed in 2.6.13-1
-2.6.12: fixed in 2.6.12-7
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
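Review bot: the first line of this file reads `-arge:..6.13.1` where the other notes files open with the plain version string (`2.6.13.2`, `2.6.13.3`); since the content is moved to people/horms/patch_notes/2.6-stable/2.6.13.1 by a copy from rev 4347 rather than from the rev 4387 version deleted here, check that the moved copy has the header `2.6.13.1` and that no edits made between rev 4347 and rev 4387 are lost. The two sendmsg entries also carry a duplicated status line (`2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch` directly followed by `2.6.13: fixed in 2.6.13-1`); keep only the first in the moved copy.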

Deleted: people/horms/patch_notes/2.6.13.2
===================================================================
--- people/horms/patch_notes/2.6.13.2	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/2.6.13.2	2005-10-11 02:08:00 UTC (rev 4388)
@@ -1,95 +0,0 @@
-2.6.13.2
-URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=0a3c0657b4270443336144ae79b095240e6aedea;hb=f15e7ac28ffe32c1e0e07d41fe792bac02913713;f=2.6.13.2
-
-Description: [SECURITY] lost fput in 32bit ioctl on x86-64
-File: lost-fput-in-32bit-ioctl-on-x86-64.patch
-Security: Yes; local DoS; CAN-2005-3044
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: fixed in 2.6.12-7: lost-fput-in-32bit-ioctl-on-x86-64.patch
-2.6.8-sarge: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch
-2.6.8-sarge-security: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch
-2.4.27-sid/sarge: code is vulnerable but there is no amd64 for 2.4 in Sarge
-2.4.27-sarge-security: vulnerable but there is no amd64 for 2.4 in Sarge
-
-Description: [SECURITY] lost sockfd_put() in routing_ioctl()
-File: lost-sockfd_put-in-32bit-compat-routing_ioctl.patch
-Security: Yes; local DoS
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: applied
-
-Description: forcedeth: Initialize link settings in every nv_open()
-File: forcedeth-init-link-settings-in-nv_open.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: hpt366: write the full 4 bytes of ROM address, not just low 1 byte
-File: hpt366-write-dword-not-byte-for-ROM-resource.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: not applicable; seems to have been introduced between 2.6.12 and 2.6.13
-2.6.8-sarnot applicable; seems to have been introduced between 2.6.12 and 2.6.13ge: 
-2.6.8-sarge-security: not applicable; seems to have been introduced between 2.6.12 and 2.6.13; not a security patch
-
-Description: Sun GEM ethernet: enable and map PCI ROM properly
-File: sungem-enable-and-map-pci-rom-properly.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied; #322734
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: Sun HME: enable and map PCI ROM properly
-File: sunhme-enable-and-map-pci-rom-properly.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: Fix DHCP + MASQUERADE problem
-File: netfilter-fix-dhcp-masquerade-problem.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge-security: not applicable; introduced between 2.6.12 and 2.6.13; not a security patch
-
-Description: jfs_delete_inode must call clear_inode
-File: jfs_delete_inode-must-call-clear_inode.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarge-security: not applicable; introduced between 2.6.12 and 2.6.13; not a security patch
-
-Description: Fix MPOL_F_VERIFY
-File: fix-MPOL_F_VERIFY.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied; backported to use verify_pages() instead of check_pgd_range()
-                 Alternative is to pre-patch with
-		 91612e0df20a52f61db3cac280c153311b36df7a from upstream,
-		 but it is rather large
-2.6.8-sarge: applied; backported to use verify_pages() instead of check_pgd_range()
-2.6.8-sarge-security: not a security patch
-
-Description: Fix up more strange byte writes to the PCI_ROM_ADDRESS config word
-File: fix-more-byte-to-dword-writes-to-PCI_ROM_ADDRESS-config-word.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: applied
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: USB: ftdi_sio: custom baud rate fix
-File: usb-ftdi_sio-baud-fix.patch
-Security: No
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: not applicable; introduced between 2.6.12 and 2.6.13
-2.6.8-sarnot applicable; seems to have been introduced between 2.6.12 and 2.6.13ge: 
-2.6.8-sarge-security: not applicable; seems to have been introduced between 2.6.12 and 2.6.13; not a security patch
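Review bot: the hpt366 and ftdi_sio entries have the value spliced into the key, so `2.6.8-sarnot applicable; seems to have been introduced between 2.6.12 and 2.6.13ge:` should read `2.6.8-sarge: not applicable; seems to have been introduced between 2.6.12 and 2.6.13`. This file is moved by a copy from rev 4347 rather than from the rev 4387 version deleted here, so make the fix in people/horms/patch_notes/2.6-stable/2.6.13.2 and confirm no edits between rev 4347 and rev 4387 are dropped.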

Deleted: people/horms/patch_notes/2.6.13.3
===================================================================
--- people/horms/patch_notes/2.6.13.3	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/2.6.13.3	2005-10-11 02:08:00 UTC (rev 4388)
@@ -1,51 +0,0 @@
-2.6.13.3
-URL: http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=tree;h=44d5a5efaa970c35b0f1a4a099843bba4e375025;hb=1de3edce9f33b2555d27cbe50bbafe734085eeab;f=2.6.13.3
-
-Description: yenta oops fix
-File: yenta-oops-fix.patch
-Security: No
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: Fix fs/exec.c:788 (de_thread()) BUG_ON
-File: fix-de_thread-BUG_ON.patch
-Security: No
-2.6.8-sarge: applied backport
-2.6.8-sarge-security: not a security patch
-
-Description: fix IPv6 per-socket multicast filtering in exact-match case
-File: ipv6-fix-per-socket-multicast-filtering.patch
-Security: No
-2.6.8-sarge: applied backport
-2.6.8-sarge-security: not a security patch
-
-Description: ipvs: ip_vs_ftp breaks connections using persistence
-File: ipvs-ip_vs_ftp-breaks-connections.patch
-Security: No
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
-Description: uml: Fix x86_64 page leak
-File: uml-fix-x86_64-page-leak.patch
-Security: No
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable; not a security patch
-
-Description: skge: set mac address oops with bonding
-File: skge-set-mac-address-oops-with-bonding.patch
-Security: No
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable; not a security patch
-
-Description: tcp: set default congestion control correctly for incoming connections
-File: tcp-set-default-congestion-control-correctly.patch
-Security: No
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable; not a security patch
-
-Description: [TCP]: Don't over-clamp window in tcp_clamp_window()
-File: tcp-dont-over-clamp-window-in-tcp_clamp_window.patch
-Security: No
-2.6.8-sarge: applied
-2.6.8-sarge-security: not a security patch
-
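Review bot: every entry in this file stops at the 2.6.8-sarge lines and omits the `2.6.13:` and `2.6.12:` status lines that 2.6.13.1 and 2.6.13.2 record for each patch; as 2.6-stable/2.6.13.3 is copied from rev 4318, earlier than the rev 4347 source of its sibling files, add the missing status lines in the moved copy so the three files list the same set of kernels.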

Added: people/horms/patch_notes/cve/CAN-2005-1768
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-1768	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-1768	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-1768
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050531
+Category: SF
+Reference: BUGTRAQ:20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64)
+Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2
+Reference: MISC:http://www.suresec.org/advisories/adv4.pdf
+
+Race condition in the ia32 compatibility code for the execve system
+call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows
+local users to cause a denial of service (kernel panic) and possibly
+execute arbitrary code via a concurrent thread that increments a
+pointer count after the nargs function has counted the pointers, but
+before the count is copied from user space to kernel space, which
+leads to a buffer overflow.
+
+Notes by Horms:
+upstream: 2.4.31 / 2.6.6
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: not vulnerable
+2.6.8-sarge-security: not vulnerable
+2.4.27-sid/sarge: fixed in 2.4.27-11: 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)
+2.4.27-sarge-security: fixed in 2.4.27-10sarge1: 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)
+
+
+
+
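Review bot: the file ends with four empty lines after the `2.4.27-sarge-security` entry, and the other files in this commit end with anywhere from one to four; trim each to a single trailing newline so diffs between the notes files stay meaningful.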

Added: people/horms/patch_notes/cve/CAN-2005-1913
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-1913	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-1913	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-1913
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1913
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050608
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14054
+Reference: URL:http://www.securityfocus.com/bid/14054
+Reference: SECUNIA:15786
+Reference: URL:http://secunia.com/advisories/15786/
+Reference: XF:kernel-subthread-dos(21138)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/21138
+
+The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a
+denial of service (kernel panic) via a non group-leader thread
+executing a different program than was pending in itimer, which causes
+the signal to be delivered to the old group-leader task, which does
+not exist.
+
+Notes Horms:
+upstream: 2.6.12.1
+2.6.12: fixed in 2.6.12-1: linux-2.6.12.1.patch
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+
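Review bot: the notes header reads `Notes Horms:` while the other files use `Notes by Horms:`, and there is no `2.6.13:` line; given `upstream: 2.6.12.1`, add `2.6.13: not vulnerable` as the CAN-2005-2098 file does, so every file lists the same set of kernels.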

Added: people/horms/patch_notes/cve/CAN-2005-2098
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2098	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2098	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-2098
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2098
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050630
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
+2.6.12.5 contains an error path that does not properly release the
+session management semaphore, which allows local users or remote
+attackers to cause a denial of service (semaphore hang) via a new
+session keyring (1) with an empty name string, (2) with a long name
+string, (3) with the key quota reached, or (4) ENOMEM.
+
+Notes by Horms:
+upstream: 2.6.12.5
+2.6.13: not vulnerable
+2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
+2.6.8-sarge: not vulnerable
+2.6.8-sarge-security: not vulnerable
+2.4.27-sid/sarge: not vulnerable
+2.4.27-sarge-security: not vulnerable
+
+
+

Added: people/horms/patch_notes/cve/CAN-2005-2099
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2099	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2099	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,31 @@
+======================================================
+Candidate: CAN-2005-2099
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2099
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050630
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The Linux kernel before 2.6.12.5 does not properly destroy a keyring
+that is not instantiated properly, which allows local users or remote
+attackers to cause a denial of service (kernel oops) via a keyring
+with a payload that is not empty, which causes the creation to fail,
+leading toa null dereference in the keyring destructor.
+
+Notes by Horms:
+upstream: 2.6.12.5
+2.6.13: not vulnerable
+2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
+2.6.8-sarge: not vulnerable
+2.6.8-sarge-security: not vulnerable
+2.4.27-sid/sarge: not vulnerable
+2.4.27-sarge-security: not vulnerable
+
+

Added: people/horms/patch_notes/cve/CAN-2005-2457
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2457	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2457	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,32 @@
+======================================================
+Candidate: CAN-2005-2457
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2457
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050804
+Category: SF
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: BID:14614
+Reference: URL:http://www.securityfocus.com/bid/14614
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The driver for compressed ISO file systems (zisofs) in the Linux
+kernel before 2.6.12.5 allows local users and remote attackers to
+cause a denial of service (kernel crash) via a crafted compressed ISO
+file system.
+
+Notes by Horms:
+upstream: 2.6.12.5
+2.6.13: not vulnerable
+2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
+2.6.8-sarge: in svn: zisofs.dpatch
+2.6.8-sarge-security: in svn: zisofs.diff
+2.4.27-sid/sarge: in svn: zisofs-2.diff
+2.4.27-sarge-security: in svn: zisofs-2.diff
+
+
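Review bot: the 2.6.8-sarge line cites `zisofs.dpatch` while the 2.6.8-sarge-security line cites `zisofs.diff` for the same 2.6.8 tree; the other 2.6.8 entries in this commit (`linux-zlib-fixes.dpatch`, `vlan-mii-ioctl.dpatch`, `mempolicy-check-mode.dpatch`) use the .dpatch suffix, so confirm which name is actually in svn and use it on both lines.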

Added: people/horms/patch_notes/cve/CAN-2005-2458
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2458	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2458	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-2458
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2458
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050805
+Category: SF
+Reference: MLIST:[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file
+Reference: URL:http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
+allows remote attackers to cause a denial of service (kernel crash)
+via a compressed file with "improper tables".
+y}
+
+Notes by Horms:
+upstream: 2.6.12.5
+2.6.13: not vulnerable
+2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
+2.6.8-sarge: in svn: linux-zlib-fixes.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: linux-zlib-fixes.dpatch
+2.4.27-sid/sarge: fixed in 2.4.27-11: 182_linux-zlib-fixes.diff
+2.4.27-sarge-security: fixed in 2.4.27-10sarge1: 182_linux-zlib-fixes.diff
+
+
+
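Review bot: the line `y}` following the CVE description is stray editor residue rather than part of the MITRE text and should be removed.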

Added: people/horms/patch_notes/cve/CAN-2005-2459
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2459	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2459	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-2459
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2459
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050805
+Category: SF
+Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=94584
+Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+Reference: UBUNTU:USN-169-1
+Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+Reference: SECUNIA:16355
+Reference: URL:http://secunia.com/advisories/16355/
+
+The huft_build function in inflate.c in the zlib routines in the Linux
+kernel before 2.6.12.5 returns the wrong value, which allows remote
+attackers to cause a denial of service (kernel crash) via a certain
+compressed file that leads to a null pointer dereference, a different
+vulnerbility than CAN-2005-2458.
+
+Notes by Horms:
+upstream: not vulnerable (a bogus fix was applied in 2.6.12.5 and reverted in 2.6.12.6)
+http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.6
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: not vulnerable
+2.6.8-sarge-security: not vulnerable
+2.4.27-sid/sarge: in svn: not vulnerable
+2.4.27-sarge-security: not vulnerable
+
+
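Review bot: `2.4.27-sid/sarge: in svn: not vulnerable` mixes two states; everywhere else in this commit `in svn:` is followed by a patch filename, and the upstream note says the only fix (2.6.12.5) was bogus and reverted in 2.6.12.6. If nothing is committed for 2.4.27 this should read just `not vulnerable`, matching the 2.4.27-sarge-security line; if a patch was committed, name it and state whether it should be reverted as upstream did.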

Added: people/horms/patch_notes/cve/CAN-2005-2490
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2490	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2490	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,34 @@
+======================================================
+Candidate: CAN-2005-2490
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050808
+Category: SF
+Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14785
+Reference: URL:http://www.securityfocus.com/bid/14785
+Reference: SECUNIA:16747
+Reference: URL:http://secunia.com/advisories/16747/
+Reference: XF:kernel-sendmsg-bo(22217)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/22217
+
+Stack-based buffer overflow in the sendmsg function call in the Linux
+kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code
+by calling sendmsg and modifying the message contents in another
+thread.
+
+Notes Horms:
+upstream: 2.6.13.1
+2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
+2.6.12: fixed in 2.6.12-7: sendmsg-stackoverflow.patch
+2.6.8-sarge: applied
+2.6.8-sarge-security: applied
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+
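Review bot: `2.6.8-sarge: applied` and `2.6.8-sarge-security: applied` give no patch name, unlike the 2.6.12 line (`sendmsg-stackoverflow.patch`) and the `in svn: <name>.dpatch` form used in the other CVE files here; name the dpatch so the entry can be cross-checked against the tree. The header also reads `Notes Horms:` rather than `Notes by Horms:`.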

Added: people/horms/patch_notes/cve/CAN-2005-2492
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2492	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2492	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,33 @@
+======================================================
+Candidate: CAN-2005-2492
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2492
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050808
+Category: SF
+Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+Reference: UBUNTU:USN-178-1
+Reference: URL:http://www.ubuntu.com/usn/usn-178-1
+Reference: BID:14787
+Reference: URL:http://www.securityfocus.com/bid/14787
+Reference: SECUNIA:16747
+Reference: URL:http://secunia.com/advisories/16747/
+Reference: XF:kernel-rawsendmsg-obtain-information(22218)
+Reference: URL:http://xforce.iss.net/xforce/xfdb/22218
+
+The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1
+allows local users to cause a denial of service (change hardware
+state) or read from arbitrary memory via crafted input.
+
+Notes Horms:
+upstream: 2.6.13.1
+2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
+2.6.12: fixed in 2.6.12-7: sendmsg-DoS.patch
+2.6.8-sarge: not applicable
+2.6.8-sarge-security: not applicable
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+

Added: people/horms/patch_notes/cve/CAN-2005-2548
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2548	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2548	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,27 @@
+======================================================
+Candidate: CAN-2005-2548
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2548
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050812
+Category: SF
+Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308
+
+vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
+denial of service (kernel oops from null dereference) via certain UDP
+packets that lead to a function call with the wrong argument, as
+demonstrated using snmpwalk on snmpd.
+
+Notes by Horms:
+upstream: 2.4.29
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: in svn: vlan-mii-ioctl.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: vlan-mii-ioctl.dpatch
+2.4.27-sid/sarge: not vulnerable
+2.4.27-sarge-security: not vulnerable
+
+
+
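Review bot: `upstream: 2.4.29` names a 2.4 release for an issue the description places in vlan_dev.c of kernel 2.6.8, yet 2.6.13 and 2.6.12 are marked `not vulnerable` with no 2.6 fix recorded, and 2.4.27-sid/sarge is also marked `not vulnerable` although 2.4.27 predates the 2.4.29 fix named here. Record the 2.6 release (or upstream commit) that carries the fix, and add a word on why 2.4.27 is unaffected, so the `not vulnerable` entries are traceable.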

Added: people/horms/patch_notes/cve/CAN-2005-2553
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2553	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2553	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,29 @@
+======================================================
+Candidate: CAN-2005-2553
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2553
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050812
+Category: SF
+Reference: CONFIRM:http://lkml.org/lkml/2005/1/5/245
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
+
+The find_target function in ptrace32.c in the Linux kernel 2.4.x
+before 2.4.29 does not properly handle a NULL return value from
+another function, which allows local users to cause a denial of
+service (kernel crash/oops) by running a 32-bit ltrace program with
+the -i option on a 64-bit executable program.
+
+Notes by Horms:
+upstream: 2.4.29
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: not vulnerable
+2.6.8-sarge-security: not vulnerable
+2.4.27-sid/sarge: in svn: 184_arch-x86_64-ia32-ptrace32-oops.diff
+2.4.27-sarge-security: in svn: 184_arch-x86_64-ia32-ptrace32-oops.diff
+
+
+

Added: people/horms/patch_notes/cve/CAN-2005-2872
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2872	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2872	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,32 @@
+======================================================
+Candidate: CAN-2005-2872
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050909
+Category: SF
+Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237
+Reference:
+CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
+
+The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
+2.6.12, when running on 64-bit processors such as AMD64, allows remote
+attackers to cause a denial of service (kernel panic) via certain
+attacks such as SSH brute force, which leads to memset calls using a
+length based on the u_int32_t type, acting on an array of unsigned
+long elements, a different vulnerability than CAN-2005-2873.
+
+Notes by Horms:
+upstream: 2.6.12
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: in svn: net-ipv4-netfilter-ip_recent-last_pkts.dpatch
+2.6.8-sarge-security: in svn: net-ipv4-netfilter-ip_recent-last_pkts.dpatch
+2.4.27-sid/sarge: fixed in 2.4.27-11:179_net-ipv4-netfilter-ip_recent-last_pkts.diff
+2.4.27-sarge-security: in svn: 179_net-ipv4-netfilter-ip_recent-last_pkts.diff
+
+
+
+
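Review bot: the second reference is split across two lines (`Reference:` on one line, `CONFIRM:http://www.kernel.org/git/...` on the next), which breaks the one-reference-per-line format used in every other file here; join them. `2.4.27-sid/sarge: fixed in 2.4.27-11:179_net-ipv4-netfilter-ip_recent-last_pkts.diff` is also missing the space after the colon that the other `fixed in` lines have.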

Added: people/horms/patch_notes/cve/CAN-2005-2873
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-2873	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-2873	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,28 @@
+======================================================
+Candidate: CAN-2005-2873
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050909
+Category: SF
+Reference: MISC:http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
+
+The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and
+earlier does not properly perform certain time tests when the jiffies
+value is greater than LONG_MAX, which can cause ipt_recent netfilter
+rules to block too early, a different vulnerability than
+CAN-2005-2872.
+
+Notes by horms:
+No patch that is acceptable upstream is available
+http://lists.debian.org/debian-kernel/2005/09/msg00257.html
+upstream: vulnerable
+2.6.13: vulnerable: #332381
+2.6.12: vulnerable: #332381
+2.6.8-sarge: vulnerable: #332231
+2.6.8-sarge-security: vulnerable: #332231
+2.4.27-sid/sarge: vulnerable: #332228
+2.4.27-sarge-security: vulnerable: #332228
+

Added: people/horms/patch_notes/cve/CAN-2005-3044
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3044	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3044	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,27 @@
+======================================================
+Candidate: CAN-2005-3044
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3044
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050922
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.2
+
+Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow loal
+users to cause a denial of service (kernel OOPS from null dereference)
+via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put
+in the 32-bit routing_ioctl function on 64-bit systems.
+
+Notes Horms:
+http://lkml.org/lkml/2005/9/30/218
+upstream: 2.6.13.2
+2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
+2.6.12: fixed in 2.6.12-7: lost-fput-in-32bit-ioctl-on-x86-64.patch
+2.6.8-sarge: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch
+2.6.8-sarge-security: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch
+2.4.27-sid/sarge: code is vulnerable but there is no amd64 for 2.4 in Sarge
+2.4.27-sarge-security: vulnerable but there is no amd64 for 2.4 in Sarge
+
+
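Review bot: "loal" on the first description line should read "local". The 2.6.8-sarge-security line dropped the "(2.6.8-16sarge2)" target that the deleted newcve-2005-09-30 copy carried, so the note no longer says which upload the dpatch is queued for; restore it, e.g. "2.6.8-sarge-security: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch (2.6.8-16sarge2)". The two trailing "+" blank lines can go.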

Added: people/horms/patch_notes/cve/CAN-2005-3053
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3053	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3053	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,24 @@
+======================================================
+Candidate: CAN-2005-3053
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3053
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050926
+Category: SF
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42eef8b09C5r6iI0LuMe5Uy3k05c5g
+
+The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x
+allows local users to cause a denial of service (kernel BUG()) via a
+negative first argument.
+
+Notes Horms:
+http://lkml.org/lkml/2005/9/30/218
+upstream: 2.6.12.5
+2.6.12: fixed in 2.6.12-3
+2.6.8-sarge: in svn: mempolicy-check-mode.dpatch
+2.6.8-sarge-security: in svn: mempolicy-check-mode.dpatch
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+
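Review bot: the status block has no 2.6.13 line although every other file in this commit records one; with upstream fixed in 2.6.12.5 the 2.6.13 status should be stated rather than left for the reader to infer. The 2.6.8-sarge-security line also lost the "(2.6.8-16sarge2)" target that the deleted newcve-2005-09-30 copy had, and "2.6.12: fixed in 2.6.12-3" names no patch, unlike the other 2.6.12 entries in this commit.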

Added: people/horms/patch_notes/cve/CAN-2005-3055
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3055	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3055	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,27 @@
+======================================================
+Candidate: CAN-2005-3055
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3055
+Final-Decision:
+Interim-Decision:
+Modified:
+Proposed:
+Assigned: 20050926
+Category: SF
+Reference: MLIST:[linux-kernel] 20050925 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
+Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
+
+Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial
+of service (kernel OOPS) via a userspace process that issues a USB
+Request Block (URB) to a USB device and terminates before the URB is
+finished, which leads to a stale pointer reference.
+
+Notes Horms:
+http://lkml.org/lkml/2005/9/30/218
+upstream: pending
+2.6.13: vulnerable: #330287
+2.6.12: vulnerable: #330287
+2.6.8-sarge: vulnerable: #332596
+2.6.8-sarge-security: vulnerable: #332596
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+
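Review bot: "upstream: pending" does not say what is pending. The MLIST reference is a "[BUG/PATCH/RFC]" thread, so record the proposed patch name or the thread URL on that line so the entry can be re-checked when the next stable release appears.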

Added: people/horms/patch_notes/cve/CAN-2005-3105
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3105	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3105	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,32 @@
+======================================================
+Candidate: CAN-2005-3105
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3105
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: MISC:http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
+Reference: MISC:http://cache-www.intel.com/cd/00/00/21/57/215792_215792.pdf
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
+
+The mrpotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
+processors does not properly maintain cache coherency as required by
+the architecture, which allows local users to cause a denial of
+service and possibly corrupt data by modifying PTE protections.
+
+Extra information from Moritz Muehlenhof:
+ia64 Montecito CPU do not maintain cache coherency correctly, which can be
+exploited by a local DoS.
+http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
+
+Notes from Micah and Horms:
+upstream: fixed
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: in svn: mckinley_icache.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: mckinley_icache.dpatch
+2.4.27-sid/sarge: vulnerable: #332569
+2.4.27-sarge-security: vulnerable: #332569
+
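Review bot: "upstream: fixed" is the only upstream line in this commit without a version; the bkbits cset is referenced, but a kernel version is what the other entries use for comparison, so add it. "ia64 Montecito CPU do not" should be "CPUs do not". "mrpotect" in the description is MITRE's text, so leave it unless the entry is edited anyway.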

Added: people/horms/patch_notes/cve/CAN-2005-3106
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3106	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3106	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,31 @@
+======================================================
+Candidate: CAN-2005-3106
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3106
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
+
+Race condition in Linux 2.6, when threads are sharing memory mapping
+via CLONE_VM (such as linuxthreads and vfork), might allow local users
+to cause a denial of service (deadlock) by triggering a core dump
+while waiting for a thread that has just performed an exec.
+
+Extra information from Moritz Muehlenhof:
+CAN-2005-3106:
+DoS through race condition in processes that share a memory mapping through
+CLONE_VM
+http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
+
+Notes from Micah and Horms:
+upstream: 2.6.11
+2.6.13: not vulnerable
+2.6.13: not vulnerable
+2.6.8-sarge: in svn: fs-exec-ptrace-core-exec-race.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: fs-exec-ptrace-core-exec-race.dpatch
+2.4.27-sid/sarge: not implemented
+2.4.27-sarge-security: not implemented
+
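Review bot: the status block lists "2.6.13: not vulnerable" twice and has no 2.6.12 line; the second line is almost certainly meant to read 2.6.12. The 2.6.8-sarge line also dropped the "(2.6.8-16sarge1)" target that the deleted newcve-2005-09-30 copy carried. The "CAN-2005-3106:" line inside the extra-information block duplicates the Candidate header and can go.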

Added: people/horms/patch_notes/cve/CAN-2005-3107
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3107	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3107	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,31 @@
+======================================================
+Candidate: CAN-2005-3107
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3107
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
+Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.155?nav=index.html|src/|src/fs|hist/fs/exec.c
+
+fs/exec.c in Linux 2.6, when one thread is tracing another thread that
+shares the same memory map, might allow local users to cause a denial
+of service (deadlock) by forcing a core dump when the traced thread is
+in the TASK_TRACED state.
+
+Extra information from Moritz Muehlenhof:
+Local DoS through threads tracing each other by forcing a core dump, while the traced
+thread is in TASK_TRACED state.
+http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
+
+Notes from Micah and Horms:
+upstream: 2.6.11
+2.6.13: not vulnerable
+2.6.13: not vulnerable
+2.6.8-sarge: in svn: fs-exec-ptrace-deadlock.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: fs-exec-ptrace-deadlock.dpatch
+2.4.27-sid/sarge: not vulnerable
+2.4.27-sarge-security: not vulnerable
+
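Review bot: the same duplicated "2.6.13: not vulnerable" pair appears here with no 2.6.12 line; the second should read 2.6.12. The 2.4.27 lines say "not vulnerable" while the closely related CAN-2005-3106 (same fs/exec.c coredump deadlock area) says "not implemented" for 2.4.27; if both are deliberate, a word on why 2.4 differs would help whoever reads the two files side by side.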

Added: people/horms/patch_notes/cve/CAN-2005-3108
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3108	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3108	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,30 @@
+======================================================
+Candidate: CAN-2005-3108
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3108
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2
+
+mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
+cause a denial of service or an information leak via an iremap on a
+certain memory map that causes the iounmap to perform a lookup of a
+page that does not exist.
+
+Extra information from Moritz Muehlenhof:
+DoS and potential information leak in ioremap (seemingly specific to amd64)
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2 
+
+Notes from Horms:
+Fixed in:
+upstream: 2.6.11.12
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: applied to svn: arch-x86_64-mm-ioremap-page-lookup.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: arch-x86_64-mm-ioremap-page-lookup.dpatch
+2.4.27-sid/sarge: not implemented
+2.4.27-sarge-security: not implemented
+
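Review bot: "Fixed in:" introduces lines that say "not vulnerable" and "applied to svn", so the label does not describe the block; the other files simply start with "upstream:". "applied to svn" is a third wording for the state the other files call "in svn"; use one term so the status can be grepped. The reference URL in the extra-information block has trailing whitespace.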

Added: people/horms/patch_notes/cve/CAN-2005-3109
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3109	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3109	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,29 @@
+======================================================
+Candidate: CAN-2005-3109
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3109
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=945b092011c6af71a0107be96e119c8c08776f3f
+
+The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to
+cause a denial of service (oops) by using hfsplus to mount a
+filesystem that is not hfsplus.
+
+Extra information from Moritz Muehlenhof:
+Local DoS through oops by mounting a non-HFS+ filesystem as HFS+.
+
+
+Notes from Horms:
+Fixed in:
+upstream: 2.6.11.12
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: applied to svn: fs-hfs-oops-and-leak.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: fs-hfs-oops-and-leak.dpatch
+2.4.27-sid/sarge: asking upstream: http://lkml.org/lkml/2005/10/7/3/index.html
+2.4.27-sarge-security: asking upstream: http://lkml.org/lkml/2005/10/7/3/index.html
+
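Review bot: the 2.4.27 lines point at an lkml thread but record no status; "asking upstream" will go stale, so add the date of the request or the bug number it is tracked under. Same "Fixed in:" label issue as CAN-2005-3108, and there are two blank lines instead of one after the extra-information block.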

Added: people/horms/patch_notes/cve/CAN-2005-3110
===================================================================
--- people/horms/patch_notes/cve/CAN-2005-3110	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/cve/CAN-2005-3110	2005-10-11 02:08:00 UTC (rev 4388)
@@ -0,0 +1,31 @@
+======================================================
+Candidate: CAN-2005-3110
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3110
+Final-Decision: 
+Interim-Decision: 
+Modified: 
+Proposed: 
+Assigned: 20050930
+Category: SF
+Reference: CONFIRM:http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
+
+Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6,
+when running on an SMP system that is operating under a heavy load,
+might allow remote attackers to cause a denial of service (crash) via
+a series of packets that cause a value to be modified after it has
+been read but before it has been locked.
+
+Extra information from Moritz Muehlenhof:
+DoS on SMP, potentially 2.4 and 2.6
+http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
+
+Notes from Horms:
+Fixed in:
+upstream: 2.6.11.11
+2.6.13: not vulnerable
+2.6.12: not vulnerable
+2.6.8-sarge: not applicable: net-bridge-netfilter-etables-smp-race.dpatch
+2.6.8-sarge-security: fixed in 2.6.8-16sarge1: net-bridge-netfilter-etables-smp-race.dpatch
+2.4.27-sid/sarge: not applicable
+2.4.27-sarge-security: not applicable
+
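Review bot: "2.6.8-sarge: not applicable: net-bridge-netfilter-etables-smp-race.dpatch" contradicts itself and the next line, which says the same dpatch is the fix in 2.6.8-16sarge1; if the sarge tree already carries the patch this should read "in svn: ..." like the other entries, and if it really is not applicable the dpatch name should go. Moritz's note says "potentially 2.4 and 2.6", yet both 2.4.27 lines say "not applicable" without saying why.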

Deleted: people/horms/patch_notes/newcve-2005-09-30
===================================================================
--- people/horms/patch_notes/newcve-2005-09-30	2005-10-10 22:11:21 UTC (rev 4387)
+++ people/horms/patch_notes/newcve-2005-09-30	2005-10-11 02:08:00 UTC (rev 4388)
@@ -1,675 +0,0 @@
-======================================================
-Candidate: CAN-2005-1768
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1768
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050531
-Category: SF
-Reference: BUGTRAQ:20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64)
-Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2
-Reference: MISC:http://www.suresec.org/advisories/adv4.pdf
-
-Race condition in the ia32 compatibility code for the execve system
-call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows
-local users to cause a denial of service (kernel panic) and possibly
-execute arbitrary code via a concurrent thread that increments a
-pointer count after the nargs function has counted the pointers, but
-before the count is copied from user space to kernel space, which
-leads to a buffer overflow.
-
-Notes by Horms:
-upstream: 2.4.31 / 2.6.6
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: not vulnerable
-2.6.8-sarge-security: not vulnerable
-2.4.27-sid/sarge: fixed in 2.4.27-11: 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)
-2.4.27-sarge-security: fixed in 2.4.27-10sarge1: 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)
-
-
-
-
-======================================================
-Candidate: CAN-2005-2548
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2548
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050812
-Category: SF
-Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308
-
-vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
-denial of service (kernel oops from null dereference) via certain UDP
-packets that lead to a function call with the wrong argument, as
-demonstrated using snmpwalk on snmpd.
-
-Notes by Horms:
-upstream: 2.4.29
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: in svn: vlan-mii-ioctl.dpatch
-2.6.8-sarge-security: fixed in 2.6.8-16sarge1: vlan-mii-ioctl.dpatch
-2.4.27-sid/sarge: not vulnerable
-2.4.27-sarge-security: not vulnerable
-
-
-
-======================================================
-Candidate: CAN-2005-2553
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2553
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050812
-Category: SF
-Reference: CONFIRM:http://lkml.org/lkml/2005/1/5/245
-Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
-
-The find_target function in ptrace32.c in the Linux kernel 2.4.x
-before 2.4.29 does not properly handle a NULL return value from
-another function, which allows local users to cause a denial of
-service (kernel crash/oops) by running a 32-bit ltrace program with
-the -i option on a 64-bit executable program.
-
-Notes by Horms:
-upstream: 2.4.29
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: not vulnerable
-2.6.8-sarge-security: not vulnerable
-2.4.27-sid/sarge: in svn: 184_arch-x86_64-ia32-ptrace32-oops.diff (2.4.27-12)
-2.4.27-sarge-security: in svn: 184_arch-x86_64-ia32-ptrace32-oops.diff (2.4.27-10sarge2)
-
-
-
-======================================================
-Candidate: CAN-2005-2098
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2098
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050630
-Category: SF
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
-Reference: UBUNTU:USN-169-1
-Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
-Reference: SECUNIA:16355
-Reference: URL:http://secunia.com/advisories/16355/
-
-The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
-2.6.12.5 contains an error path that does not properly release the
-session management semaphore, which allows local users or remote
-attackers to cause a denial of service (semaphore hang) via a new
-session keyring (1) with an empty name string, (2) with a long name
-string, (3) with the key quota reached, or (4) ENOMEM.
-
-Notes by Horms:
-upstream: 2.6.12.5
-2.6.13: not vulnerable
-2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
-2.6.8-sarge: not vulnerable
-2.6.8-sarge-security: not vulnerable
-2.4.27-sid/sarge: not vulnerable
-2.4.27-sarge-security: not vulnerable
-
-
-
-======================================================
-Candidate: CAN-2005-2099
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2099
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050630
-Category: SF
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
-Reference: UBUNTU:USN-169-1
-Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
-Reference: SECUNIA:16355
-Reference: URL:http://secunia.com/advisories/16355/
-
-The Linux kernel before 2.6.12.5 does not properly destroy a keyring
-that is not instantiated properly, which allows local users or remote
-attackers to cause a denial of service (kernel oops) via a keyring
-with a payload that is not empty, which causes the creation to fail,
-leading toa null dereference in the keyring destructor.
-
-Notes by Horms:
-upstream: 2.6.12.5
-2.6.13: not vulnerable
-2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
-2.6.8-sarge: not vulnerable
-2.6.8-sarge-security: not vulnerable
-2.4.27-sid/sarge: not vulnerable
-2.4.27-sarge-security: not vulnerable
-
-
-======================================================
-Candidate: CAN-2005-2457
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2457
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050804
-Category: SF
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
-Reference: UBUNTU:USN-169-1
-Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
-Reference: BID:14614
-Reference: URL:http://www.securityfocus.com/bid/14614
-Reference: SECUNIA:16355
-Reference: URL:http://secunia.com/advisories/16355/
-
-The driver for compressed ISO file systems (zisofs) in the Linux
-kernel before 2.6.12.5 allows local users and remote attackers to
-cause a denial of service (kernel crash) via a crafted compressed ISO
-file system.
-
-Notes by Horms:
-upstream: 2.6.12.5
-2.6.13: not vulnerable
-2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
-2.6.8-sarge: in svn: zisofs.dpatch
-2.6.8-sarge-security: in svn: zisofs.diff (2.6.8-16sarge2)
-2.4.27-sid/sarge: in svn: zisofs-2.diff (2.4.27-12)
-2.4.27-sarge-security: in svn: zisofs-2.diff (2.4.27-10sarge2)
-
-
-======================================================
-Candidate: CAN-2005-2458
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2458
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050805
-Category: SF
-Reference: MLIST:[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file
-Reference: URL:http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
-Reference: UBUNTU:USN-169-1
-Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
-Reference: SECUNIA:16355
-Reference: URL:http://secunia.com/advisories/16355/
-
-inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
-allows remote attackers to cause a denial of service (kernel crash)
-via a compressed file with "improper tables".
-y}
-
-Notes by Horms:
-upstream: 2.6.12.5
-2.6.13: not vulnerable
-2.6.12: fixed in 2.6.12-3: linux-2.6.12.5.patch
-2.6.8-sarge: in svn: linux-zlib-fixes.dpatch
-2.6.8-sarge-security: fixed in 2.6.8-16sarge1: linux-zlib-fixes.dpatch
-2.4.27-sid/sarge: fixed in 2.4.27-11: 182_linux-zlib-fixes.diff
-2.4.27-sarge-security: fixed in 2.4.27-10sarge1: 182_linux-zlib-fixes.diff
-
-
-
-======================================================
-Candidate: CAN-2005-2459
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2459
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050805
-Category: SF
-Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=94584
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
-Reference: UBUNTU:USN-169-1
-Reference: URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
-Reference: SECUNIA:16355
-Reference: URL:http://secunia.com/advisories/16355/
-
-The huft_build function in inflate.c in the zlib routines in the Linux
-kernel before 2.6.12.5 returns the wrong value, which allows remote
-attackers to cause a denial of service (kernel crash) via a certain
-compressed file that leads to a null pointer dereference, a different
-vulnerbility than CAN-2005-2458.
-
-Notes by Horms:
-upstream: not vulnerable (a bogus fix was applied in 2.6.12.5 and reverted in 2.6.12.6)
-http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.6
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: not vulnerable
-2.6.8-sarge-security: not vulnerable
-2.4.27-sid/sarge: in svn: not vulnerable
-2.4.27-sarge-security: not vulnerable
-
-
-======================================================
-Candidate: CAN-2005-2872
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2872
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050909
-Category: SF
-Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237
-Reference:
-CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
-
-The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
-2.6.12, when running on 64-bit processors such as AMD64, allows remote
-attackers to cause a denial of service (kernel panic) via certain
-attacks such as SSH brute force, which leads to memset calls using a
-length based on the u_int32_t type, acting on an array of unsigned
-long elements, a different vulnerability than CAN-2005-2873.
-
-Notes by Horms:
-upstream: 2.6.12
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: in svn: net-ipv4-netfilter-ip_recent-last_pkts.dpatch
-2.6.8-sarge-security: in svn: net-ipv4-netfilter-ip_recent-last_pkts.dpatch
-2.4.27-sid/sarge: fixed in 2.4.27-11:179_net-ipv4-netfilter-ip_recent-last_pkts.diff
-2.4.27-sarge-security: in svn: 179_net-ipv4-netfilter-ip_recent-last_pkts.diff
-
-
-
-
-======================================================
-Candidate: CAN-2005-2873
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2873
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050909
-Category: SF
-Reference: MISC:http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
-
-The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and
-earlier does not properly perform certain time tests when the jiffies
-value is greater than LONG_MAX, which can cause ipt_recent netfilter
-rules to block too early, a different vulnerability than
-CAN-2005-2872.
-
-Notes by horms:
-No patch that is acceptable upstream is available
-http://lists.debian.org/debian-kernel/2005/09/msg00257.html
-upstream: vulnerable
-2.6.13: vulnerable: #332381
-2.6.12: vulnerable: #332381
-2.6.8-sarge: vulnerable: #332231
-2.6.8-sarge-security: vulnerable: #332231
-2.4.27-sid/sarge: vulnerable: #332228
-2.4.27-sarge-security: vulnerable: #332228
-
-======================================================
-Candidate: CAN-2005-1913
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1913
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050608
-Category: SF
-Reference: CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1
-Reference: UBUNTU:USN-178-1
-Reference: URL:http://www.ubuntu.com/usn/usn-178-1
-Reference: BID:14054
-Reference: URL:http://www.securityfocus.com/bid/14054
-Reference: SECUNIA:15786
-Reference: URL:http://secunia.com/advisories/15786/
-Reference: XF:kernel-subthread-dos(21138)
-Reference: URL:http://xforce.iss.net/xforce/xfdb/21138
-
-The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a
-denial of service (kernel panic) via a non group-leader thread
-executing a different program than was pending in itimer, which causes
-the signal to be delivered to the old group-leader task, which does
-not exist.
-
-Notes Horms:
-upstream: 2.6.12.1
-2.6.12: fixed in 2.6.12-1: linux-2.6.12.1.patch
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-======================================================
-Candidate: CAN-2005-2490
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2490
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050808
-Category: SF
-Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248
-Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
-Reference: UBUNTU:USN-178-1
-Reference: URL:http://www.ubuntu.com/usn/usn-178-1
-Reference: BID:14785
-Reference: URL:http://www.securityfocus.com/bid/14785
-Reference: SECUNIA:16747
-Reference: URL:http://secunia.com/advisories/16747/
-Reference: XF:kernel-sendmsg-bo(22217)
-Reference: URL:http://xforce.iss.net/xforce/xfdb/22217
-
-Stack-based buffer overflow in the sendmsg function call in the Linux
-kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code
-by calling sendmsg and modifying the message contents in another
-thread.
-
-Notes Horms:
-upstream: 2.6.13.1
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: fixed in 2.6.12-7: sendmsg-stackoverflow.patch
-2.6.8-sarge: sendmsg-stackoverflow.patch 
-2.6.8-sarge-security: sendmsg-stackoverflow.patch (2.6.8-16sarge2)
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-======================================================
-Candidate: CAN-2005-2492
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2492
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050808
-Category: SF
-Reference: MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830
-Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
-Reference: UBUNTU:USN-178-1
-Reference: URL:http://www.ubuntu.com/usn/usn-178-1
-Reference: BID:14787
-Reference: URL:http://www.securityfocus.com/bid/14787
-Reference: SECUNIA:16747
-Reference: URL:http://secunia.com/advisories/16747/
-Reference: XF:kernel-rawsendmsg-obtain-information(22218)
-Reference: URL:http://xforce.iss.net/xforce/xfdb/22218
-
-The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1
-allows local users to cause a denial of service (change hardware
-state) or read from arbitrary memory via crafted input.
-
-Notes Horms:
-upstream: 2.6.13.1
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.1.patch
-2.6.12: fixed in 2.6.12-7: sendmsg-DoS.patch
-2.6.8-sarge: not applicable
-2.6.8-sarge-security: not applicable
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-======================================================
-Candidate: CAN-2005-3044
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3044
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050922
-Category: SF
-Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.2
-
-Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow loal
-users to cause a denial of service (kernel OOPS from null dereference)
-via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put
-in the 32-bit routing_ioctl function on 64-bit systems.
-
-Notes Horms:
-http://lkml.org/lkml/2005/9/30/218
-upstream: 2.6.13.2
-2.6.13: fixed in 2.6.13-1: linux-2.6.13.2.patch
-2.6.12: fixed in 2.6.12-7: lost-fput-in-32bit-ioctl-on-x86-64.patch
-2.6.8-sarge: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch
-2.6.8-sarge-security: in svn: lost-fput-in-32bit-ioctl-on-x86-64.dpatch (2.6.8-16sarge2)
-2.4.27-sid/sarge: code is vulnerable but there is no amd64 for 2.4 in Sarge
-2.4.27-sarge-security: vulnerable but there is no amd64 for 2.4 in Sarge
-
-
-======================================================
-Candidate: CAN-2005-3053
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3053
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050926
-Category: SF
-Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42eef8b09C5r6iI0LuMe5Uy3k05c5g
-
-The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x
-allows local users to cause a denial of service (kernel BUG()) via a
-negative first argument.
-
-Notes Horms:
-http://lkml.org/lkml/2005/9/30/218
-upstream: 2.6.12.5
-2.6.12: fixed in 2.6.12-3
-2.6.8-sarge: in svn: mempolicy-check-mode.dpatch
-2.6.8-sarge-security: in svn: mempolicy-check-mode.dpatch (2.6.8-16sarge2)
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-======================================================
-Candidate: CAN-2005-3055
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3055
-Final-Decision:
-Interim-Decision:
-Modified:
-Proposed:
-Assigned: 20050926
-Category: SF
-Reference: MLIST:[linux-kernel] 20050925 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
-Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
-
-Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial
-of service (kernel OOPS) via a userspace process that issues a USB
-Request Block (URB) to a USB device and terminates before the URB is
-finished, which leads to a stale pointer reference.
-
-Notes Horms:
-http://lkml.org/lkml/2005/9/30/218
-upstream: pending
-2.6.13: vulnerable: #330287
-2.6.12: vulnerable: #330287
-2.6.8-sarge: vulnerable: #332596
-2.6.8-sarge-security: vulnerable: #332596
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
-
-
-======================================================
-Candidate: CAN-2005-3105
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3105
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: MISC:http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
-Reference: MISC:http://cache-www.intel.com/cd/00/00/21/57/215792_215792.pdf
-Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
-
-The mrpotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
-processors does not properly maintain cache coherency as required by
-the architecture, which allows local users to cause a denial of
-service and possibly corrupt data by modifying PTE protections.
-
-Extra information from Moritz Muehlenhof:
-ia64 Montecito CPU do not maintain cache coherency correctly, which can be
-exploited by a local DoS.
-http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
-
-Notes from Micah and Horms:
-upstream: fixed
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: in svn: mckinley_icache.dpatch
-2.6.8-sarge-security: fixed in mckinley_icache.dpatch (2.6.8-16sarge1)
-2.4.27-sid/sarge: vulnerable: #332569
-2.4.27-sarge-security: vulnerable: #332569
-
-
-======================================================
-Candidate: CAN-2005-3106
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3106
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
-
-Race condition in Linux 2.6, when threads are sharing memory mapping
-via CLONE_VM (such as linuxthreads and vfork), might allow local users
-to cause a denial of service (deadlock) by triggering a core dump
-while waiting for a thread that has just performed an exec.
-
-Extra information from Moritz Muehlenhof:
-CAN-2005-3106:
-DoS through race condition in processes that share a memory mapping through
-CLONE_VM
-http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
-
-Notes from Micah and Horms:
-upstream: 2.6.11
-2.6.13: not vulnerable
-2.6.13: not vulnerable
-2.6.8-sarge: in svn: fs-exec-ptrace-core-exec-race.dpatch (2.6.8-16sarge1)
-2.6.8-sarge-security: fixed in 2.6.8-16sarge1: fs-exec-ptrace-core-exec-race.dpatch
-2.4.27-sid/sarge: not implemented
-2.4.27-sarge-security: not implemented
-
-======================================================
-Candidate: CAN-2005-3107
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3107
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
-Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.155?nav=index.html|src/|src/fs|hist/fs/exec.c
-
-fs/exec.c in Linux 2.6, when one thread is tracing another thread that
-shares the same memory map, might allow local users to cause a denial
-of service (deadlock) by forcing a core dump when the traced thread is
-in the TASK_TRACED state.
-
-Extra information from Moritz Muehlenhof:
-Local DoS through threads tracing each other by forcing a core dump, while the traced
-thread is in TASK_TRACED state.
-http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
-
-Notes from Micah and Horms:
-upstream: 2.6.11
-2.6.13: not vulnerable
-2.6.13: not vulnerable
-2.6.8-sarge: in svn: fs-exec-ptrace-deadlock.dpatch
-2.6.8-sarge-security: fixed in fs-exec-ptrace-deadlock.dpatch (2.6.8-16sarge1)
-2.4.27-sid/sarge: not vulnerable
-2.4.27-sarge-security: not vulnerable
-
-======================================================
-Candidate: CAN-2005-3108
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3108
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2
-
-mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
-cause a denial of service or an information leak via an iremap on a
-certain memory map that causes the iounmap to perform a lookup of a
-page that does not exist.
-
-Extra information from Moritz Muehlenhof:
-DoS and potential information leak in ioremap (seemingly specific to amd64)
-http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2 
-
-Notes from Horms:
-Fixed in:
-upstream: 2.6.11.12
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: applied to svn: arch-x86_64-mm-ioremap-page-lookup.dpatch
-2.6.8-sarge-security: fixed in arch-x86_64-mm-ioremap-page-lookup.dpatch (2.6.8-16sarge1)
-2.4.27-sid/sarge: not implemented
-2.4.27-sarge-security: not implemented
-
-
-======================================================
-Candidate: CAN-2005-3109
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3109
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: CONFIRM:http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=945b092011c6af71a0107be96e119c8c08776f3f
-
-The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to
-cause a denial of service (oops) by using hfsplus to mount a
-filesystem that is not hfsplus.
-
-Extra information from Moritz Muehlenhof:
-Local DoS through oops by mounting a non-HFS+ filesystem as HFS+.
-
-
-Notes from Horms:
-Fixed in:
-upstream: 2.6.11.12
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: applied to svn: fs-hfs-oops-and-leak.dpatch
-2.6.8-sarge-security: fixed in fs-hfs-oops-and-leak.dpatch (2.6.8-16sarge1)
-2.4.27-sid/sarge: asking upstream: http://lkml.org/lkml/2005/10/7/3/index.html
-2.4.27-sarge-security: asking upstream: http://lkml.org/lkml/2005/10/7/3/index.html
-
-======================================================
-Candidate: CAN-2005-3110
-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3110
-Final-Decision: 
-Interim-Decision: 
-Modified: 
-Proposed: 
-Assigned: 20050930
-Category: SF
-Reference: CONFIRM:http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
-
-Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6,
-when running on an SMP system that is operating under a heavy load,
-might allow remote attackers to cause a denial of service (crash) via
-a series of packets that cause a value to be modified after it has
-been read but before it has been locked.
-
-Extra information from Moritz Muehlenhof:
-DoS on SMP, potentially 2.4 and 2.6
-http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
-
-Notes from Horms:
-Fixed in:
-upstream: 2.6.11.11
-2.6.13: not vulnerable
-2.6.12: not vulnerable
-2.6.8-sarge: not applicable: net-bridge-netfilter-etables-smp-race.dpatch
-2.6.8-sarge-security: fixed in net-bridge-netfilter-etables-smp-race.dpatch (2.6.8-16sarge1)
-2.4.27-sid/sarge: not applicable
-2.4.27-sarge-security: not applicable
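Review bot: several status lines in the removed entries are duplicated or contradict each other and should be corrected wherever these entries are carried forward. CAN-2005-3106 and CAN-2005-3107 each list "2.6.13: not vulnerable" twice and have no 2.6.12 line, so the second line in each is presumably meant to read "2.6.12: not vulnerable" as the other entries do. In CAN-2005-3110, "2.6.8-sarge: not applicable: net-bridge-netfilter-etables-smp-race.dpatch" names the same dpatch that the next line reports as the 2.6.8-sarge-security fix in 2.6.8-16sarge1, so the 2.6.8-sarge status should be "in svn" or "applied to svn" rather than "not applicable". The quoted CVE descriptions also carry typos ("mrpotect" in CAN-2005-3105, "iremap" in CAN-2005-3108) that are worth fixing in the local copy even if they originate upstream.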




More information about the Kernel-svn-changes mailing list