diff options
| author | Ben Hutchings <ben@decadent.org.uk> | 2019-09-18 21:04:46 +0100 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2019-09-18 21:08:37 +0100 |
| commit | ab2907c0d93e0822d323fada0d37358f3ce7fab2 (patch) | |
| tree | 24e0a494e56e73dfaff3e129d08d7df1d5f7a528 | |
| parent | 42cdcd5941805770ac46723fbd39482e552bd08a (diff) | |
Fill in status for most issues
32 files changed, 212 insertions, 166 deletions
diff --git a/active/CVE-2018-21008 b/active/CVE-2018-21008 index bbd223d7..2441d74d 100644 --- a/active/CVE-2018-21008 +++ b/active/CVE-2018-21008 @@ -1,12 +1,13 @@ Description: rsi: add fix for crash during assertions References: Notes: + bwh> Apparently introduced in 3.15 when rsi driver was added. Bugs: upstream: released (4.18-rc1) [abd39c6ded9db53aa44c2540092bdd5fb6590fa8] 4.19-upstream-stable: N/A "Fixed before branching point" -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: needed sid: released (4.18.6-1) 4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-0136 b/active/CVE-2019-0136 index b006d4f4..84342e1c 100644 --- a/active/CVE-2019-0136 +++ b/active/CVE-2019-0136 @@ -9,8 +9,8 @@ Bugs: upstream: released (v5.2-rc6) [588f7d39b3592a36fb7702ae3b8bdd9be4621e2f, 79c92ca42b5a3e0ea172ea2ce8df8e125af237da] 4.19-upstream-stable: released (4.19.56) [0e879ef1cb5baddebe1f12a9a3940a87d8e61558, 1e1007ac47d85dacf6d45821a2870b6268499700] 4.9-upstream-stable: released (4.9.185) [9f0f5ff93ed0205a90f11103e9937f3c0417cd4b] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) 4.9-stretch-security: released (4.9.185-1) -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2019-14814 b/active/CVE-2019-14814 index 5a8af1a8..bed85b92 100644 --- a/active/CVE-2019-14814 +++ b/active/CVE-2019-14814 @@ -3,12 +3,14 @@ References: https://www.openwall.com/lists/oss-security/2019/08/28/1 https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/ Notes: + bwh> Introduced in 3.7 by commit a3c2c4f6d8bc "mwifiex: parse rate info + bwh> for AP". Bugs: upstream: released (5.3) [7caac62ed598a196d6ddf8d9c121e12e082cac3a] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: needed +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-14815 b/active/CVE-2019-14815 index 65061875..afa63218 100644 --- a/active/CVE-2019-14815 +++ b/active/CVE-2019-14815 @@ -3,12 +3,14 @@ References: https://www.openwall.com/lists/oss-security/2019/08/28/1 https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/ Notes: + bwh> Introduced in 4.10 by commit 113630b581d6 "mwifiex: vendor_ie length + bwh> check for parse WMM IEs". Bugs: upstream: released (5.3) [7caac62ed598a196d6ddf8d9c121e12e082cac3a] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-upstream-stable: needed +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" +sid: needed +4.19-buster-security: needed +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2019-14816 b/active/CVE-2019-14816 index 0ca5a9ab..a878bb7b 100644 --- a/active/CVE-2019-14816 +++ b/active/CVE-2019-14816 @@ -3,12 +3,14 @@ References: https://www.openwall.com/lists/oss-security/2019/08/28/1 https://lore.kernel.org/linux-wireless/20190828020751.13625-1-huangwenabc@gmail.com/ Notes: + bwh> Introduced in 3.6 by commit 2152fe9c2fa4 "mwifiex: parse WPS IEs from + bwh> beacon_data". Bugs: upstream: released (5.3) [7caac62ed598a196d6ddf8d9c121e12e082cac3a] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: needed +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-15030 b/active/CVE-2019-15030 index 48252541..b03a35cb 100644 --- a/active/CVE-2019-15030 +++ b/active/CVE-2019-15030 @@ -13,8 +13,8 @@ Bugs: upstream: released (5.3-rc8) [8205d5d98ef7f155de211f5e2eb6ca03d95a5a60] 4.19-upstream-stable: released (4.19.73) [47a0f70d7d9ac3d6b1a96b312d07bc67af3834e9] 4.9-upstream-stable: released (4.9.193) [acdf558ef62ceb71938d87f5b700b7ecc0bbee90] -3.16-upstream-stable: +3.16-upstream-stable: N/A "Vulnerable code not present" sid: needed 4.19-buster-security: needed 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-15292 b/active/CVE-2019-15292 index d8876f13..4d3019cc 100644 --- a/active/CVE-2019-15292 +++ b/active/CVE-2019-15292 @@ -5,8 +5,8 @@ Bugs: upstream: released (5.1-rc1) [6377f787aeb945cae7abbb6474798de129e1f3ac] 4.19-upstream-stable: released (4.19.36) [6c42507f426b40c63e8eb98ce6dd4afbc7efcdb5] 4.9-upstream-stable: released (4.9.170) [057a0da1899f00a4ac9a4c4c452cf2cf652bdbf0] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (4.19.37-1) 4.19-buster-security: N/A "Fixed before branching point" 4.9-stretch-security: released (4.9.184-1) -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2019-15504 b/active/CVE-2019-15504 index 9ff405f0..0f944807 100644 --- a/active/CVE-2019-15504 +++ b/active/CVE-2019-15504 @@ -4,12 +4,13 @@ References: Notes: carnil> Possibly introduced only with a1854fae1414 ("rsi: improve RX carnil> packet handling in USB interface") in 4.17-rc1. + bwh> I agree that commit a1854fae1414 introduced this. Bugs: upstream: released (5.3) [8b51dc7291473093c821195c4b6af85fadedbc2f] 4.19-upstream-stable: needed -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" sid: needed 4.19-buster-security: needed -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2019-15505 b/active/CVE-2019-15505 index e2177d83..34ae57cf 100644 --- a/active/CVE-2019-15505 +++ b/active/CVE-2019-15505 @@ -4,12 +4,13 @@ References: https://lore.kernel.org/linux-media/20190821104408.w7krumcglxo6fz5q@gofer.mess.org/ https://lore.kernel.org/lkml/b9b256cb-95f2-5fa1-9956-5a602a017c11@gmail.com/ Notes: + bwh> Apparently introduced in 2.6.39 when technisat-usb2 driver was added. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: needed +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: needed +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-15807 b/active/CVE-2019-15807 index cea6c058..3bca27c6 100644 --- a/active/CVE-2019-15807 +++ b/active/CVE-2019-15807 @@ -5,8 +5,8 @@ Bugs: upstream: released (5.2-rc3) [3b0541791453fbe7f42867e310e0c9eb6295364d] 4.19-upstream-stable: released (4.19.54) [114e8135ae0031556ead1bcb67249ecb84b804de] 4.9-upstream-stable: released (4.9.183) [1d28cf14a89c400fa55f6f9a9a4ca3bc34094b34] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) 4.9-stretch-security: released (4.9.184-1) -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2019-15902 b/active/CVE-2019-15902 index a810841a..917c6f21 100644 --- a/active/CVE-2019-15902 +++ b/active/CVE-2019-15902 @@ -6,8 +6,8 @@ Bugs: upstream: N/A "Issue specific to backports to stable trees" 4.19-upstream-stable: released (4.19.70) [b307f99dca5ab33edc1e04b9b479bcb0852ff85f] 4.9-upstream-stable: released (4.9.191) [69f692bb7e684592aaba779299bc576626d414b4] -3.16-upstream-stable: +3.16-upstream-stable: N/A "Bug never introduced" sid: needed 4.19-buster-security: pending (4.19.67-2+deb10u1) [bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch] 4.9-stretch-security: needed -3.16-jessie-security: +3.16-jessie-security: N/A "Bug never introduced" diff --git a/active/CVE-2019-15917 b/active/CVE-2019-15917 index 96397271..96ed651c 100644 --- a/active/CVE-2019-15917 +++ b/active/CVE-2019-15917 @@ -1,12 +1,15 @@ Description: Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto() References: Notes: + bwh> Maybe introduced in 4.7 by commit 84cb3df02aea "Bluetooth: hci_ldisc: + bwh> Fix null pointer derefence in case of early data", but I suspect a + bwh> similar issue existed before that too. Bugs: upstream: released (5.1-rc1) [56897b217a1d0a91c9920cb418d6b3fe922f590a] 4.19-upstream-stable: released (4.19.32) [e365b94086f9dec02ddfcc193dcad72858c6d973] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: needed sid: released (4.19.37-1) 4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-15918 b/active/CVE-2019-15918 index e1451791..feac87dd 100644 --- a/active/CVE-2019-15918 +++ b/active/CVE-2019-15918 @@ -1,12 +1,14 @@ Description: cifs: Fix lease buffer length error References: Notes: + bwh> Introduced in 4.14 by commit 9764c02fcbad "SMB3: Add support for + bwh> multidialect negotiate (SMB2.1 and later)". Bugs: upstream: released (5.1-rc6) [b57a55e2200ede754e4dc9cce4ba9402544b9365] 4.19-upstream-stable: released (4.19.73) [4061e662c8e9f5fb796b05fd2ab58fed8cd16d59] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" sid: released (5.2.6-1) 4.19-buster-security: needed -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2019-15919 b/active/CVE-2019-15919 index 48ac91ff..8bd34418 100644 --- a/active/CVE-2019-15919 +++ b/active/CVE-2019-15919 @@ -1,12 +1,14 @@ Description: cifs: Fix use-after-free in SMB2_write References: Notes: + bwh> Introduced in 4.18 by commit eccb4422cf97 "smb3: Add ftrace tracepoints + bwh> for improved SMB3 debugging". Bugs: upstream: released (5.1-rc6) [6a3eb3360667170988f8a6477f6686242061488a] 4.19-upstream-stable: released (4.19.37) [8fb89b43b65fcd35f15d982712904b96fc64c68a] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (4.19.37-1) 4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-15920 b/active/CVE-2019-15920 index 6e598807..3c1b1e54 100644 --- a/active/CVE-2019-15920 +++ b/active/CVE-2019-15920 @@ -6,12 +6,14 @@ Notes: carnil> instance and introduced further issue. Same issue is present as carnil> well for the 4.19 series where the issue needed a followup in carnil> 4.19.38. + bwh> Introduced in 4.18 by commit eccb4422cf97 "smb3: Add ftrace tracepoints + bwh> for improved SMB3 debugging". Bugs: upstream: released (5.1-rc6) [088aaf17aa79300cab14dbee2569c58cfafd7d6e] 4.19-upstream-stable: released (4.19.37) [c69330a855ab4342d304f67f8c1e7d1fa2686bec], released (4.19.38) [d5bf783a09a06c81ca4783054355f1d243e124e7] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-15922 b/active/CVE-2019-15922 index 01dbfc9d..1500a7d2 100644 --- a/active/CVE-2019-15922 +++ b/active/CVE-2019-15922 @@ -7,10 +7,10 @@ Notes: carnil> released version if confirmed. Bugs: upstream: released (5.1-rc4) [58ccd2d31e502c37e108b285bf3d343eb00c235b] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: released (5.2.6-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" +sid: N/A "Vulnerability never present" +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2019-15923 b/active/CVE-2019-15923 index 470aff99..657110d7 100644 --- a/active/CVE-2019-15923 +++ b/active/CVE-2019-15923 @@ -8,10 +8,10 @@ Notes: carnil> be affected (would need correction of sid entry). Bugs: upstream: released (5.1-rc4) [f0d1762554014ce0ae347b9f0d088f2c157c8c72] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: released (5.2.6-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-upstream-stable: N/A "Vulnerability introduced later" +4.9-upstream-stable: N/A "Vulnerability introduced later" +3.16-upstream-stable: N/A "Vulnerability introduced later" +sid: N/A "Vulnerability never present" +4.19-buster-security: N/A "Vulnerability introduced later" +4.9-stretch-security: N/A "Vulnerability introduced later" +3.16-jessie-security: N/A "Vulnerability introduced later" diff --git a/active/CVE-2019-15924 b/active/CVE-2019-15924 index b5288469..fb4221fe 100644 --- a/active/CVE-2019-15924 +++ b/active/CVE-2019-15924 @@ -1,12 +1,13 @@ Description: fm10k: Fix a potential NULL pointer dereference References: Notes: + bwh> Apparently introduced in 3.18 when fm10k driver was added. Bugs: upstream: released (5.1-rc4) [01ca667133d019edc9f0a1f70a272447c84ec41f] 4.19-upstream-stable: released (4.19.38) [9b9b0df4e7882638e53c55e8f556aa78915418b9] 4.9-upstream-stable: released (4.9.172) [0648cd7304cfba4fe4959f133e4bdf00f2909059] -3.16-upstream-stable: +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) 4.9-stretch-security: released (4.9.184-1) -3.16-jessie-security: +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-15926 b/active/CVE-2019-15926 index 85e89a76..4cf8aa70 100644 --- a/active/CVE-2019-15926 +++ b/active/CVE-2019-15926 @@ -1,12 +1,13 @@ Description: ath6kl: add some bounds checking References: Notes: + bwh> Apparently introduced in 3.2 when ath6kl driver was added. Bugs: upstream: released (5.3-rc1) [5d6751eaff672ea77642e74e92e6c0ac7f9709ab] 4.19-upstream-stable: released (4.19.61) [83c911f4bd6846397017aa38c32dd18dc532f754] 4.9-upstream-stable: released (4.9.187) [8e8b0ba1dc67d1cba76ac9cada76ae3a9732d1e3] -3.16-upstream-stable: +3.16-upstream-stable: needed sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) 4.9-stretch-security: released (4.9.189-1) -3.16-jessie-security: +3.16-jessie-security: needed diff --git a/active/CVE-2019-16089 b/active/CVE-2019-16089 index 93316767..6d547c4a 100644 --- a/active/CVE-2019-16089 +++ b/active/CVE-2019-16089 @@ -2,12 +2,14 @@ Description: nbd_genl_status: null check for nla_nest_start References: https://lore.kernel.org/patchwork/patch/1106884/ Notes: + bwh> Introduced in 4.12 by commit 47d902b90a32 "nbd: add a status netlink + bwh> command". Probably not exploitable in most configurations. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: needed +4.19-upstream-stable: needed +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" +sid: needed +4.19-buster-security: needed +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-16229 b/active/CVE-2019-16229 index db4438f2..18eb0151 100644 --- a/active/CVE-2019-16229 +++ b/active/CVE-2019-16229 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-16230 b/active/CVE-2019-16230 index 1a8f254f..da74f2ff 100644 --- a/active/CVE-2019-16230 +++ b/active/CVE-2019-16230 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-16231 b/active/CVE-2019-16231 index 52ebb55d..06522ba7 100644 --- a/active/CVE-2019-16231 +++ b/active/CVE-2019-16231 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-16232 b/active/CVE-2019-16232 index ac9bb5fa..448ff75e 100644 --- a/active/CVE-2019-16232 +++ b/active/CVE-2019-16232 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-16233 b/active/CVE-2019-16233 index 195ef825..255cf486 100644 --- a/active/CVE-2019-16233 +++ b/active/CVE-2019-16233 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-16234 b/active/CVE-2019-16234 index a11cfbc7..ba316e64 100644 --- a/active/CVE-2019-16234 +++ b/active/CVE-2019-16234 @@ -3,12 +3,14 @@ References: https://lkml.org/lkml/2019/9/9/487 https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/ Notes: + bwh> Requires memory allocation failure during device probe, so unlikely to + bwh> be exploitable, and then it's only a local DoS. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: ignored "Minor issue" +4.19-upstream-stable: ignored "Minor issue" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: ignored "Minor issue" +sid: ignored "Minor issue" +4.19-buster-security: ignored "Minor issue" +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: ignored "Minor issue" diff --git a/active/CVE-2019-2181 b/active/CVE-2019-2181 index 604497a9..809472f1 100644 --- a/active/CVE-2019-2181 +++ b/active/CVE-2019-2181 @@ -2,12 +2,14 @@ Description: binder: check for overflow when alloc for security context References: https://source.android.com/security/bulletin/pixel/2019-09-01 Notes: + bwh> Introduced in 5.1 by commit ec74136ded79 "binder: create node flag + bwh> to request sender's security context". Bugs: upstream: released (v5.2-rc1) [0b0509508beff65c1d50541861bc0d4973487dc5] -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: +4.19-upstream-stable: N/A "Vulnerable code not present" +4.9-upstream-stable: N/A "Vulnerable code not present" +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (5.2.6-1) -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +4.19-buster-security: N/A "Vulnerable code not present" +4.9-stretch-security: N/A "Vulnerable code not present" +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-2182 b/active/CVE-2019-2182 index cf575d03..95f0f13c 100644 --- a/active/CVE-2019-2182 +++ b/active/CVE-2019-2182 @@ -7,9 +7,9 @@ Notes: Bugs: upstream: released (v4.16-rc3) [15122ee2c515a253b0c66a3e618bc7ebe35105eb] 4.19-upstream-stable: N/A "Fixed before branching point" -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (4.16.5-1) 4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2019-9245 b/active/CVE-2019-9245 index 009dc0e2..6037b11f 100644 --- a/active/CVE-2019-9245 +++ b/active/CVE-2019-9245 @@ -1,12 +1,13 @@ Description: f2fs: sanity check of xattr entry size References: Notes: + bwh> Apparently introduced in 3.8 when f2fs was added. Bugs: upstream: released (5.0-rc1) [64beba0558fce7b59e9a8a7afd77290e82a22163] 4.19-upstream-stable: released (4.19.14) [5036fcd9b14516f62efae6ed0c42dfbb9798b643] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: needed sid: released (4.19.16-1) 4.19-buster-security: N/A "Fixed before branching point" -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-9445 b/active/CVE-2019-9445 index 37af7bbd..6d0f276c 100644 --- a/active/CVE-2019-9445 +++ b/active/CVE-2019-9445 @@ -1,15 +1,21 @@ -Description: +Description: Out-of-bounds read in f2fs References: https://source.android.com/security/bulletin/pixel/2019-09-01 https://android-review.googlesource.com/c/kernel/common/+/864649 Notes: carnil> Not fully clear (to me) which specific commit is meant. + bwh> The CVE description mentions an "out-of bounds read", so the most + bwh> likely fix seemed to be commit 64beba0558fc "f2fs: sanity check of + bwh> xattr entry size". However that addresses CVE-2019-9245. The + bwh> other candidate I could see was commit 720db068634c "f2fs: check + bwh> if file namelen exceeds max value". + bwh> Apparently introduced in 3.8 when f2fs was added. Bugs: -upstream: -4.19-upstream-stable: -4.9-upstream-stable: -3.16-upstream-stable: -sid: -4.19-buster-security: -4.9-stretch-security: -3.16-jessie-security: +upstream: released (5.1-rc1) [720db068634c91553a8e1d9a0fcd8c7050e06d2b] +4.19-upstream-stable: needed +4.9-upstream-stable: needed +3.16-upstream-stable: needed +sid: released (5.2.6-1) +4.19-buster-security: needed +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-9453 b/active/CVE-2019-9453 index 679b7575..2c3b90eb 100644 --- a/active/CVE-2019-9453 +++ b/active/CVE-2019-9453 @@ -2,12 +2,13 @@ Description: f2fs: fix to avoid accessing xattr across the boundary References: https://source.android.com/security/bulletin/pixel/2019-09-01 Notes: + bwh> Apparently introduced in 3.8 when f2fs was added. Bugs: upstream: released (5.2-rc1) [2777e654371dd4207a3a7f4fb5fa39550053a080] 4.19-upstream-stable: released (4.19.53) [ae3787d433f7b87ebf6b916e524c6e280e4e5804] -4.9-upstream-stable: -3.16-upstream-stable: +4.9-upstream-stable: needed +3.16-upstream-stable: needed sid: released (5.2.6-1) 4.19-buster-security: released (4.19.67-1) -4.9-stretch-security: -3.16-jessie-security: +4.9-stretch-security: needed +3.16-jessie-security: needed diff --git a/active/CVE-2019-9455 b/active/CVE-2019-9455 index ea9cba7d..f19e1a60 100644 --- a/active/CVE-2019-9455 +++ b/active/CVE-2019-9455 @@ -2,12 +2,14 @@ Description: media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() References: https://source.android.com/security/bulletin/pixel/2019-09-01 Notes: + bwh> Introduced in 4.1 by commit f61bf13b6a07 "[media] vb2: add + bwh> allow_zero_bytesused flag to the vb2_queue struct". Bugs: upstream: released (5.0-rc1) [5e99456c20f712dcc13d9f6ca4278937d5367355] 4.19-upstream-stable: released (4.19.31) [573d423a9bd76b396954ddf847ff24d97658453d] 4.9-upstream-stable: released (4.9.165) [7f422aa63d5a0905232455a8953cd9bc02eab4da] -3.16-upstream-stable: +3.16-upstream-stable: N/A "Vulnerable code not present" sid: released (4.19.37-1) 4.19-buster-security: N/A "Fixed before branching point" 4.9-stretch-security: released (4.9.168-1) -3.16-jessie-security: +3.16-jessie-security: N/A "Vulnerable code not present" |