r4468 - people/micah

Dann Frazier dannf at costa.debian.org
Sun Oct 16 00:59:00 UTC 2005


Author: dannf
Date: 2005-10-16 00:58:59 +0000 (Sun, 16 Oct 2005)
New Revision: 4468

Modified:
   people/micah/pending_CVE_requests
Log:
updates; I think this is complete now

Modified: people/micah/pending_CVE_requests
===================================================================
--- people/micah/pending_CVE_requests	2005-10-14 22:43:14 UTC (rev 4467)
+++ people/micah/pending_CVE_requests	2005-10-16 00:58:59 UTC (rev 4468)
@@ -63,23 +63,27 @@
 * sound-usb-usbaudio-unplug-oops.dpatch
     [Security] Prevent oops & dead keyboard on usb unplugging while the device
     is being used.
+URL: http://lkml.org/lkml/2005/5/23/152
+URL: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=230cd5e24853ed4dd960461989b8ed0986d37a99
 TODO: How is this a security patch?
-TODO: URL
-TODO: CVE description
+dannf> I don't think it is; if you have physical access enough to unplug a keyboard, you could also smash
+dannf> the keyboard with a hammer and stick gum in the USB ports - this won't solve that problem.
+Draft CVE text:
+Detaching a USB keyboard in Linux 2.6 kernels prior to 2.6.12 may trigger an oops and leave the keyboard
+unusable until a reboot.
 
   * net-ipv4-ipvs-conn_tab-race.dpatch
     [Security] Fix race condition on ip_vs_conn_tab list modification
 Draft CVE text: 
 A race condition resulting in a potential DoS was discovered in
 ip_vs_conn_flush in 2.6 kernels earlier than 2.6.13 and 2.4 kernels
-earlier than 2.4.32 on SMP systems. A race condition
+earlier than 2.4.32-pre2 on SMP systems. A race condition
 exists involving the lock release and re-aquisition of the list
 iterator loop resulting in the connection pointer to be set to NULL
 and then subsequently dereferenced, resulting in an oops.
 URL: http://lkml.org/lkml/2005/6/23/249
 URL: http://lkml.org/lkml/2005/6/24/173
 URL: http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=e684f066dff5628bb61ad1912de6e8058b5b4c7d
-TODO: This isn't fixed in 2.4.31, but is in Marcello's 2.4 tree
 
 * asm-i386-mem-clobber.dpatch:
 Draft CVE text:
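Review bot: in the sound-usb-usbaudio-unplug-oops.dpatch entry the draft CVE text is added while the "TODO: How is this a security patch?" line stays open and the dannf> comment directly above argues it is not a security issue; either drop the draft or annotate it as "not to be requested", otherwise the file reads as if this entry is still a pending request. In the net-ipv4-ipvs-conn_tab-race.dpatch draft, two wording fixes before this goes out as CVE text: "re-aquisition" should be "re-acquisition", and "resulting in the connection pointer to be set to NULL and then subsequently dereferenced" should read "causing the connection pointer to be set to NULL and subsequently dereferenced".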
@@ -103,13 +107,21 @@
 * ppc32-time_offset-misuse.dpatch
 URL: http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.12.y.git;a=commitdiff;h=8f399a7448e0b58eae969426f61b7e81d55d2639
 TODO: CVE text (how is this a security issue?)
+dannf: The only way I can see this as being a security issue is if somehow a malicious NTP server could take
+dannf: advantage of this to set time_offset to a value that somehow makes the system oops or something - but
+dannf: since it already checks to see if this is non-zero, I don't think that's likely.
 
 * netfilter-NAT-memory-corruption.dpatch
-TODO: CVE text (how is this a security issue?)
 fixed in 2.6.12.3
 URL: http://linux.bkbits.net:8080/linux-2.6/cset@1.3596.79.34?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_proto_udp.c
+TODO: how is this a security issue?
+dannf> I'm not positive it is; but if it is, this description should do.
+Draft CVE Text:
+A potential memory corruption exists in the NAT code in Linux 2.6 kernels prior to 2.6.13.  The portptr
+pointing to the port in the conntrack tuple is declared static, which could result in memory corruption when
+two packets of the same protocol are NATed at the same time and one conntrack goes away.  A malicious machine
+on the same network could potential use this to initiate a DoS attack.
 
-
 * netfilter-ip_conntrack_untracked-refcount.dpatch
 TODO: CVE text (how is this a security issue?)
       dannf> I don't see how it is either
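Review bot: the netfilter-NAT-memory-corruption.dpatch entry now carries two different fixed versions, the retained "fixed in 2.6.12.3" line and the new draft text saying "Linux 2.6 kernels prior to 2.6.13"; the draft should name the stable release the fix shipped in ("prior to 2.6.12.3") or state both, since the draft is what becomes the CVE description. Also "could potential use this" should be "could potentially use this". Minor: the ppc32-time_offset-misuse.dpatch comments use the "dannf:" prefix while every other comment in the file uses "dannf>"; pick one so the comments can be grepped consistently.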
@@ -131,7 +143,6 @@
 URL: http://www.novell.com/linux/security/advisories/2005_18_kernel.html
 URL:
 http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html
-TODO: CVE description (Debian specific?)
 Draft CVE Text:
 The ext2 and ext3 filesystems in Linux 2.6 kernels prior to 2.6.11 may mistake two xattr structures as being
 identical when they differ only by the e_name_index field.  This can lead to a situation where the
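Review bot: the second URL of this entry is split across two lines, "URL:" on one line and http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html on the next, unlike every other entry in the file where the address follows "URL: " on the same line; join them so a search for "^URL: http" finds this reference too. Removing the "(Debian specific?)" TODO is fine given the Novell advisory URL shows the bug is not Debian-specific.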




More information about the Kernel-svn-changes mailing list