author    Kees Cook <kees@outflux.net>  2007-12-19 01:39:51 +0000
committer Kees Cook <kees@outflux.net>  2007-12-19 01:39:51 +0000
commit    e58c55fce0b45d07070b6bf06bd56e914842758c (patch)
tree      8945e98789c0e9363a467fdcbaafc3eeb9928b23
parent    697de24c22ce73cb764b72b8034ca4c2b35013e6 (diff)
Ubuntu kernel updates
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1066 e094ebfe-e918-0410-adfb-c712417f3574
-rw-r--r--  active/CVE-2006-6058    | 10
-rw-r--r--  active/CVE-2007-4133    | 10
-rw-r--r--  active/CVE-2007-4567    |  7
-rw-r--r--  active/CVE-2007-4849    |  6
-rw-r--r--  active/CVE-2007-4997    | 10
-rw-r--r--  active/CVE-2007-5093    |  8
-rw-r--r--  active/CVE-2007-5500    | 10
-rw-r--r--  active/CVE-2007-5501    |  6
-rwxr-xr-x  scripts/ubuntu-usn-desc |  2
9 files changed, 53 insertions, 16 deletions
diff --git a/active/CVE-2006-6058 b/active/CVE-2006-6058
index d848cd28..7582e472 100644
--- a/active/CVE-2006-6058
+++ b/active/CVE-2006-6058
@@ -13,6 +13,10 @@ Description:
function. NOTE: this issue might be due to an integer overflow or signedness
error.
Ubuntu-Description:
+ The minix filesystem did not properly validate certain filesystem values.
+ If a local attacker could trick the system into attempting to mount a
+ corrupted minix filesystem, the kernel could be made to hang for long
+ periods of time, resulting in a denial of service.
Notes:
dannf> ignored for sarge for now - only applies under very rare circumstances
and don't know if there's an upstream fix
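Review bot: the dannf note left in context ("don't know if there's an upstream fix") is stale now that the Ubuntu-Description is being written: the status block of this same file records linux-2.6 as released (2.6.23-1) with bugfix/2.6.23.7.patch, so the fix is known. Update or drop the note in this change so the file does not carry both a known fix and a statement that none is known.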
@@ -28,6 +32,6 @@ linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch]
2.6.8-sarge-security: ignored
2.4.27-sarge-security: ignored
2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
diff --git a/active/CVE-2007-4133 b/active/CVE-2007-4133
index c56cb80c..68f19ae4 100644
--- a/active/CVE-2007-4133
+++ b/active/CVE-2007-4133
@@ -3,7 +3,15 @@ References:
http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6
https://bugzilla.redhat.com/show_bug.cgi?id=253926
Description:
+ The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
+ in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
+ certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
+ units, which allows local users to cause a denial of service (panic)
+ via unspecified vectors.
Ubuntu-Description:
+ Certain calculations in the hugetlb code were not correct. A local
+ attacker could exploit this to cause a kernel panic, leading to a denial
+ of service.
Notes:
jmm> 2.4 doesn't contain hugetlbfs
Bugs:
@@ -13,6 +21,6 @@ linux-2.6: released (2.6.20-1)
2.6.8-sarge-security:
2.4.27-sarge-security: N/A
2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
2.6.20-feisty-security: N/A
2.6.22-gutsy-security: N/A
diff --git a/active/CVE-2007-4567 b/active/CVE-2007-4567
index c5bca8dc..986a9078 100644
--- a/active/CVE-2007-4567
+++ b/active/CVE-2007-4567
@@ -4,6 +4,11 @@ References:
http://bugzilla.kernel.org/show_bug.cgi?id=8450
Description:
Ubuntu-Description:
+ Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6
+ extended header was not correctly validated. If a system was configured
+ for IPv6, a remote attacker could send a specially crafted IPv6 packet
+ and cause the kernel to panic, leading to a denial of service. This
+ was only vulnerable in Ubuntu 7.04.
Notes:
kees> introduced in 2.6.20, fixed in 2.6.22
Bugs:
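Review bot: "hop-by-hop IPv6 extended header" in the new Ubuntu-Description should read "extension header", the term the IPv6 specification uses, e.g. `The hop-by-hop IPv6 extension header was not correctly validated.` Also, the upstream Description: field just above is still empty, so this Ubuntu text is the only summary in the file; consider filling Description: from the bugzilla reference at the same time.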
@@ -14,5 +19,5 @@ linux-2.6:
2.4.27-sarge-security: N/A
2.6.15-dapper-security: N/A
2.6.17-edgy-security: N/A
-2.6.20-feisty-security: pending (2.6.20-2.6.20-16.33)
+2.6.20-feisty-security: released (2.6.20-2.6.20-16.33)
2.6.22-gutsy-security: N/A
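Review bot: the feisty version string `2.6.20-2.6.20-16.33` has a doubled prefix; every other file in this commit records the same upload as `2.6.20-16.33`. Since this hunk rewrites the line anyway, make it `+2.6.20-feisty-security: released (2.6.20-16.33)` rather than flipping pending to released while keeping the typo, otherwise any script comparing recorded versions against the archive will not match this entry.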
diff --git a/active/CVE-2007-4849 b/active/CVE-2007-4849
index 98935417..8844c754 100644
--- a/active/CVE-2007-4849
+++ b/active/CVE-2007-4849
@@ -11,6 +11,8 @@ Description:
restricted files or directories after a remount of a filesystem, related to "legacy
modes" and an inconsistency between dentry permissions and inode permissions.
Ubuntu-Description:
+ Permissions were not correctly stored on JFFS2 ACLs. For systems using
+ ACLs on JFFS2, a local attacker may gain access to private files.
Notes:
jmm> ACL support was introduced in 2.6.17 with commit aa98d7cf59b5b0764d3502662053489585faf2fe, marking
jmm> earlier Debian releases as N/A
@@ -22,5 +24,5 @@ linux-2.6: needed
2.4.27-sarge-security: N/A
2.6.15-dapper-security: N/A
2.6.17-edgy-security: N/A
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
diff --git a/active/CVE-2007-4997 b/active/CVE-2007-4997
index ae43997c..01f1780e 100644
--- a/active/CVE-2007-4997
+++ b/active/CVE-2007-4997
@@ -4,6 +4,10 @@ References:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
Description:
Ubuntu-Description:
+ Chris Evans discovered that the 802.11 network stack did not correctly
+ handle certain QOS frames. A remote attacker on the local wireless network
+ could send specially crafted packets that would panic the kernel, resulting
+ in a denial of service.
Notes:
> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
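Review bot: "QOS frames" in the added Ubuntu-Description should be "QoS frames" (the 802.11 abbreviation for Quality of Service). The Description: field above it is still blank; the quoted note in context already gives the facts (a malformed 802.11 frame crashes the receiving host, only for drivers using the in-kernel 80211 code), so consider carrying that into Description: in the same change.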
@@ -19,6 +23,6 @@ linux-2.6: needed
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
diff --git a/active/CVE-2007-5093 b/active/CVE-2007-5093
index d10018e7..0fac893d 100644
--- a/active/CVE-2007-5093
+++ b/active/CVE-2007-5093
@@ -17,6 +17,10 @@ Description:
the disconnect is invoked. NOTE: this rarely crosses privilege boundaries,
unless the attacker can convince the victim to unplug the affected device.
Ubuntu-Description:
+ The Philips USB Webcam driver did not correctly handle disconnects.
+ If a local attacker tricked another user into disconnecting a webcam
+ unsafely, the kernel could hang or consume CPU resources, leading to
+ a denial of service.
Notes:
kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6c4e
Bugs:
@@ -26,6 +30,6 @@ linux-2.6:
2.6.8-sarge-security:
2.4.27-sarge-security:
2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
2.6.22-gutsy-security: N/A
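Review bot: the 2.6.8-sarge-security and 2.4.27-sarge-security lines in the context of this hunk still have no status at all, while the other files in this commit mark the sarge kernels as N/A or ignored. Since the status block is being edited here, give them a value so the tracker does not treat CVE-2007-5093 as unassessed for sarge.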
diff --git a/active/CVE-2007-5500 b/active/CVE-2007-5500
index 6ca73739..6faf71ea 100644
--- a/active/CVE-2007-5500
+++ b/active/CVE-2007-5500
@@ -4,6 +4,10 @@ References:
Description:
wait_task_stopped: Check p->exit_state instead of TASK_TRACED
Ubuntu-Description:
+ Scott James Remnant discovered that the waitid function could be made
+ to hang the system. A local attacker could execute a specially crafted
+ program which would leave the system unresponsive, resulting in a denial
+ of service.
Notes:
kees> 2.6.15 does not actually lock up -- it just spins in userspace
jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308
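Review bot: the new Ubuntu-Description says the waitid function "could be made to hang the system", but the kees note directly below it states that 2.6.15 does not lock up and only spins in userspace, and 2.6.15-dapper-security is still listed as pending the same fix. Either qualify the description for Dapper or record in the notes that the hang wording applies to the later kernels, so the USN text generated from this field is accurate for each release.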
@@ -15,6 +19,6 @@ linux-2.6: released (2.6.23-1)
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: pending (2.6.15-29.61)
-2.6.17-edgy-security: pending (2.6.17.1-12.42)
-2.6.20-feisty-security: pending (2.6.20-16.33)
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
diff --git a/active/CVE-2007-5501 b/active/CVE-2007-5501
index ff8414dc..8da4bfac 100644
--- a/active/CVE-2007-5501
+++ b/active/CVE-2007-5501
@@ -3,6 +3,10 @@ References:
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=96a2d41a3e495734b63bff4e5dd0112741b93b38
Description:
Ubuntu-Description:
+ Ilpo Järvinen discovered that it might be possible for the TCP stack
+ to panic the kernel when receiving a crafted ACK response. Only Ubuntu
+ 7.10 contained the vulnerable code, and it is believed not to have
+ been exploitable.
Notes:
dannf> Jan Lieskovsky pointed out that tcp_write_queue_head() was introduced
dannf> in 2.6.21-git1
@@ -15,4 +19,4 @@ linux-2.6: released (2.6.23-1)
2.6.15-dapper-security: N/A
2.6.17-edgy-security: N/A
2.6.20-feisty-security: N/A
-2.6.22-gutsy-security: pending (2.6.22-14.47)
+2.6.22-gutsy-security: released (2.6.22-14.47)
diff --git a/scripts/ubuntu-usn-desc b/scripts/ubuntu-usn-desc
index 9894a9e8..c1b07d2c 100755
--- a/scripts/ubuntu-usn-desc
+++ b/scripts/ubuntu-usn-desc
@@ -18,6 +18,8 @@ def wrap(text, width):
)
for cve in sys.argv[1:]:
+ if cve == "--cve":
+ continue
desc = deb822.deb822(file(cve))['Ubuntu-Description'].strip()
if len(sys.argv[1:])!=1:
desc += " (%s)"%cve
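Review bot: skipping `--cve` inside the loop is not enough, because `len(sys.argv[1:])!=1` two lines later still counts the `--cve` token; `ubuntu-usn-desc --cve CVE-2007-5500` therefore sees a length of 2 and appends " (CVE-2007-5500)" to what is really a single description. Filter the argument list once and use it in both places, e.g. `cves = [a for a in sys.argv[1:] if a != "--cve"]`, then `for cve in cves:` and `if len(cves) != 1:`.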
