authordann frazier <dannf@debian.org>2006-08-17 00:25:50 +0000
committerdann frazier <dannf@debian.org>2006-08-17 00:25:50 +0000
commit1f648ebf076cd147d77eafe1270a029bd3944269 (patch)
tree01d97b698afef9f10b58cf863e94886d28290751 /active
parentf3581ec9b2d48c6103c22fecb46f713217d834e8 (diff)
rename the active issues directory from 'patch-tracking' to the more accurate 'active'
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@549 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'active')
-rw-r--r--active/00README21
-rw-r--r--active/00boilerplate15
-rw-r--r--active/00example35
-rw-r--r--active/00pkglist3
-rw-r--r--active/CVE-2002-070447
-rw-r--r--active/CVE-2004-081327
-rw-r--r--active/CVE-2004-099725
-rw-r--r--active/CVE-2004-107439
-rw-r--r--active/CVE-2004-119019
-rw-r--r--active/CVE-2004-213523
-rw-r--r--active/CVE-2004-213619
-rw-r--r--active/CVE-2004-266017
-rw-r--r--active/CVE-2005-010950
-rw-r--r--active/CVE-2005-0109.patch96
-rw-r--r--active/CVE-2005-012422
-rw-r--r--active/CVE-2005-017920
-rw-r--r--active/CVE-2005-048922
-rw-r--r--active/CVE-2005-050421
-rw-r--r--active/CVE-2005-097720
-rw-r--r--active/CVE-2005-126424
-rw-r--r--active/CVE-2005-126515
-rw-r--r--active/CVE-2005-1265.patch98
-rw-r--r--active/CVE-2005-176315
-rw-r--r--active/CVE-2005-287327
-rw-r--r--active/CVE-2005-304430
-rw-r--r--active/CVE-2005-310533
-rw-r--r--active/CVE-2005-352733
-rw-r--r--active/CVE-2005-366020
-rw-r--r--active/CVE-2005-444040
-rw-r--r--active/CVE-2005-444144
-rw-r--r--active/CVE-2005-479815
-rw-r--r--active/CVE-2006-045417
-rw-r--r--active/CVE-2006-055824
-rw-r--r--active/CVE-2006-074414
-rw-r--r--active/CVE-2006-105216
-rw-r--r--active/CVE-2006-134319
-rw-r--r--active/CVE-2006-152815
-rw-r--r--active/CVE-2006-185517
-rw-r--r--active/CVE-2006-185617
-rw-r--r--active/CVE-2006-186216
-rw-r--r--active/CVE-2006-207117
-rw-r--r--active/CVE-2006-227518
-rw-r--r--active/CVE-2006-244418
-rw-r--r--active/CVE-2006-244524
-rw-r--r--active/CVE-2006-244816
-rw-r--r--active/CVE-2006-262917
-rw-r--r--active/CVE-2006-293424
-rw-r--r--active/CVE-2006-293525
-rw-r--r--active/CVE-2006-293625
-rw-r--r--active/CVE-2006-308516
-rw-r--r--active/CVE-2006-346829
-rw-r--r--active/CVE-2006-363422
-rw-r--r--active/CVE-2006-414517
-rw-r--r--active/block-all-signals-race16
-rw-r--r--active/dsa-texts/2.4.27-sarge2177
-rw-r--r--active/dsa-texts/2.4.27-sarge3200
-rw-r--r--active/dsa-texts/2.6.8-sarge2251
-rw-r--r--active/dsa-texts/2.6.8-sarge3246
-rw-r--r--active/dsa-texts/2.6.8-sarge579
-rw-r--r--active/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18212
-rw-r--r--active/non-security/180_fs-isofs-ignored-parameters24
-rw-r--r--active/non-security/sk_run_filter-sk_check_filter49
-rw-r--r--active/retired/CVE-2002-042929
-rw-r--r--active/retired/CVE-2003-000138
-rw-r--r--active/retired/CVE-2003-001838
-rw-r--r--active/retired/CVE-2003-012762
-rw-r--r--active/retired/CVE-2003-018725
-rw-r--r--active/retired/CVE-2003-024450
-rw-r--r--active/retired/CVE-2003-024650
-rw-r--r--active/retired/CVE-2003-024742
-rw-r--r--active/retired/CVE-2003-024842
-rw-r--r--active/retired/CVE-2003-036440
-rw-r--r--active/retired/CVE-2003-041821
-rw-r--r--active/retired/CVE-2003-046136
-rw-r--r--active/retired/CVE-2003-046247
-rw-r--r--active/retired/CVE-2003-046427
-rw-r--r--active/retired/CVE-2003-046534
-rw-r--r--active/retired/CVE-2003-046725
-rw-r--r--active/retired/CVE-2003-047637
-rw-r--r--active/retired/CVE-2003-050133
-rw-r--r--active/retired/CVE-2003-055026
-rw-r--r--active/retired/CVE-2003-055128
-rw-r--r--active/retired/CVE-2003-055228
-rw-r--r--active/retired/CVE-2003-064325
-rw-r--r--active/retired/CVE-2003-069924
-rw-r--r--active/retired/CVE-2003-070024
-rw-r--r--active/retired/CVE-2003-096167
-rw-r--r--active/retired/CVE-2003-098446
-rw-r--r--active/retired/CVE-2003-098554
-rw-r--r--active/retired/CVE-2003-104028
-rw-r--r--active/retired/CVE-2004-000389
-rw-r--r--active/retired/CVE-2004-001016
-rw-r--r--active/retired/CVE-2004-007757
-rw-r--r--active/retired/CVE-2004-010916
-rw-r--r--active/retired/CVE-2004-013329
-rw-r--r--active/retired/CVE-2004-013646
-rw-r--r--active/retired/CVE-2004-013823
-rw-r--r--active/retired/CVE-2004-017728
-rw-r--r--active/retired/CVE-2004-017840
-rw-r--r--active/retired/CVE-2004-018127
-rw-r--r--active/retired/CVE-2004-022833
-rw-r--r--active/retired/CVE-2004-022916
-rw-r--r--active/retired/CVE-2004-039439
-rw-r--r--active/retired/CVE-2004-041542
-rw-r--r--active/retired/CVE-2004-042770
-rw-r--r--active/retired/CVE-2004-044737
-rw-r--r--active/retired/CVE-2004-049127
-rw-r--r--active/retired/CVE-2004-049548
-rw-r--r--active/retired/CVE-2004-049626
-rw-r--r--active/retired/CVE-2004-049733
-rw-r--r--active/retired/CVE-2004-053544
-rw-r--r--active/retired/CVE-2004-055454
-rw-r--r--active/retired/CVE-2004-056530
-rw-r--r--active/retired/CVE-2004-058741
-rw-r--r--active/retired/CVE-2004-059624
-rw-r--r--active/retired/CVE-2004-061928
-rw-r--r--active/retired/CVE-2004-062627
-rw-r--r--active/retired/CVE-2004-068536
-rw-r--r--active/retired/CVE-2004-079044
-rw-r--r--active/retired/CVE-2004-081236
-rw-r--r--active/retired/CVE-2004-081438
-rw-r--r--active/retired/CVE-2004-081635
-rw-r--r--active/retired/CVE-2004-088348
-rw-r--r--active/retired/CVE-2004-088723
-rw-r--r--active/retired/CVE-2004-094940
-rw-r--r--active/retired/CVE-2004-101636
-rw-r--r--active/retired/CVE-2004-101727
-rw-r--r--active/retired/CVE-2004-105627
-rw-r--r--active/retired/CVE-2004-105727
-rw-r--r--active/retired/CVE-2004-105828
-rw-r--r--active/retired/CVE-2004-106833
-rw-r--r--active/retired/CVE-2004-106924
-rw-r--r--active/retired/CVE-2004-107030
-rw-r--r--active/retired/CVE-2004-107129
-rw-r--r--active/retired/CVE-2004-107232
-rw-r--r--active/retired/CVE-2004-107328
-rw-r--r--active/retired/CVE-2004-113739
-rw-r--r--active/retired/CVE-2004-114427
-rw-r--r--active/retired/CVE-2004-115128
-rw-r--r--active/retired/CVE-2004-123435
-rw-r--r--active/retired/CVE-2004-123543
-rw-r--r--active/retired/CVE-2004-123728
-rw-r--r--active/retired/CVE-2004-133332
-rw-r--r--active/retired/CVE-2004-133425
-rw-r--r--active/retired/CVE-2004-133528
-rw-r--r--active/retired/CVE-2004-133728
-rw-r--r--active/retired/CVE-2004-201327
-rw-r--r--active/retired/CVE-2004-230225
-rw-r--r--active/retired/CVE-2004-253628
-rw-r--r--active/retired/CVE-2004-260730
-rw-r--r--active/retired/CVE-2005-000142
-rw-r--r--active/retired/CVE-2005-000334
-rw-r--r--active/retired/CVE-2005-009022
-rw-r--r--active/retired/CVE-2005-009122
-rw-r--r--active/retired/CVE-2005-009222
-rw-r--r--active/retired/CVE-2005-013528
-rw-r--r--active/retired/CVE-2005-013618
-rw-r--r--active/retired/CVE-2005-013723
-rw-r--r--active/retired/CVE-2005-017627
-rw-r--r--active/retired/CVE-2005-017726
-rw-r--r--active/retired/CVE-2005-017830
-rw-r--r--active/retired/CVE-2005-018028
-rw-r--r--active/retired/CVE-2005-020423
-rw-r--r--active/retired/CVE-2005-020727
-rw-r--r--active/retired/CVE-2005-020925
-rw-r--r--active/retired/CVE-2005-021025
-rw-r--r--active/retired/CVE-2005-038431
-rw-r--r--active/retired/CVE-2005-040032
-rw-r--r--active/retired/CVE-2005-044920
-rw-r--r--active/retired/CVE-2005-052828
-rw-r--r--active/retired/CVE-2005-052931
-rw-r--r--active/retired/CVE-2005-053038
-rw-r--r--active/retired/CVE-2005-053120
-rw-r--r--active/retired/CVE-2005-053229
-rw-r--r--active/retired/CVE-2005-073622
-rw-r--r--active/retired/CVE-2005-074928
-rw-r--r--active/retired/CVE-2005-075032
-rw-r--r--active/retired/CVE-2005-075619
-rw-r--r--active/retired/CVE-2005-075721
-rw-r--r--active/retired/CVE-2005-076722
-rw-r--r--active/retired/CVE-2005-081528
-rw-r--r--active/retired/CVE-2005-083923
-rw-r--r--active/retired/CVE-2005-086722
-rw-r--r--active/retired/CVE-2005-091622
-rw-r--r--active/retired/CVE-2005-104122
-rw-r--r--active/retired/CVE-2005-126328
-rw-r--r--active/retired/CVE-2005-136823
-rw-r--r--active/retired/CVE-2005-136924
-rw-r--r--active/retired/CVE-2005-158936
-rw-r--r--active/retired/CVE-2005-176125
-rw-r--r--active/retired/CVE-2005-176222
-rw-r--r--active/retired/CVE-2005-176430
-rw-r--r--active/retired/CVE-2005-176524
-rw-r--r--active/retired/CVE-2005-176723
-rw-r--r--active/retired/CVE-2005-176834
-rw-r--r--active/retired/CVE-2005-191337
-rw-r--r--active/retired/CVE-2005-209833
-rw-r--r--active/retired/CVE-2005-209932
-rw-r--r--active/retired/CVE-2005-210024
-rw-r--r--active/retired/CVE-2005-245632
-rw-r--r--active/retired/CVE-2005-245727
-rw-r--r--active/retired/CVE-2005-245832
-rw-r--r--active/retired/CVE-2005-245931
-rw-r--r--active/retired/CVE-2005-249036
-rw-r--r--active/retired/CVE-2005-249235
-rw-r--r--active/retired/CVE-2005-254827
-rw-r--r--active/retired/CVE-2005-255324
-rw-r--r--active/retired/CVE-2005-255521
-rw-r--r--active/retired/CVE-2005-270824
-rw-r--r--active/retired/CVE-2005-270930
-rw-r--r--active/retired/CVE-2005-280024
-rw-r--r--active/retired/CVE-2005-280126
-rw-r--r--active/retired/CVE-2005-287231
-rw-r--r--active/retired/CVE-2005-297321
-rw-r--r--active/retired/CVE-2005-305328
-rw-r--r--active/retired/CVE-2005-305533
-rw-r--r--active/retired/CVE-2005-310633
-rw-r--r--active/retired/CVE-2005-310733
-rw-r--r--active/retired/CVE-2005-310831
-rw-r--r--active/retired/CVE-2005-310932
-rw-r--r--active/retired/CVE-2005-311032
-rw-r--r--active/retired/CVE-2005-311930
-rw-r--r--active/retired/CVE-2005-317927
-rw-r--r--active/retired/CVE-2005-318031
-rw-r--r--active/retired/CVE-2005-318124
-rw-r--r--active/retired/CVE-2005-325725
-rw-r--r--active/retired/CVE-2005-327124
-rw-r--r--active/retired/CVE-2005-327220
-rw-r--r--active/retired/CVE-2005-327322
-rw-r--r--active/retired/CVE-2005-327424
-rw-r--r--active/retired/CVE-2005-327523
-rw-r--r--active/retired/CVE-2005-327621
-rw-r--r--active/retired/CVE-2005-335634
-rw-r--r--active/retired/CVE-2005-335822
-rw-r--r--active/retired/CVE-2005-335935
-rw-r--r--active/retired/CVE-2005-362321
-rw-r--r--active/retired/CVE-2005-378322
-rw-r--r--active/retired/CVE-2005-378421
-rw-r--r--active/retired/CVE-2005-380522
-rw-r--r--active/retired/CVE-2005-380623
-rw-r--r--active/retired/CVE-2005-380724
-rw-r--r--active/retired/CVE-2005-380819
-rw-r--r--active/retired/CVE-2005-380916
-rw-r--r--active/retired/CVE-2005-381020
-rw-r--r--active/retired/CVE-2005-384730
-rw-r--r--active/retired/CVE-2005-384832
-rw-r--r--active/retired/CVE-2005-385724
-rw-r--r--active/retired/CVE-2005-385824
-rw-r--r--active/retired/CVE-2005-435123
-rw-r--r--active/retired/CVE-2005-435224
-rw-r--r--active/retired/CVE-2005-460525
-rw-r--r--active/retired/CVE-2005-461822
-rw-r--r--active/retired/CVE-2005-463529
-rw-r--r--active/retired/CVE-2005-463925
-rw-r--r--active/retired/CVE-2006-003519
-rw-r--r--active/retired/CVE-2006-003621
-rw-r--r--active/retired/CVE-2006-003721
-rw-r--r--active/retired/CVE-2006-003822
-rw-r--r--active/retired/CVE-2006-003913
-rw-r--r--active/retired/CVE-2006-009522
-rw-r--r--active/retired/CVE-2006-009634
-rw-r--r--active/retired/CVE-2006-045620
-rw-r--r--active/retired/CVE-2006-045731
-rw-r--r--active/retired/CVE-2006-048221
-rw-r--r--active/retired/CVE-2006-055418
-rw-r--r--active/retired/CVE-2006-055519
-rw-r--r--active/retired/CVE-2006-055720
-rw-r--r--active/retired/CVE-2006-074120
-rw-r--r--active/retired/CVE-2006-074221
-rw-r--r--active/retired/CVE-2006-105526
-rw-r--r--active/retired/CVE-2006-105629
-rw-r--r--active/retired/CVE-2006-106640
-rw-r--r--active/retired/CVE-2006-124238
-rw-r--r--active/retired/CVE-2006-134225
-rw-r--r--active/retired/CVE-2006-136823
-rw-r--r--active/retired/CVE-2006-152216
-rw-r--r--active/retired/CVE-2006-152323
-rw-r--r--active/retired/CVE-2006-152428
-rw-r--r--active/retired/CVE-2006-152523
-rw-r--r--active/retired/CVE-2006-152730
-rw-r--r--active/retired/CVE-2006-185720
-rw-r--r--active/retired/CVE-2006-185820
-rw-r--r--active/retired/CVE-2006-185925
-rw-r--r--active/retired/CVE-2006-186025
-rw-r--r--active/retired/CVE-2006-186317
-rw-r--r--active/retired/CVE-2006-186421
-rw-r--r--active/retired/CVE-2006-227127
-rw-r--r--active/retired/CVE-2006-227222
-rw-r--r--active/retired/CVE-2006-227425
-rw-r--r--active/retired/CVE-2006-245115
-rw-r--r--active/retired/CVE-2006-362614
-rwxr-xr-xactive/scripts/deb822.py182
-rwxr-xr-xactive/scripts/html-report160
-rwxr-xr-xactive/scripts/sync-pkg-list32
-rwxr-xr-xactive/scripts/ubuntu-todo2
-rwxr-xr-xactive/scripts/verify-report.pl70
296 files changed, 9730 insertions, 0 deletions
diff --git a/active/00README b/active/00README
new file mode 100644
index 00000000..1140cd2e
--- /dev/null
+++ b/active/00README
@@ -0,0 +1,21 @@
+This directory serves as a mechanism for tracking the status of issues
+across multiple kernel revisions. Today it is primarily used for
+security issues. Each issue is described in an rfc-822 style format.
+
+New issues
+----------
+To start tracking a new issue, svn copy 00boilerplate to a file with
+a name that concisely identifies the issue. If a CVE ID has been
+assigned, use the CVE ID as the filename. Take a look at 00example
+to see the valid values for each of the fields.
+
+Tracking new trees
+------------------
+Run the sync-pkg-list tool to automatically add fields for each of
+the currently maintained kernels (those listed in 00pkglist):
+ $ ./scripts/sync-pkg-list -p 00pkglist ia64-buggy-preempt > tmp
+ $ mv tmp ia64-buggy-preempt
+
+CVE assignments
+---------------
+If a CVE is later assigned to an issue, svn mv that file to the CVD ID.
diff --git a/active/00boilerplate b/active/00boilerplate
new file mode 100644
index 00000000..7df9f9aa
--- /dev/null
+++ b/active/00boilerplate
@@ -0,0 +1,15 @@
+Candidate:
+References:
+Description:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.10-hoary-security:
+2.6.12-breezy-security:
+2.6.15-dapper-security:
+2.6.17-edgy:
diff --git a/active/00example b/active/00example
new file mode 100644
index 00000000..914b13c0
--- /dev/null
+++ b/active/00example
@@ -0,0 +1,35 @@
+## Lines beginning with '##' are just for this example - they shouldn't be
+## transferred to patch track files
+## A list of valid fields for patch description files, with examples
+Candidate: requested | needed | CAN/CVE-XXXX-XXXX | N/A
+## See: http://cve.mitre.org/cve/refs/refkey.html for mitre's reference key to
+## when adding to the References field
+References:
+ CONFIRM:##URL##
+ MISC:##URL##
+Description:
+ Summary of the issue
+ .
+ Might be used for requesting a CVE, or included in a DSA
+Notes:
+ Notes for internal use by the kernel team
+Bugs: 123456, 123457
+## per-tree status.
+## pending: fix has been committed to svn
+## released: we've cut a version with this fix in it
+## needed: bug is applicable to this tree and needs a fix
+## ignored: bug maybe applicable, but we're currently ignoring it - perhaps
+## its too difficult to backport, or we think its a non-issue.
+## justification should be noted in the "Notes" field
+## An empty value means that someone needs to determine the relevancy for this tree
+##
+##
+## status maybe followed by a version string in ()'s, and/or a patchname in []'s
+## Prerequisite patches maybe listed in [] as well, even though they may not be
+## directly part of the fix.
+upstream: released (2.6.12, 2.4.29-rc3), pending (2.6.11.3)
+linux-2.6: pending (2.6.12-9)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [patchname.patch, prerequisite.dpatch, prerequisite2.dpatch]
+2.4.27-sarge-security: needed
+2.4.27: N/A
+2.4.18-woody-security: ignored
diff --git a/active/00pkglist b/active/00pkglist
new file mode 100644
index 00000000..82012abd
--- /dev/null
+++ b/active/00pkglist
@@ -0,0 +1,3 @@
+linux-2.6
+2.6.8-sarge-security
+2.4.27-sarge-security
diff --git a/active/CVE-2002-0704 b/active/CVE-2002-0704
new file mode 100644
index 00000000..9e88a38b
--- /dev/null
+++ b/active/CVE-2002-0704
@@ -0,0 +1,47 @@
+Candidate: CVE-2002-0704
+References:
+ BUGTRAQ:20020508 [CARTSA-20020402] Linux Netfilter NAT/ICMP code information leak
+ REDHAT:RHSA-2002:086
+ MANDRAKE:MDKSA-2002:030
+ HP:HPSBTL0205-039
+ XF: linux-netfilter-information-leak(9043)
+ BID:4699
+Description:
+ The Network Address Translation (NAT) capability for Netfilter ("iptables")
+ 1.2.6a and earlier leaks translated IP addresses in ICMP error messages.
+Notes:
+ There's a patch here:
+ http://www.securityfocus.com/bid/4699
+ But it doesn't appear to have gone upstream. It doesn't look like RedHat
+ or Mandrake fixed it either; instead, they suggest a workaround:
+ http://rhn.redhat.com/errata/RHSA-2002-086.html
+ http://archives.mandrivalinux.com/security-announce/2002-02/msg00025.html
+ .
+ dannf> We plan to "fix" this by recommending the workaround as well.
+ horms> I believe that this problem was fixed as part of the following
+ horms> patch that was incuded in 2.6.11
+ horms> http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=1e69ba3fa29b13fe5229d6e325aee91ae5abe298
+ horms> However I believe a related bug was introduced by the following
+ horms> patch, also included in 2.6.11
+ horms> http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=8d5f3377d48c74df38990688f09e773887ba4eb5
+ horms> This new bugs allows discloser of the IP address of intermedate
+ horms> hops between the NATing box and the NAT'd box.
+ horms> This is easily demonstrated using tcptraceroute
+ horms> 1 10.0.1.7 61.524 ms 93.081 ms 22.982 ms
+ horms> 2 192.168.1.254 72.099 ms 66.899 ms 67.599 ms
+ horms> 3 10.0.1.7 [open] 67.188 ms 105.974 ms 104.873 ms
+ horms> I also believe that pretty much all kernels disclose
+ horms> enough information to work out if DNAT is in use or not.
+ horms> I wrote a long mail about this to netfilter-devel and will
+ horms> put a link here when it shows up
+ horms> In the mean time: (Message-ID: <20060202113824.GA4399@verge.net.au>)
+ horms> Given this seems to be an ongoing suite of problems, with little
+ horms> hope of a final solution, I'm marking it as ignore for all
+ horms> woody and sarge kernels, many of which i have reproduced the
+ horms> problem on allong with upstream's 2.4 (~2.4.33-pre1)
+Bugs:
+upstream: released (2.6.11)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2004-0813 b/active/CVE-2004-0813
new file mode 100644
index 00000000..6409c575
--- /dev/null
+++ b/active/CVE-2004-0813
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-0813
+References:
+ MISC:http://lkml.org/lkml/2004/7/30/147
+ XF:linux-sgio-gain-privileges(17505)
+ URL:http://xforce.iss.net/xforce/xfdb/17505
+Description:
+ Unknown vulnerability in the SG_IO functionality in ide-cd allows local users
+ to bypass read-only access and perform unauthorized write and erase
+ operations.
+Notes:
+ dannf> RedHat is still vulnerable, but there has been recent activity:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133098
+ dannf> I wonder if one of the patches listed for CVE-2004-1190 fixes this?
+ horms> I'm pretty sure this is fixed by the series of patches for SG_IO
+ added upstream in 2.6.8 and the immediately following period.
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=300162
+ That should clean things up for 2.6.
+ 2.4 doesn't suffer this problem exactly, unless
+ the permisions of /dev/sg* are botched.
+ Alan Cox seems to think that is bad, but I'm not so sure.
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133098
+Bugs:
+upstream: fixed (2.6.10)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14)
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2004-0997 b/active/CVE-2004-0997
new file mode 100644
index 00000000..219a27c3
--- /dev/null
+++ b/active/CVE-2004-0997
@@ -0,0 +1,25 @@
+Candidate: CVE-2004-0997
+References:
+Description:
+Notes:
+ Still marked **RESERVED** - this is from the kernel-source-2.4.19 changelog:
+ * Applied patch by Thiemo Seufer to fix local ptrace root in the MIPS
+ ptrace implementation [arch/mips/kernel/scall_o32.S,
+ arch/mips/tools/offset.c, arch/mips64/kernel/scall_64.S,
+ arch/mips64/kernel/scall_o32.S, CAN-2004-0997]
+ <dannf> ths: do you know if CVE-2004-0997 is fixed in 2.6? code is very
+ different from the 2.4.19 patch i have
+ <ths> dannf: Fixed long ago.
+Bugs:
+upstream: released
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/CVE-2004-1074 b/active/CVE-2004-1074
new file mode 100644
index 00000000..028b1dfe
--- /dev/null
+++ b/active/CVE-2004-1074
@@ -0,0 +1,39 @@
+Candidate: CVE-2004-1074
+References:
+ MLIST:[linux-kernel] 20041111 a.out issue
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=110021173607372&w=2
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ TRUSTIX:2005-0001
+ URL:http://www.trustix.org/errata/2005/0001/
+ BUGTRAQ:20041216 [USN-39-1] Linux amd64 kernel vulnerability
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110322596918807&w=2
+ XF:linux-aout-binary-dos(18290)
+ URL:http://xforce.iss.net/xforce/xfdb/18290
+Description:
+ The binfmt functionality in the Linux kernel, when "memory overcommit" is
+ enabled, allows local users to cause a denial of service (kernel oops) via a
+ malformed a.out binary.
+Notes:
+ From Joey's 2.4.18-14.4 changelog:
+ * Applied patch by Chris Wright to not insert overlapping regions in
+ setup_arg_pages() [fs/exec.c, associated to CAN-2004-1074]
+ * Applied patch by Chris Wright to fix error handling in do_brk() when
+ setting up bss in a.out [fs/binfmt_aout.c, CAN-2004-1074]
+Bugs:
+upstream: released (2.6.10)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [binfmt-huge-vma-dos.dpatch, binfmt-huge-vma-dos2.dpatch]
+2.4.27-sarge-security: released (2.4.27-7) [114-binfmt_aout-CVE-2004-1074.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/CVE-2004-1190 b/active/CVE-2004-1190
new file mode 100644
index 00000000..ec15150c
--- /dev/null
+++ b/active/CVE-2004-1190
@@ -0,0 +1,19 @@
+Candidate: CVE-2004-1190
+References:
+ http://www.novell.com/linux/security/advisories/2004_42_kernel.html
+ http://xforce.iss.net/xforce/xfdb/18370
+Description:
+ SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not
+ properly check commands sent to CD devices that have been opened read-only,
+ which could allow local users to conduct unauthorized write activities to
+ modify the firmware of associated SCSI devices.
+ .
+ dannf> skipping for 2.4/sarge3 - not sure if 2.4 is affected, but we should
+ revisit
+Notes:
+Bugs: 300162
+upstream: released (2.6.10)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [scsi-ioctl-cmd-warned.dpatch, scsi-ioctl-remove-dup.dpatch, scsi-ioctl-permit.dpatch, SG_IO-cap.dpatch, SG_IO-safe-commands-2.dpatch, SG_IO-safe-commands-3.dpatch, SG_IO-safe-commands-5.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2004-2135 b/active/CVE-2004-2135
new file mode 100644
index 00000000..8c0dcd58
--- /dev/null
+++ b/active/CVE-2004-2135
@@ -0,0 +1,23 @@
+Candidate: CVE-2004-2135
+References:
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2
+ http://mareichelt.de/pub/notmine/diskenc.pdf
+ http://www.securiteam.com/exploits/5UP0P1PFPM.html
+ http://www.securityfocus.com/bid/13775
+Description:
+ cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a
+ block size 1024 or greater, has certain "IV computation" weaknesses that
+ allow watermarked files to be detected without decryption.
+Notes:
+ jmm> IIRC there was some serious flaming about the different disk encryption systems,
+ jmm> I'm not sure whether this has been addressed or how real it is
+ jmm> Plus, cryptoloop is marked DEPRECATED for a long time IIRC
+ jmm> It's not included in stock 2.4 kernels, but only available in kernel-patch-cryptoloop,
+ jmm> which is only part of sid and hasn't been shipped with neither Woody nor Sarge, so
+ jmm> I'm marking all these N/A
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2004-2136 b/active/CVE-2004-2136
new file mode 100644
index 00000000..247436ff
--- /dev/null
+++ b/active/CVE-2004-2136
@@ -0,0 +1,19 @@
+Candidate: CVE-2004-2136
+References:
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2
+ http://mareichelt.de/pub/notmine/diskenc.pdf
+ http://www.securiteam.com/exploits/5UP0P1PFPM.html
+Description:
+ dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a
+ block size 1024 or greater, has certain "IV computation" weaknesses that
+ allow watermarked files to be detected without decryption.
+Notes:
+ jmm> IIRC there was some serious flaming about the different disk encryption systems,
+ jmm> I'm not sure whether this has been addressed or how real it is
+ jmm> 2.4 doesn't have dm-crypt, though
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2004-2660 b/active/CVE-2004-2660
new file mode 100644
index 00000000..ce902436
--- /dev/null
+++ b/active/CVE-2004-2660
@@ -0,0 +1,17 @@
+Candidate: CVE-2004-2660
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4182a613oVsK0-8eCWpyYFrUf8rhLA
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.10
+Description:
+ Memory leak in direct-io.c in Linux kernel 2.6.x before 2.6.10 allows local
+ users to cause a denial of service (memory consumption) via certain O_DIRECT
+ (direct IO) write requests.
+Notes:
+ jmm> This was only covered by MITRE in May 2006
+ jmm> Vulnerable code not present in 2.4
+Bugs:
+upstream: released (2.6.10)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: pending (2.6.8-16sarge5) [direct-io-write-mem-leak.dpatch]
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2005-0109 b/active/CVE-2005-0109
new file mode 100644
index 00000000..fa6988a4
--- /dev/null
+++ b/active/CVE-2005-0109
@@ -0,0 +1,50 @@
+Candidate: CVE-2005-0109
+References:
+ MISC:http://www.daemonology.net/papers/htt.pdf
+ MISC:http://www.daemonology.net/hyperthreading-considered-harmful/
+ MLIST:[openbsd-misc] 20050304 Re: FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=openbsd-misc&m=110995101417256&w=2
+ MLIST:[freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff]
+ URL:http://marc.theaimsgroup.com/?l=freebsd-security&m=110994370429609&w=2
+ MLIST:[freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff
+ URL:http://marc.theaimsgroup.com/?l=freebsd-hackers&m=110994026421858&w=2
+ MISC:http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
+ FREEBSD:FreeBSD-SA-05:09
+ SCO:SCOSA-2005.24
+ URL:ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.24/SCOSA-2005.24.txt
+ SUNALERT:101739
+ URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-101739-1
+ CERT-VN:VU#911878
+ URL:http://www.kb.cert.org/vuls/id/911878
+ BID:12724
+ URL:http://www.securityfocus.com/bid/12724
+ FRSIRT:ADV-2005-0540
+ URL:http://www.frsirt.com/english/advisories/2005/0540
+ FRSIRT:ADV-2005-3002
+ URL:http://www.frsirt.com/english/advisories/2005/3002
+ SECTRACK:1013967
+ URL:http://securitytracker.com/id?1013967
+ SECUNIA:15348
+ URL:http://secunia.com/advisories/15348
+ SECUNIA:18165
+ URL:http://secunia.com/advisories/18165
+Description:
+ Hyper-Threading technology, as used in FreeBSD and other operating systems
+ that are run on Intel Pentium and other processors, allows local users to use
+ a malicious thread to create covert channels, monitor the execution of other
+ threads, and obtain sensitive information such as cryptographic keys, via a
+ timing attack on memory cache misses.
+Notes:
+ There's no upstream patch, but Ubuntu has included a patch that disables
+ HT by default, but allows users to turn it on again by booting w/ ht=on;
+ included here in the patch-tracker.
+ jmm> On linux-kernel nearly everyone disagreed that this a practical attack
+ jmm> Plus, I remember some fixes for OpenSSL, that would render the attack
+ jmm> impossible, so I think it might be wiser to fix this in OpenSSL?
+ jmm> What did other distributions like Red Hat, SuSE or OWL do?
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-0109.patch b/active/CVE-2005-0109.patch
new file mode 100644
index 00000000..09f07427
--- /dev/null
+++ b/active/CVE-2005-0109.patch
@@ -0,0 +1,96 @@
+diff -urN x/Documentation/kernel-parameters.txt y/Documentation/kernel-parameters.txt
+--- x/Documentation/kernel-parameters.txt 2004-08-24 17:20:00.000000000 +1000
++++ y/Documentation/kernel-parameters.txt 2005-05-19 20:25:10.000000000 +1000
+@@ -451,6 +451,10 @@
+ hisax= [HW,ISDN]
+ See Documentation/isdn/README.HiSax.
+
++ ht= [HW,IA-32,SMP]
++ ht=on: Enable Hyper Threading
++ ht=off: Disable Hyper Threading
++
+ hugepages= [HW,IA-32,IA-64] Maximal number of HugeTLB pages.
+
+ noirqbalance [IA-32,SMP,KNL] Disable kernel irq balancing
+diff -urN x/arch/i386/Kconfig y/arch/i386/Kconfig
+--- x/arch/i386/Kconfig 2005-04-06 20:07:04.000000000 +1000
++++ y/arch/i386/Kconfig 2005-05-19 20:19:55.000000000 +1000
+@@ -1326,6 +1326,11 @@
+ depends on SMP && !(X86_VISWS || X86_VOYAGER)
+ default y
+
++config X86_HT_DISABLE
++ bool
++ depends on X86_HT
++ default y
++
+ config X86_BIOS_REBOOT
+ bool
+ depends on !(X86_VISWS || X86_VOYAGER)
+diff -urN x/arch/i386/kernel/cpu/intel.c y/arch/i386/kernel/cpu/intel.c
+--- x/arch/i386/kernel/cpu/intel.c 2004-08-24 17:16:24.000000000 +1000
++++ y/arch/i386/kernel/cpu/intel.c 2005-05-19 20:19:07.000000000 +1000
+@@ -267,6 +267,7 @@
+ #ifdef CONFIG_X86_HT
+ if (cpu_has(c, X86_FEATURE_HT)) {
+ extern int phys_proc_id[NR_CPUS];
++ extern int disable_ht;
+
+ u32 eax, ebx, ecx, edx;
+ int index_lsb, index_msb, tmp;
+@@ -275,6 +276,9 @@
+ cpuid(1, &eax, &ebx, &ecx, &edx);
+ smp_num_siblings = (ebx & 0xff0000) >> 16;
+
++ if (disable_ht)
++ smp_num_siblings = 1;
++
+ if (smp_num_siblings == 1) {
+ printk(KERN_INFO "CPU: Hyper-Threading is disabled\n");
+ } else if (smp_num_siblings > 1 ) {
+diff -urN x/arch/i386/kernel/setup.c y/arch/i386/kernel/setup.c
+--- x/arch/i386/kernel/setup.c 2005-04-06 20:11:18.000000000 +1000
++++ y/arch/i386/kernel/setup.c 2005-05-19 20:18:01.000000000 +1000
+@@ -57,6 +57,13 @@
+ unsigned long init_pg_tables_end __initdata = ~0UL;
+
+ int disable_pse __initdata = 0;
++#ifdef CONFIG_X86_HT
++#ifdef CONFIG_X86_HT_DISABLE
++int disable_ht __initdata = 1;
++#else
++int disable_ht __initdata = 0;
++#endif
++#endif
+
+ /*
+ * Machine setup..
+@@ -802,6 +809,13 @@
+ #endif /* CONFIG_X86_LOCAL_APIC */
+ #endif /* CONFIG_ACPI_BOOT */
+
++#ifdef CONFIG_X86_HT
++ else if (!memcmp(from, "ht=on", 5))
++ disable_ht = 0;
++ else if (!memcmp(from, "ht=off", 6))
++ disable_ht = 1;
++#endif
++
+ /*
+ * highmem=size forces highmem to be exactly 'size' bytes.
+ * This works even on boxes that have no highmem otherwise.
+diff -urN x/arch/x86_64/Kconfig y/arch/x86_64/Kconfig
+--- x/arch/x86_64/Kconfig 2004-08-24 17:18:41.000000000 +1000
++++ y/arch/x86_64/Kconfig 2005-05-19 20:20:45.000000000 +1000
+@@ -165,6 +165,11 @@
+ bool
+ depends on SMP && !MK8
+ default y
++
++config X86_HT_DISABLE
++ bool
++ depends on X86_HT
++ default y
+
+ config MATH_EMULATION
+ bool
diff --git a/active/CVE-2005-0124 b/active/CVE-2005-0124
new file mode 100644
index 00000000..20ee77c9
--- /dev/null
+++ b/active/CVE-2005-0124
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0124
+References:
+ MLIST:[linux-kernel] 20041216 [Coverity] Untrusted user data in kernel
+ URL:http://seclists.org/lists/linux-kernel/2004/Dec/3914.html
+ MLIST:[linux-kernel] 20050105 Re: [Coverity] Untrusted user data in kernel
+ URL:http://seclists.org/lists/linux-kernel/2005/Jan/1089.html
+ MLIST:[linux-kernel] 20050107 [PATCH 2.4.29-pre3-bk4] fs/coda Re: [Coverity] Untrusted user data in kernel
+ URL:http://seclists.org/lists/linux-kernel/2005/Jan/2018.html
+ MLIST:[linux-kernel] 20050107 [PATCH 2.6.10-mm2] fs/coda Re: [Coverity] Untrusted user data in kernel
+ URL:http://seclists.org/lists/linux-kernel/2005/Jan/2020.html
+Description:
+ The coda_pioctl function in the coda functionality (pioctl.c) for Linux
+ kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial
+ of service (crash) or execute arbitrary code via negative vi.in_size or
+ vi.out_size values, which may trigger a buffer overflow.
+Notes:
+Bugs:
+upstream: released (2.6.11)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2) [fs_coda_coverty.dpatch]
+2.4.27-sarge-security: released (2.4.27-8)
diff --git a/active/CVE-2005-0179 b/active/CVE-2005-0179
new file mode 100644
index 00000000..323bf2c7
--- /dev/null
+++ b/active/CVE-2005-0179
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-0179
+References:
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030660.html
+ http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+Description:
+ Linux kernel 2.4.x and 2.6.x allows local users to cause a denial
+ of service (CPU and memory consumption) and bypass RLIM_MEMLOCK
+ limits via the mlockall call.
+Notes:
+ jmm> The vulnerable code was only introduced in 2.6.9
+ dannf> I believe this is fixed in:
+ http://linux.bkbits.net:8080/linux-2.6/cset@41e2d63eQyYc3q3MPkKLhEktFoqfUw?nav=index.html|src/|src/mm|related/mm/mmap.c
+ dannf> and since that was in 2.6.11, i'll mark upstream as such
+Bugs:
+upstream: released (2.6.11)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2005-0489 b/active/CVE-2005-0489
new file mode 100644
index 00000000..3732e13b
--- /dev/null
+++ b/active/CVE-2005-0489
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0489
+References:
+Description:
+ Applied patch by Marcelo Tosatti <marcelo.tosatti@cyclades.com> to fix
+ potential memory access to free memory in /proc handling
+Notes:
+ still marked **RESERVED**
+ But it looks like Joey used this patch for his kernel-source-2.4.18 update:
+ http://linux.bkbits.net:8080/linux-2.4/cset@1.1359.1.22?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/base.c
+Bugs:
+upstream: released (2.4.27-pre1)
+linux-2.6.16: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/CVE-2005-0504 b/active/CVE-2005-0504
new file mode 100644
index 00000000..a83d6349
--- /dev/null
+++ b/active/CVE-2005-0504
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-0504
+References:
+ MISC:http://www.securitytracker.com/alerts/2005/Feb/1013273.html
+Description:
+ Make sure the length we're passing copy_from_user() is never negative or
+ too large for moxaBuff.
+Notes:
+ dannf> still not upstream as of 2.6.18-rc4, i've poked upstream about it
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-12) [030-moxa_user_copy_checking.dpatch]
+2.4.27-sarge-security: released (2.4.27-8) [125_moxa_bound_checking.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/CVE-2005-0977 b/active/CVE-2005-0977
new file mode 100644
index 00000000..0df2b3f3
--- /dev/null
+++ b/active/CVE-2005-0977
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-0977
+References:
+ http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
+ http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg
+ http://lkml.org/lkml/2005/2/5/111
+ http://www.securityfocus.com/bid/12970
+Description:
+ The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel
+ 2.6 does not properly verify the address argument, which allows local users
+ to cause a denial of service (kernel crash) via an invalid address.
+Notes:
+ dannf> 2.4 does look vulnerable, but the 2.6 fix won't work directly because
+ 2.4 doesn't have i_size_read(). The 2.6 i_size_read() uses seqlocks, which
+ aren't in 2.4, so the port isn't trivial for me.
+Bugs: 303177
+upstream: released (2.6.11)
+linux-2.6.16:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [mm-shmem-truncate.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2005-1264 b/active/CVE-2005-1264
new file mode 100644
index 00000000..775006c9
--- /dev/null
+++ b/active/CVE-2005-1264
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-1264
+References:
+ MLIST:[linux-kernel] 20050517 [PATCH] Fix root hole in raw device
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=111630512512222
+ VULNWATCH:20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html
+ VULNWATCH:20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0046.html
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10
+ FRSIRT:ADV-2005-0557
+ URL:http://www.frsirt.com/english/advisories/2005/0557
+Description:
+ Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong
+ function before passing an ioctl to the block device, which crosses security
+ boundaries by making kernel address space accessible from user space, a
+ similar vulnerability to CVE-2005-1589.
+Notes:
+ dannf> Code is very different in 2.4, don't know if its vulnerable
+Bugs:
+upstream: released (2.6.11.10)
+linux-2.6.16:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [drivers-block-raw-ioctl.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2005-1265 b/active/CVE-2005-1265
new file mode 100644
index 00000000..61ccb62f
--- /dev/null
+++ b/active/CVE-2005-1265
@@ -0,0 +1,15 @@
+Candidate: CVE-2005-1265
+References: http://www.ubuntulinux.org/support/documentation/usn/usn-137-1
+Description:
+ The mmap function in the Linux Kernel 2.6.10 can be used to create memory
+ maps with a start address beyond the end address, which allows local users
+ to cause a denial of service (kernel crash)
+Notes:
+ jmm> I've pulled the patch by Linus from the above-mentioned Ubuntu advisory
+ dannf> Code is very different in 2.4; dunno if its vulnerable
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-16sarge1) [mm-mmap-range-test.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2005-1265.patch b/active/CVE-2005-1265.patch
new file mode 100644
index 00000000..aa2b36c5
--- /dev/null
+++ b/active/CVE-2005-1265.patch
@@ -0,0 +1,98 @@
+diff -urN x/include/linux/err.h y/include/linux/err.h
+--- x/include/linux/err.h 2004-08-24 17:19:18.000000000 +1000
++++ y/include/linux/err.h 2005-05-20 18:38:34.000000000 +1000
+@@ -11,6 +11,89 @@
+ * This should be a per-architecture thing, to allow different
+ * error and pointer decisions.
+ */
++#define IS_ERR_VALUE(x) ((x) > (unsigned long)-1000L)
++
+ static inline void *ERR_PTR(long error)
+ {
+ return (void *) error;
+@@ -23,7 +25,79 @@
+
+ static inline long IS_ERR(const void *ptr)
+ {
+- return (unsigned long)ptr > (unsigned long)-1000L;
++ return IS_ERR_VALUE((unsigned long)ptr);
+ }
+
+ #endif /* _LINUX_ERR_H */
+diff -urN x/mm/mmap.c y/mm/mmap.c
+--- x/mm/mmap.c 2005-05-19 20:54:12.000000000 +1000
++++ y/mm/mmap.c 2005-05-20 18:39:23.000000000 +1000
+@@ -1076,37 +1076,40 @@
+ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
+ unsigned long pgoff, unsigned long flags)
+ {
+- if (flags & MAP_FIXED) {
+- unsigned long ret;
++ unsigned long ret;
+
+- if (addr > TASK_SIZE - len)
+- return -ENOMEM;
+- if (addr & ~PAGE_MASK)
+- return -EINVAL;
+- if (file && is_file_hugepages(file)) {
+- /*
+- * Check if the given range is hugepage aligned, and
+- * can be made suitable for hugepages.
+- */
+- ret = prepare_hugepage_range(addr, len);
+- } else {
+- /*
+- * Ensure that a normal request is not falling in a
+- * reserved hugepage range. For some archs like IA-64,
+- * there is a separate region for hugepages.
+- */
+- ret = is_hugepage_only_range(addr, len);
+- }
+- if (ret)
+- return -EINVAL;
+- return addr;
+- }
++ if (!(flags & MAP_FIXED)) {
++ unsigned long (*get_area)(struct file *, unsigned long, unsigned long, unsigned long, unsigned long);
+
+- if (file && file->f_op && file->f_op->get_unmapped_area)
+- return file->f_op->get_unmapped_area(file, addr, len,
+- pgoff, flags);
++ get_area = arch_get_unmapped_area;
++ if (file && file->f_op && file->f_op->get_unmapped_area)
++ get_area = file->f_op->get_unmapped_area;
++ addr = get_area(file, addr, len, pgoff, flags);
++ if (IS_ERR_VALUE(addr))
++ return addr;
++ }
+
+- return arch_get_unmapped_area(file, addr, len, pgoff, flags);
++ if (addr > TASK_SIZE - len)
++ return -ENOMEM;
++ if (addr & ~PAGE_MASK)
++ return -EINVAL;
++ if (file && is_file_hugepages(file)) {
++ /*
++ * Check if the given range is hugepage aligned, and
++ * can be made suitable for hugepages.
++ */
++ ret = prepare_hugepage_range(addr, len);
++ } else {
++ /*
++ * Ensure that a normal request is not falling in a
++ * reserved hugepage range. For some archs like IA-64,
++ * there is a separate region for hugepages.
++ */
++ ret = is_hugepage_only_range(addr, len);
++ }
++ if (ret)
++ return -EINVAL;
++ return addr;
+ }
+
+ EXPORT_SYMBOL(get_unmapped_area);
+
+
+
+
+
diff --git a/active/CVE-2005-1763 b/active/CVE-2005-1763
new file mode 100644
index 00000000..fe04deda
--- /dev/null
+++ b/active/CVE-2005-1763
@@ -0,0 +1,15 @@
+Candidate: CVE-2005-1763
+References:
+ http://www.novell.com/linux/security/advisories/2005_29_kernel.html
+Description:
+ Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures allows
+ local users to write bytes into kernel memory.
+Notes:
+ dannf> The patch we have is only for x86_64. This code was very different
+ dannf> in 2.4, and we don't ship 2.4/amd64, so we can probably drop this one.
+ dannf> The question is, does this affect other 64-bit archs?
+Bugs:
+upstream: released (2.6.12-rc5)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-boundary-check.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
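Review bot: The `linux-2.6.16:` status line that the neighbouring records carry (for example CVE-2005-1264 and CVE-2005-2873) is missing from this record, so the issue has no tracked state at all for that branch; the same line is absent from CVE-2006-0558 and CVE-2006-0744. A missing line reads as "nothing to do" rather than "not yet assessed", which is the opposite of what the Notes suggest for the 2.4/other-arch questions still open here. Add `linux-2.6.16:` between `upstream:` and `linux-2.6:` in each of the three records, even if the value is left blank for now.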
diff --git a/active/CVE-2005-2873 b/active/CVE-2005-2873
new file mode 100644
index 00000000..8e9950f3
--- /dev/null
+++ b/active/CVE-2005-2873
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-2873
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2873
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050909
+ Category: SF
+ MISC:http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/
+Description:
+ The ipt_recent kernel module (ipt_recent.c) in Linux kernel 2.6.12 and
+ earlier does not properly perform certain time tests when the jiffies
+ value is greater than LONG_MAX, which can cause ipt_recent netfilter
+ rules to block too early, a different vulnerability than
+ CVE-2005-2872.
+Notes:
+ horms> No patch that is acceptable upstream is available
+ http://lists.debian.org/debian-kernel/2005/09/msg00257.html
+ jmm> There's now a complete rewrite by Patrick McHardy in 2.6.18
+upstream: released (2.6.18)
+Bugs: 332381, 332231, 332228
+linux-2.6.16:
+linux-2.6: needed
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sid/sarge: needed
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
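Review bot: `upstream:` is placed before `Bugs:` here, whereas the other records in this directory list `Bugs:` first and then the per-branch status lines. CVE-2005-3044 has no `Bugs:` line at all, and CVE-2005-3105 moves `linux-2.6.16:` and `linux-2.6:` to after the sarge lines. The records read as a fixed-order form, so anything parsing them by position would mis-assign fields for these three; reordering them to the common layout (and adding an empty `Bugs:` line to CVE-2005-3044) keeps the set uniform.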
diff --git a/active/CVE-2005-3044 b/active/CVE-2005-3044
new file mode 100644
index 00000000..56aeb144
--- /dev/null
+++ b/active/CVE-2005-3044
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-3044
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3044
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050922
+ Category: SF
+ Reference: CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.2
+Description:
+ Multiple vulnerabilities in Linux kernel before 2.6.13.2 allow loal
+ users to cause a denial of service (kernel OOPS from null dereference)
+ via (1) fput in a 32-bit ioctl on 64-bit x86 systems or (2) sockfd_put
+ in the 32-bit routing_ioctl function on 64-bit systems.
+Notes:
+ http://lkml.org/lkml/2005/9/30/218
+ horms> 2.4.27 code is vulnerable but there is no amd64 for 2.4 in Sarge
+ dannf> Though, I guess its possible that someone would try to build an amd64
+ dannf> kernel out of our tree, so I marked 2.4 "needed" below. Lowest of the
+ dannf> low priorities though...
+ micah> there are actually two issues that are fixed in this CVE, so we
+ micah> have two patches... if you look at them they look REALLY similar, but they aren't
+ micah> dont be fooled
+upstream: released (2.6.13.2)
+linux-2.6.16:
+linux-2.6: released (2.6.12-7, 2.6.13-1) [lost-fput-in-32bit-ioctl-on-x86-64.patch, linux-2.6.13.2.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge2) [lost-fput-in-32bit-ioctl-on-x86-64.dpatch, lost-sockfd_put-in-32bit-compat-routing_ioctl.patch]
+2.4.27-sid/sarge: needed
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-3105 b/active/CVE-2005-3105
new file mode 100644
index 00000000..99426e68
--- /dev/null
+++ b/active/CVE-2005-3105
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-3105
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3105
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ Reference: MISC:http://www.intel.com/cd/ids/developer/asmo-na/eng/215766.htm
+ Reference: MISC:http://cache-www.intel.com/cd/00/00/21/57/215792_215792.pdf
+ Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
+Description:
+ The mrpotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
+ processors does not properly maintain cache coherency as required by
+ the architecture, which allows local users to cause a denial of
+ service and possibly corrupt data by modifying PTE protections.
+ .
+ Extra information from Moritz Muehlenhof:
+ ia64 Montecito CPU do not maintain cache coherency correctly, which can be
+ exploited by a local DoS.
+ http://linux.bkbits.net:8080/linux-2.6/cset@4248d4019z8HvgrPAji51TKrWiV2uw?nav=index.html|src/|src/mm|related/mm/mprotect.c
+ .
+ dannf> These CPUs aren't available on the market yet, and I'm not sure
+ dannf> 2.4 is vulnerable. Will have to attempt to reproduce when I can
+ dannf> get my hands on some hardware. Ignoring for sarge2.
+Bugs: 332569
+upstream: 2.6.12
+2.6.8-sarge-security: released (2.6.8-16sarge1) [mckinley_icache.dpatch]
+2.4.27-sid/sarge: needed
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
+linux-2.6.16:
+linux-2.6: N/A
diff --git a/active/CVE-2005-3527 b/active/CVE-2005-3527
new file mode 100644
index 00000000..a795edb2
--- /dev/null
+++ b/active/CVE-2005-3527
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-3527
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/davem/sparc-2.6.git;a=commitdiff;h=788e05a67c343fa22f2ae1d3ca264e7f15c25eaf
+Description:
+ Race condition in signal handling
+ Race condition in do_coredump in signal.c in Linux kernel 2.6 allows local
+ users to cause a denial of service by triggering a core dump in one thread
+ while another thread has a pending SIGSTOP
+Notes:
+ dannf> The changed code doesn't exist in 2.6.8. That code was added later in:
+ http://linux.bkbits.net:8080/linux-2.6/cset@41db7d2cBjKGtCZDlUmwwo2dgMZ6Wg?nav=index.html|src/|src/kernel|related/kernel/signal.c
+ Its unclear to me whether or not that patch added the bug, or just made it
+ look different.
+ Applying all the prereq changes to get our code to resemble the fixed
+ code does not look feasible; there are a lot, and some add new features.
+ horms> This specific problem seems to haev been introduced by the
+ changeset above. That changeset fixed a problem where STOP signals
+ weren't correctly canceled if SIGTERM or SIGCONT arrived.
+ However, that problem seems a lot more mild than CVE-2005-3527.
+ And I agree with dannf's analysis that backporting is too hard.
+ To support this, look at how many times STOP signal races
+ have been fixed since 2.6.8 and note that problems are still
+ being found.
+ dannf> Same with 2.4.27.
+ horms> I'm not entirely sure that 2.4.27 suffers from any of these
+ problems. But I think it is fair to say that if it does,
+ backporting is too hard for the same reasons as 2.6.8.
+Bugs:
+upstream: released (2.6.14)
+linux-2.6.16:
+linux-2.6: N/A
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-3660 b/active/CVE-2005-3660
new file mode 100644
index 00000000..163041a4
--- /dev/null
+++ b/active/CVE-2005-3660
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-3660
+References:
+ http://www.idefense.com/intelligence/vulnerabilities/display.php?id=362
+ http://www.securityfocus.com/bid/16041
+Description:
+ Linux kernel 2.4 and 2.6 allows attackers to cause a denial of service
+ (memory exhaustion and panic) by creating a large number of connected
+ file descriptors or socketpairs and setting a large data transfer
+ buffer, then preventing Linux from being able to finish the transfer
+ by causing the process to become a zombie, or closing the file
+ descriptor without closing an associated reference.
+Notes:
+ dannf> The fix suggested by idefense includes adding a struct user reference
+ dannf> to struct file. No such thing has gone upstream yet, however.
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-4440 b/active/CVE-2005-4440
new file mode 100644
index 00000000..0b987253
--- /dev/null
+++ b/active/CVE-2005-4440
@@ -0,0 +1,40 @@
+Candidate: CVE-2005-4440
+References:
+ http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
+ http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
+Description:
+ The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic
+ via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream
+ switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN
+ jumping attack."
+Notes:
+ Quoting Horms:
+ I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
+ Linux because of the following line near the bottom of vlan_skb_recv().
+ .
+ skb->protocol = __constant_htons(ETH_P_802_2);
+ .
+ I'm looking at Linus' Git tree as of this morning,
+ but I don't think there have been any relevnant changes
+ since Git began at 2.6.12-rc2.
+ .
+ This seems to imply that further processing will treat the packet
+ as an ethernet frame. Though I need to double check that it
+ can't be passed back into the vlan code. I'm doing that now,
+ but in about 15 minutes I have to leave, and I'll be on
+ leave for 6 days. At home, and possibly looking into this problem,
+ but not at my desk working sensible hours.
+ .
+ As for 2 (PVLAN jumping). I haven't looked into that yet but
+ it seems quite plausible.
+ .
+ dannf> Horms believes these to be protocol bugs - they are legal
+ dannf> things to do. Therefore, we're gonna ignore them for the sarge2
+ dannf> series of kernels & follow what upstream does.
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-4441 b/active/CVE-2005-4441
new file mode 100644
index 00000000..c9cb3ad9
--- /dev/null
+++ b/active/CVE-2005-4441
@@ -0,0 +1,44 @@
+Candidate: CVE-2005-4441
+References:
+ BUGTRAQ:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
+ URL:http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
+ BUGTRAQ:20051219 Re: Making unidirectional VLAN and PVLAN jumping bidirectional
+ URL:http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
+ FULLDISC:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
+ URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
+Description:
+ The PVLAN protocol allows remote attackers to bypass network segmentation and
+ spoof PVLAN traffic via a PVLAN message with a target MAC address that is set
+ to a gateway router, which causes the packet to be sent to the router, where
+ the source MAC is modified, aka "Modification of the MAC spoofing PVLAN
+ jumping attack," as demonstrated by pvlan.c.
+Notes:
+ Quoting Horms:
+ I've taken a quick look at this. I don't think that 1. (VLAN jumping) effects
+ Linux because of the following line near the bottom of vlan_skb_recv().
+ .
+ skb->protocol = __constant_htons(ETH_P_802_2);
+ .
+ I'm looking at Linus' Git tree as of this morning,
+ but I don't think there have been any relevnant changes
+ since Git began at 2.6.12-rc2.
+ .
+ This seems to imply that further processing will treat the packet
+ as an ethernet frame. Though I need to double check that it
+ can't be passed back into the vlan code. I'm doing that now,
+ but in about 15 minutes I have to leave, and I'll be on
+ leave for 6 days. At home, and possibly looking into this problem,
+ but not at my desk working sensible hours.
+ .
+ As for 2 (PVLAN jumping). I haven't looked into that yet but
+ it seems quite plausible.
+ .
+ dannf> Horms believes these to be protocol bugs - they are legal
+ dannf> things to do. Therefore, we're gonna ignore them for the sarge2
+ dannf> series of kernels & follow what upstream does.
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
diff --git a/active/CVE-2005-4798 b/active/CVE-2005-4798
new file mode 100644
index 00000000..633e07c6
--- /dev/null
+++ b/active/CVE-2005-4798
@@ -0,0 +1,15 @@
+Candidate: CVE-2005-4798
+References:
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
+ http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+ http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commitdiff;h=87e03738fc15dc3ea4acde3a5dcb5f84b6b6152b
+Description:
+Notes:
+ jmm> Current 2.6 not affected per Ingo Molnar
+ jmm> http://www.ussg.iu.edu/hypermail/linux/kernel/0509.1/1333.html
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
diff --git a/active/CVE-2006-0454 b/active/CVE-2006-0454
new file mode 100644
index 00000000..ecd2f597
--- /dev/null
+++ b/active/CVE-2006-0454
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-0454
+References: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fa60cf7f64a00c16e95717e8dccdb128877e342a
+Description: Fix extra dst release when ip_options_echo fails
+ When two ip_route_output_key lookups in icmp_send were combined I
+ forgot to change the error path for ip_options_echo to not drop the
+ dst reference since it now sits before the dst lookup. To fix it we
+ simply jump past the ip_rt_put call.
+Notes:
+ horms> appears to have been added by the following patch which was
+ horms> included in 2.6.12
+ horms> http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=2c7ec2528b5776bd64a7c1240879087198e57da9
+Bugs:
+upstream: pending (2.6.15.3)
+linux-2.6.16:
+linux-2.6: pending (2.6.16-5) [2.6.15.3.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2006-0558 b/active/CVE-2006-0558
new file mode 100644
index 00000000..c29ccd3a
--- /dev/null
+++ b/active/CVE-2006-0558
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-0558
+References:
+ MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero
+ URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082
+ BID:17482
+ URL:http://www.securityfocus.com/bid/17482
+Description:
+ perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users
+ to cause a denial of service (crash) by interrupting a task while another
+ process is accessing the mm_struct, which triggers a BUG_ON action in the
+ put_page_testzero function.proc
+Notes:
+ dannf> This issue is unreproducible in 2.6.16, according to:
+ dannf> http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2
+ dannf> So, I'm marking upstream as 2.6.16
+ .
+ dannf> I have a reproducer from SGI. It causes 2.6.8 to oops, but needs to
+ dannf> be ported to the 2.4 perfmon API to test 2.4.27
+Bugs: 365375
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security:
diff --git a/active/CVE-2006-0744 b/active/CVE-2006-0744
new file mode 100644
index 00000000..72348803
--- /dev/null
+++ b/active/CVE-2006-0744
@@ -0,0 +1,14 @@
+Candidate: CVE-2006-0744
+References:
+Description:
+ signal catching issue on em64t; similar to CVE-2006-0741
+Notes:
+ dannf> looks like redhat has developed a patch for their 2.4
+ .
+ dannf> no upstream 2.4 fix, and it is amd64-specific, so ignoring for
+ 2.4/sarge3
+Bugs:
+upstream:
+linux-2.6: released (2.6.16-7)
+2.6.8-sarge-security: released (2.6.8-16sarge3) [em64t-uncanonical-return-addr.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge3)
diff --git a/active/CVE-2006-1052 b/active/CVE-2006-1052
new file mode 100644
index 00000000..4388a816
--- /dev/null
+++ b/active/CVE-2006-1052
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-1052
+References:
+ http://marc.theaimsgroup.com/?l=selinux&m=114226465106131&w=2
+ http://marc.theaimsgroup.com/?l=git-commits-head&m=114210002712363&w=2
+ http://selinuxnews.org/wp/index.php/2006/03/13/security-ptrace-bug-cve-2006-1052/
+Description:
+ The selinux_ptrace logic in hooks.c in SELinux for Linux 2.6.6 allows local
+ users with ptrace permissions to change the tracer SID to an SID of another
+ process.
+Notes:
+Bugs:
+upstream: released (2.6.16)
+linux-2.6.16:
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2006-1343 b/active/CVE-2006-1343
new file mode 100644
index 00000000..36805a8c
--- /dev/null
+++ b/active/CVE-2006-1343
@@ -0,0 +1,19 @@
+Candidate: CVE-2006-1343
+References:
+ http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
+Description:
+ net/ipv4/netfilter/ip_conntrack_core.c in Linux kernel 2.4 and 2.6, and
+ possibly net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c in 2.6, does not
+ clear sockaddr_in.sin_zero before returning IPv4 socket names from the
+ getsockopt function with SO_ORIGINAL_DST, which allows local users to
+ obtain portions of potentially sensitive memory.
+Notes:
+ troyh> This isn't fixed upstream in 2.6 yet, at least not in the same way as 2.4
+ dannf> marking ignored for sarge3/2.6 due to ^^
+ jmm> It's now fixed upstream in 2.6 as well, let's include it in sarge4
+Bugs:
+upstream: released (2.4.33-pre3), released (2.6.16.19)
+linux-2.6.16:
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: ignored (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
diff --git a/active/CVE-2006-1528 b/active/CVE-2006-1528
new file mode 100644
index 00000000..3824053e
--- /dev/null
+++ b/active/CVE-2006-1528
@@ -0,0 +1,15 @@
+Candidate: CVE-2006-1528
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168791
+ http://linux.bkbits.net:8080/linux-2.6/cset@43220081yu9ClBQNuqSSnW_9amW7iQ
+ http://marc.theaimsgroup.com/?l=linux-scsi&m=112540053711489&w=2
+Description:
+ Linux kernel before 2.6.13 allows local users to cause a denial of service (crash) via
+ a dio transfer from the sg driver to memory mapped (mmap) IO space.
+Notes:
+Bugs:
+upstream: released (2.6.13)
+linux-2.6.16:
+linux-2.6: released (2.6.13-1)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
diff --git a/active/CVE-2006-1855 b/active/CVE-2006-1855
new file mode 100644
index 00000000..53f8de37
--- /dev/null
+++ b/active/CVE-2006-1855
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-1855
+References:
+ https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=127302
+ http://www.redhat.com/support/errata/RHSA-2006-0493.html
+Description:
+ choose_new_parent in Linux kernel before 2.6.11.12 includes certain
+ debugging code, which allows local users to cause a denial of service
+ (panic) by causing certain circumstances involving termination of a
+ parent process.
+Notes:
+ jmm> Vulnerable code not present in 2.4.27
+Bugs:
+upstream: released (2.6.11.12)
+linux-2.6.16:
+linux-2.6: N/A
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: N/A
diff --git a/active/CVE-2006-1856 b/active/CVE-2006-1856
new file mode 100644
index 00000000..d9228b8e
--- /dev/null
+++ b/active/CVE-2006-1856
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-1856
+References:
+ Certain modifications to the Linux kernel 2.6.16 and earlier do not
+ add the appropriate Linux Security Modules (LSM) file_permission hooks
+ to the (1) readv and (2) writev functions, which might allow attackers
+ to bypass intended access restrictions.
+Description:
+ http://lists.jammed.com/linux-security-module/2005/09/0019.html
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0604.3/0777.html
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191524
+Notes:
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
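Review bot: The `References:` and `Description:` headers in this record are swapped: the CVE prose sits under `+References:` and the three URLs sit under `+Description:`. Anything that reads these files by field will report the URLs as the description and lose the references entirely. Swap the two header lines so the text follows `Description:` and the URLs follow `References:`, matching every other record in this directory.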
diff --git a/active/CVE-2006-1862 b/active/CVE-2006-1862
new file mode 100644
index 00000000..8f4b08b9
--- /dev/null
+++ b/active/CVE-2006-1862
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-1862
+References:
+Description:
+Ubuntu-Description:
+Notes:
+ jmm> There's some indication that this is RH-specific, needs to be checked
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.10-hoary-security:
+2.6.12-breezy-security:
+2.6.15-dapper-security:
+2.6.17-edgy:
diff --git a/active/CVE-2006-2071 b/active/CVE-2006-2071
new file mode 100644
index 00000000..2e9f122d
--- /dev/null
+++ b/active/CVE-2006-2071
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-2071
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b78b6af66a5fbaf17d7e6bfc32384df5e34408c8
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=190073
+Description:
+ Linux kernel 2.4.x and 2.6.x up to 2.6.16 allows local users to bypass IPC
+ permissions and modify a readonly attachment of shared memory by using
+ mprotect to give write permission to the attachment. NOTE: some original raw
+ sources combined this issue with CVE-2006-1524, but they are different bugs.
+Notes:
+Bugs:
+upstream: released (2.6.16.6)
+linux-2.6.16: released (2.6.16-8)
+linux-2.6: released (2.6.16-8)
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: needed
diff --git a/active/CVE-2006-2275 b/active/CVE-2006-2275
new file mode 100644
index 00000000..dda103dc
--- /dev/null
+++ b/active/CVE-2006-2275
@@ -0,0 +1,18 @@
+Candidate: CVE-2006-2275
+References:
+ http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7c3ceb4fb9667f34f1599a062efecf4cdc4a4ce5
+Description:
+ Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a
+ denial of service (deadlock) via a large number of small messages
+ to a receiver application that cannot process the messages quickly
+ enough, which leads to "spillover of the receive buffer."
+Notes:
+ jmm> Seems like an ABI-breaker, the sctp_chunk struct is changed in the
+ jmm> upstream fix, this issue alone is not worth an ABI bump, a fix will
+ jmm> be postponed for now
+Bugs:
+upstream: released (2.6.16.15)
+linux-2.6.16:
+linux-2.6: released (2.6.16-13)
+2.6.8-sarge-security: ignored (2.6.8-16sarge4)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
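Review bot: The status rows say `ignored (…)` while the Notes say the fix is "postponed for now", and for a remotely triggerable deadlock those are different decisions; the reason should live on the status line so it survives a skim, e.g. `2.6.8-sarge-security: ignored (2.6.8-16sarge4; upstream fix changes sctp_chunk, ABI bump needed)`. The `linux-2.6.16:` row is also blank even though the same hunk records the fix as released upstream in 2.6.16.15, so that package still needs a triage verdict. If the ABI concern is only about the Debian stable kernels, say so, since the linux-2.6.16 package appears to have been fixed in 2.6.16-13 via linux-2.6.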
diff --git a/active/CVE-2006-2444 b/active/CVE-2006-2444
new file mode 100644
index 00000000..c3df4ba0
--- /dev/null
+++ b/active/CVE-2006-2444
@@ -0,0 +1,18 @@
+Candidate: CVE-2006-2444
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1db6b5a66e93ff125ab871d6b3f7363412cc87e8
+Description:
+ The snmp_trap_decode function in the SNMP NAT helper for Linux kernel before
+ 2.6.16.18 allows remote attackers to cause a denial of service (crash) via
+ unspecified remote attack vectors that cause failures in snmp_trap_decode
+ that trigger (1) frees of random memory or (2) frees of previously-freed
+ memory (double-free) by snmp_trap_decode as well as its calling function, as
+ demonstrated via certain test cases of the PROTOS SNMP test suite.
+Notes:
+Bugs:
+upstream: released (2.6.16.18)
+linux-2.6.16: released (2.6.16-15)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: needed
diff --git a/active/CVE-2006-2445 b/active/CVE-2006-2445
new file mode 100644
index 00000000..014959b1
--- /dev/null
+++ b/active/CVE-2006-2445
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-2445
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8f17fc20bfb75bcec4cfeda789738979c8338fdc
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=30f1e3dd8c72abda343bcf415f7d8894a02b4290
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f53ae1dc3429529a58aa538e0a860d713c7079c3
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ca531a0a5e01e5122f67cb6aca8fcbfc70e18e0b
+Description:
+ Race condition in run_posix_cpu_timers in Linux kernel before 2.6.16.21
+ allows local users to cause a denial of service (BUG_ON crash) by causing one
+ CPU to attach a timer to a process that is exiting.
+Notes:
+ jmm> Only exploitable on SMP systems
+ jmm> 2.6.8 most probably not affected, but there was a reproducer posted to vendor-sec, should be double-checked
+ jmm> Vulnerable code not present in 2.4
+Bugs:
+upstream: released (2.6.16.21)
+linux-2.6.16: released (2.6.16-15)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security:
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: needed (only 4th GIT commit, first three applied in 2.6.10-34.21)
+2.6.12-breezy-security: needed (only 4th GIT commit, first three applied in 2.6.12-10.35)
+26.15-dapper-security: needed (only 4th GIT commit, first three applied in 2.6.15-26.44)
+2.6.17-edgy: released
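Review bot: The dapper row is keyed `26.15-dapper-security:` instead of `2.6.15-dapper-security:`, so any tooling or grep that selects rows by the release name used in every other entry in this commit will silently skip this outstanding "needed" item. The line should read `2.6.15-dapper-security: needed (only 4th GIT commit, first three applied in 2.6.15-26.44)`. The blank `2.6.8-sarge-security:` row is acceptable only while the "should be double-checked" note is open; once the vendor-sec reproducer has been run against 2.6.8 the row should be set to `needed` or `N/A (reason)` rather than left empty.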
diff --git a/active/CVE-2006-2448 b/active/CVE-2006-2448
new file mode 100644
index 00000000..2a180628
--- /dev/null
+++ b/active/CVE-2006-2448
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-2448
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c85d1f9d358b24c5b05c3a2783a78423775a080
+Description:
+ Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not
+ perform certain required access_ok checks, which allows local users to read
+ arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of
+ service (crash) and possibly read kernel memory on 32-bit systems
+ (signal_32.c).
+Notes:
+Bugs:
+upstream: released (2.6.16.21)
+linux-2.6.16: released (2.6.16-15)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
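Review bot: The `2.6.8-sarge-security:` row is blank although the Description scopes the bug to kernels "before 2.6.16.21", which includes 2.6.8, and the impact is local kernel-memory disclosure on 64-bit PowerPC; that row needs a verdict (`needed` or `N/A` with a reason) rather than an empty field. The 2.4.27 row is likewise blank, and since the entry does not say whether the 2.4 PowerPC signal code has the same missing access_ok checks, a one-line note recording that check (or its absence) would stop the question being re-asked. The fixing commit is already listed under References, so the backport work can start from it.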
diff --git a/active/CVE-2006-2629 b/active/CVE-2006-2629
new file mode 100644
index 00000000..6f0626bb
--- /dev/null
+++ b/active/CVE-2006-2629
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-2629
+References:
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=114860432801543&w=2
+Description:
+ Race condition in Linux kernel 2.6.15 to 2.6.17, when running on SMP
+ platforms, allows local users to cause a denial of service (crash) by
+ creating and exiting a large number of tasks, then accessing the /proc
+ entry of a task that is exiting, which causes memory corruption that
+ leads to a failure in the prune_dcache function or a BUG_ON error in
+ include/linux/list.h.
+Notes:
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
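Review bot: Every status row is blank even though the Description gives an affected range of 2.6.15 to 2.6.17, which covers the linux-2.6.16 and linux-2.6 packages tracked here; those two rows at least need `needed`/`released` verdicts. For 2.6.8 and 2.4.27 the stated range suggests "not affected", but a blank row is indistinguishable from "not yet looked at", so record it explicitly, e.g. `2.6.8-sarge-security: N/A (affected code introduced in 2.6.15)` only if that is confirmed. The reference is also written `URL:http://…` while every other entry in this commit lists bare URLs, which is worth normalising for whatever parses these files.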
diff --git a/active/CVE-2006-2934 b/active/CVE-2006-2934
new file mode 100644
index 00000000..ce2ae783
--- /dev/null
+++ b/active/CVE-2006-2934
@@ -0,0 +1,24 @@
+Candidate: CVE-2006-2934
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dd7271feba61d5dc0fab1cb5365db9926d35ea3a
+Description:
+ SCTP conntrack (ip_conntrack_proto_sctp.c) in netfilter for Linux kernel
+ 2.6.17 before 2.6.17.3 and 2.6.16 before 2.6.16.23 allows remote attackers to
+ cause a denial of service (crash) via a packet without any chunks, which
+ causes a variable to contain an invalid value that is later used to
+ dereference a pointer.
+Ubuntu-Description:
+ A Denial of service vulnerability was reported in iptables' SCTP
+ conntrack module. On computers which use this iptables module, a
+ remote attacker could expoit this to trigger a kernel crash.
+Notes:
+Bugs:
+upstream: released (2.6.16.23, 2.6.17.3)
+linux-2.6.16: released (2.6.16-17)
+linux-2.6: released (2.6.17-3)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.10-hoary-security: needed
+2.6.12-breezy-security: needed
+2.6.15-dapper-security: 2.6.15-26.46
+2.6.17-edgy: released
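Review bot: The `2.6.15-dapper-security: 2.6.15-26.46` row carries a bare version with no status keyword, unlike every other row in this commit, which uses `released (version)`, `needed`, `pending (…)`, `ignored (…)` or `N/A`; a reader or script cannot tell whether 2.6.15-26.46 is shipped or merely targeted, so it should read `2.6.15-dapper-security: released (2.6.15-26.46)` or `pending (2.6.15-26.46)` as appropriate. The Ubuntu-Description is advisory text that will reach users and has the typo `expoit` for `exploit`. The two sarge rows are blank although the Description limits the bug to 2.6.16/2.6.17; if that range is confirmed they should be recorded as `N/A` with that reason rather than left empty.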
diff --git a/active/CVE-2006-2935 b/active/CVE-2006-2935
new file mode 100644
index 00000000..b3f64cda
--- /dev/null
+++ b/active/CVE-2006-2935
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-2935
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=454d6fbc48374be8f53b9bafaa86530cf8eb3bc1
+Description:
+ The dvd_read_bca function in the DVD handling code in drivers/cdrom/cdrom.c
+ in Linux kernel 2.2.16, and later versions, assigns the wrong value to a
+ length variable, which allows local users to execute arbitrary code via a
+ crafted USB Storage device that triggers a buffer overflow.
+Ubuntu-Description:
+ A buffer overflow has been discovered in the dvd_read_bca() function.
+ By inserting a specially crafted DVD, USB stick, or similar
+ automatically mounted removable device, a local user could crash the
+ machine or potentially even execute arbitrary code with full root
+ privileges.
+Notes:
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.10-hoary-security: needed
+2.6.12-breezy-security: needed
+2.6.15-dapper-security: 2.6.15-26.46
+2.6.17-edgy: pending
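Review bot: The `upstream:` row is blank even though References already names the torvalds commit (454d6fbc…) that fixes the overflow, so the entry reads as unfixed upstream when it is not; record the version that commit shipped in, or at least `upstream: pending (commit 454d6fbc)`. More importantly, the Description says the bug exists in "2.2.16, and later versions" and the impact is local code execution from a crafted removable device, yet both `2.6.8-sarge-security:` and `2.4.27-sarge-security:` are empty; both kernels fall inside that range and need a triage verdict. As elsewhere in this commit, `2.6.15-dapper-security: 2.6.15-26.46` lacks a status keyword and should be written as `released (2.6.15-26.46)` or `pending (2.6.15-26.46)`.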
diff --git a/active/CVE-2006-2936 b/active/CVE-2006-2936
new file mode 100644
index 00000000..24928583
--- /dev/null
+++ b/active/CVE-2006-2936
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-2936
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/gregkh/patches.git;a=blob;h=4b4d9cfea17618b80d3ac785b701faeaf60141f1;hb=396eb2aac5+50ec55856c6843ef9017e800c3d656;f=usb/usb-serial-ftdi_sio-prevent-userspace-dos.patch
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=224654004ca688af67cec44d9300e8c3f647577c
+Description:
+ The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
+ 2.6.17, and possibly later versions, allows local users to cause a denial of
+ service (memory consumption) by writing more data to the serial port than the
+ hardware can handle, which causes the data to be queued.
+Ubuntu-Description:
+ The ftdi_sio driver for serial USB ports did not limit the amount of
+ pending data to be written. A local user could exploit this to drain
+ all available kernel memory and thus render the system unusable.
+Notes:
+ jmm> 2.4 not affected due to different memory allocation
+Bugs:
+upstream: released (2.6.16.26)
+linux-2.6.16:
+linux-2.6: released (2.6.17-5)
+2.6.8-sarge-security:
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: needed
+2.6.12-breezy-security: needed
+2.6.15-dapper-security: 2.6.15-26.46
+2.6.17-edgy: released
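Review bot: The first reference URL contains `hb=396eb2aac5+50ec55856c6843ef9017e800c3d656`, a 40-character hex commit id with a stray `+` in the middle, so the link as written will not resolve and should be repaired to the unbroken hash before anyone relies on it for a backport. The `2.6.8-sarge-security:` row is blank although the Description scopes the bug to "2.6.x up to 2.6.17", and the `linux-2.6.16:` row is blank although the same hunk records the fix as released upstream in 2.6.16.26; both need verdicts. The `2.6.15-dapper-security: 2.6.15-26.46` row lacks the `released (…)`/`pending (…)` keyword used everywhere else.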
diff --git a/active/CVE-2006-3085 b/active/CVE-2006-3085
new file mode 100644
index 00000000..77b2bfc0
--- /dev/null
+++ b/active/CVE-2006-3085
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-3085
+References:
+Description:
+ xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to
+ cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.
+Notes:
+Bugs:
+upstream: released (2.6.16.21, 2.6.17.1)
+linux-2.6.16:
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.10-hoary-security: N/A
+2.6.12-breezy-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy: released
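Review bot: `References:` is empty for an entry already marked `upstream: released (2.6.16.21, 2.6.17.1)`, so nobody working the blank `2.6.8-sarge-security:` and `2.4.27-sarge-security:` rows has a commit to start from; the fixing commit id should be recorded here. The `linux-2.6.16:` row is also blank despite the upstream 2.6.16.21 fix. The three Ubuntu `N/A` rows carry no reason; if it is because the xt_sctp match module does not exist in those kernels, a one-line Notes entry saying so would keep the verdict from being re-examined.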
diff --git a/active/CVE-2006-3468 b/active/CVE-2006-3468
new file mode 100644
index 00000000..870b6dd6
--- /dev/null
+++ b/active/CVE-2006-3468
@@ -0,0 +1,29 @@
+Candidate: CVE-2006-3468
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9
+Description:
+ Linux kernel 2.6.x, when using both NFS and EXT3, allows remote
+ attackers to cause a denial of service (file system panic) via a
+ crafted UDP packet with a V2 lookup procedure that specifies a bad
+ file handle (inode number), which triggers an error and causes an
+ exported directory to be remounted read-only.
+Ubuntu-Description:
+ James McKenzie discovered a Denial of Service vulnerability in the
+ NFS driver. When exporting an ext3 file system over NFS, a remote
+ attacker could exploit this to trigger a file system panic by sending
+ a specially crafted UDP packet.
+Notes:
+ http://lkml.org/lkml/2006/7/20/1: proposed patch
+ unclear whether 2.4 is affected
+ dannf> Submitted to Adrian Bunk for inclusion in 2.6.16.x
+Bugs:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199172
+upstream: released (2.6.17.8, 2.6.18-rc4)
+linux-2.6.16: pending (2.6.16-18) [fs-ext3-bad-nfs-handle.patch]
+linux-2.6: needed
+2.6.8-sarge-security: pending (2.6.8-16sarge5) [fs-ext3-bad-nfs-handle.dpatch]
+2.4.27-sarge-security:
+2.6.10-hoary-security: needed
+2.6.12-breezy-security: needed
+26.15-dapper-security: needed
+2.6.17-edgy: needed
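Review bot: The dapper row is keyed `26.15-dapper-security: needed` instead of `2.6.15-dapper-security: needed`, so tooling or a grep keyed on the release name used by every other entry will miss an open remote-DoS item. The Red Hat bugzilla URL sits under `Bugs:`, whereas the other entries in this commit put bugzilla links under `References:` and leave `Bugs:` for Debian bug numbers; moving it keeps the field machine-usable. The "unclear whether 2.4 is affected" note matches the blank 2.4.27 row, but once that is settled the row should say `needed` or `N/A (reason)` rather than stay empty.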
diff --git a/active/CVE-2006-3634 b/active/CVE-2006-3634
new file mode 100644
index 00000000..ec45d959
--- /dev/null
+++ b/active/CVE-2006-3634
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-3634
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bafe00cc9297ca77b66e5c83e5e65e17c0c997c8
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=13492c50f69bdf60a42debc6bd3ec49cc1dc941e
+Description:
+ The (1) __futex_atomic_op and (2) futex_atomic_cmpxchg_inatomic functions in
+ Linux kernel 2.6.17-rc4 to 2.6.18-rc2 performs the atomic futex operation
+ with user space addresses instead of kernel space addresses, which allows
+ local users to cause a denial of service (crash).
+Ubuntu-Description:
+Notes:
+ dannf> s390 didn't have a futex.h until after 2.6.16
+Bugs:
+upstream: released (2.6.18-rc2)
+linux-2.6.16: N/A
+linux-2.6: released (2.6.17-1)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.10-hoary-security: N/A
+2.6.12-breezy-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy: ignored
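Review bot: `2.6.17-edgy: ignored` carries no reason, while the Description's affected range (2.6.17-rc4 to 2.6.18-rc2) includes the 2.6.17 kernel edgy ships, so on its face the row contradicts the entry. The `dannf>` note about s390 not having a futex.h until after 2.6.16 suggests the bug is s390-specific; if that is why edgy can ignore it, say so explicitly, e.g. a Notes line `s390-only; not built for Ubuntu, hence edgy ignored`, so the verdict is not reopened. The Description itself never mentions the architecture, which is worth adding if the two referenced commits confirm it.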
diff --git a/active/CVE-2006-4145 b/active/CVE-2006-4145
new file mode 100644
index 00000000..123ee88d
--- /dev/null
+++ b/active/CVE-2006-4145
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-4145
+References:
+Description:
+ Fix possible UDF deadlock and memory corruption
+Ubuntu-Description:
+Notes:
+ patch on vendor-sec, queued for upstream -stable and 2.6.18
+Bugs:
+upstream:
+linux-2.6.16:
+linux-2.6:
+2.6.8-sarge-security: needed
+2.4.27-sarge-security:
+2.6.10-hoary-security: needed
+2.6.12-breezy-security: needed
+2.6.15-dapper-security: needed
+2.6.17-edgy: needed
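Review bot: `Description:` holds the patch subject ("Fix possible UDF deadlock and memory corruption") rather than the CVE text, and `References:` is empty, so nothing in the entry lets a reader locate the patch the Notes say is on vendor-sec. Record the vendor-sec thread (date and subject) now and the -stable commit id once it lands. The `2.4.27-sarge-security:` row is blank while 2.6.8 is marked `needed`; if the same UDF code is present in 2.4 the row needs a verdict, and if not it should say `N/A` with that reason.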
diff --git a/active/block-all-signals-race b/active/block-all-signals-race
new file mode 100644
index 00000000..f3100abf
--- /dev/null
+++ b/active/block-all-signals-race
@@ -0,0 +1,16 @@
+Candidate: Needed
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=c70d3d703ad94727dab2a3664aeee33d71e00715
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9ac95f2f90e022c16d293d7978faddf7e779a1a9
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=1ff0be1534839dabec85f6d16dc36734f4e158bf
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=21b4da78c941f292f6daf87abb562d6285216e51
+Description:
+ Race in copy_signhand()/do_sigaction that lets you create small processes that
+ block all signals, including SIGKILL.
+Notes:
+Bugs:
+upstream:
+linux-2.6: pending (2.6.15.5)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.4.27:
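Review bot: The Description names `copy_signhand()`, but the kernel function involved is `copy_sighand()`, so the line should read `Race in copy_sighand()/do_sigaction that lets you create small processes that`. The `linux-2.6: pending (2.6.15.5)` row looks like it belongs in the blank `upstream:` row, since 2.6.15.5 is an upstream -stable release number and not a Debian package version. This file also lacks the `linux-2.6.16:` and Ubuntu rows present in every CVE entry in this commit and has a stray `2.4.27:` row, which any script reading these files uniformly will trip over; `Candidate: Needed` should be turned into a CVE request, since four upstream commits are already listed.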
diff --git a/active/dsa-texts/2.4.27-sarge2 b/active/dsa-texts/2.4.27-sarge2
new file mode 100644
index 00000000..260f350f
--- /dev/null
+++ b/active/dsa-texts/2.4.27-sarge2
@@ -0,0 +1,177 @@
+Subject: New Linux kernel 2.4.27 packages fix several issues
+
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security@debian.org
+http://www.debian.org/security/ Dann Frazier, Simon Horman
+XXXXX 8th, 2005 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.4.27
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE IDs : CVE-2004-0887 CVE-2004-1058 CVE-2004-2607 CVE-2005-0449 CVE-2005-1761 CVE-2005-2457 CVE-2005-2555 CVE-2005-2709 CVE-2005-2973 CVE-2005-3257 CVE-2005-3783 CVE-2005-3806 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4618
+Debian Bug :
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2004-0887
+
+ Martin Schwidefsky discovered that the privileged instruction SACF (Set
+ Address Space Control Fast) on the S/390 platform is not handled properly,
+ allowing for a local user to gain root privileges.
+
+CVE-2004-1058
+
+ A race condition allows for a local user to read the environment variables
+ of another process that is still spawning through /proc/.../cmdline.
+
+CVE-2004-2607
+
+ A numeric casting discrepancy in sdla_xfer allows local users to read
+ portions of kernel memory via a large len argument which is received as an
+ int but cast to a short, preventing read loop from filling a buffer.
+
+CVE-2005-0449
+
+ An error in the skb_checksum_help() function from the netfilter framework
+ has been discovered that allows the bypass of packet filter rules or
+ a denial of service attack.
+
+CVE-2005-1761
+
+ A vulnerability in the ptrace subsystem of the IA-64 architecture can
+ allow local attackers to overwrite kernel memory and crash the kernel.
+
+CVE-2005-2457
+
+ Tim Yamin discovered that insufficient input validation in the compressed
+ ISO file system (zisofs) allows a denial of service attack through
+ maliciously crafted ISO images.
+
+CVE-2005-2555
+
+ Herbert Xu discovered that the setsockopt() function was not restricted to
+ users/processes with the CAP_NET_ADMIN capability. This allows attackers to
+ manipulate IPSEC policies or initiate a denial of service attack.
+
+CVE-2005-2709
+
+ Al Viro discovered a race condition in the /proc handling of network devices.
+ A (local) attacker could exploit the stale reference after interface shutdown
+ to cause a denial of service or possibly execute code in kernel mode.
+
+CVE-2005-2973
+
+ Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code
+ can be forced into an endless loop, which allows a denial of service attack.
+
+CVE-2005-3257
+
+ Rudolf Polzer discovered that the kernel improperly restricts access to the
+ KDSKBSENT ioctl, which can possibly lead to privilege escalation.
+
+CVE-2005-3783
+
+ The ptrace code using CLONE_THREAD didn't use the thread group ID to
+ determine whether the caller is attaching to itself, which allows a denial
+ of service attack.
+
+CVE-2005-3806
+
+ Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable,
+ which could lead to memory corruption and denial of service.
+
+CVE-2005-3848
+
+ Ollie Wild discovered a memory leak in the icmp_push_reply() function, which
+ allows denial of service through memory consumption.
+
+CVE-2005-3857
+
+ Chris Wright discovered that excessive allocation of broken file lock leases
+ in the VFS layer can exhaust memory and fill up the system logging, which allows
+ denial of service.
+
+CVE-2005-3858
+
+ Patrick McHardy discovered a memory leak in the ip6_input_finish() function from
+ the IPv6 code, which allows denial of service.
+
+CVE-2005-4618
+
+ Yi Ying discovered that sysctl does not properly enforce the size of a
+ buffer, which allows a denial of service attack.
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.4.27-10sarge2
+ Alpha architecture 2.4.27-10sarge2
+ ARM architecture 2.4.27-2sarge2
+ Intel IA-32 architecture 2.4.27-10sarge2
+ Intel IA-64 architecture 2.4.27-10sarge2
+ Motorola 680x0 architecture 2.4.27-3sarge2
+ Big endian MIPS architecture 2.4.27-10.sarge1.040815-2
+ Little endian MIPS architecture 2.4.27-10.sarge1.040815-2
+ PowerPC architecture 2.4.27-10sarge2
+ IBM S/390 architecture 2.4.27-2sarge2
+ Sun Sparc architecture 2.4.27-9sarge2
+
+The following matrix lists additional packages that were rebuilt for
+compatability with or to take advantage of this update:
+
+ Debian 3.1 (sarge)
+ kernel-latest-2.4-alpha 101sarge1
+ kernel-latest-2.4-i386 101sarge1
+ kernel-latest-2.4-s390 2.4.27-1sarge1
+ kernel-latest-2.4-sparc 42sarge1
+ kernel-latest-powerpc 102sarge1
+ fai-kernels 1.9.1sarge1
+ i2c 1:2.9.1-1sarge1
+ kernel-image-speakup-i386 2.4.27-1.1sasrge1
+ lm-sensors 1:2.9.1-1sarge3
+ mindi-kernel 2.4.27-2sarge1
+ pcmcia-modules-2.4.27-i386 3.2.5+2sarge1
+ systemimager 3.2.3-6sarge1
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
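Review bot: The rebuilt-package matrix lists `kernel-image-speakup-i386 2.4.27-1.1sasrge1`, a typo for `2.4.27-1.1sarge1`, which means a user checking installed versions against the advisory will not find a match; the same matrix also spells `compatability` for `compatibility`. The Big/Little endian MIPS rows give `2.4.27-10.sarge1.040815-2` in an advisory whose source version is `2.4.27-10sarge2`, so confirm those are the versions actually built for this update before publication. The header date is still the template placeholder `XXXXX 8th, 2005`, and `Debian Bug :` is empty although the text is otherwise complete.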
diff --git a/active/dsa-texts/2.4.27-sarge3 b/active/dsa-texts/2.4.27-sarge3
new file mode 100644
index 00000000..4be83011
--- /dev/null
+++ b/active/dsa-texts/2.4.27-sarge3
@@ -0,0 +1,200 @@
+Subject: New Linux kernel 2.4.27 packages fix several issues
+
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security@debian.org
+http://www.debian.org/security/ Dann Frazier, Troy Heber
+XXXXX 8th, 2005 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.4.27
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2006-0038 CVE-2006-0039 CVE-2006-0741 CVE-2006-0742
+ CVE-2006-1056 CVE-2006-1242 CVE-2006-1343 CVE-2006-1368
+ CVE-2006-1524 CVE-2006-1525 CVE-2006-1857 CVE-2006-1858
+ CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274
+Debian Bug :
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2006-0038
+
+ "Solar Designer" discovered that arithmetic computations in netfilter's
+ do_replace() function can lead to a buffer overflow and the execution of
+ arbitrary code. However, the operation requires CAP_NET_ADMIN privileges,
+ which is only an issue in virtualization systems or fine grained access
+ control systems.
+
+CVE-2006-0039
+
+ "Solar Designer" discovered a race condition in netfilter's
+ do_add_counters() function, which allows information disclosure of
+ kernel memory by exploiting a race condition. Like CVE-2006-0038,
+ it requires CAP_NET_ADMIN privileges.
+
+CVE-2006-0741
+
+ Intel EM64T systems were discovered to be susceptible to a local
+ DoS due to an endless recursive fault related to a bad ELF entry
+ address.
+
+CVE-2006-0742
+
+ Alan and Gareth discovered that the ia64 platform had an
+ incorrectly declared die_if_kernel() function as "does never
+ return" which could be exploited by a local attacker resulting in
+ a kernel crash.
+
+CVE-2006-1056
+
+ AMD64 machines (and other 7th and 8th generation AuthenticAMD
+ processors) were found to be vulnerable to sensitive information
+ leakage, due to how they handle saving and restoring the FOP, FIP,
+ and FDP x87 registers in FXSAVE/FXRSTOR when an exception is
+ pending. This allows a process to determine portions of the state
+ of floating point instructions of other processes.
+
+CVE-2006-1242
+
+ Marco Ivaldi discovered that there was an unintended information
+ disclosure allowing remote attackers to bypass protections against
+ Idle Scans (nmap -sI) by abusing the ID field of IP packets and
+ bypassing the zero IP ID in DF packet countermeasure. This was a
+ result of the ip_push_pending_frames function improperly
+ incremented the IP ID field when sending a RST after receiving
+ unsolicited TCP SYN-ACK packets.
+
+CVE-2006-1343
+
+ Pavel Kankovsky reported the existance of a potential information leak
+ resulting from the failure to initialize sin.sin_zero in the IPv4 socket
+ code.
+
+CVE-2006-1368
+
+ Shaun Tancheff discovered a buffer overflow (boundry condition
+ error) in the USB Gadget RNDIS implementation allowing remote
+ attackers to cause a DoS. While creating a reply message, the
+ driver allocated memory for the reply data, but not for the reply
+ structure. The kernel fails to properly bounds-check user-supplied
+ data before copying it to an insufficiently sized memory
+ buffer. Attackers could crash the system, or possibly execute
+ arbitrary machine code.
+
+CVE-2006-1524
+
+ Hugh Dickins discovered an issue in the madvise_remove function wherein
+ file and mmap restrictions are not followed, allowing local users to
+ bypass IPC permissions and replace portions of readonly tmpfs files with
+ zeroes.
+
+CVE-2006-1525
+
+ Alexandra Kossovsky reported a NULL pointer dereference condition in
+ ip_route_input() that can be triggered by a local user by requesting
+ a route for a multicast IP address, resulting in a denial of service
+ (panic).
+
+CVE-2006-1857
+
+ Vlad Yasevich reported a data validation issue in the SCTP subsystem
+ that may allow a remote user to overflow a buffer using a badly formatted
+ HB-ACK chunk, resulting in a denial of service.
+
+CVE-2006-1858
+
+ Vlad Yasevich reported a bug in the bounds checking code in the SCTP
+ subsystem that may allow a remote attacker to trigger a denial of service
+ attack when rounded parameter lengths are used to calculate parameter
+ lengths instead of the actual values.
+
+CVE-2006-1864
+
+ Mark Mosely discovered that chroots residing on an SMB share can be
+ escaped with specially crafted "cd" sequences.
+
+CVE-2006-2271
+
+ The "Mu security team" discovered that carefully crafted ECNE chunks can
+ cause a kernel crash by accessing incorrect state stable entries in the
+ SCTP networking subsystem, which allows denial of service.
+
+CVE-2006-2272
+
+ The "Mu security team" discovered that fragmented SCTP control
+ chunks can trigger kernel panics, which allows for denial of
+ service attacks.
+
+CVE-2006-2274
+
+ It was discovered that SCTP packets with two initial bundled data
+ packets can lead to infinite recursion, which allows for denial of
+ service attacks.
+
+
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.4.27-10sarge3
+ Alpha architecture 2.4.27-10sarge3
+ ARM architecture 2.4.27-2sarge3
+ Intel IA-32 architecture 2.4.27-10sarge3
+ Intel IA-64 architecture 2.4.27-10sarge3
+ Motorola 680x0 architecture 2.4.27-3sarge3
+ Big endian MIPS 2.4.27-10.sarge3.040815-1
+ Little endian MIPS 2.4.27-10.sarge3.040815-1
+ PowerPC architecture 2.4.27-10sarge3
+ IBM S/390 architecture 2.4.27-2sarge3
+ Sun Sparc architecture 2.4.27-9sarge3
+
+The following matrix lists additional packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 3.1 (sarge)
+ fai-kernels 1.9.1sarge2
+ kernel-image-2.4.27-speakup 2.4.27-1.1sarge2
+ mindi-kernel 2.4.27-2sarge2
+ systemimager 3.2.3-6sarge2
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
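Review bot: The header still reads `XXXXX 8th, 2005`, a placeholder that is also a year off, since every CVE in this advisory is from 2006; fill the date before publication so the advisory cannot be misread as predating the issues it fixes. The `Debian Bug :` field is empty. The user-facing text has `existance` for `existence` in CVE-2006-1343 and `boundry` for `boundary` in CVE-2006-1368, and the CVE-2006-1242 paragraph should read `This was a result of the ip_push_pending_frames function improperly incrementing the IP ID field`.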
diff --git a/active/dsa-texts/2.6.8-sarge2 b/active/dsa-texts/2.6.8-sarge2
new file mode 100644
index 00000000..353c3eee
--- /dev/null
+++ b/active/dsa-texts/2.6.8-sarge2
@@ -0,0 +1,251 @@
+Subject: New Linux kernel 2.6.8 packages fix several issues
+
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security@debian.org
+http://www.debian.org/security/ Dann Frazier, Simon Horman
+XXXXX 8th, 2005 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.6.8
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2004-1017 CVE-2005-0124 CVE-2005-0449 CVE-2005-2457 CVE-2005-2490 CVE-2005-2555 CVE-2005-2709 CVE-2005-2800 CVE-2005-2973 CVE-2005-3044 CVE-2005-3053 CVE-2005-3055 CVE-2005-3180 CVE-2005-3181 CVE-2005-3257 CVE-2005-3356 CVE-2005-3358 CVE-2005-3783 CVE-2005-3784 CVE-2005-3806 CVE-2005-3847 CVE-2005-3848 CVE-2005-3857 CVE-2005-3858 CVE-2005-4605 CVE-2005-4618 CVE-2006-0095 CVE-2006-0096 CVE-2006-0482 CVE-2006-1066
+Debian Bug : 295949 334113 330287 332587 332596 330343 330353 327416
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2004-1017
+
+ Multiple overflows exist in the io_edgeport driver which might be usable
+ as a denial of service attack vector.
+
+CVE-2005-0124
+
+ Bryan Fulton reported a bounds checking bug in the coda_pioctl function
+ which may allow local users to execute arbitrary code or trigger a denial
+ of service attack.
+
+CVE-2005-0449
+
+ An error in the skb_checksum_help() function from the netfilter framework
+ has been discovered that allows the bypass of packet filter rules or
+ a denial of service attack.
+
+CVE-2005-2457
+
+ Tim Yamin discovered that insufficient input validation in the zisofs driver
+ for compressed ISO file systems allows a denial of service attack through
+ maliciously crafted ISO images.
+
+CVE-2005-2490
+
+ A buffer overflow in the sendmsg() function allows local users to execute
+ arbitrary code.
+
+CVE-2005-2555
+
+ Herbert Xu discovered that the setsockopt() function was not restricted to
+ users/processes with the CAP_NET_ADMIN capability. This allows attackers to
+ manipulate IPSEC policies or initiate a denial of service attack.
+
+CVE-2005-2709
+
+ Al Viro discovered a race condition in the /proc handling of network devices.
+ A (local) attacker could exploit the stale reference after interface shutdown
+ to cause a denial of service or possibly execute code in kernel mode.
+
+CVE-2005-2800
+
+ Jan Blunck discovered that repeated failed reads of /proc/scsi/sg/devices
+ leak memory, which allows a denial of service attack.
+
+CVE-2005-2973
+
+ Tetsuo Handa discovered that the udp_v6_get_port() function from the IPv6 code
+ can be forced into an endless loop, which allows a denial of service attack.
+
+CVE-2005-3044
+
+ Vasiliy Averin discovered that the reference counters from sockfd_put() and
+ fput() can be forced into overlapping, which allows a denial of service attack
+ through a null pointer dereference.
+
+CVE-2005-3053
+
+ Eric Dumazet discovered that the set_mempolicy() system call accepts a negative
+ value for it's first argument, which triggers a BUG() assert. This allows a
+ denial of service attack.
+
+CVE-2005-3055
+
+ Harald Welte discovered that if a process issues a USB Request Block (URB)
+ to a device and terminates before the URB completes, a stale pointer
+ would be dereferenced. This could be used to trigger a denial of service
+ attack.
+
+CVE-2005-3180
+
+ Pavel Roskin discovered that the driver for Orinoco wireless cards clears
+ it's buffers insufficiently. This could leak sensitive information into
+ user space.
+
+CVE-2005-3181
+
+ Robert Derr discovered that the audit subsystem uses an incorrect function to
+ free memory, which allows a denial of service attack.
+
+CVE-2005-3257
+
+ Rudolf Polzer discovered that the kernel improperly restricts access to the
+ KDSKBSENT ioctl, which can possibly lead to privilege escalation.
+
+CVE-2005-3356
+
+ Doug Chapman discovered that the mq_open syscall can be tricked into
+ decrementing an internal counter twice, which allows a denial of service attack
+ through a kernel panic.
+
+CVE-2005-3358
+
+ Doug Chapman discovered that passing a 0 zero bitmask to the set_mempolicy()
+ system call leads to a kernel panic, which allows a denial of service attack.
+
+CVE-2005-3783
+
+ The ptrace code using CLONE_THREAD didn't use the thread group ID to
+ determine whether the caller is attaching to itself, which allows a denial
+ of service attack.
+
+CVE-2005-3784
+
+ The auto-reaping of childe processes functionality included ptraced-attached
+ processes, which allows denial of service through dangling references.
+
+CVE-2005-3806
+
+ Yen Zheng discovered that the IPv6 flow label code modified an incorrect variable,
+ which could lead to memory corruption and denial of service.
+
+CVE-2005-3847
+
+ It was discovered that a threaded real-time process, which is currently dumping
+ core can be forced into a dead-lock situation by sending it a SIGKILL signal,
+ which allows a denial of service attack.
+
+CVE-2005-3848
+
+ Ollie Wild discovered a memory leak in the icmp_push_reply() function, which
+ allows denial of service through memory consumption.
+
+CVE-2005-3857
+
+ Chris Wright discovered that excessive allocation of broken file lock leases
+ in the VFS layer can exhaust memory and fill up the system logging, which allows
+ denial of service.
+
+CVE-2005-3858
+
+ Patrick McHardy discovered a memory leak in the ip6_input_finish() function from
+ the IPv6 code, which allows denial of service.
+
+CVE-2005-4605
+
+ Karl Janmar discovered that a signedness error in the procfs code can be exploited
+ to read kernel memory, which may disclose sensitive information.
+
+CVE-2005-4618
+
+ Yi Ying discovered that sysctl does not properly enforce the size of a buffer, which
+ allows a denial of service attack.
+
+CVE-2006-0095
+
+ Stefan Rompf discovered that dm_crypt does not clear an internal struct before freeing
+ it, which might disclose sensitive information.
+
+CVE-2006-0096
+
+ It was discovered that the SDLA driver's capability checks were too lax
+ for firmware upgrades.
+
+CVE-2006-0482
+
+ Ludovic Courtes discovered that get_compat_timespec() performs insufficient input
+ sanitizing, which allows a local denial of service attack.
+
+CVE-2006-1066
+
+ It was discovered that ptrace() on the ia64 architecture allows a local denial of
+ service attack, when preemption is enabled.
+
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.6.8-16sarge2
+ Alpha architecture 2.6.8-16sarge2
+ AMD64 architecture 2.6.8-16sarge2
+ HP Precision architecture 2.6.8-6sarge2
+ Intel IA-32 architecture 2.6.8-16sarge2
+ Intel IA-64 architecture 2.6.8-14sarge2
+ Motorola 680x0 architecture 2.6.8-4sarge2
+ PowerPC architecture 2.6.8-12sarge2
+ IBM S/390 architecture 2.6.8-5sarge2
+ Sun Sparc architecture 2.6.8-15sarge2
+
+The following matrix lists additional packages that were rebuilt for
+compatability with or to take advantage of this update:
+
+ Debian 3.1 (sarge)
+ kernel-latest-2.6-alpha 101sarge1
+ kernel-latest-2.6-amd64 103sarge1
+ kernel-latest-2.6-hppa 2.6.8-1sarge1
+ kernel-latest-2.6-sparc 101sarge1
+ kernel-latest-2.6-i386 101sarge1
+ kernel-latest-powerpc 102sarge1
+ fai-kernels 1.9.1sarge1
+ hostap-modules-i386 0.3.7-1sarge1
+ mol-modules-2.6.8 0.9.70+2.6.8+12sarge1
+ ndiswrapper-modules-i386 1.1-2sarge1
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
diff --git a/active/dsa-texts/2.6.8-sarge3 b/active/dsa-texts/2.6.8-sarge3
new file mode 100644
index 00000000..2803df24
--- /dev/null
+++ b/active/dsa-texts/2.6.8-sarge3
@@ -0,0 +1,246 @@
+Subject: New Linux kernel 2.6.8 packages fix several issues
+
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security@debian.org
+http://www.debian.org/security/ Dann Frazier, Troy Heber
+XXXXX 8th, 2005 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.6.8
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2005-3359 CVE-2006-0038 CVE-2006-0039 CVE-2006-0456
+ CVE-2006-0554 CVE-2006-0555 CVE-2006-0557 CVE-2006-0558
+ CVE-2006-0741 CVE-2006-0742 CVE-2006-0744 CVE-2006-1056
+ CVE-2006-1242 CVE-2006-1368 CVE-2006-1523 CVE-2006-1524
+ CVE-2006-1525 CVE-2006-1857 CVE-2006-1858 CVE-2006-1863
+ CVE-2006-1864 CVE-2006-2271 CVE-2006-2272 CVE-2006-2274
+Debian Bug :
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2005-3359
+
+ Franz Filz discovered that some socket calls permit causing inconsistent
+ reference counts on loadable modules, which allows local users to cause
+ a denial of service.
+
+CVE-2006-0038
+
+ "Solar Designer" discovered that arithmetic computations in netfilter's
+ do_replace() function can lead to a buffer overflow and the execution of
+ arbitrary code. However, the operation requires CAP_NET_ADMIN privileges,
+ which is only an issue in virtualization systems or fine grained access
+ control systems.
+
+CVE-2006-0039
+
+ "Solar Designer" discovered a race condition in netfilter's
+ do_add_counters() function, which allows information disclosure of kernel
+ memory by exploiting a race condition. Likewise, it requires CAP_NET_ADMIN
+ privileges.
+
+CVE-2006-0456
+
+ David Howells discovered that the s390 assembly version of the
+ strnlen_user() function incorrectly returns some string size values.
+
+CVE-2006-0554
+
+ It was discovered that the ftruncate() function of XFS can expose
+ unallocated, which allows information disclosure of previously deleted
+ files.
+
+CVE-2006-0555
+
+ It was discovered that some NFS file operations on handles mounted with
+ O_DIRECT can force the kernel into a crash.
+
+CVE-2006-0557
+
+ It was discovered that the code to configure memory policies allows
+ tricking the kernel into a crash, thus allowing denial of service.
+
+CVE-2006-0558
+
+ It was discovered by Cliff Wickman that perfmon for the IA64
+ architecture allows users to trigger a BUG() assert, which allows
+ denial of service.
+
+CVE-2006-0741
+
+ Intel EM64T systems were discovered to be susceptible to a local
+ DoS due to an endless recursive fault related to a bad elf entry
+ address.
+
+CVE-2006-0742
+
+ Alan and Gareth discovered that the ia64 platform had an
+ incorrectly declared die_if_kernel() function as "does never
+ return" which could be exploited by a local attacker resulting in
+ a kernel crash.
+
+CVE-2006-0744
+
+ The Linux kernel did not properly handle uncanonical return
+ addresses on Intel EM64T CPUs, reporting exceptions in the SYSRET
+ instead of the next instruction, causing the kernel exception
+ handler to run on the user stack with the wrong GS. This may result
+ in a DoS due to a local user changing the frames.
+
+CVE-2006-1056
+
+ AMD64 machines (and other 7th and 8th generation AuthenticAMD
+ processors) were found to be vulnerable to sensitive information
+ leakage, due to how they handle saving and restoring the FOP, FIP,
+ and FDP x87 registers in FXSAVE/FXRSTOR when an exception is
+ pending. This allows a process to determine portions of the state
+ of floating point instructions of other processes.
+
+CVE-2006-1242
+
+ Marco Ivaldi discovered that there was an unintended information
+ disclosure allowing remote attackers to bypass protections against
+ Idle Scans (nmap -sI) by abusing the ID field of IP packets and
+ bypassing the zero IP ID in DF packet countermeasure. This was a
+ result of the ip_push_pending_frames function improperly
+ incremented the IP ID field when sending a RST after receiving
+ unsolicited TCP SYN-ACK packets.
+
+CVE-2006-1368
+
+ Shaun Tancheff discovered a buffer overflow (boundry condition
+ error) in the USB Gadget RNDIS implementation allowing remote
+ attackers to cause a DoS. While creating a reply message, the
+ driver allocated memory for the reply data, but not for the reply
+ structure. The kernel fails to properly bounds-check user-supplied
+ data before copying it to an insufficiently sized memory
+ buffer. Attackers could crash the system, or possibly execute
+ arbitrary machine code.
+
+CVE-2006-1523
+
+ Oleg Nesterov reported an unsafe BUG_ON call in signal.c which was
+ introduced by RCU signal handling. The BUG_ON code is protected by
+ siglock while the code in switch_exit_pids() uses tasklist_lock. It
+ may be possible for local users to exploit this to initiate a denial
+ of service attack (DoS).
+
+CVE-2006-1524
+
+ Hugh Dickins discovered an issue in the madvise_remove function wherein
+ file and mmap restrictions are not followed, allowing local users to
+ bypass IPC permissions and replace portions of readonly tmpfs files with
+ zeroes.
+
+CVE-2006-1525
+
+ Alexandra Kossovsky reported a NULL pointer dereference condition in
+ ip_route_input() that can be triggered by a local user by requesting
+ a route for a multicast IP address, resulting in a denial of service
+ (panic).
+
+CVE-2006-1857
+
+ Vlad Yasevich reported a data validation issue in the SCTP subsystem
+ that may allow a remote user to overflow a buffer using a badly formatted
+ HB-ACK chunk, resulting in a denial of service.
+
+CVE-2006-1858
+
+ Vlad Yasevich reported a bug in the bounds checking code in the SCTP
+ subsystem that may allow a remote attacker to trigger a denial of service
+ attack when rounded parameter lengths are used to calculate parameter
+ lengths instead of the actual values.
+
+CVE-2006-1863
+
+ Mark Mosely discovered that chroots residing on an CIFS share can be
+ escaped with specially crafted "cd" sequences.
+
+CVE-2006-1864
+
+ Mark Mosely discovered that chroots residing on an SMB share can be
+ escaped with specially crafted "cd" sequences.
+
+CVE-2006-2271
+
+ The "Mu security team" discovered that carefully crafted ECNE chunks can
+ cause a kernel crash by accessing incorrect state stable entries in the
+ SCTP networking subsystem, which allows denial of service.
+
+CVE-2006-2272
+
+ The "Mu security team" discovered that fragmented SCTP control
+ chunks can trigger kernel panics, which allows for denial of
+ service attacks.
+
+CVE-2006-2274
+
+ It was discovered that SCTP packets with two initial bundled data
+ packets can lead to infinite recursion, which allows for denial of
+ service attacks.
+
+
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.6.8-16sarge3
+ Alpha architecture 2.6.8-16sarge3
+ AMD64 architecture 2.6.8-16sarge3
+ HP Precision architecture 2.6.8-6sarge3
+ Intel IA-32 architecture 2.6.8-16sarge3
+ Intel IA-64 architecture 2.6.8-14sarge3
+ Motorola 680x0 architecture 2.6.8-4sarge3
+ PowerPC architecture 2.6.8-12sarge3
+ IBM S/390 architecture 2.6.8-5sarge3
+ Sun Sparc architecture 2.6.8-15sarge3
+
+The following matrix lists additional packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 3.1 (sarge)
+ fai-kernels 1.9.1sarge2
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
diff --git a/active/dsa-texts/2.6.8-sarge5 b/active/dsa-texts/2.6.8-sarge5
new file mode 100644
index 00000000..fe7b04be
--- /dev/null
+++ b/active/dsa-texts/2.6.8-sarge5
@@ -0,0 +1,79 @@
+--------------------------------------------------------------------------
+Debian Security Advisory DSA XXX-1 security@debian.org
+http://www.debian.org/security/ Dann Frazier, Troy Heber
+XXXXX 8th, 2006 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.6.8
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE ID : CVE-2006-3468
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+CVE-2006-3468
+
+ James McKenzie discovered a vulnerability in the NFS subsystem, allowing
+ remote denial of service if an ext3 filesystem is exported.
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.1 (sarge)
+ Source 2.6.8-16sarge5
+ Alpha architecture 2.6.8-16sarge5
+ AMD64 architecture 2.6.8-16sarge5
+ HP Precision architecture 2.6.8-6sarge5
+ Intel IA-32 architecture 2.6.8-16sarge5
+ Intel IA-64 architecture 2.6.8-14sarge5
+ Motorola 680x0 architecture 2.6.8-4sarge5
+ PowerPC architecture 2.6.8-12sarge5
+ IBM S/390 architecture 2.6.8-5sarge5
+ Sun Sparc architecture 2.6.8-15sarge5
+
+The following matrix lists additional packages that were rebuilt for
+compatibility with or to take advantage of this update:
+
+ Debian 3.1 (sarge)
+ fai-kernels 1.9.1sarge4
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine. If you have built a custom kernel from the kernel source
+package, you will need to rebuild to take advantage of these fixes.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.1 alias sarge
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
diff --git a/active/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18 b/active/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18
new file mode 100644
index 00000000..a180b08f
--- /dev/null
+++ b/active/dsa-texts/dsa-XXXX-1.kernel-source-2.4.18
@@ -0,0 +1,212 @@
+--------------------------------------------------------------------------
+Debian Security Advisory DSA 10XX-1 security@debian.org
+http://www.debian.org/security/ Martin Schulze, Dann Frazier
+May 20th, 2006 http://www.debian.org/security/faq
+--------------------------------------------------------------------------
+
+Package : kernel-source-2.4.18,kernel-image-2.4.18-1-alpha,kernel-image-2.4.18-1-i386,kernel-image-2.4.18-hppa,kernel-image-2.4.18-powerpc-xfs,kernel-patch-2.4.18-powerpc,kernel-patch-benh
+Vulnerability : several
+Problem-Type : local/remote
+Debian-specific: no
+CVE IDs : CVE-2004-0427 CVE-2005-0489 CVE-2004-0394 CVE-2004-0447 CVE-2004-0554 CVE-2004-0565 CVE-2004-0685 CVE-2005-0001 CVE-2004-0883 CVE-2004-0949 CVE-2004-1016 CVE-2004-1333 CVE-2004-0997 CVE-2004-1335 CVE-2004-1017 CVE-2005-0124 CVE-2005-0528 CVE-2003-0984 CVE-2004-1070 CVE-2004-1071 CVE-2004-1072 CVE-2004-1073 CVE-2004-1074 CVE-2004-0138 CVE-2004-1068 CVE-2004-1234 CVE-2005-0003 CVE-2004-1235 CVE-2005-0504 CVE-2005-0384 CVE-2005-0135
+
+Several local and remote vulnerabilities have been discovered in the Linux
+kernel that may lead to a denial of service or the execution of arbitrary
+code. The Common Vulnerabilities and Exposures project identifies the
+following problems:
+
+
+ CVE-2004-0427
+
+ A local denial of service vulnerability in do_fork() has been found.
+
+ CVE-2005-0489
+
+ A local denial of service vulnerability in proc memory handling has
+ been found.
+
+ CVE-2004-0394
+
+ A buffer overflow in the panic handling code has been found.
+
+ CVE-2004-0447
+
+ A local denial of service vulnerability through a null pointer
+ dereference in the IA64 process handling code has been found.
+
+ CVE-2004-0554
+
+ A local denial of service vulnerability through an infinite loop in
+ the signal handler code has been found.
+
+ CVE-2004-0565
+
+ An information leak in the context switch code has been found on
+ the IA64 architecture.
+
+ CVE-2004-0685
+
+ Unsafe use of copy_to_user in USB drivers may disclose sensitive
+ information.
+
+ CVE-2005-0001
+
+ A race condition in the i386 page fault handler may allow privilege
+ escalation.
+
+ CVE-2004-0883
+
+ Multiple vulnerabilities in the SMB filesystem code may allow denial
+ of service of information disclosure.
+
+ CVE-2004-0949
+
+ An information leak discovered in the SMB filesystem code.
+
+ CVE-2004-1016
+
+ A local denial of service vulnerability has been found in the SCM layer.
+
+ CVE-2004-1333
+
+ An integer overflow in the terminal code may allow a local denial of
+ service vulnerability.
+
+ CVE-2004-0997
+
+ A local privilege escalation in the MIPS assembly code has been found.
+
+ CVE-2004-1335
+
+ A memory leak in the ip_options_get() function may lead to denial of
+ service.
+
+ CVE-2004-1017
+
+ Multiple overflows exist in the io_edgeport driver which might be usable
+ as a denial of service attack vector.
+
+ CVE-2005-0124
+
+ Bryan Fulton reported a bounds checking bug in the coda_pioctl function
+ which may allow local users to execute arbitrary code or trigger a denial
+ of service attack.
+
+ CVE-2005-0528
+
+ A local privilege escalation in the mremap function has been found
+
+ CVE-2003-0984
+
+ Inproper initialization of the RTC may disclose information.
+
+ CVE-2004-1070
+
+ Insufficient input sanitising in the load_elf_binary() function may
+ lead to privilege escalation.
+
+ CVE-2004-1071
+
+ Incorrect error handling in the binfmt_elf loader may lead to privilege
+ escalation.
+
+ CVE-2004-1072
+
+ A buffer overflow in the binfmt_elf loader may lead to privilege
+ escalation or denial of service.
+
+ CVE-2004-1073
+
+ The open_exec function may disclose information.
+
+ CVE-2004-1074
+
+ The binfmt code is vulnerable to denial of service through malformed
+ a.out binaries.
+
+ CVE-2004-0138
+
+ A denial of service vulnerability in the ELF loader has been found.
+
+ CVE-2004-1068
+
+ A programming error in the unix_dgram_recvmsg() function may lead to
+ privilege escalation.
+
+ CVE-2004-1234
+
+ The ELF loader is vulnerable to denial of service through malformed
+ binaries.
+
+ CVE-2005-0003
+
+ Crafted ELF binaries may lead to privilege escalation, due to
+ insufficient checking of overlapping memory regions.
+
+ CVE-2004-1235
+
+ A race condition in the load_elf_library() and binfmt_aout() functions
+ may allow privilege escalation.
+
+ CVE-2005-0504
+
+ An integer overflow in the Moxa driver may lead to privilege escalation.
+
+ CVE-2005-0384
+
+ A remote denial of service vulnerability has been found in the PPP
+ driver.
+
+ CVE-2005-0135
+
+ An IA64 specific local denial of service vulnerability has been found
+ in the unw_unwind_to_user() function.
+
+The following matrix explains which kernel version for which architecture
+fix the problems mentioned above:
+
+ Debian 3.0 (woody)
+ Source 2.4.18-14.4
+ Alpha architecture 2.4.18-15woody1
+ Intel IA-32 architecture 2.4.18-13.2
+ HP Precision architecture 62.4
+ PowerPC architecture 2.4.18-1woody6
+ PowerPC architecture/XFS 20020329woody1
+ PowerPC architecture/benh 20020304woody1
+ Sun Sparc architecture
+
+We recommend that you upgrade your kernel package immediately and reboot
+the machine.
+
+Upgrade Instructions
+--------------------
+
+wget url
+ will fetch the file for you
+dpkg -i file.deb
+ will install the referenced file.
+
+If you are using the apt-get package manager, use the line for
+sources.list as given below:
+
+apt-get update
+ will update the internal database
+apt-get dist-upgrade
+ will install corrected packages
+
+You may use an automated update by adding the resources from the
+footer to the proper configuration.
+
+
+Debian GNU/Linux 3.0 alias woody
+--------------------------------
+
+
+ These files will probably be moved into the stable distribution on
+ its next update.
+
+---------------------------------------------------------------------------------
+For apt-get: deb http://security.debian.org/ stable/updates main
+For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
+Mailing list: debian-security-announce@lists.debian.org
+Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
diff --git a/active/non-security/180_fs-isofs-ignored-parameters b/active/non-security/180_fs-isofs-ignored-parameters
new file mode 100644
index 00000000..0056530b
--- /dev/null
+++ b/active/non-security/180_fs-isofs-ignored-parameters
@@ -0,0 +1,24 @@
+isofs ignores any mount parameters after iocharset, map or session.
+http://lists.debian.org/debian-kernel/2005/08/msg00581.html
+
+Comment from Horms:
+Basically works like this.
+
+When a mount request is received by the kernel for isofs it processes
+the mount options in turn. If it encounters the iocharset, map
+or session option, then all subsequent options are ignored.
+(Ok, that was just a rewording of the text above :)
+
+So if a user can some how inject some mount options (say iocharset),
+before the ones specified by root in the fstab, then they might
+be able to do some nasties, like say mounting things with
+more generous permisions than was intended.
+
+But, a user runs mount, even if the mount is permitted in fstab,
+mount won't accept any options from the user. Well, at least in my
+testing.
+
+# mount /mnt/tmp/
+# umount /mnt/tmp/
+# mount -o uid=7100 /mnt/tmp/
+mount: only root can do that \ No newline at end of file
diff --git a/active/non-security/sk_run_filter-sk_check_filter b/active/non-security/sk_run_filter-sk_check_filter
new file mode 100644
index 00000000..b05628e9
--- /dev/null
+++ b/active/non-security/sk_run_filter-sk_check_filter
@@ -0,0 +1,49 @@
+I took a look over this, the patch that went into 2.6.15-rc3 is below.
+As Dave's comment suggets, this really only moves the check from
+sk_run_filter() to sk_chk_filter(). I tried to see how it might
+be exploitable, but given the restriction of the check that
+was added to sk_chk_filter() (BPF_ALU|BPF_DIV|BPF_K) it only
+seems to apply to the case that was already guarded in sk_run_filter().
+
+--
+Horms
+
+commit fb0d366b0803571f06a5b838f02c6706fc287995
+tree 473d0e16f244ef7c7415d865419b7b0187f52a7f
+parent aa8751667dcd757dd9a711b51140adf181501c44
+author Kris Katterjohn <kjak@users.sourceforge.net> Sun, 20 Nov 2005 13:41:34 -0800
+committer David S. Miller <davem@davemloft.net> Sun, 20 Nov 2005 13:41:34 -0800
+
+ [NET]: Reject socket filter if division by constant zero is attempted.
+
+ This way we don't have to check it in sk_run_filter().
+
+ Signed-off-by: Kris Katterjohn <kjak@users.sourceforge.net>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 079c2ed..2841bfc 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -116,8 +116,6 @@ int sk_run_filter(struct sk_buff *skb, s
+ A /= X;
+ continue;
+ case BPF_ALU|BPF_DIV|BPF_K:
+- if (fentry->k == 0)
+- return 0;
+ A /= fentry->k;
+ continue;
+ case BPF_ALU|BPF_AND|BPF_X:
+@@ -320,6 +318,10 @@ int sk_chk_filter(struct sock_filter *fi
+ }
+ }
+
++ /* check for division by zero -Kris Katterjohn 2005-10-30 */
++ if (ftest->code == (BPF_ALU|BPF_DIV|BPF_K) && ftest->k == 0)
++ return -EINVAL;
++
+ /* check that memory operations use valid addresses. */
+ if (ftest->k >= BPF_MEMWORDS) {
+ /* but it might not be a memory operation... */
+
+
diff --git a/active/retired/CVE-2002-0429 b/active/retired/CVE-2002-0429
new file mode 100644
index 00000000..6d6e59f5
--- /dev/null
+++ b/active/retired/CVE-2002-0429
@@ -0,0 +1,29 @@
+Candidate: CVE-2002-0429
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@3dd4f4b1MbvSSVddY8E_Yx0bGPux8w?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/entry.S
+ BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem
+ CONFIRM:http://www.openwall.com/linux/
+ DEBIAN:DSA-311
+ DEBIAN:DSA-312
+ DEBIAN:DSA-332
+ DEBIAN:DSA-336
+ DEBIAN:DSA-442
+ REDHAT:RHSA-2002:158
+ BID:4259
+ XF:linux-ibcs-lcall-process(8420)
+Description:
+ The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local
+ users to kill arbitrary processes via a a binary compatibility interface (lcall).
+Notes:
+Bugs:
+upstream: released (2.4.20)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-6)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0001 b/active/retired/CVE-2003-0001
new file mode 100644
index 00000000..7cd7abbd
--- /dev/null
+++ b/active/retired/CVE-2003-0001
@@ -0,0 +1,38 @@
+Candidate: CVE-2003-0001
+References:
+ ATSTAKE:A010603-1
+ URL:http://www.atstake.com/research/advisories/2003/a010603-1.txt
+ BUGTRAQ:20030110 More information regarding Etherleak
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104222046632243&w=2
+ VULNWATCH:20030110 More information regarding Etherleak
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html
+ MISC:http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
+ CERT-VN:VU#412115
+ URL:http://www.kb.cert.org/vuls/id/412115
+ REDHAT:RHSA-2003:025
+ URL:http://www.redhat.com/support/errata/RHSA-2003-025.html
+ OVAL:OVAL2665
+ URL:http://oval.mitre.org/oval/definitions/data/oval2665.html
+Description:
+ Multiple ethernet Network Interface Card (NIC) device drivers do not pad
+ frames with null bytes, which allows remote attackers to obtain information
+ from previous packets or kernel memory by using malformed packets, as
+ demonstrated by Etherleak.
+Notes:
+ dannf> A number of drivers had to be fixed, but when looking to see where this
+ dannf> patch had been applied, I just tracked the de600.c file changes. My
+ dannf> assumption is that all of the other drivers got fixed at the same time.
+ .
+ dannf> I've e-mailed the security team + mdz, asking for a patch
+Bugs:
+upstream: released (2.4.21-pre4)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: needed
+2.4.18-woody-security: released (2.4.18-7)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: needed
+2.4.17-woody-security-hppa: needed
+2.4.17-woody-security-ia64: needed
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2003-0018 b/active/retired/CVE-2003-0018
new file mode 100644
index 00000000..d89c0b09
--- /dev/null
+++ b/active/retired/CVE-2003-0018
@@ -0,0 +1,38 @@
+Candidate: CVE-2003-0018
+References:
+ DEBIAN:DSA-358
+ DEBIAN:DSA-423
+ MANDRAKE:MDKSA-2003:014
+ REDHAT:RHSA-2003:025
+ BID:6763
+ XF:linux-odirect-information-leak(11249)
+Description:
+ Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the
+ O_DIRECT feature, which allows local attackers with write privileges to
+ read portions of previously deleted files, or cause file system
+ corruption.
+Notes:
+ dannf> It looks like the fix that was used in woody is to diable
+ dannf> O_DIRECT. Is this the upstream fix?
+ dannf> http://linux.bkbits.net:8080/linux-2.4/cset@3da0af3a87N78_-K9uAzGF_5cLsRkA?nav=index.html|tags|ChangeSet@..1.717.1.11
+ dannf> I've asked hch via e-mail
+ .
+ dannf> and here's his response:
+ .
+ The big O_DIRECT issues we had a while ago involved redoing large parts of
+ the locking so it's definitily not the patch above. It was fixed in 2.4.2x
+ for x = 2 or 3 IIRC. The 2.5.27 kernels in sarge ff are definitly okay.
+ .
+ dannf> Therefore, I'm marking >= sarge kernels N/A
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0127 b/active/retired/CVE-2003-0127
new file mode 100644
index 00000000..b1b4b1cd
--- /dev/null
+++ b/active/retired/CVE-2003-0127
@@ -0,0 +1,62 @@
+Candidate: CVE-2003-0127
+References:
+ VULNWATCH:20030317 Fwd: Ptrace hole / Linux 2.2.25
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0134.html
+ REDHAT:RHSA-2003:098
+ URL:http://rhn.redhat.com/errata/RHSA-2003-098.html
+ REDHAT:RHSA-2003:088
+ URL:http://rhn.redhat.com/errata/RHSA-2003-088.html
+ SUSE:SuSE-SA:2003:021
+ ENGARDE:ESA-20030318-009
+ DEBIAN:DSA-270
+ URL:http://www.debian.org/security/2003/dsa-270
+ DEBIAN:DSA-276
+ URL:http://www.debian.org/security/2003/dsa-276
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ DEBIAN:DSA-495
+ URL:http://www.debian.org/security/2004/dsa-495
+ MANDRAKE:MDKSA-2003:038
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:038
+ MANDRAKE:MDKSA-2003:039
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:039
+ CALDERA:CSSA-2003-020.0
+ URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-020.0.txt
+ ENGARDE:ESA-20030515-017
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2
+ REDHAT:RHSA-2003:145
+ URL:http://www.redhat.com/support/errata/RHSA-2003-145.html
+ GENTOO:GLSA-200303-17
+ URL:http://security.gentoo.org/glsa/glsa-200303-17.xml
+ CERT-VN:VU#628849
+ URL:http://www.kb.cert.org/vuls/id/628849
+ OVAL:OVAL254
+ URL:http://oval.mitre.org/oval/definitions/data/oval254.html
+Description:
+ The kernel module loader in Linux kernel 2.2.x before 2.2.25, and
+ 2.4.x before 2.4.21, allows local users to gain root privileges by
+ using ptrace to attach to a child process that is spawned by the
+ kernel.
+Notes:
+ Changeset comments say "Linux 2.5 is not believed to be vulnerable.",
+ so marking this issue as N/A for 2.6.
+Bugs:
+upstream: released (2.4.21-pre6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-7)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0187 b/active/retired/CVE-2003-0187
new file mode 100644
index 00000000..44f10428
--- /dev/null
+++ b/active/retired/CVE-2003-0187
@@ -0,0 +1,25 @@
+Candidate: CVE-2003-0187
+References:
+ http://marc.theaimsgroup.com/?l=bugtraq&m=105986028426824&w=2
+ http://oval.mitre.org/oval/definitions/data/oval260.html
+Description:
+ The connection tracking core of Netfilter for Linux 2.4.20, with
+ CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote
+ attackers to cause a denial of service (resource consumption) due to an
+ inconsistency with Linux 2.4.20's support of linked lists, which causes
+ Netfilter to fail to identify connections with an UNCONFIRMED status and
+ use large timeouts.
+Notes:
+ This was fixed before 2.6.0:
+ http://linux.bkbits.net:8080/linux-2.6/cset@3e631f9evO15b8EcYa8btEi07F2mYQ?nav=index.html|src/|src/include|src/include/linux|src/include/linux/netfilter_ipv4|related/include/linux/netfilter_ipv4/ip_conntrack.h
+Bugs:
+upstream: released (2.4.21)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2003-0244 b/active/retired/CVE-2003-0244
new file mode 100644
index 00000000..50f54848
--- /dev/null
+++ b/active/retired/CVE-2003-0244
@@ -0,0 +1,50 @@
+Candidate: CVE-2003-0244
+References:
+ VULNWATCH:20030517 Algorithmic Complexity Attacks and the Linux Networking Code
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0073.html
+ MISC:http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html
+ MISC:http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417
+ REDHAT:RHSA-2003:145
+ URL:http://www.redhat.com/support/errata/RHSA-2003-145.html
+ REDHAT:RHSA-2003:147
+ URL:http://www.redhat.com/support/errata/RHSA-2003-147.html
+ REDHAT:RHSA-2003:172
+ URL:http://www.redhat.com/support/errata/RHSA-2003-172.html
+ ENGARDE:ESA-20030515-017
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ MANDRAKE:MDKSA-2003:066
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ BUGTRAQ:20030618 [slackware-security] 2.4.21 kernels available (SSA:2003-168-01)
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105595901923063&w=2
+ OVAL:OVAL261
+ URL:http://oval.mitre.org/oval/definitions/data/oval261.html
+Description:
+ The route cache implementation in Linux 2.4, and the Netfilter IP conntrack
+ module, allows remote attackers to cause a denial of service (CPU consumption)
+ via packets with forged source addresses that cause a large number of hash
+ table collisions.
+Notes:
+Bugs:
+upstream: released (2.4.21-rc2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released
+2.4.18-woody-security: released (2.4.18-8)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0246 b/active/retired/CVE-2003-0246
new file mode 100644
index 00000000..6ad4dddd
--- /dev/null
+++ b/active/retired/CVE-2003-0246
@@ -0,0 +1,50 @@
+Candidate: CVE-2003-0246
+References:
+ REDHAT:RHSA-2003:172
+ URL:http://www.redhat.com/support/errata/RHSA-2003-172.html
+ REDHAT:RHSA-2003:147
+ URL:http://www.redhat.com/support/errata/RHSA-2003-147.html
+ ENGARDE:ESA-20030515-017
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ MANDRAKE:MDKSA-2003:066
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ TURBO:TLSA-2003-41
+ URL:http://www.turbolinux.com/security/TLSA-2003-41.txt
+ VULNWATCH:20030520 Linux 2.4 kernel ioperm vuln
+ URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0076.html
+ OVAL:OVAL278
+ URL:http://oval.mitre.org/oval/definitions/data/oval278.html
+Description:
+ The ioperm system call in Linux kernel 2.4.20 and earlier does not properly
+ restrict privileges, which allows local users to gain read or write access to
+ certain I/O ports.
+Notes:
+ It looks like the patch originally included in woody was just a one line
+ change; whereas there were two larger patches that went upstream. I'm
+ moving our trees forward to the upstream one.
+ .
+ Patch is x86 only.
+Bugs:
+upstream: released (2.4.21-rc4)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: pending (2.4.18-14.5)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2003-0247 b/active/retired/CVE-2003-0247
new file mode 100644
index 00000000..45159ec0
--- /dev/null
+++ b/active/retired/CVE-2003-0247
@@ -0,0 +1,42 @@
+Candidate: CVE-2003-0247
+References:
+ REDHAT:RHSA-2003:187
+ URL:http://www.redhat.com/support/errata/RHSA-2003-187.html
+ REDHAT:RHSA-2003:195
+ URL:http://www.redhat.com/support/errata/RHSA-2003-195.html
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ MANDRAKE:MDKSA-2003:066
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ TURBO:TLSA-2003-41
+ URL:http://www.turbolinux.com/security/TLSA-2003-41.txt
+ OVAL:OVAL284
+ URL:http://oval.mitre.org/oval/definitions/data/oval284.html
+Description:
+ Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows
+ attackers to cause a denial of service ("kernel oops").
+Notes:
+Bugs:
+upstream: released (2.4.21-rc3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-9)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0248 b/active/retired/CVE-2003-0248
new file mode 100644
index 00000000..9ce634f6
--- /dev/null
+++ b/active/retired/CVE-2003-0248
@@ -0,0 +1,42 @@
+Candidate: CVE-2003-0248
+References:
+ REDHAT:RHSA-2003:187
+ URL:http://www.redhat.com/support/errata/RHSA-2003-187.html
+ REDHAT:RHSA-2003:195
+ URL:http://www.redhat.com/support/errata/RHSA-2003-195.html
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ MANDRAKE:MDKSA-2003:066
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ TURBO:TLSA-2003-41
+ URL:http://www.turbolinux.com/security/TLSA-2003-41.txt
+ OVAL:OVAL292
+ URL:http://oval.mitre.org/oval/definitions/data/oval292.html
+Description:
+ The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state
+ registers via a malformed address.
+Notes:
+ dannf> I think this is the patch:
+ dannf> http://linux.bkbits.net:8080/linux-2.4/cset@3f293760h0HL1XxaPHNYxPXmpO1k8g?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/i387.c
+Bugs:
+upstream: released (2.4.22-pre10)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-9)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2003-0364 b/active/retired/CVE-2003-0364
new file mode 100644
index 00000000..1cc1ba9b
--- /dev/null
+++ b/active/retired/CVE-2003-0364
@@ -0,0 +1,40 @@
+Candidate: CVE-2003-0364
+References:
+ REDHAT:RHSA-2003:187
+ URL:http://www.redhat.com/support/errata/RHSA-2003-187.html
+ REDHAT:RHSA-2003:195
+ URL:http://www.redhat.com/support/errata/RHSA-2003-195.html
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ DEBIAN:DSA-311
+ URL:http://www.debian.org/security/2003/dsa-311
+ DEBIAN:DSA-312
+ URL:http://www.debian.org/security/2003/dsa-312
+ DEBIAN:DSA-332
+ URL:http://www.debian.org/security/2003/dsa-332
+ DEBIAN:DSA-336
+ URL:http://www.debian.org/security/2003/dsa-336
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ TURBO:TLSA-2003-41
+ URL:http://www.turbolinux.com/security/TLSA-2003-41.txt
+ OVAL:OVAL295
+ URL:http://oval.mitre.org/oval/definitions/data/oval295.html
+Description:
+ The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote
+ attackers to cause a denial of service (CPU consumption) via certain packets that
+ cause a large number of hash table collisions.
+Notes:
+Bugs:
+upstream: released (2.4.21-rc7)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.2.20-woody-security: released (2.2.20-5woody2)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-9)
+2.4.17-woody-security: released (2.4.17-1woody1)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0418 b/active/retired/CVE-2003-0418
new file mode 100644
index 00000000..f20986e7
--- /dev/null
+++ b/active/retired/CVE-2003-0418
@@ -0,0 +1,21 @@
+Candidate: CVE-2003-0418
+References:
+ http://marc.theaimsgroup.com/?l=bugtraq&m=105519179005065&w=2
+ http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
+ http://www.kb.cert.org/vuls/id/471084
+Description:
+ The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP
+ citation, which causes it to include portions of unauthorized memory in ICMP
+ error responses.
+Notes:
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2003-0461 b/active/retired/CVE-2003-0461
new file mode 100644
index 00000000..c947ee68
--- /dev/null
+++ b/active/retired/CVE-2003-0461
@@ -0,0 +1,36 @@
+Candidate: CVE-2003-0461
+References:
+ MISC:http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ REDHAT:RHSA-2004:188
+ URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL304
+ URL:http://oval.mitre.org/oval/definitions/data/oval304.html
+ OVAL:OVAL997
+ URL:http://oval.mitre.org/oval/definitions/data/oval997.html
+ Description:
+ /proc/tty/driver/serial in Linux 2.4.x reveals the exact number
+ of characters used in serial links, which could allow local users
+ to obtain potentially sensitive information such as the length of
+ passwords.
+Notes:
+ dannf> Here's the patches I used:
+ http://linux.bkbits.net:8080/linux-2.4/cset@41a6020dX1GoVx_Eydy1jUOqc11tpw?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/proc_tty.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@41aca810DvutJ8aEj43OuUqJ4e1EIw?nav=index.html|src/|src/include|src/include/linux|related/include/linux/proc_fs.h
+Bugs:
+upstream: released (2.4.29-pre2, 2.6.1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-1) [025_proc_tty_security.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
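Review bot: The `Description:` field header in this record is indented by one space (the line reading ` Description:` after the OVAL references), unlike every other record in this set where the section headers `Candidate:`, `References:`, `Description:`, `Notes:` and `Bugs:` start at column 0. If anything parses these records by field name, that line will likely be folded into the References block and the description text will be misattributed, so it should be changed to `Description:` at column 0. The commit is a directory rename, so the defect was presumably carried over from the original file rather than introduced here.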
diff --git a/active/retired/CVE-2003-0462 b/active/retired/CVE-2003-0462
new file mode 100644
index 00000000..b5d9c8b4
--- /dev/null
+++ b/active/retired/CVE-2003-0462
@@ -0,0 +1,47 @@
+Candidate: CVE-2003-0462
+References:
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL309
+ URL:http://oval.mitre.org/oval/definitions/data/oval309.html
+Description:
+ A race condition in the way env_start and env_end pointers are
+ initialized in the execve system call and used in fs/proc/base.c
+ on Linux 2.4 allows local users to cause a denial of service
+ (crash).
+Notes:
+ The fix for 2.4 went into a larger patch:
+ http://linux.bkbits.net:8080/linux-2.4/cset@41c68e9bogrpceA9rUJa-xHwBd-P6g?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/base.c
+ However, the patch for 2.6 is much simpler:
+ http://linux.bkbits.net:8080/linux-2.6/cset@3ff1101fZfOZMtqtcvKc_s-agJpLrQ?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/base.c
+ Unfortunately, it doesn't apply cleanly to 2.4. It looks like
+ the fix included in 2.4.18-10 just re-typed len in
+ proc_pid_environ; while in 2.6 len was also retyped in
+ proc_pid_cmdline. Only the former deals with evn_end/env_start
+ pointers and the latter doesn't apply cleanly to 2.4, so I'm
+ just making the proc_pid_environ change.
+ .
+ hrm.. maybe there was an earlier patch to 2.4; the above 2.4
+ patch didn't go in till 2.4.29, yet it looks like this was
+ already fixed in our 2.4.27 .orig.tar.gz
+ .
+ jmm> I assume this was fixed upstream in 2.4.22-pre10?
+ jmm> o Fix /proc/self security issue
+Bugs:
+upstream: released (2.6.1), released (2.4.22-pre10)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0464 b/active/retired/CVE-2003-0464
new file mode 100644
index 00000000..6fe42cf6
--- /dev/null
+++ b/active/retired/CVE-2003-0464
@@ -0,0 +1,27 @@
+Candidate: CVE-2003-0464
+References:
+ http://www.redhat.com/support/errata/RHSA-2003-238.html
+ http://oval.mitre.org/oval/definitions/data/oval311.html
+Description:
+ The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created,
+ which could allow local users to bind to UDP ports that are used by privileged
+ services such as nfsd.
+Notes:
+ I couldn't locate the patches RedHat & SuSE used, but Connectiva apparently
+ just #if 0'd out the sock->sk->reuse = 1; line in svcsock.c:svc_create_socket.
+ Upstream didn't disable it altogether; just for UDP
+ http://linux.bkbits.net:8080/linux-2.4/cset@3f1bdcc9r8An_GKkjlXeHBYDYOY11A?nav=index.html|src/|src/net|src/net/sunrpc|related/net/sunrpc/svcsock.c
+ I'm guessing this is a UDP-only problem, so that is probably the fix we want.
+ .
+ This fix was in before 2.6.0.
+Bugs:
+upstream: released (2.4.22-pre8)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2003-0465 b/active/retired/CVE-2003-0465
new file mode 100644
index 00000000..8ef0a954
--- /dev/null
+++ b/active/retired/CVE-2003-0465
@@ -0,0 +1,34 @@
+Candidate: CVE-2003-0465
+References:
+ CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
+ CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2
+ REDHAT:RHSA-2004:188
+ URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
+Description:
+ The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad
+ the buffer on architectures other than x86, as opposed to the expected
+ behavior of strncpy as implemented in libc, which could lead to
+ information leaks.
+Notes:
+ 2.4.27-8 fixes s390x, ppc64 and s390 but leaves mips & alpha unfixed.
+ .
+ horms> N.B. This bug appears to be minor at best
+ horms> http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2
+ .
+ dannf> Since this is minor, I'm gonna consider the existing patch "good enough"
+ dannf> and mark the 2.4 issues as complete.
+ jmm> Alan Cox wrote in above URL that these will be addressed during the 2.5
+ jmm> cycle, so I guess it's pretty safe to make all the 2.6 kernels as fixed
+ jmm> The ramifications are minor anyway
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-8)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: needed
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2003-0467 b/active/retired/CVE-2003-0467
new file mode 100644
index 00000000..b51f352f
--- /dev/null
+++ b/active/retired/CVE-2003-0467
@@ -0,0 +1,25 @@
+Candidate: CVE-2003-0467
+References:
+ http://marc.theaimsgroup.com/?l=bugtraq&m=105985703724758&w=2
+Description:
+ Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels
+ 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is
+ enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote
+ attackers to cause a denial of service (crash) in systems using NAT, possibly
+ due to an integer signedness error.
+Notes:
+ http://linux.bkbits.net:8080/linux-2.4/cset@3ea42919d7UMn5WVhEYYcN5hnvM6fA?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_helper.c
+ .
+ Looks like this was fixed before 2.6.0:
+ http://linux.bkbits.net:8080/linux-2.6/cset@3eb76c8aWimEpZAEU5Xbu-LPK-NxeA?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_helper.c
+Bugs:
+upstream: released (2.4.21-rc1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2003-0476 b/active/retired/CVE-2003-0476
new file mode 100644
index 00000000..03d471c1
--- /dev/null
+++ b/active/retired/CVE-2003-0476
@@ -0,0 +1,37 @@
+Candidate: CVE-2003-0476
+References:
+ BUGTRAQ:20030626 Linux 2.4.x execve() file read race vulnerability
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105664924024009&w=2
+ MANDRAKE:MDKSA-2003:074
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ REDHAT:RHSA-2003:368
+ URL:http://www.redhat.com/support/errata/RHSA-2003-368.html
+ REDHAT:RHSA-2003:408
+ URL:http://www.redhat.com/support/errata/RHSA-2003-408.html
+ SUSE:SuSE-SA:2003:034
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL327
+ URL:http://oval.mitre.org/oval/definitions/data/oval327.html
+Description:
+ The execve system call in Linux 2.4.x records the file
+ descriptor of the executable process in the file table of the
+ calling process, which allows local users to gain read access to
+ restricted file descriptors.
+Notes:
+Bugs:
+upstream: released (2.4.22-pre4, 2.6.1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0501 b/active/retired/CVE-2003-0501
new file mode 100644
index 00000000..abd9ec50
--- /dev/null
+++ b/active/retired/CVE-2003-0501
@@ -0,0 +1,33 @@
+Candidate: CVE-2003-0501
+References:
+ BUGTRAQ:20030620 Linux /proc sensitive information disclosure
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105621758104242
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ SUSE:SuSE-SA:2003:034
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL328
+ URL:http://oval.mitre.org/oval/definitions/data/oval328.html
+Description:
+ The /proc filesystem in Linux allows local users to obtain
+ sensitive information by opening various entries in /proc/self
+ before executing a setuid program, which causes the program to
+ fail to change the ownership and permissions of those entries.
+Notes:
+Bugs:
+upstream: released (2.4.22-pre10)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0550 b/active/retired/CVE-2003-0550
new file mode 100644
index 00000000..ab06812f
--- /dev/null
+++ b/active/retired/CVE-2003-0550
@@ -0,0 +1,26 @@
+Candidate: CVE-2003-0550
+References:
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL380
+ URL:http://oval.mitre.org/oval/definitions/data/oval380.html
+Description:
+ The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient
+ security by design, which allows attackers to modify the bridge topology.
+Notes:
+Bugs:
+upstream: released (2.4.22-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0551 b/active/retired/CVE-2003-0551
new file mode 100644
index 00000000..7e5161bc
--- /dev/null
+++ b/active/retired/CVE-2003-0551
@@ -0,0 +1,28 @@
+Candidate: CVE-2003-0551
+References:
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL384
+ URL:http://oval.mitre.org/oval/definitions/data/oval384.html
+Description:
+ The STP protocol implementation in Linux 2.4.x does not properly verify
+ certain lengths, which could allow attackers to cause a denial of service.
+Notes:
+Bugs:
+upstream: released (2.4.22-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0552 b/active/retired/CVE-2003-0552
new file mode 100644
index 00000000..c3f39485
--- /dev/null
+++ b/active/retired/CVE-2003-0552
@@ -0,0 +1,28 @@
+Candidate: CVE-2003-0552
+References:
+ REDHAT:RHSA-2003:198
+ URL:http://www.redhat.com/support/errata/RHSA-2003-198.html
+ REDHAT:RHSA-2003:238
+ URL:http://www.redhat.com/support/errata/RHSA-2003-238.html
+ DEBIAN:DSA-358
+ URL:http://www.debian.org/security/2004/dsa-358
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ OVAL:OVAL385
+ URL:http://oval.mitre.org/oval/definitions/data/oval385.html
+Description:
+ Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table
+ via forged packets whose source addresses are the same as the target.
+Notes:
+Bugs:
+upstream: released (2.4.22-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-10)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0643 b/active/retired/CVE-2003-0643
new file mode 100644
index 00000000..64a7d8b1
--- /dev/null
+++ b/active/retired/CVE-2003-0643
@@ -0,0 +1,25 @@
+Candidate: CVE-2003-0643
+References:
+ http://www.ultramonkey.org/bugs/cve/CAN-2003-0643.shtml
+ http://www.ultramonkey.org/bugs/cve-patch/CAN-2003-0643.patch
+ http://gentoo.kems.net/gentoo-x86-portage/sys-kernel/gentoo-sources/ChangeLog
+ http://mirror.clarkson.edu/pub/distributions/gentoo-portage/sys-kernel/wolk-sources/ChangeLog
+ http://ftp.belnet.be/linux/gentoo-portage/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2003-0643.patch
+Description:
+ Integer signedness error in the Linux Socket Filter implementation (filter.c)
+ in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of
+ service (crash).
+Notes:
+ Fixed before 2.6.0:
+ http://linux.bkbits.net:8080/linux-2.4/cset@3f216072qjoeL8BVUjH-swPkd1CRgA?nav=index.html|src/|src/net|src/net/core|related/net/core/filter.c
+Bugs:
+upstream: released (2.4.22-pre10)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
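Review bot: The six woody-security status lines at the end of this entry are blank, so the file records no decision for the woody kernels even though it sits under retired/ and the description's range (2.4.3-pre3 to 2.4.22-pre10) covers woody's 2.4.16–2.4.19. Each line should carry an explicit state, e.g. `2.4.19-woody-security: N/A` or `needed`, or `released (version)` if the filter.c signedness fix was backported, so a reader can tell whether this was assessed or merely never filled in. The `2.4.18-woody-security-hppa:` line that sibling entries carry is also missing here.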
diff --git a/active/retired/CVE-2003-0699 b/active/retired/CVE-2003-0699
new file mode 100644
index 00000000..615d0588
--- /dev/null
+++ b/active/retired/CVE-2003-0699
@@ -0,0 +1,24 @@
+Candidate: CVE-2003-0699
+References:
+ http://www.redhat.com/support/errata/RHSA-2003-198.html
+ http://www.redhat.com/support/errata/RHSA-2003-238.html
+ http://oval.mitre.org/oval/definitions/data/oval387.html
+Description:
+ The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user
+ function to access userspace, which crosses security boundaries and may
+ facilitate the exploitation of vulnerabilities, a different vulnerability than
+ CVE-2003-0700.
+Notes:
+ Fixed before 2.6.0. 2.4 patch:
+ http://linux.bkbits.net:8080/linux-2.4/cset@3eb6f77bdzIdwwIbhYPVK6Cu16OhBQ?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/cmpci.c
+Bugs:
+upstream: released (2.4.21-rc2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2003-0700 b/active/retired/CVE-2003-0700
new file mode 100644
index 00000000..9e0299e5
--- /dev/null
+++ b/active/retired/CVE-2003-0700
@@ -0,0 +1,24 @@
+Candidate: CVE-2003-0700
+References:
+ http://www.redhat.com/support/errata/RHSA-2003-238.html
+ http://www.redhat.com/support/errata/RHSA-2004-044.html
+ http://oval.mitre.org/oval/definitions/data/oval401.html
+Description:
+ The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user
+ function to access userspace in certain conditions, which crosses security
+ boundaries and may facilitate the exploitation of vulnerabilities, a different
+ vulnerability than CVE-2003-0699.
+Notes:
+ Fixed before 2.6.0. 2.4 patch:
+ http://linux.bkbits.net:8080/linux-2.4/cset@3f0350ec7Wnpix3ihDCUMMnS-czskg?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/cmpci.c
+Bugs:
+upstream: released (2.4.22-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
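Review bot: The woody-security lines are all empty, so the entry records no state for 2.4.16–2.4.19 although `upstream: released (2.4.22-pre3)` places the cmpci get_user fix after every woody kernel, which suggests they were affected. Each line should be given an explicit state (`needed`, `N/A`, `ignored`, or `released (version)`) rather than left blank in a retired entry; the `2.4.18-woody-security-hppa:` line present in other entries is missing as well.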
diff --git a/active/retired/CVE-2003-0961 b/active/retired/CVE-2003-0961
new file mode 100644
index 00000000..6db82f64
--- /dev/null
+++ b/active/retired/CVE-2003-0961
@@ -0,0 +1,67 @@
+Candidate: CVE-2003-0961
+References:
+ BUGTRAQ:20031204 [iSEC] Linux kernel do_brk() vulnerability details
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107064798706473&w=2
+ MISC:http://isec.pl/papers/linux_kernel_do_brk.pdf
+ REDHAT:RHSA-2003:368
+ URL:http://www.redhat.com/support/errata/RHSA-2003-368.html
+ REDHAT:RHSA-2003:389
+ URL:http://www.redhat.com/support/errata/RHSA-2003-389.html
+ DEBIAN:DSA-403
+ URL:http://www.debian.org/security/2003/dsa-403
+ DEBIAN:DSA-417
+ URL:http://www.debian.org/security/2004/dsa-417
+ DEBIAN:DSA-423
+ URL:http://www.debian.org/security/2004/dsa-423
+ DEBIAN:DSA-433
+ URL:http://www.debian.org/security/2004/dsa-433
+ DEBIAN:DSA-439
+ URL:http://www.debian.org/security/2004/dsa-439
+ DEBIAN:DSA-440
+ URL:http://www.debian.org/security/2004/dsa-440
+ DEBIAN:DSA-442
+ URL:http://www.debian.org/security/2004/dsa-442
+ DEBIAN:DSA-450
+ URL:http://www.debian.org/security/2004/dsa-450
+ DEBIAN:DSA-470
+ URL:http://www.debian.org/security/2004/dsa-470
+ DEBIAN:DSA-475
+ URL:http://www.debian.org/security/2004/dsa-475
+ MANDRAKE:MDKSA-2003:110
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:110
+ CONECTIVA:CLA-2003:796
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000796
+ SUSE:SuSE-SA:2003:049
+ URL:http://www.novell.com/linux/security/advisories/2003_049_kernel.html
+ BUGTRAQ:20031204 Hot fix for do_brk bug
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107064830206816&w=2
+ BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107394143105081&w=2
+ CERT-VN:VU#301156
+ URL:http://www.kb.cert.org/vuls/id/301156
+ SECUNIA:10328
+ URL:http://secunia.com/advisories/10328
+ SECUNIA:10329
+ URL:http://secunia.com/advisories/10329
+ SECUNIA:10330
+ URL:http://secunia.com/advisories/10330
+ SECUNIA:10333
+ URL:http://secunia.com/advisories/10333
+ SECUNIA:10338
+ URL:http://secunia.com/advisories/10338
+Description:
+ Integer overflow in the do_brk function for the brk system call in Linux
+ kernel 2.4.22 and earlier allows local users to gain root privileges.
+Notes:
+Bugs:
+upstream: released (2.4.23-pre7)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody1)
+2.4.18-woody-security: released (2.4.18-14)
+2.4.17-woody-security: released (2.4.17-1woody2)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.3)
+2.4.17-woody-security-ia64: released (011226.14.1)
+2.4.18-woody-security-hppa: released (62.2)
diff --git a/active/retired/CVE-2003-0984 b/active/retired/CVE-2003-0984
new file mode 100644
index 00000000..73760da7
--- /dev/null
+++ b/active/retired/CVE-2003-0984
@@ -0,0 +1,46 @@
+Candidate: CVE-2003-0984
+References:
+ SUSE:SuSE-SA:2003:049
+ URL:http://www.novell.com/linux/security/advisories/2003_049_kernel.html
+ CONECTIVA:CLA-2004:799
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799
+ ENGARDE:ESA-20040105-001
+ URL:http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html
+ REDHAT:RHSA-2003:417
+ URL:http://www.redhat.com/support/errata/RHSA-2003-417.html
+ REDHAT:RHSA-2004:188
+ URL:http://www.redhat.com/support/errata/RHSA-2004-188.html
+ MANDRAKE:MDKSA-2004:001
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:001
+ BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107394143105081&w=2
+ XF:linux-rtc-memory-leak(13943)
+ URL:http://xforce.iss.net/xforce/xfdb/13943
+ OVAL:OVAL1013
+ URL:http://oval.mitre.org/oval/definitions/data/oval1013.html
+ OVAL:OVAL859
+ URL:http://oval.mitre.org/oval/definitions/data/oval859.html
+Description:
+ Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not
+ properly initialize their structures, which could leak kernel data to user
+ space.
+Notes:
+ backport from dilinger; though it isn't quite what appears to have gone
+ upstream:
+ http://linux.bkbits.net:8080/linux-2.4/cset@3fd7827aNFUTifwp7_u4babSUA8Bkg?nav=index.html|src/|src/drivers|src/drivers/sbus|src/drivers/sbus/char|related/drivers/sbus/char/rtc.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@3ff8697bFIYfsvIbsqw27h6C_rbCEA?nav=index.html|src/|src/drivers|src/drivers/sbus|src/drivers/sbus/char|related/drivers/sbus/char/rtc.c
+ jmm> This was fixed upstream in 2.4.24-rc1:
+ jmm> | <trini:mvista.com>:
+ jmm> | o /dev/rtc can leak parts of kernel memory to unpriviledged users
+Bugs:
+upstream: released (2.4.24-rc1, 2.6.2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2003-0985 b/active/retired/CVE-2003-0985
new file mode 100644
index 00000000..16f58f01
--- /dev/null
+++ b/active/retired/CVE-2003-0985
@@ -0,0 +1,54 @@
+Candidate: CVE-2003-0985
+References:
+ BUGTRAQ:20040105 Linux kernel mremap vulnerability
+ MISC:http://isec.pl/vulnerabilities/isec-0013-mremap.txt
+ BUGTRAQ:20040105 Linux kernel do_mremap() proof-of-concept exploit code
+ BUGTRAQ:20040106 Linux mremap bug correction
+ DEBIAN:DSA-423
+ DEBIAN:DSA-450
+ SUSE:SuSE-SA:2004:001
+ SUSE:SuSE-SA:2004:003
+ CONECTIVA:CLA-2004:799
+ ENGARDE:ESA-20040105-001
+ REDHAT:RHSA-2003:416
+ REDHAT:RHSA-2003:417
+ REDHAT:RHSA-2003:418
+ REDHAT:RHSA-2003:419
+ DEBIAN:DSA-413
+ DEBIAN:DSA-417
+ DEBIAN:DSA-427
+ DEBIAN:DSA-439
+ DEBIAN:DSA-440
+ DEBIAN:DSA-442
+ DEBIAN:DSA-470
+ DEBIAN:DSA-475
+ IMMUNIX:IMNX-2004-73-001-01
+ MANDRAKE:MDKSA-2004:001
+ SGI:20040102-01-U
+ TRUSTIX:2004-0001
+ BUGTRAQ:20040107 [slackware-security] Kernel security update (SSA:2004-006-01)
+ BUGTRAQ:20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01)
+ BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001
+ XF:linux-domremap-gain-privileges(14135)
+ OSVDB:3315
+ OVAL:OVAL860
+ OVAL:OVAL867
+Description:
+ The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21
+ does not properly perform bounds checks, which allows local users to
+ cause a denial of service and possibly gain privileges by causing a
+ remapping of a virtual memory area (VMA) to create a zero length VMA,
+ a different vulnerability than CAN-2004-0077.
+Notes:
+Bugs:
+upstream: released (2.4.24-rc1), released (2.6.1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody1)
+2.4.18-woody-security: released (2.4.18-14.1)
+2.4.17-woody-security: released (2.4.17-1woody2)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.3, 62.3)
+2.4.17-woody-security-ia64: released (011226.15)
+2.4.18-woody-security-hppa: released (62.2)
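Review bot: The description's affected range `Linux kernel 2.4.x before 2.4.21` disagrees with the Bugs section, which records the upstream fix as `released (2.4.24-rc1)`; a fix in 2.4.24-rc1 implies 2.4.21–2.4.23 were affected too. If the description was transcribed from the MITRE text it may have been copied incorrectly, and it should probably read `before 2.4.24` (or just `2.4.x`) so the stated range matches the fix version. Worth checking against the isec-0013 advisory listed under References before changing it.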
diff --git a/active/retired/CVE-2003-1040 b/active/retired/CVE-2003-1040
new file mode 100644
index 00000000..b4e7a03e
--- /dev/null
+++ b/active/retired/CVE-2003-1040
@@ -0,0 +1,28 @@
+Candidate: CVE-2003-1040
+References:
+ ftp://patches.sgi.com/support/free/security/advisories/20040204-01-U.asc
+ http://www.novell.com/linux/security/advisories/2003_049_kernel.html
+ http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820
+ http://www.redhat.com/support/errata/RHSA-2004-065.html
+ http://www.redhat.com/support/errata/RHSA-2004-069.html
+ http://www.redhat.com/support/errata/RHSA-2004-106.html
+ http://www.redhat.com/support/errata/RHSA-2004-188.html
+ http://linux.bkbits.net:8080/linux-2.4/diffs/kernel/kmod.c@1.6?nav=index.html|src/|src/kernel|hist/kernel/kmod.c
+ http://xforce.iss.net/xforce/xfdb/15577
+Description:
+ kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which
+ allows local users to cause a denial of service (crash) by sending certain
+ signals to kmod.
+Notes:
+ fixed before 2.6 released
+Bugs:
+upstream: released (2.4.23)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: needed
+2.4.18-woody-security: needed
+2.4.17-woody-security: needed
+2.4.16-woody-security: needed
+2.4.17-woody-security-hppa: needed
+2.4.17-woody-security-ia64: needed
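Review bot: All six woody-security lines are still `needed` although the file lives under retired/, so either the entry was retired with unfixed woody kernels or the status was never updated. If woody is no longer supported these should be moved to an explicit terminal state, e.g. `2.4.19-woody-security: ignored (woody EOL)` using whichever state this tracker defines for end-of-life suites, and if a fix did ship they should read `released (version)`; a `needed` line in a retired entry is easy to overlook. The `upstream: released (2.4.23)` line and the bkbits kmod.c link under References suggest a backportable 2.4 change exists, so the decision should be recorded either way.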
diff --git a/active/retired/CVE-2004-0003 b/active/retired/CVE-2004-0003
new file mode 100644
index 00000000..73002472
--- /dev/null
+++ b/active/retired/CVE-2004-0003
@@ -0,0 +1,89 @@
+Candidate: CVE-2004-0003
+References:
+ CONFIRM:http://www.linuxcompatible.org/print25630.html
+ DEBIAN:DSA-479
+ URL:http://www.debian.org/security/2004/dsa-479
+ DEBIAN:DSA-480
+ URL:http://www.debian.org/security/2004/dsa-480
+ DEBIAN:DSA-481
+ URL:http://www.debian.org/security/2004/dsa-481
+ DEBIAN:DSA-482
+ URL:http://www.debian.org/security/2004/dsa-482
+ DEBIAN:DSA-489
+ URL:http://www.debian.org/security/2004/dsa-489
+ DEBIAN:DSA-491
+ URL:http://www.debian.org/security/2004/dsa-491
+ DEBIAN:DSA-495
+ URL:http://www.debian.org/security/2004/dsa-495
+ MANDRAKE:MDKSA-2004:029
+ URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029
+ REDHAT:RHSA-2004:044
+ URL:http://www.redhat.com/support/errata/RHSA-2004-044.html
+ REDHAT:RHSA-2004:065
+ URL:http://www.redhat.com/support/errata/RHSA-2004-065.html
+ REDHAT:RHSA-2004:106
+ URL:http://www.redhat.com/support/errata/RHSA-2004-106.html
+ REDHAT:RHSA-2004:166
+ URL:http://www.redhat.com/support/errata/RHSA-2004-166.html
+ SUSE:SuSE-SA:2004:005
+ URL:http://www.novell.com/linux/security/advisories/2004_05_linux_kernel.html
+ TURBO:TLSA-2004-14
+ URL:http://www.turbolinux.com/security/2004/TLSA-2004-14.txt
+ CIAC:O-082
+ URL:http://www.ciac.org/ciac/bulletins/o-082.shtml
+ CIAC:O-121
+ URL:http://www.ciac.org/ciac/bulletins/o-121.shtml
+ CIAC:O-126
+ URL:http://www.ciac.org/ciac/bulletins/o-126.shtml
+ CIAC:O-127
+ URL:http://www.ciac.org/ciac/bulletins/o-127.shtml
+ CIAC:O-145
+ URL:http://www.ciac.org/ciac/bulletins/o-145.shtml
+ BID:9570
+ URL:http://www.securityfocus.com/bid/9570
+ SECUNIA:10782
+ URL:http://secunia.com/advisories/10782
+ SECUNIA:10911
+ URL:http://secunia.com/advisories/10911
+ SECUNIA:10912
+ URL:http://secunia.com/advisories/10912
+ SECUNIA:11202
+ URL:http://secunia.com/advisories/11202
+ SECUNIA:11361
+ URL:http://secunia.com/advisories/11361
+ SECUNIA:11362
+ URL:http://secunia.com/advisories/11362
+ SECUNIA:11369
+ URL:http://secunia.com/advisories/11369
+ SECUNIA:11370
+ URL:http://secunia.com/advisories/11370
+ SECUNIA:11376
+ URL:http://secunia.com/advisories/11376
+ SECUNIA:11464
+ URL:http://secunia.com/advisories/11464
+ SECUNIA:11891
+ URL:http://secunia.com/advisories/11891
+ SECUNIA:12075
+ URL:http://secunia.com/advisories/12075
+ OVAL:OVAL1017
+ URL:http://oval.mitre.org/oval/definitions/data/oval1017.html
+ OVAL:OVAL834
+ URL:http://oval.mitre.org/oval/definitions/data/oval834.html
+ XF:linux-r128-gain-priviliges(15029)
+ URL:http://xforce.iss.net/xforce/xfdb/15029
+Description:
+ Unknown vulnerability in Linux kernel before 2.4.22 allows local users to
+ gain privileges, related to "R128 DRI limits checking."
+Notes:
+Bugs:
+upstream: released (2.4.26-rc4, 2.6.4)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-14.3)
+2.4.17-woody-security: released (2.4.17-1woody3)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.4, 62.3)
+2.4.17-woody-security-ia64: released (011226.17)
+2.4.18-woody-security-hppa: released (62.3)
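Review bot: The description says `Linux kernel before 2.4.22` while `upstream: released (2.4.26-rc4, 2.6.4)` records the fix four releases later, so the two cannot both be right about the affected range. The woody kernels (2.4.16–2.4.19) are marked released either way, but anyone triaging a 2.4.22–2.4.25 kernel would be misled by the description. Suggest a line under Notes such as `description range (before 2.4.22) disagrees with fix version 2.4.26-rc4; verify against the DSA/RHSA references`, or correcting the description once checked.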
diff --git a/active/retired/CVE-2004-0010 b/active/retired/CVE-2004-0010
new file mode 100644
index 00000000..5420ca92
--- /dev/null
+++ b/active/retired/CVE-2004-0010
@@ -0,0 +1,16 @@
+Candidate: CVE-2004-0010
+References:
+Description:
+Notes:
+Bugs:
+upstream: released (2.4.25-pre7), released (2.6.3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-14.3)
+2.4.17-woody-security: released (2.4.17-1woody3)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.4, 62.3)
+2.4.17-woody-security-ia64: released (011226.17)
+2.4.18-woody-security-hppa: released (62.3)
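Review bot: Both `References:` and `Description:` are empty, so this entry records release status for a CVE identifier without saying what vulnerability it tracks or which patch fixed it. At minimum a one-line Description and the upstream changeset or advisory URL should be filled in, as the sibling entries do, so that `released (2.4.25-pre7)` and `released (2.6.3)` can be verified against an actual fix.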
diff --git a/active/retired/CVE-2004-0077 b/active/retired/CVE-2004-0077
new file mode 100644
index 00000000..02f16cd4
--- /dev/null
+++ b/active/retired/CVE-2004-0077
@@ -0,0 +1,57 @@
+Candidate: CVE-2004-0077
+References:
+ BUGTRAQ:20040218 Second critical mremap() bug found in all Linux kernels
+ VULNWATCH:20040218 Second critical mremap() bug found in all Linux kernels
+ MISC:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
+ CONECTIVA:CLA-2004:820
+ DEBIAN:DSA-438
+ DEBIAN:DSA-439
+ DEBIAN:DSA-440
+ DEBIAN:DSA-441
+ DEBIAN:DSA-442
+ DEBIAN:DSA-444
+ DEBIAN:DSA-450
+ DEBIAN:DSA-453
+ DEBIAN:DSA-454
+ DEBIAN:DSA-456
+ DEBIAN:DSA-466
+ DEBIAN:DSA-470
+ DEBIAN:DSA-514
+ DEBIAN:DSA-475
+ REDHAT:RHSA-2004:065
+ REDHAT:RHSA-2004:066
+ REDHAT:RHSA-2004:069
+ REDHAT:RHSA-2004:106
+ SLACKWARE:SSA:2004-049
+ SUSE:SuSE-SA:2004:005
+ TRUSTIX:2004-0007
+ TRUSTIX:2004-0008
+ GENTOO:GLSA-200403-02
+ CERT-VN:VU#981222
+ XF:linux-mremap-gain-privileges(15244)
+ BID:9686
+ OSVDB:3986
+ OVAL:OVAL825
+ OVAL:OVAL837
+Description:
+ The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4
+ to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the
+ do_munmap function when the maximum number of VMA descriptors is exceeded,
+ which allows local users to gain root privileges, a different vulnerability
+ than CAN-2003-0985.
+Notes:
+ dannf> we think these are the patches:
+ 2.6: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=59287e5eef8d33dcd842852a898b43a81fe0b2c2
+ 2.4: http://linux.bkbits.net:8080/linux-2.4/cset@40327d9fxQLz7BU9yAATPsFlWiSG0A?nav=index.html|src/|src/mm|related/mm/mremap.c
+Bugs:
+upstream: released (2.4.25-rc4, 2.6.3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody1)
+2.4.18-woody-security: released (2.4.18-14.2)
+2.4.17-woody-security: released (2.4.17-1woody2)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.3, 62.3)
+2.4.17-woody-security-ia64: released (011226.16)
+2.4.18-woody-security-hppa: released (62.2)
diff --git a/active/retired/CVE-2004-0109 b/active/retired/CVE-2004-0109
new file mode 100644
index 00000000..fc67f753
--- /dev/null
+++ b/active/retired/CVE-2004-0109
@@ -0,0 +1,16 @@
+Candidate:
+References:
+Description:
+Notes:
+Bugs:
+upstream: released (2.4.26-rc4), released (2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-14.3)
+2.4.17-woody-security: released (2.4.17-1woody3)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.4, 62.3)
+2.4.17-woody-security-ia64: released (011226.17)
+2.4.18-woody-security-hppa: released (62.3)
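Review bot: The `Candidate:` line is empty, so the only thing identifying this entry as CVE-2004-0109 is its filename; tooling that keys on the Candidate field would miss it. It should read `Candidate: CVE-2004-0109`. References and Description are also empty, leaving no way to check that the `released` versions listed correspond to the actual fix.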
diff --git a/active/retired/CVE-2004-0133 b/active/retired/CVE-2004-0133
new file mode 100644
index 00000000..dd6420aa
--- /dev/null
+++ b/active/retired/CVE-2004-0133
@@ -0,0 +1,29 @@
+Candidate: CVE-2004-0133
+References:
+ http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html
+ http://security.gentoo.org/glsa/glsa-200407-02.xml
+ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029
+ ftp://patches.sgi.com/support/free/security/advisories/20040405-01-U.asc
+ http://marc.theaimsgroup.com/?l=bugtraq&m=108213675028441&w=2
+ http://www.securityfocus.com/bid/10151
+ http://secunia.com/advisories/11362
+ http://xforce.iss.net/xforce/xfdb/15901
+Description:
+ The XFS file system code in Linux 2.4.x has an information leak in which
+ in-memory data is written to the device for the XFS file system, which
+ allows local users to obtain sensitive information by reading the raw device.
+Notes:
+ jmm> Woody is not affected, as XFS was only added to the kernel in 2.4.25
+ dannf> I never did find the actual patch - upstream fixed versions are
+ dannf> based on the securityfocus page above.
+Bugs:
+upstream: released (2.4.26-rc2, 2.6.5)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0136 b/active/retired/CVE-2004-0136
new file mode 100644
index 00000000..77047ee2
--- /dev/null
+++ b/active/retired/CVE-2004-0136
@@ -0,0 +1,46 @@
+Candidate: CVE-2004-0136
+References:
+ REDHAT:RHSA-2004:549
+ URL:http://www.redhat.com/support/errata/RHSA-2004-549.html
+ SGI:20040601-01-P
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040601-01-P.asc
+ XF:irix-mapelf32exec-dos(16416)
+ URL:http://xforce.iss.net/xforce/xfdb/16416
+ BID:10547
+ URL:http://www.securityfocus.com/bid/10547
+Description:
+ The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local
+ users to cause a denial of service (system crash) via a "corrupted binary."
+Notes:
+ Strange description, but I think this is actually a Linux issue; note the
+ RedHat URLs above.
+ dannf> I think I've traced this issue back to a flawed bug report, and that
+ dannf> this is really CAN-2004-0138.
+ + mitre references a RedHat advisory for this, RHSA-2004:504-13
+ + RHSA-2004:504-13 does in fact reference CVE-2004-0136
+ + RedHat notes that their fixed src.rpm is kernel-2.4.18-e.52.src.rpm
+ + The changelog in the spec file in the above .src.rpm contains the following
+ entry:
+ * Tue Nov 16 2004 Jim Paradis <jparadis@redhat.com>
+ - Fixes for security holes in binfmt_elf loader (Dave Anderson,
+ Jim Paradis), bugs 127916, 134876
+ + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127916 references
+ CVE-2004-0136, but the patches it links to are the fixes for
+ CVE-2004-0138
+ jmm> Red Hat accidentally used CVE-2004-0138 for this in an advisory, pulling
+ jmm> over the entries from it
+ jmm> I've verified that the fix from
+ jmm> http://linux.bkbits.net:8080/linux-2.4/gnupatch@4021346f79nBb-4X_usRikR3Iyb4Vg
+ jmm> is included in 2.6.8, thus marking 2.6.8 and linux-2.6 N/A
+Bugs:
+upstream: released (2.4.25-rc1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0138 b/active/retired/CVE-2004-0138
new file mode 100644
index 00000000..e2f1e3b5
--- /dev/null
+++ b/active/retired/CVE-2004-0138
@@ -0,0 +1,23 @@
+Candidate: CVE-2004-0138
+References:
+Description:
+Notes:
+ Still marked **RESERVED**
+ dannf> However, it was already fixed in woody, whose changelog says:
+ * Applied patch by Chris Wright to denial of service in the ELF loader
+ when the interpreter architecture doesn't match the current one
+ <http://linux.bkbits.net:8080/linux-2.4/cset@4021346f79nBb-4X_usRikR3Iyb4Vg>
+ [fs/binfmt_elf.c, CAN-2004-0138]
+ jmm> This was a previous Red Hat internal name for CVE-2004-0136, so
+ jmm> Red hat advisories, which fix this are in fact for CVE-2004-0136
+Bugs:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0177 b/active/retired/CVE-2004-0177
new file mode 100644
index 00000000..f42298e4
--- /dev/null
+++ b/active/retired/CVE-2004-0177
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-0177
+References:
+Description:
+Notes:
+ jmm> This is resolved by the following patch by tytso:
+ jmm>--- kernel-source-2.4.18-2.4.18.orig/fs/jbd/journal.c
+ jmm>+++ kernel-source-2.4.18-2.4.18/fs/jbd/journal.c
+ jmm>@@ -671,6 +671,7 @@
+ jmm>
+ jmm> bh = getblk(journal->j_dev, blocknr, journal->j_blocksize);
+ jmm> lock_buffer(bh);
+ jmm>+ memset(bh->b_data, 0, journal->j_blocksize);
+ jmm> BUFFER_TRACE(bh, "return this buffer");
+ jmm> return journal_add_journal_head(bh);
+ jmm> }
+ jmm> This fix is present in 2.4.27 and 2.6.8, so marking them and l-2.6 N/A
+Bugs:
+upstream: released (2.4.26-pre4)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-14.3)
+2.4.17-woody-security: released (2.4.17-1woody3)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.4, 62.3)
+2.4.17-woody-security-ia64: released (011226.17)
+2.4.18-woody-security-hppa: released (62.3)
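Review bot: `Description:` and `References:` are empty, so the nature of the issue can only be inferred from the patch pasted under Notes; the added `memset(bh->b_data, 0, journal->j_blocksize);` on a freshly obtained journal block looks like a fix for uninitialized-buffer disclosure in fs/jbd, but that should be stated, not left to the reader — TODO confirm against the CVE text. Suggest a one-line Description plus a reference to the upstream changeset, since the inline diff names only `tytso` as its origin. The `kernel-source-2.4.18` paths in the diff header also indicate the patch was taken from a Debian source tree rather than upstream, which is worth noting for anyone re-applying it.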
diff --git a/active/retired/CVE-2004-0178 b/active/retired/CVE-2004-0178
new file mode 100644
index 00000000..3594c976
--- /dev/null
+++ b/active/retired/CVE-2004-0178
@@ -0,0 +1,40 @@
+Candidate: CVE-2004-0178
+References:
+ http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846
+ http://www.debian.org/security/2004/dsa-479
+ http://www.debian.org/security/2004/dsa-480
+ http://www.debian.org/security/2004/dsa-481
+ http://www.debian.org/security/2004/dsa-482
+ http://www.debian.org/security/2004/dsa-489
+ http://www.debian.org/security/2004/dsa-491
+ http://www.debian.org/security/2004/dsa-495
+ http://security.gentoo.org/glsa/glsa-200407-02.xml
+ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029
+ http://www.redhat.com/support/errata/RHSA-2004-413.html
+ http://www.redhat.com/support/errata/RHSA-2004-437.html
+ ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
+ http://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFA
+ http://www.ciac.org/ciac/bulletins/o-121.shtml
+ http://www.ciac.org/ciac/bulletins/o-127.shtml
+ http://www.ciac.org/ciac/bulletins/o-193.shtml
+ http://www.securityfocus.com/bid/9985
+ http://xforce.iss.net/xforce/xfdb/15868
+Description:
+ The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x
+ before 2.4.26, when operating in 16 bit mode, does not properly
+ handle certain sample sizes, which allows local users to cause a
+ denial of service (crash) via a sample with an odd number of bytes.
+Notes:
+ jmm> I've verified that above patch is included in 2.6.8
+Bugs:
+upstream: released (2.4.26-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody2)
+2.4.18-woody-security: released (2.4.18-14.3)
+2.4.17-woody-security: released (2.4.17-1woody3)
+2.4.16-woody-security: released (2.4.16-1woody2)
+2.4.17-woody-security-hppa: released (32.4, 62.3)
+2.4.17-woody-security-ia64: released (011226.17)
+2.4.18-woody-security-hppa: released (62.3)
diff --git a/active/retired/CVE-2004-0181 b/active/retired/CVE-2004-0181
new file mode 100644
index 00000000..0d56ff39
--- /dev/null
+++ b/active/retired/CVE-2004-0181
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-0181
+References:
+ http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html
+ http://security.gentoo.org/glsa/glsa-200407-02.xml
+ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029
+ http://marc.theaimsgroup.com/?l=bugtraq&m=108213675028441&w=2
+ http://www.turbolinux.com/security/2004/TLSA-2004-14.txt
+ http://www.securityfocus.com/bid/10143
+ http://xforce.iss.net/xforce/xfdb/15902
+Description:
+ The JFS file system code in Linux 2.4.x has an information leak in which
+ in-memory data is written to the device for the JFS file system, which allows
+ local users to obtain sensitive information by reading the raw device.
+Notes:
+ jmm> JFS was merged into the 2.4 kernel in 2.4.20-pre4 and into 2.6 at 2.6.5-rc2,
+ jmm> so I'm marking all versions N/A
+Bugs:
+upstream: released (2.4.26-pre5), released (2.6.5-rc2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0228 b/active/retired/CVE-2004-0228
new file mode 100644
index 00000000..4b6758bb
--- /dev/null
+++ b/active/retired/CVE-2004-0228
@@ -0,0 +1,33 @@
+Candidate: CVE-2004-0228
+References:
+ http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852
+ http://www.redhat.com/archives/fedora-announce-list/2004-April/msg00010.html
+ http://security.gentoo.org/glsa/glsa-200407-02.xml
+ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:050
+ http://www.novell.com/linux/security/advisories/2004_10_kernel.html
+ http://secunia.com/advisories/11429
+ http://secunia.com/advisories/11464
+ http://secunia.com/advisories/11486
+ http://secunia.com/advisories/11491
+ http://secunia.com/advisories/11683
+ http://xforce.iss.net/xforce/xfdb/15951
+Description:
+ Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in
+ Linux kernel 2.6 allows local users to gain privileges.
+Notes:
+ jmm> 2.4 does not have cpufreq
+ jmm> In 2.6 the affected code has changed to drivers/cpufreq/cpufreq_userspace.c
+ jmm> I've verified that the isolated patch from
+ jmm> http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0228.patch
+ jmm> is included in 2.6.8
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
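Review bot: The `upstream:` line is empty even though the Notes state the fix is present in 2.6.8 and the description names Linux 2.6, so the N/A markings are not traceable to an upstream release. The first release containing the cpufreq_procctl fix should be recorded; if only inclusion in 2.6.8 was verified, say so explicitly, e.g. `upstream: released (2.6.8)` with a note that the exact introducing release was not identified.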
diff --git a/active/retired/CVE-2004-0229 b/active/retired/CVE-2004-0229
new file mode 100644
index 00000000..08ee5079
--- /dev/null
+++ b/active/retired/CVE-2004-0229
@@ -0,0 +1,16 @@
+Candidate: CVE-2004-0229
+References:
+Description:
+Notes:
+ jmm> 2.4 is not affected by this problem.
+Bugs:
+upstream: released (2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0394 b/active/retired/CVE-2004-0394
new file mode 100644
index 00000000..438a4600
--- /dev/null
+++ b/active/retired/CVE-2004-0394
@@ -0,0 +1,39 @@
+Candidate: CVE-2004-0394
+References:
+ CONECTIVA:CLA-2004:846
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846
+ GENTOO:GLSA-200407-02
+ URL:http://security.gentoo.org/glsa/glsa-200407-02.xml
+ MANDRAKE:MDKSA-2004:037
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:037
+ MLIST:[fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel)
+ URL:http://lwn.net/Articles/81773/
+ ENGARDE:ESA-20040428-004
+ URL:http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html
+ SGI:20040504-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc
+ SGI:20040505-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040505-01-U.asc
+ SUSE:SuSE-SA:2004:010
+ URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html
+ XF:linux-panic-bo(15953)
+ URL:http://xforce.iss.net/xforce/xfdb/15953
+Description:
+ A "potential" buffer overflow exists in the panic() function in Linux 2.4.x,
+ although it may not be exploitable due to the functionality of panic.
+Notes:
+ jmm> I've verified 2.6.8 to contain the correct vsnprintf() call
+ jmm> For 2.4 it's fixed in 2.4.32, but unfixed in 2.4.27. I'm marking it
+ jmm> needed, although I guess it's not exploitable
+Bugs:
+upstream: released (2.4.28-pre1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-1)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0415 b/active/retired/CVE-2004-0415
new file mode 100644
index 00000000..89c5fdc0
--- /dev/null
+++ b/active/retired/CVE-2004-0415
@@ -0,0 +1,42 @@
+Candidate: CVE-2004-0415
+References:
+ CONECTIVA:CLA-2004:879
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000879
+ GENTOO:GLSA-200408-24
+ URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
+ MANDRAKE:MDKSA-2004:087
+ URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:087
+ REDHAT:RHSA-2004:413
+ URL:http://www.redhat.com/support/errata/RHSA-2004-413.html
+ REDHAT:RHSA-2004:418
+ URL:http://www.redhat.com/support/errata/RHSA-2004-418.html
+ SGI:20040804-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
+ XF:linux-pointer-info-disclosure(16877)
+ URL:http://xforce.iss.net/xforce/xfdb/16877
+Description:
+ Linux kernel does not properly convert 64-bit file offset pointers to 32 bits,
+ which allows local users to access portions of kernel memory.
+Notes:
+ dannf> Based on the 2.4.27 changelog, I think this is the 2.4 fix:
+ http://linux.bkbits.net:8080/linux-2.4/cset@411064f7uz3rKDb73dEb4vCqbjEIdw?nav=index.html|src/|src/drivers|src/drivers/char|related/drivers/char/i8k.c
+ and
+ http://linux.bkbits.net:8080/linux-2.4/cset@41113629fBqsXgKVAey-EzhZOkS2Lw?nav=index.html|src/|src/net|src/net/atm|related/net/atm/br2684.c
+ Which doesn't look like it ever made 2.6.
+ .
+ dannf> I've asked Al Viro & Marcelo for more info
+ dannf> Marcelo says:
+ 2.6 avoids the file offset race by having a copy of it at the high
+ level VFS functions, its safe.
+Bugs:
+upstream: released (2.4.27-rc5)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0427 b/active/retired/CVE-2004-0427
new file mode 100644
index 00000000..048cc7e6
--- /dev/null
+++ b/active/retired/CVE-2004-0427
@@ -0,0 +1,70 @@
+Candidate: CVE-2004-0427
+References:
+ MLIST:[linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leak
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108139073506983&w=2
+ CONECTIVA:CLA-2004:846
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846
+ ENGARDE:ESA-20040428-004
+ FEDORA:FEDORA-2004-111
+ URL:http://fedoranews.org/updates/FEDORA-2004-111.shtml
+ GENTOO:GLSA-200407-02
+ URL:http://security.gentoo.org/glsa/glsa-200407-02.xml
+ MANDRAKE:MDKSA-2004:037
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:037
+ REDHAT:RHSA-2004:255
+ URL:http://www.redhat.com/support/errata/RHSA-2004-255.html
+ REDHAT:RHSA-2004:260
+ URL:http://www.redhat.com/support/errata/RHSA-2004-260.html
+ REDHAT:RHSA-2004:327
+ URL:http://www.redhat.com/support/errata/RHSA-2004-327.html
+ SGI:20040504-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc
+ SGI:20040505-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040505-01-U.asc
+ SUSE:SuSE-SA:2004:010
+ URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html
+ TURBO:TLSA-2004-14
+ URL:http://www.turbolinux.com/security/2004/TLSA-2004-14.txt
+ MISC:http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHA
+ MISC:http://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726A
+ CIAC:O-164
+ URL:http://www.ciac.org/ciac/bulletins/o-164.shtml
+ BID:10221
+ URL:http://www.securityfocus.com/bid/10221
+ SECUNIA:11429
+ URL:http://secunia.com/advisories/11429
+ SECUNIA:11464
+ URL:http://secunia.com/advisories/11464
+ SECUNIA:11486
+ URL:http://secunia.com/advisories/11486
+ SECUNIA:11541
+ URL:http://secunia.com/advisories/11541
+ SECUNIA:11861
+ URL:http://secunia.com/advisories/11861
+ SECUNIA:11891
+ URL:http://secunia.com/advisories/11891
+ SECUNIA:11892
+ URL:http://secunia.com/advisories/11892
+ OVAL:OVAL2819
+ URL:http://oval.mitre.org/oval/definitions/data/oval2819.html
+ XF:linux-dofork-memory-leak(16002)
+ URL:http://xforce.iss.net/xforce/xfdb/16002
+Description:
+ The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6,
+ does not properly decrement the mm_count counter when an error occurs after
+ the mm_struct for a child process has been activated, which triggers a memory
+ leak that allows local users to cause a denial of service (memory exhaustion)
+ via the clone (CLONE_VM) system call.
+Notes:
+Bugs:
+upstream: released (2.4.26, 2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0447 b/active/retired/CVE-2004-0447
new file mode 100644
index 00000000..b3c51eef
--- /dev/null
+++ b/active/retired/CVE-2004-0447
@@ -0,0 +1,37 @@
+Candidate: CVE-2004-0447
+References:
+ MLIST:[owl-users] 20040619 Linux 2.4.26-ow2
+ URL:http://archives.neohapsis.com/archives/linux/owl/2004-q2/0038.html
+ GENTOO:GLSA-200407-16
+ URL:http://security.gentoo.org/glsa/glsa-200407-16.xml
+ REDHAT:RHSA-2004:413
+ URL:http://www.redhat.com/support/errata/RHSA-2004-413.html
+ SGI:20040804-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
+ CIAC:O-193
+ URL:http://www.ciac.org/ciac/bulletins/o-193.shtml
+ BID:10783
+ URL:http://www.securityfocus.com/bid/10783
+ XF:linux-ia64-dos(16661)
+ URL:http://xforce.iss.net/xforce/xfdb/16661
+Description:
+ Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to
+ cause a denial of service, with unknown impact. NOTE: due to a typo, this
+ issue was accidentally assigned CVE-2004-0477. This is the proper candidate to
+ use for the Linux local DoS.
+Notes:
+ jmm> I've verified that the patch from David Mosberger available at
+ jmm> http://marc.theaimsgroup.com/?l=linux-ia64&m=108026377907667&w=2
+ jmm> is included in stock 2.4.27 and 2.6.8, so it's N/A.
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0491 b/active/retired/CVE-2004-0491
new file mode 100644
index 00000000..245dac3b
--- /dev/null
+++ b/active/retired/CVE-2004-0491
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-0491
+References:
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126411
+ MLIST:[linux-kernel] 20040402 Re: disable-cap-mlock
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108087017610947&w=2
+ OVAL:OVAL1117
+ URL:http://oval.mitre.org/oval/definitions/data/oval1117.html
+Description:
+ The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly
+ maintain the mlock page count when one process unlocks pages that belong to
+ another process, which allows local users to mlock more memory than specified
+ by the rlimit.
+Notes:
+ dannf> It doesn't look like the code in linux-2.4.21-mlock.patch was ever
+ dannf> accepted upstream in 2.4 or 2.6, so it doesn't apply to us.
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0495 b/active/retired/CVE-2004-0495
new file mode 100644
index 00000000..d0aed8aa
--- /dev/null
+++ b/active/retired/CVE-2004-0495
@@ -0,0 +1,48 @@
+Candidate: CVE-2004-0495
+References:
+ CONECTIVA:CLA-2004:845
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845
+ CONECTIVA:CLA-2004:846
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846
+ FEDORA:FEDORA-2004-186
+ URL:http://lwn.net/Articles/91155/
+ GENTOO:GLSA-200407-02
+ URL:http://security.gentoo.org/glsa/glsa-200407-02.xml
+ MANDRAKE:MDKSA-2004:066
+ URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066
+ REDHAT:RHSA-2004:255
+ URL:http://www.redhat.com/support/errata/RHSA-2004-255.html
+ REDHAT:RHSA-2004:260
+ URL:http://www.redhat.com/support/errata/RHSA-2004-260.html
+ SUSE:SUSE-SA:2004:020
+ URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html
+ OVAL:OVAL2961
+ URL:http://oval.mitre.org/oval/definitions/data/oval2961.html
+ XF:linux-drivers-gain-privileges(16449)
+ URL:http://xforce.iss.net/xforce/xfdb/16449
+ BID:10566
+ URL:http://www.securityfocus.com/bid/10566
+Description:
+ Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users
+ to gain privileges or access kernel memory, as found by the Sparse source code
+ checking tool.
+Notes:
+ dannf> 2.4 patches:
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d972a19cY-Al1qQickpmg8z_gxmg?nav=index.html|src/|src/net|src/net/decnet|related/net/decnet/dn_dev.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d97303iUWCFF5wizAKNT5CC5ctJg?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/mpu401.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d973835aLERLaEv4dP6Hjw31Nn5A?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/msnd.h
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d973d9FCCgP1ZDVGknBTDKgDXw6w?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/pss.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d9743al24lCKKm8wbRs-S_2CgWTA?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wireless|related/drivers/net/wireless/airo.c
+ http://linux.bkbits.net:8080/linux-2.4/cset@40d975a2Ttlhd2amhkcgbfzndDMUZA?nav=index.html|src/|src/drivers|src/drivers/acpi|related/drivers/acpi/asus_acpi.c
+Bugs:
+upstream: released (2.4.27-rc2, 2.6.7)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0496 b/active/retired/CVE-2004-0496
new file mode 100644
index 00000000..762a0bb0
--- /dev/null
+++ b/active/retired/CVE-2004-0496
@@ -0,0 +1,26 @@
+Candidate: CVE-2004-0496
+References:
+ http://www.novell.com/linux/security/advisories/2004_20_kernel.html
+ http://xforce.iss.net/xforce/xfdb/16625
+Description:
+ Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain
+ privileges or access kernel memory, a different set of vulnerabilities than
+ those identified in CVE-2004-0495, as found by the Sparse source code checking
+ tool.
+Notes:
+ dannf> I wasn't able to find the patches for this, but the description and
+ dannf> vendor advisories only note 2.6, so I'm assuming these are 2.6-only.
+ dannf> The description says this affects < 2.6.7. 2.6.7 contains a bunch
+ dannf> of sparse fixes in the changelog, so I'll label upstream
+ dannf> as fixed in 2.6.7.
+Bugs:
+upstream: released (2.6.7)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0497 b/active/retired/CVE-2004-0497
new file mode 100644
index 00000000..2addb710
--- /dev/null
+++ b/active/retired/CVE-2004-0497
@@ -0,0 +1,33 @@
+Candidate: CVE-2004-0497
+References:
+ CONECTIVA:CLA-2004:852
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852
+ MANDRAKE:MDKSA-2004:066
+ URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066
+ REDHAT:RHSA-2004:354
+ URL:http://www.redhat.com/support/errata/RHSA-2004-354.html
+ REDHAT:RHSA-2004:360
+ URL:http://www.redhat.com/support/errata/RHSA-2004-360.html
+ SUSE:SUSE-SA:2004:020
+ URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html
+ XF:linux-fchown-groupid-modify(16599)
+ URL:http://xforce.iss.net/xforce/xfdb/16599
+Description:
+ Unknown vulnerability in Linux kernel 2.x may allow local users to modify the
+ group ID of files, such as NFS exported files in kernel 2.4.
+Notes:
+ Changelog shows fixed in 2.4.26-3
+ 2.6 patch:
+ http://linux.bkbits.net:8080/linux-2.6/cset@40e62e18vom8K1fHgbJfe1oQ6mdkkQ?nav=index.html|src/|src/fs|related/fs/attr.c
+Bugs:
+upstream: released (2.4.27, 2.6.8)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0535 b/active/retired/CVE-2004-0535
new file mode 100644
index 00000000..63948c79
--- /dev/null
+++ b/active/retired/CVE-2004-0535
@@ -0,0 +1,44 @@
+Candidate: CVE-2004-0535
+References:
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.log
+ CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168
+ CONECTIVA:CLA-2004:845
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845
+ FEDORA:FEDORA-2004-186
+ URL:http://lwn.net/Articles/91155/
+ GENTOO:GLSA-200407-02
+ URL:http://security.gentoo.org/glsa/glsa-200407-02.xml
+ MANDRAKE:MDKSA-2004:062
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:062
+ REDHAT:RHSA-2004:413
+ URL:http://www.redhat.com/support/errata/RHSA-2004-413.html
+ REDHAT:RHSA-2004:418
+ URL:http://www.redhat.com/support/errata/RHSA-2004-418.html
+ SGI:20040804-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
+ SUSE:SUSE-SA:2004:020
+ URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html
+ XF:linux-e1000-bo(16159)
+ URL:http://xforce.iss.net/xforce/xfdb/16159
+ BID:10352
+ URL:http://www.securityfocus.com/bid/10352
+Description:
+ The e1000 driver for Linux kernel 2.4.26 and earlier does not properly
+ initialize memory before using it, which allows local users to read portions
+ of kernel memory. NOTE: this issue was originally incorrectly reported as a
+ "buffer overflow" by some sources.
+Notes:
+ Patch:
+ http://linux.bkbits.net:8080/linux-2.6/cset@4084025a6AP3ORKQ7iaTFCmOGvTJXw?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/e1000|related/drivers/net/e1000/e1000_ethtool.c
+Bugs:
+upstream: released (2.4.27, 2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: needed
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0554 b/active/retired/CVE-2004-0554
new file mode 100644
index 00000000..6e11727f
--- /dev/null
+++ b/active/retired/CVE-2004-0554
@@ -0,0 +1,54 @@
+Candidate: CVE-2004-0554
+References:
+ MISC:http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905
+ MISC:http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html
+ MLIST:[linux-kernel] 20040609 timer + fpu stuff locks my console race
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108681568931323&w=2
+ CONECTIVA:CLA-2004:845
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845
+ ENGARDE:ESA-20040621-005
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108793699910896&w=2
+ FEDORA:FEDORA-2004-186
+ URL:http://lwn.net/Articles/91155/
+ GENTOO:GLSA-200407-02
+ URL:http://security.gentoo.org/glsa/glsa-200407-02.xml
+ MANDRAKE:MDKSA-2004:062
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:062
+ REDHAT:RHSA-2004:255
+ URL:http://www.redhat.com/support/errata/RHSA-2004-255.html
+ REDHAT:RHSA-2004:260
+ URL:http://www.redhat.com/support/errata/RHSA-2004-260.html
+ SUSE:SuSE-SA:2004:017
+ URL:http://www.novell.com/linux/security/advisories/2004_17_kernel.html
+ TRUSTIX:2004-0034
+ URL:http://www.trustix.net/errata/2004/0034/
+ BUGTRAQ:20040620 TSSA-2004-011 - kernel
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108786114032681&w=2
+ CERT-VN:VU#973654
+ URL:http://www.kb.cert.org/vuls/id/973654
+ OVAL:OVAL2915
+ URL:http://oval.mitre.org/oval/definitions/data/oval2915.html
+ XF:linux-dos(16412)
+ URL:http://xforce.iss.net/xforce/xfdb/16412
+ BID:10566
+ URL:http://www.securityfocus.com/bid/10566
+Description:
+ Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of
+ service (system crash), possibly via an infinite loop that triggers a signal
+ handler with a certain sequence of fsave and frstor instructions, as
+ originally demonstrated using a "crash.c" program.
+Notes:
+ jmm> I don't know at which version this was merged, but I've verified that
+ jmm> the stock 2.4.27 and 2.6.8 contain the fix
+Bugs: 261521
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0565 b/active/retired/CVE-2004-0565
new file mode 100644
index 00000000..a49abb1f
--- /dev/null
+++ b/active/retired/CVE-2004-0565
@@ -0,0 +1,30 @@
+Candidate: CVE-2004-0565
+References:
+ MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734
+ MLIST:[owl-users] 20040619 Linux 2.4.26-ow2
+ URL:http://archives.neohapsis.com/archives/linux/owl/2004-q2/0038.html
+ MANDRAKE:MDKSA-2004:066
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:066
+ XF:linux-ia64-info-disclosure(16644)
+ URL:http://xforce.iss.net/xforce/xfdb/16644
+Description:
+ Floating point information leak in the context switch code for Linux 2.4.x
+ only checks the MFH bit but does not verify the FPH owner, which allows local
+ users to read register values of other processes by setting the MFH bit.
+Notes:
+ jmm> I've verified that the check for FPH ownership is included in stock 2.6.8:
+ jmm> # define switch_to(prev,next,last) do { \
+ jmm> if (ia64_psr(ia64_task_regs(prev))->mfh && ia64_is_local_fpu_owner(prev)) {
+ jmm> So it's N/A, but I don't know at which time it was fixed upstream
+Bugs:
+upstream: released (2.4.27)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0587 b/active/retired/CVE-2004-0587
new file mode 100644
index 00000000..72028b0d
--- /dev/null
+++ b/active/retired/CVE-2004-0587
@@ -0,0 +1,41 @@
+Candidate: CVE-2004-0587
+References:
+ FEDORA:FEDORA-2004-186
+ URL:http://lwn.net/Articles/91155/
+ MANDRAKE:MDKSA-2004:066
+ URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066
+ REDHAT:RHSA-2004:413
+ URL:http://www.redhat.com/support/errata/RHSA-2004-413.html
+ REDHAT:RHSA-2004:418
+ URL:http://www.redhat.com/support/errata/RHSA-2004-418.html
+ SGI:20040804-01-U
+ URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc
+ SUSE:SuSE-SA:2004:010
+ URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html
+ BID:10279
+ URL:http://www.securityfocus.com/bid/10279
+ SECTRACK:1010057
+ URL:http://securitytracker.com/id?1010057
+ XF:suse-hbaapinode-dos(16062)
+ URL:http://xforce.iss.net/xforce/xfdb/16062
+Description:
+ Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux
+ allows local users to cause a denial of service.
+Notes:
+ 2.4.26-3 has the note:
+ CVE-2004-0587 code is not present, not vulnerable
+ So the question is, did the code get added when we moved to 2.4.27, and
+ was it still vulnerable?
+ dannf> Nope; qla2xxx isn't in 2.4.27
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: needed
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0596 b/active/retired/CVE-2004-0596
new file mode 100644
index 00000000..1ab8f835
--- /dev/null
+++ b/active/retired/CVE-2004-0596
@@ -0,0 +1,24 @@
+Candidate: CVE-2004-0596
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg
+ XF:linux-eql-dos(16694)
+ URL:http://xforce.iss.net/xforce/xfdb/16694
+ BID:10730
+ URL:http://www.securityfocus.com/bid/10730
+Description:
+ The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux
+ kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a
+ non-existent device name that triggers a null dereference.
+Notes:
+Bugs:
+upstream: released (2.4.27-rc2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0619 b/active/retired/CVE-2004-0619
new file mode 100644
index 00000000..1cb869e3
--- /dev/null
+++ b/active/retired/CVE-2004-0619
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-0619
+References:
+ http://marc.theaimsgroup.com/?l=bugtraq&m=108802653409053&w=2
+ http://www.redhat.com/support/errata/RHSA-2004-549.html
+ http://www.redhat.com/support/errata/RHSA-2005-283.html
+ http://www.ciac.org/ciac/bulletins/p-047.shtml
+ http://www.securityfocus.com/bid/10599
+ http://secunia.com/advisories/11936
+ http://xforce.iss.net/xforce/xfdb/16459
+Description:
+ Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820
+ cryptonet driver allows local users to cause a denial of service (crash)
+ and possibly execute arbitrary code via a negative add_dsa_buf_bytes
+ variable, which leads to a buffer overflow.
+Notes:
+ jmm> I've checked 2.6.8, 2.4.27 and 2.6.14, this is not included in the
+ jmm> stock kernel, only in Red Hat's. I'm marking Woody N/A as well.
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0626 b/active/retired/CVE-2004-0626
new file mode 100644
index 00000000..8f50960d
--- /dev/null
+++ b/active/retired/CVE-2004-0626
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-0626
+References:
+ http://marc.theaimsgroup.com/?l=bugtraq&m=108861141304495&w=2
+ http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852
+ http://lwn.net/Articles/91964/
+ http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml
+ http://www.novell.com/linux/security/advisories/2004_20_kernel.html
+ http://xforce.iss.net/xforce/xfdb/16554
+Description:
+ The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6,
+ when using iptables and TCP options rules, allows remote attackers to cause a
+ denial of service (CPU consumption by infinite loop) via a large option length
+ that produces a negative integer after a casting operation to the char type.
+Notes:
+ jmm> The bug was introduced during a rewrite of the code that accesses the skb's
+ jmm> during earlier 2.6 kernels. 2.4 has the correct u_int8_t declaration.
+Bugs:
+upstream: released (2.6.8)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-0685 b/active/retired/CVE-2004-0685
new file mode 100644
index 00000000..131c021d
--- /dev/null
+++ b/active/retired/CVE-2004-0685
@@ -0,0 +1,36 @@
+Candidate: CVE-2004-0685
+References:
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ GENTOO:GLSA-200408-24
+ URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
+ TRUSTIX:2004-0041
+ URL:http://www.trustix.net/errata/2004/0041/
+ CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921
+ CERT-VN:VU#981134
+ URL:http://www.kb.cert.org/vuls/id/981134
+ BID:10892
+ URL:http://www.securityfocus.com/bid/10892
+ XF:linux-usb-gain-privileges(16931)
+ URL:http://xforce.iss.net/xforce/xfdb/16931
+ MISC:http://www.securityspace.com/smysecure/catid.html?id=14580
+Description:
+ Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on
+ uninitialized structures, which could allow local users to obtain sensitive
+ information by reading memory that was not cleared from previous usage.
+Notes:
+ jmm> This was commited into the 2.5/2.6 version before in this changeset:
+ jmm> http://linux.bkbits.net:8080/linux-2.6/cset@3f986b35LyBKc-OxB8G6k22oOjgYTQ
+ jmm> So I'm marking all 2.6 versions N/A
+Bugs:
+upstream: released (2.4.27)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0790 b/active/retired/CVE-2004-0790
new file mode 100644
index 00000000..765295f8
--- /dev/null
+++ b/active/retired/CVE-2004-0790
@@ -0,0 +1,44 @@
+Candidate: CVE-2004-0790
+References:
+ MISC:http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt
+ MISC:http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en
+ MISC:http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
+ HP:HPSBTU01210
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2
+ HP:SSRT4743
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2
+ HP:SSRT4884
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2
+ MS:MS05-019
+ URL:http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx
+ SUNALERT:57746
+ URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-57746-1
+ OVAL:OVAL3458
+ URL:http://oval.mitre.org/oval/definitions/data/oval3458.html
+ OVAL:OVAL1910
+ URL:http://oval.mitre.org/oval/definitions/data/oval1910.html
+ OVAL:OVAL4804
+ URL:http://oval.mitre.org/oval/definitions/data/oval4804.html
+Description:
+ Multiple TCP/IP and ICMP implementations allow remote attackers to cause a
+ denial of service (reset TCP connections) via spoofed ICMP error messages, aka
+ the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and
+ CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065,
+ CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that
+ are SPLIT based on the underlying vulnerability. While CVE normally SPLITs
+ based on vulnerability, the attack-based identifiers exist due to the variety
+ and number of affected implementations and solutions that address the attacks
+ instead of the underlying vulnerabilities.
+Notes:
+Bugs: 305655 305664
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-16) [net-ipv4-icmp-quench.dpatch]
+2.4.27-sarge-security: released (2.4.27-10) [164_net-ipv4-icmp-quench.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0812 b/active/retired/CVE-2004-0812
new file mode 100644
index 00000000..f6fba4ae
--- /dev/null
+++ b/active/retired/CVE-2004-0812
@@ -0,0 +1,36 @@
+Candidate: CVE-2004-0812
+References:
+ REDHAT:RHSA-2004:549
+ URL:http://www.redhat.com/support/errata/RHSA-2004-549.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@3fad673ber4GuU7iWppydzNIyLntEQ
+ CIAC:P-047
+ URL:http://www.ciac.org/ciac/bulletins/p-047.shtml
+ BID:11794
+ URL:http://www.securityfocus.com/bid/11794
+ SECUNIA:13359
+ URL:http://secunia.com/advisories/13359
+ XF:linux-tss-gain-privilege(18346)
+ URL:http://xforce.iss.net/xforce/xfdb/18346
+Description:
+ Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and
+ Intel EM64T architectures, associated with "setting up TSS limits," allows
+ local users to cause a denial of service (crash) and possibly execute
+ arbitrary code.
+Notes:
+ jmm> I've verified that above bkbits fixed is included in 2.6.8, so I'm
+ jmm> marking 2.6 N/A
+ jmm> The vulnerable code doesn't seem to be present in 2.4.27. Plus, 2.4
+ jmm> is unsupported for amd64 anyway, so I'm marking it N/A as well for
+ jmm> the 2.4 kernels
+Bugs:
+upstream: released (2.6.0-test10)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0814 b/active/retired/CVE-2004-0814
new file mode 100644
index 00000000..6623e502
--- /dev/null
+++ b/active/retired/CVE-2004-0814
@@ -0,0 +1,38 @@
+Candidate: CVE-2004-0814
+References:
+ BUGTRAQ:20041020 CVE-2004-0814: Linux terminal layer races
+ URL:http://www.securityfocus.com/archive/1/379005
+ CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672
+ CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133110
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ BID:11491
+ URL:http://www.securityfocus.com/bid/11491
+ BID:11492
+ URL:http://www.securityfocus.com/bid/11492
+ XF:linux-tiocsetd-race-condition(17816)
+ URL:http://xforce.iss.net/xforce/xfdb/17816
+Description:
+ Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x
+ before 2.6.9, allow (1) local users to obtain portions of kernel data via a
+ TIOCSETD ioctl call to a terminal interface that is being accessed by another
+ thread, or (2) remote attackers to cause a denial of service (panic) by
+ switching from console to PPP line discipline, then quickly sending data that
+ is received during the switch.
+Notes:
+Bugs:
+upstream: released (2.6.9)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-8) [tty-locking-fixes.dpatch, tty-locking-fixes2.dpatch, tty-locking-fixes3.dpatch, tty-locking-fixes4.dpatch, tty-locking-fixes5.dpatch, tty-locking-fixes6.dpatch, tty-locking-fixes7.dpatch, tty-locking-fixes8.dpatch]
+2.4.27-sarge-security: released (2.4.27-7) [093_tty_lockup.diff, 093_tty_lockup-2.diff, 115_tty_lockup-3.diff, 093-tty_lockup-3.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0816 b/active/retired/CVE-2004-0816
new file mode 100644
index 00000000..db95f003
--- /dev/null
+++ b/active/retired/CVE-2004-0816
@@ -0,0 +1,35 @@
+Candidate: CVE-2004-0816
+References:
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ SUSE:SUSE-SA:2004:037
+ URL:http://www.novell.com/linux/security/advisories/2004_37_kernel.html
+ BID:11488
+ URL:http://www.securityfocus.com/bid/11488
+ SECUNIA:11202
+ URL:http://secunia.com/advisories/11202/
+ XF:linux-ip-packet-dos(17800)
+ URL:http://xforce.iss.net/xforce/xfdb/17800
+Description:
+ Integer underflow in the firewall logging rules for iptables in Linux before
+ 2.6.8 allows remote attackers to cause a denial of service (application crash)
+ via a malformed IP packet.
+Notes:
+ jmm> Quoting from http://groups.google.com/group/nz.comp/msg/71ec927b491f247d:
+ jmm> The bug, discovered by Richard Hart, does not affect the 2.4 series kernel
+ jmm> Quoting from http://www.novell.com/linux/security/advisories/2004_37_kernel.html:
+ jmm> This problem has already been fixed in the 2.6.8 upstream Linux kernel,
+ jmm> this update contains a backport of the fix.
+ jmm> So I'm marking all kernels N/A
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-0883 b/active/retired/CVE-2004-0883
new file mode 100644
index 00000000..fc843e97
--- /dev/null
+++ b/active/retired/CVE-2004-0883
@@ -0,0 +1,48 @@
+Candidate: CVE-2004-0883
+References:
+ BUGTRAQ:20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110072140811965&w=2
+ MISC:http://security.e-matters.de/advisories/142004.html
+ BUGTRAQ:20041118 [USN-30-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110082989725345&w=2
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:537
+ URL:http://www.redhat.com/support/errata/RHSA-2004-537.html
+ CERT-VN:VU#726198
+ URL:http://www.kb.cert.org/vuls/id/726198
+ SECUNIA:13232
+ URL:http://secunia.com/advisories/13232/
+ BID:11695
+ URL:http://www.securityfocus.com/bid/11695
+ XF:linux-smbprocreadxdata-dos(18135)
+ URL:http://xforce.iss.net/xforce/xfdb/18135
+ XF:linux-smb-response-dos(18134)
+ URL:http://xforce.iss.net/xforce/xfdb/18134
+ XF:linux-smbreceivetrans2-dos(18136)
+ URL:http://xforce.iss.net/xforce/xfdb/18136
+Description:
+ Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4
+ and 2.6 allow remote samba servers to cause a denial of service (crash) or
+ gain sensitive information from kernel memory via a samba server (1) returning
+ more data than requested to the smb_proc_read function, (2) returning a data
+ offset from outside the samba packet to the smb_proc_readX function, (3)
+ sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function,
+ (4) sending a samba packet with a certain header size to the
+ smb_proc_readX_data function, or (5) sending a certain packet based offset for
+ the data in a packet to the smb_receive_trans2 function.
+Notes:
+Bugs:
+upstream: released (2.4.28-rc3), released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-9) [smbfs-overflow-fixes-2.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [111-smb-client-overflow-fix-1.diff, 111-smb-client-overflow-fix-2.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-0887 b/active/retired/CVE-2004-0887
new file mode 100644
index 00000000..a9b4ef2e
--- /dev/null
+++ b/active/retired/CVE-2004-0887
@@ -0,0 +1,23 @@
+Candidate: CVE-2004-0887
+References:
+ http://www.novell.com/linux/security/advisories/2004_37_kernel.html
+ http://www.securityfocus.com/bid/11489
+ http://xforce.iss.net/xforce/xfdb/17801
+Description:
+ SUSE Linux Enterprise Server 9 on the S/390 platform does not properly
+ handle a certain privileged instruction, which allows local users to
+ gain root privileges.
+Notes:
+ dannf> 2.4 looks vulnerable; I've asked waldi's advice on applying it.
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-10) [s390-sacf-fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [206_s390-sacf-fix.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-0949 b/active/retired/CVE-2004-0949
new file mode 100644
index 00000000..8c716e2d
--- /dev/null
+++ b/active/retired/CVE-2004-0949
@@ -0,0 +1,40 @@
+Candidate: CVE-2004-0949
+References:
+ BUGTRAQ:20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110072140811965&w=2
+ MISC:http://security.e-matters.de/advisories/142004.html
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:537
+ URL:http://www.redhat.com/support/errata/RHSA-2004-537.html
+ TRUSTIX:2004-0061
+ URL:http://www.trustix.org/errata/2004/0061/
+ UBUNTU:USN-30-1
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110082989725345&w=2
+ XF:linux-smbrecvtrans2-memory-leak(18137)
+ URL:http://xforce.iss.net/xforce/xfdb/18137
+ BID:11695
+ URL:http://www.securityfocus.com/bid/11695
+ SECUNIA:13232
+ URL:http://secunia.com/advisories/13232/
+Description:
+ The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux
+ kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented
+ packets correctly, which could allow remote samba servers to (1) read
+ arbitrary kernel information or (2) raise a counter value to an arbitrary
+ number by sending the first part of the fragmented packet multiple times.
+Notes:
+Bugs:
+upstream: released (2.4.28-rc3), released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-13) [smbfs-overrun.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [111-smb-client-overflow-fix-1.diff, 111-smb-client-overflow-fix-2.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1016 b/active/retired/CVE-2004-1016
new file mode 100644
index 00000000..191860c5
--- /dev/null
+++ b/active/retired/CVE-2004-1016
@@ -0,0 +1,36 @@
+Candidate: CVE-2004-1016
+References:
+ VULNWATCH:20041214 Linux kernel scm_send local DoS
+ MISC:http://isec.pl/vulnerabilities/isec-0019-scm.txt
+ UBUNTU:USN-38-1
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:689
+ URL:http://www.redhat.com/support/errata/RHSA-2004-689.html
+ XF:linux-scmsend-dos(18483)
+ URL:http://xforce.iss.net/xforce/xfdb/18483
+Description:
+ The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28,
+ and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system
+ hang) via crafted auxiliary messages that are passed to the sendmsg function,
+ which causes a deadlock condition.
+Notes:
+ dannf> 2.4.27 has a reference to CVE-2004-1016 in the changelog, but it looks
+ like it referred to the wrong issue - our 2.4.27 may still be
+ vulnerable.
+ dannf> on second review, those patches look correct
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [scm_send-dos-fix.dpatch, scm_send-dos-fix2.dpatch]
+2.4.27-sarge-security: released (2.4.27-7) [116-cmsg-validation-checks.patch, 118-cmsg-validation-checks-compat.patch]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1017 b/active/retired/CVE-2004-1017
new file mode 100644
index 00000000..20d4709b
--- /dev/null
+++ b/active/retired/CVE-2004-1017
@@ -0,0 +1,27 @@
+Candidate: CVS-2004-1017
+References:
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ REDHAT:RHSA-2004:689
+ URL:http://www.redhat.com/support/errata/RHSA-2004-689.html
+ XF:linux-ioedgeport-bo(18433)
+ URL:http://xforce.iss.net/xforce/xfdb/18433
+Description:
+ Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have
+ unknown impact and unknown attack vectors.
+Notes:
+ jmm> I've checked 2.6.14, but I didn't find the exact upstream version when
+ jmm> this was fixed
+ jmm> The fix is required for 2.6.8
+Bugs:
+upstream:
+linux-2.6: released (2.4.31-rc1, 2.6.10)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [io_edgeport_overflow.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [137_io_edgeport_overflow.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
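Review bot: The Candidate line of this record reads `Candidate: CVS-2004-1017`, which does not match the file name CVE-2004-1017 or the identifier scheme used by every other record in the set; it should be `Candidate: CVE-2004-1017`, since anything that keys on that field (cross-referencing, status reports) would otherwise miss or misfile this issue. In the same record the `upstream:` line is empty while `linux-2.6: released (2.4.31-rc1, 2.6.10)` carries upstream version numbers, including a 2.4 one, so the versions appear to sit on the wrong line; the other records in this set put release versions under `upstream:` and use `linux-2.6:` for the Debian package status. The jmm note just above says the exact upstream fix version was not found, so `upstream: released (2.4.31-rc1, 2.6.10)` is presumably what was intended, but the author should confirm before moving it.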
diff --git a/active/retired/CVE-2004-1056 b/active/retired/CVE-2004-1056
new file mode 100644
index 00000000..e768cfaa
--- /dev/null
+++ b/active/retired/CVE-2004-1056
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-1056
+References:
+ UBUNTU:USN-38-1
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ XF:linux-i810-dma-dos(15972)
+ URL:http://xforce.iss.net/xforce/xfdb/15972
+Description:
+ Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly
+ check the DMA lock, which could allow remote attackers or local users to cause
+ a denial of service (X Server crash) and possibly modify the video output.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-11) [drm-locking-fixes.dpatch]
+2.4.27-sarge-security: released (2.4.27-8) [121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-1057 b/active/retired/CVE-2004-1057
new file mode 100644
index 00000000..fab0fac1
--- /dev/null
+++ b/active/retired/CVE-2004-1057
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-1057
+References:
+ MISC:http://www.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.23aa3/00_VM_IO-4
+ REDHAT:RHSA-2005:016
+ URL:http://www.redhat.com/support/errata/RHSA-2005-016.html
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137821
+ XF:linux-kernel-vmio-dos(19275)
+ URL:http://xforce.iss.net/xforce/xfdb/19275
+Description:
+ Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark
+ memory with the VM_IO flag, which causes incorrect reference counts and may
+ lead to a denial of service (kernel panic) when accessing freed kernel pages.
+Notes:
+ dannf> I see the PageReserved() check in the 2.6 code, going back to 2.4.0
+ dannf> so I'll mark 2.6 N/A
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-10) [165_VM_IO.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-1058 b/active/retired/CVE-2004-1058
new file mode 100644
index 00000000..b5445d34
--- /dev/null
+++ b/active/retired/CVE-2004-1058
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-1058
+References:
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ GENTOO:GLSA-200408-24
+ URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ UBUNTU:USN-38-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-38-1
+ XF:linux-spawning-race-condition(17151)
+ URL:http://xforce.iss.net/xforce/xfdb/17151
+Description:
+ Race condition in Linux kernel 2.6 allows local users to read the environment
+ variables of another process that is still spawning via /proc/.../cmdline.
+Notes:
+Bugs:
+upstream: released (2.4.33-pre2)
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-14) [proc-cmdline-mmput-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [203_proc_pid_cmdline_race.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-1068 b/active/retired/CVE-2004-1068
new file mode 100644
index 00000000..55015143
--- /dev/null
+++ b/active/retired/CVE-2004-1068
@@ -0,0 +1,33 @@
+Candidate: CVE-2004-1068
+References:
+ BUGTRAQ:20041119 Addendum, recent Linux <= 2.4.27 vulnerabilities
+ URL:http://www.securityfocus.com/archive/1/381689
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:537
+ URL:http://www.redhat.com/support/errata/RHSA-2004-537.html
+ BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ BID:11715
+ URL:http://www.securityfocus.com/bid/11715
+ XF:linux-afunix-race-condition(18230)
+ URL:http://xforce.iss.net/xforce/xfdb/18230
+Description:
+ A "missing serialization" error in the unix_dgram_recvmsg function in Linux
+ 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain
+ privileges via a race condition.
+Notes:
+Bugs:
+upstream: released (2.4.27, 2.6.9)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11)
+2.4.27-sarge-security: released (2.4.27-7)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1069 b/active/retired/CVE-2004-1069
new file mode 100644
index 00000000..ea4e901e
--- /dev/null
+++ b/active/retired/CVE-2004-1069
@@ -0,0 +1,24 @@
+Candidate: CVE-2004-1069
+References:
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761
+ http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ http://xforce.iss.net/xforce/xfdb/18312
+Description:
+ Race condition in SELinux 2.6.x through 2.6.9 allows local users to
+ cause a denial of service (kernel crash) via SOCK_SEQPACKET unix
+ domain sockets, which are not properly handled in the sock_dgram_sendmsg
+ function.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-11)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
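Review bot: The last status line of this record, `2.4.18-woody-security-hppa:`, is left blank while every other 2.4 kernel in the same record is marked `N/A`, and the description scopes the issue to SELinux on 2.6.x only. A blank field in this tracker reads as "not yet assessed", so this line would keep the issue open for that one kernel indefinitely; if the 2.6-only scoping holds for it too, it should read `2.4.18-woody-security-hppa: N/A`. I am inferring the intent from the surrounding lines, so please confirm rather than take the edit blindly.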
diff --git a/active/retired/CVE-2004-1070 b/active/retired/CVE-2004-1070
new file mode 100644
index 00000000..cb13be15
--- /dev/null
+++ b/active/retired/CVE-2004-1070
@@ -0,0 +1,30 @@
+Candidate: CVE-2004-1070
+References:
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:549
+ URL:http://www.redhat.com/support/errata/RHSA-2004-549.html
+ XF:linux-elf-setuid-gain-privileges(18025)
+ URL:http://xforce.iss.net/xforce/xfdb/18025
+Description:
+ The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux
+ kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8 , does not properly check
+ return values from calls to the kernel_read function, which may allow local
+ users to modify sensitive memory in a setuid program and execute arbitrary
+ code.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1071 b/active/retired/CVE-2004-1071
new file mode 100644
index 00000000..14325cbb
--- /dev/null
+++ b/active/retired/CVE-2004-1071
@@ -0,0 +1,29 @@
+Candidate: CVE-2004-1071
+References:
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:537
+ URL:http://www.redhat.com/support/errata/RHSA-2004-537.html
+ XF:linux-elf-setuid-gain-privileges(18025)
+ URL:http://xforce.iss.net/xforce/xfdb/18025
+Description:
+ The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and
+ 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap
+ function, which causes an incorrect mapped image and may allow local users to
+ execute arbitrary code.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1072 b/active/retired/CVE-2004-1072
new file mode 100644
index 00000000..822e3a63
--- /dev/null
+++ b/active/retired/CVE-2004-1072
@@ -0,0 +1,32 @@
+Candidate: CVE-2004-1072
+References:
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:537
+ URL:http://www.redhat.com/support/errata/RHSA-2004-537.html
+ REDHAT:RHSA-2005:275
+ URL:http://www.redhat.com/support/errata/RHSA-2005-275.html
+ XF:linux-elf-setuid-gain-privileges(18025)
+ URL:http://xforce.iss.net/xforce/xfdb/18025
+Description:
+ The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and
+ 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL
+ terminated, which could cause strings longer than PATH_MAX to be used, leading
+ to buffer overflows that allow local users to cause a denial of service (hang)
+ and possibly execute arbitrary code.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1073 b/active/retired/CVE-2004-1073
new file mode 100644
index 00000000..21cc9e6c
--- /dev/null
+++ b/active/retired/CVE-2004-1073
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-1073
+References:
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2004:549
+ URL:http://www.redhat.com/support/errata/RHSA-2004-549.html
+ XF:linux-elf-setuid-gain-privileges(18025)
+ URL:http://xforce.iss.net/xforce/xfdb/18025
+Description:
+ The open_exec function in the execve functionality (exec.c) in Linux kernel
+ 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read
+ non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch]
+2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1137 b/active/retired/CVE-2004-1137
new file mode 100644
index 00000000..de8f91b6
--- /dev/null
+++ b/active/retired/CVE-2004-1137
@@ -0,0 +1,39 @@
+Candidate: CVE-2004-1137
+References:
+ VULNWATCH:20041214 Linux kernel IGMP vulnerabilities
+ BUGTRAQ:20041214 Linux kernel IGMP vulnerabilities
+ MISC:http://isec.pl/vulnerabilities/isec-0018-igmp.txt
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+ XF:linux-igmpmarksources-dos(18482)
+ URL:http://xforce.iss.net/xforce/xfdb/18482
+ XF:linux-ipmcsource-code-execution(18481)
+ URL:http://xforce.iss.net/xforce/xfdb/18481
+Description:
+ Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to
+ 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial
+ of service or execute arbitrary code via (1) the ip_mc_source function, which
+ decrements a counter to -1, or (2) the igmp_marksources function, which does
+ not properly validate IGMP message parameters and performs an out-of-bounds
+ read.
+Notes:
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [igmp-src-list-fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-7) [117-igmp-source-filter-fixes.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-1144 b/active/retired/CVE-2004-1144
new file mode 100644
index 00000000..84734f73
--- /dev/null
+++ b/active/retired/CVE-2004-1144
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-1144
+References:
+ REDHAT:RHSA-2004:689
+ URL:http://www.redhat.com/support/errata/RHSA-2004-689.html
+ SUSE:SUSE-SA:2004:046
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110376890429798&w=2
+ XF:linux-32bit-emulation-gain-privileges(18686)
+ URL:http://xforce.iss.net/xforce/xfdb/18686
+Description:
+ Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64
+ systems allows local users to gain privileges.
+Notes:
+ jmm> 2.6 is not affected, see the comment by Andi Kleen from the patch:
+ jmm> # The problem only occurs on 2.4 x86-64 kernels, 2.6 doesn't have this
+ jmm> # hole because some unrelated changes in 2.5 fixed it as a side effect.
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-9) [138_amd64_syscall_vuln.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2004-1151 b/active/retired/CVE-2004-1151
new file mode 100644
index 00000000..a5f83c36
--- /dev/null
+++ b/active/retired/CVE-2004-1151
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-1151
+References:
+ MLIST:[linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()
+ URL:http://www.ussg.iu.edu/hypermail/linux/kernel/0411.3/1467.html
+ MISC:http://linux.bkbits.net:8080/linux-2.6/cset@1.2079
+ MISC:http://linux.bkbits.net:8080/linux-2.6/gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2
+Description:
+ Multiple buffer overflows in the (1) sys32_ni_syscall and (2)
+ sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local
+ attackers to modify kernel memory and gain privileges.
+Notes:
+ <= 2.4.27 doesn't look vulnerable, and we don't have 2.4/x86_64 anyway.
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [arch-x86_64-sys32_ni-overflow.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-1234 b/active/retired/CVE-2004-1234
new file mode 100644
index 00000000..b262dcc7
--- /dev/null
+++ b/active/retired/CVE-2004-1234
@@ -0,0 +1,35 @@
+Candidate: CVE-2004-1234
+References:
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ REDHAT:RHSA-2004:689
+ URL:http://www.redhat.com/support/errata/RHSA-2004-689.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ
+ CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965
+ BID:12101
+ URL:http://www.securityfocus.com/bid/12101
+ XF:linux-loadelfbinary-dos(18687)
+ URL:http://xforce.iss.net/xforce/xfdb/18687
+Description:
+ load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of
+ service (system crash) via an ELF binary in which the interpreter is NULL.
+Notes:
+ jmm> I don't know at which version this was merged into 2.6, but I've verified
+ jmm> that above-mentioned fix is included in 2.6.8's binfmt_elf.c:
+ jmm> out_free_dentry:
+ jmm> allow_write_access(interpreter);
+ jmm> if (interpreter)
+ jmm> fput(interpreter);
+Bugs:
+upstream: released (2.4.26-rc3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
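Review bot: The References section of this record lists the same CONFIRM entry twice, `CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ`, on two consecutive lines; one of them should be dropped. This is harmless for a human reader but makes the reference list noisier for anyone diffing or counting references across records.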
diff --git a/active/retired/CVE-2004-1235 b/active/retired/CVE-2004-1235
new file mode 100644
index 00000000..122bb271
--- /dev/null
+++ b/active/retired/CVE-2004-1235
@@ -0,0 +1,43 @@
+Candidate: CVE-2004-1235
+References:
+ BUGTRAQ:20050107 Linux kernel sys_uselib local root vulnerability
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&w=2
+ MISC:http://isec.pl/vulnerabilities/isec-0021-uselib.txt
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ FEDORA:FEDORA-2005-013
+ URL:http://www.securityfocus.com/advisories/7806
+ FEDORA:FEDORA-2005-014
+ URL:http://www.securityfocus.com/advisories/7805
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2005:043
+ URL:http://www.redhat.com/support/errata/RHSA-2005-043.html
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ TRUSTIX:2005-0001
+ URL:http://www.trustix.org/errata/2005/0001/
+ CONFIRM:http://www.securityfocus.com/advisories/7804
+ BID:12190
+ URL:http://www.securityfocus.com/bid/12190
+ XF:linux-uselib-gain-privileges(18800)
+ URL:http://xforce.iss.net/xforce/xfdb/18800
+Description:
+ Race condition in the (1) load_elf_library and (2) binfmt_aout function calls
+ for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows
+ local users to execute arbitrary code by manipulating the VMA descriptor.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-12) [028-do_brk_security_fixes.dpatch]
+2.4.27-sarge-security: released (2.4.27-8) [122_sec_brk-locked.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
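Review bot: `upstream:` and `linux-2.6:` are left blank in this record for a local root hole (sys_uselib) even though every Debian branch is marked released and the file is being retired; a retired record should name the fixed upstream releases, or say why they are unknown. The description's "2.4 through 2.429-rc2" looks like a mangled "2.4.29-rc2" carried over from the MITRE text, which is better corrected in Notes than in the quoted description, e.g. `review> MITRE text reads "2.429-rc2"; presumably 2.4.29-rc2 - confirm`. The 2.6.8-sarge line cites `028-do_brk_security_fixes.dpatch`, whose name suggests a different (do_brk) issue; confirm it actually carries the uselib fix or cite the correct dpatch.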
diff --git a/active/retired/CVE-2004-1237 b/active/retired/CVE-2004-1237
new file mode 100644
index 00000000..099e2cf7
--- /dev/null
+++ b/active/retired/CVE-2004-1237
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-1237
+References:
+ http://www.redhat.com/support/errata/RHSA-2005-043.html
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132245
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141996
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142091
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142442
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143886
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144048
+Description:
+ Unknown vulnerability in the system call filtering code in the audit
+ subsystem for Red Hat Enterprise Linux 3 allows local users to cause
+ a denial of service (system crash) via unknown vectors.
+Notes:
+ jmm> What a remarkably concrete description :-)
+ jmm> I found the Bugzilla entries above and this seems RHEL specific.
+ jmm> I'm marking it at such, but please double-check someone
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2004-1333 b/active/retired/CVE-2004-1333
new file mode 100644
index 00000000..9f40c436
--- /dev/null
+++ b/active/retired/CVE-2004-1333
@@ -0,0 +1,32 @@
+Candidate: CVE-2004-1333
+References:
+ FULLDISC:20041215 fun with linux kernel
+ URL:http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ UBUNTU:USN-47-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-47-1
+ BID:11956
+ URL:http://www.securityfocus.com/bid/11956
+ XF:linux-vcresize-dos(18523)
+ URL:http://xforce.iss.net/xforce/xfdb/18523
+Description:
+ Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6
+ before 2.6.10 allows local users to cause a denial of service (kernel crash)
+ via a short new screen value, which leads to a buffer overflow.
+Notes:
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [vt-of-death.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [136_vc_resizing_overflow.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1334 b/active/retired/CVE-2004-1334
new file mode 100644
index 00000000..6ac0f8dd
--- /dev/null
+++ b/active/retired/CVE-2004-1334
@@ -0,0 +1,25 @@
+Candidate: CVE-2004-1334
+References:
+ http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html
+ http://marc.theaimsgroup.com/?l=bugtraq&m=110383108211524&w=2
+ http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
+ http://www.securityfocus.com/bid/11956
+ http://xforce.iss.net/xforce/xfdb/18522
+Description:
+ Integer overflow in the ip_options_get function in the Linux kernel before
+ 2.6.10 allows local users to cause a denial of service (kernel crash) via a
+ cmsg_len that contains a -1, which leads to a buffer overflow.
+Notes:
+ dannf> This is a duplicate of CAN-2004-1016
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [scm_send-dos-fix.dpatch, scm_send-dos-fix2.dpatch]
+2.4.27-sarge-security: released (2.4.27-7) [116-cmsg-validation-checks.patch, 118-cmsg-validation-checks-compat.patch]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1335 b/active/retired/CVE-2004-1335
new file mode 100644
index 00000000..70b11309
--- /dev/null
+++ b/active/retired/CVE-2004-1335
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-1335
+References:
+ FULLDISC:20041215 fun with linux kernel
+ URL:http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html
+ BUGTRAQ:20041215 [USN-47-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110383108211524&w=2
+ BID:11956
+ URL:http://www.securityfocus.com/bid/11956
+ XF:linux-ipoptionsget-memory-leak(18524)
+ URL:http://xforce.iss.net/xforce/xfdb/18524
+Description:
+ Memory leak in the ip_options_get function in the Linux kernel before 2.6.10
+ allows local users to cause a denial of service (memory consumption) by
+ repeatedly calling the ip_cmsg_send function.
+Notes:
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [fix-ip-options-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [135_fix_ip_options_leak.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2004-1337 b/active/retired/CVE-2004-1337
new file mode 100644
index 00000000..53542701
--- /dev/null
+++ b/active/retired/CVE-2004-1337
@@ -0,0 +1,28 @@
+Candidate:
+References:
+ BUGTRAQ:20041223 Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110384535113035&w=2
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ BID:12093
+ URL:http://www.securityfocus.com/bid/12093
+ XF:linux-security-module-gain-privileges(18673)
+ URL:http://xforce.iss.net/xforce/xfdb/18673
+Description:
+ The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not
+ properly handle the credentials of a process that is launched before the
+ module is loaded, which allows local users to gain privileges.
+Notes:
+ dannf> This code isn't in <= 2.4.27
+Bugs:
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [025-track_dummy_capability.dpatch, 027-track_dummy_capability.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
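Review bot: The `Candidate:` field on the first line of this record is empty, while the file is named CVE-2004-1337 and every sibling record carries its identifier there; anything keyed on the field rather than the filename will not associate this entry with the CVE. Set it to `Candidate: CVE-2004-1337`. The dannf note and the 2.4 `N/A` entries are consistent with each other, so nothing else needs changing.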
diff --git a/active/retired/CVE-2004-2013 b/active/retired/CVE-2004-2013
new file mode 100644
index 00000000..d965a45b
--- /dev/null
+++ b/active/retired/CVE-2004-2013
@@ -0,0 +1,27 @@
+Candidate: CVE-2004-2013
+References:
+ http://archives.neohapsis.com/archives/bugtraq/2004-05/0091.html
+ http://lists.netsys.com/pipermail/full-disclosure/2004-May/021223.html
+ http://marc.theaimsgroup.com/?l=bugtraq&m=108456230815842&w=2
+ http://www.securityfocus.com/bid/10326
+ http://xforce.iss.net/xforce/xfdb/16117
+Description:
+ Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c
+ in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary
+ code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of
+ memory.
+Notes:
+ jmm> http://archives.neohapsis.com/archives/bugtraq/2004-05/0091.html
+ jmm> The vulnerable socket option was removed entirely in 2.4.26 and 2.6.*,
+ jmm> Woody could be affected, though
+Bugs:
+upstream: released (2.4.26)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
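Review bot: All six woody lines are blank although the note directly above says "Woody could be affected", and the fix is recorded as upstream 2.4.26, which is newer than every woody kernel (2.4.16–2.4.19); retiring the record with this unresolved hides a possible local code-execution issue in supported kernels. Either give each woody line a released version or `N/A` together with a note saying how it was checked (whether the SCTP_SOCKOPT_DEBUG_NAME option exists in the woody trees), or keep the file in active until that is done. The record also lacks the `2.4.18-woody-security-hppa:` line most sibling records carry, so that kernel is not tracked here at all.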
diff --git a/active/retired/CVE-2004-2302 b/active/retired/CVE-2004-2302
new file mode 100644
index 00000000..f39ee81f
--- /dev/null
+++ b/active/retired/CVE-2004-2302
@@ -0,0 +1,25 @@
+Candidate: CVE-2004-2302
+References:
+ http://linux.bkbits.net:8080/linux-2.6/cset%404186a4deVoR88JjTwMa3ZnIp-_YJsA
+ http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.10-rc1/2.6.10-rc1-mm1/broken-out/fix-race-in-sysfs_read_file-and-sysfs_write_file.patch
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:218
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219
+ http://www.novell.com/linux/security/advisories/2005_44_kernel.html
+Description:
+ Race condition in the sysfs_read_file and sysfs_write_file functions in Linux
+ kernel before 2.6.10 allows local users to read kernel memory and cause a
+ denial of service (crash) via large offsets in sysfs files.
+Notes:
+ dannf> sysfs is only in 2.6, so marking 2.4 N/A
+Bugs: 322339
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-sysfs-read-write-race.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-2536 b/active/retired/CVE-2004-2536
new file mode 100644
index 00000000..5ae37d27
--- /dev/null
+++ b/active/retired/CVE-2004-2536
@@ -0,0 +1,28 @@
+Candidate: CVE-2004-2536
+References:
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6
+Description:
+ The exit_thread function (process.c) in Linux kernel 2.6 through
+ 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a
+ process obtains IO access permissions from the ioperm function but
+ does not drop those permissions when it exits, which allows other
+ processes to access the per-TSS pointers, access restricted memory
+ locations, and possibly gain privileges.
+Notes:
+ Horms> Tested against kernel-image-2.4.27-2-686 2.4.27-11 which does not
+ seem to exhibit the problem, although the code suggests it might. I guess
+ its just a 2.6 problem. I marked 2.4.27 and the woody kernels N/A
+Bugs:
+upstream: released (2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2004-2607 b/active/retired/CVE-2004-2607
new file mode 100644
index 00000000..ec1da937
--- /dev/null
+++ b/active/retired/CVE-2004-2607
@@ -0,0 +1,30 @@
+Candidate: CVE-2004-2607
+References:
+ http://www.uwsg.iu.edu/hypermail/linux/kernel/0404.2/0313.html
+ http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2
+Description:
+ A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to
+ 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of
+ kernel memory via a large len argument, which is received as an int but
+ cast to a short, which prevents a read loop from filling a buffer.
+Notes:
+ jmm> The referenced patch was applied by Jeff Garzik on 2004-04-16,
+ jmm> 2.6.6 was released on 2004-05-09, so Sarge seems not affected, should
+ jmm> be double-checked against the source though, but my bandwidth is currently
+ jmm> too slim to download 2.6.8
+ jmm>
+ jmm> The fix below is for a completely different issue, I've split it out
+ horms> Fix was included in 2.6.6. Checked source and 2.6.8 is not vulnerable
+ horms> 2.4.27 is vulnerable, added fix to SVN. Woody is likely vulnerable
+Bugs:
+upstream: released (2.4.33-pre2), released (2.6.6)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-10sarge2) [200_net_sdla_xfer_leak.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
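Review bot: The horms note says "Woody is likely vulnerable", but the seven woody lines below it are blank, so this record is retired with a suspected kernel-memory disclosure unresolved in those branches. Each woody line should get a released version or an `N/A` with justification, or the file should stay active; the 2.4.27 fix `200_net_sdla_xfer_leak.diff` presumably applies to the older 2.4 trees with little change, but that is inferred from the patch name only. The `upstream:` 2.4 fix version (2.4.33-pre2) is also later than the "up to 2.4.29-rc1" range in the description, which deserves a one-line note if it was verified rather than copied.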
diff --git a/active/retired/CVE-2005-0001 b/active/retired/CVE-2005-0001
new file mode 100644
index 00000000..97943e59
--- /dev/null
+++ b/active/retired/CVE-2005-0001
@@ -0,0 +1,42 @@
+Candidate: CVE-2005-0001
+References:
+ BUGTRAQ:20050112 Linux kernel i386 SMP page fault handler privilege escalation
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110554694522719&w=2
+ FULLDISC:20050112 Linux kernel i386 SMP page fault handler privilege escalation
+ URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030826.html
+ MISC:http://isec.pl/vulnerabilities/isec-0022-pagefault.txt
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ FEDORA:FLSA:2336
+ URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2005:043
+ URL:http://www.redhat.com/support/errata/RHSA-2005-043.html
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ TRUSTIX:2005-0001
+ URL:http://www.trustix.org/errata/2005/0001/
+ BUGTRAQ:20050114 [USN-60-0] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110581146702951&w=2
+ XF:linux-fault-handler-gain-privileges(18849)
+ URL:http://xforce.iss.net/xforce/xfdb/18849
+Description:
+ Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to
+ 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor
+ machines, allows local users to execute arbitrary code via concurrent threads
+ that share the same virtual memory space and simultaneously request stack
+ expansion.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-13) [034-stack_resize_exploit.dpatch]
+2.4.27-sarge-security: released (2.4.27-8) [131_expand_stack_race.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2005-0003 b/active/retired/CVE-2005-0003
new file mode 100644
index 00000000..77071990
--- /dev/null
+++ b/active/retired/CVE-2005-0003
@@ -0,0 +1,34 @@
+Candidate: CVE-2005-0003
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3tw
+ MANDRAKE:MDKSA-2005:022
+ URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022
+ REDHAT:RHSA-2005:043
+ URL:http://www.redhat.com/support/errata/RHSA-2005-043.html
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ TRUSTIX:2005-0001
+ URL:http://www.trustix.org/errata/2005/0001/
+ MISC:http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg
+ BID:12261
+ URL:http://www.securityfocus.com/bid/12261
+ XF:linux-vma-gain-privileges(18886)
+ URL:http://xforce.iss.net/xforce/xfdb/18886
+Description:
+ The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit
+ architectures, does not properly check for overlapping VMA (virtual memory
+ address) allocations, which allows local users to cause a denial of service
+ (system crash) or execute arbitrary code via a crafted ELF or a.out file.
+Notes:
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-11) [binfmt-huge-vma-dos2.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [145_insert_vm_struct-no-BUG.patch]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2005-0090 b/active/retired/CVE-2005-0090
new file mode 100644
index 00000000..3a6ff8b0
--- /dev/null
+++ b/active/retired/CVE-2005-0090
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0090
+References:
+ A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split
+ patch omits an "access check," which allows local users to cause a denial
+ of service (crash).
+Description:
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+ http://www.securityfocus.com/bid/12599
+ http://xforce.iss.net/xforce/xfdb/20618
+Notes:
+ Red Hat specific vulnerability
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
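Review bot: The `References:` and `Description:` sections are swapped: the prose sits under `References:` and the three URLs sit under `Description:`, so any parser or reader expecting the sibling records' layout reads the wrong field. Move the sentence "A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch ..." under `Description:` and the three URLs under `References:`, as CVE-2005-0091 in this same commit is laid out. `upstream:` is also blank here while the note calls the issue Red Hat specific and the sibling RHEL-only records use `upstream: N/A`; the same value would be consistent.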
diff --git a/active/retired/CVE-2005-0091 b/active/retired/CVE-2005-0091
new file mode 100644
index 00000000..589abd45
--- /dev/null
+++ b/active/retired/CVE-2005-0091
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0091
+References:
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+ http://www.securityfocus.com/bid/12599
+ http://xforce.iss.net/xforce/xfdb/20619
+Description:
+ Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split
+ patch, when using the hugemem kernel, allows local users to read and write to
+ arbitrary kernel memory and gain privileges via certain syscalls.
+Notes:
+ Red Hat specific.
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-0092 b/active/retired/CVE-2005-0092
new file mode 100644
index 00000000..426e1b21
--- /dev/null
+++ b/active/retired/CVE-2005-0092
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0092
+References:
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+ http://www.securityfocus.com/bid/12599
+ http://xforce.iss.net/xforce/xfdb/20620
+Description:
+ Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split
+ patch, when running on x86 with the hugemem kernel, allows local users to
+ cause a denial of service (crash).
+Notes:
+ Red Hat specific.
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-0135 b/active/retired/CVE-2005-0135
new file mode 100644
index 00000000..372db1a5
--- /dev/null
+++ b/active/retired/CVE-2005-0135
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-0135
+References:
+ REDHAT:RHSA-2005:284
+ URL:http://www.redhat.com/support/errata/RHSA-2005-284.html
+ REDHAT:RHSA-2005:366
+ URL:http://www.redhat.com/support/errata/RHSA-2005-366.html
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg
+ SECUNIA:15019
+ URL:http://secunia.com/advisories/15019
+Description:
+ The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in
+ Linux kernel 2.6 allows local users to cause a denial of service (system
+ crash).
+Notes:
+ dannf> This is fixed in kernel-patch-2.4.27-ia64
+Bugs:
+upstream: released (linux-2.4.29-ia64-050312.diff, 2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [ia64-unwind-fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-10)
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2005-0136 b/active/retired/CVE-2005-0136
new file mode 100644
index 00000000..b17e5920
--- /dev/null
+++ b/active/retired/CVE-2005-0136
@@ -0,0 +1,18 @@
+Candidate: CVE-2005-0136
+References:
+ ** RESERVED **
+Description:
+Notes:
+ dannf> This is fixed in kernel-patch-2.4.27-ia64
+Bugs:
+upstream: released (linux-2.4.29-ia64-050312.diff, 2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [ia64-ptrace-fixes.dpatch, ia64-ptrace-speedup.dpatch]
+2.4.27-sarge-security: released (2.4.27-10)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
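Review bot: This record is retired with no description at all (`References:` holds only "** RESERVED **" and `Description:` is empty) and with all seven woody lines blank, so a reader cannot tell what was fixed or whether woody kernels needed the fix. Add at least a one-line note describing the issue as understood when the fixes were applied; the sarge dpatch names (`ia64-ptrace-fixes.dpatch`) suggest an ia64 ptrace problem, but that should be confirmed from the patch rather than inferred from the name. Give the woody lines a status before retiring, and revisit the record once MITRE publishes the entry.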
diff --git a/active/retired/CVE-2005-0137 b/active/retired/CVE-2005-0137
new file mode 100644
index 00000000..d20391d8
--- /dev/null
+++ b/active/retired/CVE-2005-0137
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-0137
+References:
+ REDHAT:RHSA-2005:284
+ URL:http://www.redhat.com/support/errata/RHSA-2005-284.html
+ REDHAT:RHSA-2005:293
+ URL:http://www.redhat.com/support/errata/RHSA-2005-293.html
+Description:
+ Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a
+ denial of service via a "missing Itanium syscall table entry."
+Notes:
+ dannf> This is actually 2.4 specific - the mitre description is incorrect.
+Bugs:
+upstream: released (2.4.30-rc2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-10) [165_arch-ia64-kernel-missing-sysctl.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0176 b/active/retired/CVE-2005-0176
new file mode 100644
index 00000000..87dd16a6
--- /dev/null
+++ b/active/retired/CVE-2005-0176
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-0176
+References:
+ http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2
+ http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+ http://oval.mitre.org/oval/definitions/data/oval1225.html
+ http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=2637792e3d9ae50079238615fd16384a0d393b30
+Description:
+ The shmctl function in Linux 2.6.9 and earlier allows local users to unlock
+ the memory of other processes, which could cause sensitive memory to be swapped
+ to disk, which could allow it to be read by other users once it has been released.
+Notes:
+ It appears that 2.6.8 and earlier are not vulnerable as prior to the
+ following patch, local users could not effect lock or unlock
+ http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=16698c49bbb42567c0bbc528d3820d18885e4642
+ That is, only 2.6.10 is effected.
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
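Review bot: The note contradicts the description it sits under: the description says "2.6.9 and earlier" are affected, while the note concludes "only 2.6.10 is effected" and the 2.6.8-sarge line is marked `N/A` on that basis, so a reader cannot tell which claim was actually verified. State in the note which tree was inspected and what was found, e.g. `review> verified against 2.6.8 ipc/shm.c: unprivileged lock/unlock not reachable before 16698c49`, only if that is what was checked. "effect"/"effected" should read "affect"/"affected", and `upstream:` is blank although the referenced tglx commit 2637792e is presumably the fix and could be named there.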
diff --git a/active/retired/CVE-2005-0177 b/active/retired/CVE-2005-0177
new file mode 100644
index 00000000..c87b5954
--- /dev/null
+++ b/active/retired/CVE-2005-0177
@@ -0,0 +1,26 @@
+Candidate: CVE-2005-0177
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQ
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ BUGTRAQ:20050215 [USN-82-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2
+Description:
+ nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows
+ attackers to cause a denial of service (kernel crash) via a buffer overflow.
+Notes:
+ dannf> nls_ascii.c isn't in <= 2.4.27
+Bugs:
+upstream: released (2.6.8.1, 2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [nls-table-overflow.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0178 b/active/retired/CVE-2005-0178
new file mode 100644
index 00000000..eb3a56dd
--- /dev/null
+++ b/active/retired/CVE-2005-0178
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-0178
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8A
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+ BUGTRAQ:20050215 [USN-82-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2
+Description:
+ Race condition in the setsid function in Linux before 2.6.8.1 allows local
+ users to cause a denial of service (crash) and possibly access portions of
+ kernel memory, related to TTY changes, locking, and semaphores.
+Notes:
+ dannf> Alan Cox suggested that this is not a 2.4 issue:
+ Alan> Is it actually needed for 2.4. In the 2.4 case your controlling tty is
+ Alan> private not thread group so a setsid() can't race because you can't
+ Alan> setsid in the same thread as is opening current->tty.
+Bugs:
+upstream: released (2.6.8.1, 2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [setsid-race.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0180 b/active/retired/CVE-2005-0180
new file mode 100644
index 00000000..01275bf5
--- /dev/null
+++ b/active/retired/CVE-2005-0180
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-0180
+References:
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030660.html
+ http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:218
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219
+ http://www.redhat.com/support/errata/RHSA-2005-092.html
+Description:
+ Multiple integer signedness errors in the sg_scsi_ioctl function in
+ scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel
+ memory via negative integers in arguments to the scsi ioctl, which
+ bypass a maximum length check before calling the copy_from_user and
+ copy_to_user functions.
+Notes:
+ jmm> The 2.4.27 version, scsi_ioctl_send_command(), is not affected, as
+ jmm> intlen and outlen are unsigned ints
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-12) [031-sg_scsi_ioctl_int_overflows.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
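Review bot: The jmm note clears only 2.4.27 (unsigned lengths in `scsi_ioctl_send_command()`), yet the seven woody 2.4.16–2.4.19 lines are left blank rather than `N/A`, so a retired record still has unresolved branches for a local kernel-memory read/write. If the same unsigned-int argument holds for the woody trees, mark them `N/A` and extend the note, e.g. `review> same reasoning checked against 2.4.16-2.4.19 scsi_ioctl.c`; if it does not, they need the 031 fix backported. `upstream:` is blank as well; the referenced advisories presumably identify the fixing 2.6 release, which should be recorded.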
diff --git a/active/retired/CVE-2005-0204 b/active/retired/CVE-2005-0204
new file mode 100644
index 00000000..d663b2ed
--- /dev/null
+++ b/active/retired/CVE-2005-0204
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-0204
+References:
+ REDHAT:RHSA-2005:092
+ URL:http://www.redhat.com/support/errata/RHSA-2005-092.html
+Description:
+ Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T
+ architectures, allows local users to write to privileged IO ports via the OUTS
+ instruction.
+Notes:
+ jmm> 190_outs-2.diff had regressions
+Bugs: 296700
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [outs.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [143_outs.diff]
+2.4.27-sid: released (2.4.27-12) [190_outs-2.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0207 b/active/retired/CVE-2005-0207
new file mode 100644
index 00000000..effeab57
--- /dev/null
+++ b/active/retired/CVE-2005-0207
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-0207
+References:
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000930
+ SUSE:SUSE-SA:2005:003
+ URL:http://www.securityfocus.com/advisories/7880
+ BID:12330
+ URL:http://www.securityfocus.com/bid/12330
+ http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/linux-2.6.10-as2/026-nfs_o_direct_error.patch
+ http://linux.bkbits.net:8080/linux-2.6/cset@41db2d65wbgJvuXTv4x9_quExW0vEA
+Description:
+ Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS
+ clients to cause a denial of service via O_DIRECT.
+Notes:
+ dannf> The vulnerable code doesn't exist in <= 2.4.27
+Bugs:
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [nfs-O_DIRECT-fix.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0209 b/active/retired/CVE-2005-0209
new file mode 100644
index 00000000..7c5941a6
--- /dev/null
+++ b/active/retired/CVE-2005-0209
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-0209
+References:
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+ CONECTIVA:CLA-2005:945
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ http://oss.sgi.com/archives/netdev/2005-01/msg01072.html
+Description:
+ Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of
+ service (kernel crash) via crafted IP packet fragments.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-14) [skb-reset-ip_summed.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [134_skb_reset_ip_summed.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0210 b/active/retired/CVE-2005-0210
new file mode 100644
index 00000000..804e62c1
--- /dev/null
+++ b/active/retired/CVE-2005-0210
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-0210
+References:
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+ CONECTIVA:CLA-2005:945
+ URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+Description:
+ Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of
+ service (memory consumption) via certain packet fragments that are reassembled
+ twice, which causes a data structure to be allocated twice.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-15) [ip_copy_metadata_leak.dpatch, ip6_copy_metadata_leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [146_ip6_copy_metadata_leak.diff, 147_ip_copy_metadata_leak.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0384 b/active/retired/CVE-2005-0384
new file mode 100644
index 00000000..133e2209
--- /dev/null
+++ b/active/retired/CVE-2005-0384
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-0384
+References:
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ REDHAT:RHSA-2005:283
+ URL:http://www.redhat.com/support/errata/RHSA-2005-283.html
+ REDHAT:RHSA-2005:284
+ URL:http://www.redhat.com/support/errata/RHSA-2005-284.html
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ TRUSTIX:2005-0009
+ URL:http://www.trustix.org/errata/2005/0009/
+ UBUNTU:USN-95-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-95-1
+Description:
+ Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows
+ remote attackers to cause a denial of service (kernel crash) via a pppd
+ client.
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-15) [drivers-net-ppp_async-fix-dos.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [153_ppp_async_dos.diff]
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
+2.4.18-woody-security-hppa: released (62.4)
diff --git a/active/retired/CVE-2005-0400 b/active/retired/CVE-2005-0400
new file mode 100644
index 00000000..84063342
--- /dev/null
+++ b/active/retired/CVE-2005-0400
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-0400
+References:
+ BUGTRAQ:20050401 Information leak in the Linux kernel ext2 implementation
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238764720696&w=2
+ MISC:http://arkoon.net/advisories/ext2-make-empty-leak.txt
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ UBUNTU:USN-103-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
+ XF:kernel-ext2-information-disclosure(19866)
+ URL:http://xforce.iss.net/xforce/xfdb/19866
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6
+ SECUNIA:14713
+ URL:http://secunia.com/advisories/14713/
+Description:
+ The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not
+ properly initialize memory when creating a block for a new directory entry,
+ which allows local users to obtain potentially sensitive information by
+ reading the block.
+Notes:
+Bugs: 301799 303294
+upstream: released (2.6.11.6)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [fs-ext2-info-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-10) [156_fs-ext2-info-leak.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0449 b/active/retired/CVE-2005-0449
new file mode 100644
index 00000000..62875ef2
--- /dev/null
+++ b/active/retired/CVE-2005-0449
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-0449
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0449
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563\d82
+ http://oss.sgi.com/archives/netdev/2005-01/msg01107.html
+Description:
+ The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to
+ cause a denial of service (kernel crash) or bypass firewall rules via crafted
+ packets, which are not properly handled by the skb_checksum_help function.
+Notes:
+ ** CHANGES ABI **
+ ipv4-fragment-queues-[1,2,2.1].dpatch are in sarge's 2.6.8.
+ ipv4-fragment-queues-[3,4].dpatch are awaiting an ABI event
+ .
+ 150_private_fragment_queues-[1,2].diff are awaiting a 2.4.27 ABI event
+Bugs:
+upstream: released (2.6.8.1)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2) [ipv4-fragment-queues-1.dpatch, ipv4-fragment-queues-2.dpatch, ipv4-fragment-queues-3.dpatch, ipv4-fragment-queues-4.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [150_private_fragment_queues-1.diff, 150_private_fragment_queues-2.diff]
diff --git a/active/retired/CVE-2005-0528 b/active/retired/CVE-2005-0528
new file mode 100644
index 00000000..d896c0f6
--- /dev/null
+++ b/active/retired/CVE-2005-0528
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-0528
+References:
+Description:
+Notes:
+ From Joey's 2.4.18-14.4 changelog:
+ * Applied patch by Andrea Arcangeli from 2.4.24 to fix privilege
+ escalation in the mremap() syscall [mm/mremap.c, CAN-2004-nnnn]
+ jmm> Isn't this CVE-2004-0077?
+ dannf> Looks like this is a different issue. Joey's patch is here:
+ http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap
+ dannf> But it doesn't look like mitre has released the details yet:
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0528
+ jmm> The patch is merged as of 2.4.27, but I'm not sure at which exact version
+ dannf> It looks like this would apply to 2.6, but isn't necessary because
+ dannf> its already fixed in a different way. 2.6 checks for a 0 new_len
+ dannf> earlier and errors out
+ jmm> This turned out to be a dupe of CVE-2003-0985
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: released (2.4.19-4.woody3)
+2.4.18-woody-security: released (2.4.18-14.4)
+2.4.17-woody-security: released (2.4.17-1woody4)
+2.4.16-woody-security: released (2.4.16-1woody3)
+2.4.17-woody-security-hppa: released (32.5)
+2.4.17-woody-security-ia64: released (011226.18)
diff --git a/active/retired/CVE-2005-0529 b/active/retired/CVE-2005-0529
new file mode 100644
index 00000000..c941380b
--- /dev/null
+++ b/active/retired/CVE-2005-0529
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-0529
+References:
+ FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQ
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+Description:
+ Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset
+ arguments to the proc_file_read and locks_read_proc functions, which leads to
+ a heap-based buffer overflow when a signed comparison causes negative integers
+ to be used in a positive context.
+Notes:
+ dannf> 2.4 doesn't do the signed cast, so it shouldn't be vulnerable
+Bugs:
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [115-proc_file_read_nbytes_signedness_fix.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0530 b/active/retired/CVE-2005-0530
new file mode 100644
index 00000000..042124ce
--- /dev/null
+++ b/active/retired/CVE-2005-0530
@@ -0,0 +1,38 @@
+Candidate: CVE-2005-0530
+References:
+ FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+Description:
+ Signedness error in the copy_from_read_buf function in n_tty.c for Linux
+ kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a
+ negative argument.
+Notes:
+ dannf> This doesn't affect 2.4:
+ marcello> v2.4 does not suffer from the issue mentioned by Guninski because
+ marcello> the first argument of the arithmetic comparison is not casted
+ marcello> to a "signed" value:
+ .
+ marcello> n = min((ssize_t)*nr, n);
+ .
+ marcello> That was the problem in v2.6, where an unsigned value bigger than
+ marcello> 2^31 would be treated as a negative signed.
+Bugs:
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [116-n_tty_copy_from_read_buf_signedness_fixes.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0531 b/active/retired/CVE-2005-0531
new file mode 100644
index 00000000..5a095abd
--- /dev/null
+++ b/active/retired/CVE-2005-0531
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-0531
+References:
+ FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3A
+ CONECTIVA:CLA-2005:930
+ URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+Description:
+ The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before
+ 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative
+ arguments.
+Notes:
+Bugs:
+upstream: released (2.6.11-rc4)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [123-atm_get_addr_signedness_fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-9) [151_atm_get_addr_signedness_fix.diff]
diff --git a/active/retired/CVE-2005-0532 b/active/retired/CVE-2005-0532
new file mode 100644
index 00000000..ec7873f6
--- /dev/null
+++ b/active/retired/CVE-2005-0532
@@ -0,0 +1,29 @@
+Candidate: CVE-2005-0532
+References:
+ FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke
+ URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2
+ MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQ
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2
+Description:
+ The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for
+ Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit
+ architectures, may allow local users to trigger a buffer overflow as a result
+ of casting discrepancies between size_t and int data types.
+Notes:
+ dannf> Vulnerable code didn't exist in 2.4
+Bugs:
+upstream: released (2.6.11-rc3)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-14) [117-reiserfs_file_64bit_size_t_fixes.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0736 b/active/retired/CVE-2005-0736
new file mode 100644
index 00000000..d6d730db
--- /dev/null
+++ b/active/retired/CVE-2005-0736
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0736
+References:
+ http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032314.html
+ http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d
+ http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+ http://www.ubuntulinux.org/support/documentation/usn/usn-95-1
+ http://www.securityfocus.com/bid/12763
+Description:
+ Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11
+ allows local users to overwrite kernel memory via a large number of events.
+Notes: 2.4.* doesn't have epoll()
+Bugs:
+upstream: released (2.6.11.2)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-0749 b/active/retired/CVE-2005-0749
new file mode 100644
index 00000000..44137f1c
--- /dev/null
+++ b/active/retired/CVE-2005-0749
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-0749
+References:
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ UBUNTU:USN-103-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6
+ SECUNIA:14713
+ URL:http://secunia.com/advisories/14713/
+ XF:kernel-loadelflibrary-dos(19867)
+ URL:http://xforce.iss.net/xforce/xfdb/19867
+Description:
+ The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to
+ cause a denial of service (kernel crash) via a crafted ELF library or
+ executable, which causes a free of an invalid pointer.
+Notes:
+Bugs: 301799, 303498
+upstream: released (2.6.11.6)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [fs-binfmt_elf-dos.dpatch]
+2.4.27-sarge-security: released (2.4.27-10) [158_fs-binfmt_elf-dos.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0750 b/active/retired/CVE-2005-0750
new file mode 100644
index 00000000..7b2ad779
--- /dev/null
+++ b/active/retired/CVE-2005-0750
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-0750
+References:
+ BUGTRAQ:20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111204562102633&w=2
+ FULLDISC:20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5
+ URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032913.html
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ REDHAT:RHSA-2005:283
+ URL:http://www.redhat.com/support/errata/RHSA-2005-283.html
+ REDHAT:RHSA-2005:284
+ URL:http://www.redhat.com/support/errata/RHSA-2005-284.html
+ XF:kernel-bluezsockcreate-integer-underflow(19844)
+ URL:http://xforce.iss.net/xforce/xfdb/19844
+Description:
+ The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6
+ through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain
+ privileges via (1) socket or (2) socketpair call with a negative protocol
+ value.
+Notes:
+Bugs: 301799
+upstream: released (2.6.11.5)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [net-bluetooth-signdness-fix.dpatch]
+2.4.27-sarge-security: released (2.4.27-10) [155_net-bluetooth-signdness-fix.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0756 b/active/retired/CVE-2005-0756
new file mode 100644
index 00000000..de676ae1
--- /dev/null
+++ b/active/retired/CVE-2005-0756
@@ -0,0 +1,19 @@
+Candidate: CVE-2005-0756
+References:
+ http://www.ubuntulinux.org/support/documentation/usn/usn-137-1
+Description:
+ ptrace 2.6.8.1 does not properly verify addresses on the amd64 platform,
+ which allows local users to cause a denial of service (kernel crash).
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0757 b/active/retired/CVE-2005-0757
new file mode 100644
index 00000000..49061609
--- /dev/null
+++ b/active/retired/CVE-2005-0757
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-0757
+References:
+Description:
+ source: Trawled out of Red Hat's kernel-2.4.21-32.0.1.EL.src.rpm by Horms
+ inclusion: upstream code has been reworked and doesn't appear vulnerable
+ descrition: on 64 bit architectures incorrect handling of xattr offsets
+ may cause a local DoS
+ revision date: Fri, 29 Jul 2005 12:04:57 +0900
+Notes:
+Bugs:
+upstream:
+2.4.27-sarge-security: released (2.4.27-10sarge1)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-ext3-64bit-offset.dpatch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0767 b/active/retired/CVE-2005-0767
new file mode 100644
index 00000000..48d7e737
--- /dev/null
+++ b/active/retired/CVE-2005-0767
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0767
+References:
+ http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945
+ http://www.ubuntulinux.org/support/documentation/usn/usn-95-1
+Description:
+ Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows
+ local users with DRI privileges to execute arbitrary code as root.
+Notes:
+ horms> For the record:
+ horms> The patch seems to already be present in 2.6.11.
+ horms> And the bug does not seem to be present in 2.4.27.
+Bugs: 297203
+upstream: released (2.6.11-rc4)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-15)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-0815 b/active/retired/CVE-2005-0815
new file mode 100644
index 00000000..19302776
--- /dev/null
+++ b/active/retired/CVE-2005-0815
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-0815
+References:
+ BUGTRAQ:20050317 Linux ISO9660 handling flaws
+ URL:http://www.securityfocus.com/archive/1/393590
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc1
+ FEDORA:FLSA:152532
+ URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532
+ BID:12837
+ URL:http://www.securityfocus.com/bid/12837
+ XF:kernel-iso9660-filesystem(19741)
+ URL:http://xforce.iss.net/xforce/xfdb/19741
+Description:
+ Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux
+ 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt
+ memory via a crafted filesystem.
+Notes:
+Bugs: 301799
+upstream: released (2.6.12-rc1)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [fs-isofs-range-check-1.dpatch, fs-isofs-range-check-2.dpatch, fs-isofs-range-check-3.dpatch]
+2.4.27-sarge-security: released (2.4.27-10) [157_fs-isofs-range-check-1.diff, 157_fs-isofs-range-check-2.diff, 157_fs-isofs-range-check-3.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-0839 b/active/retired/CVE-2005-0839
new file mode 100644
index 00000000..5a933031
--- /dev/null
+++ b/active/retired/CVE-2005-0839
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-0839
+References:
+ MLIST:[linux-kernel] 20050301 Re: Breakage from patch: Only root should be able to set the N_MOUSE line discipline.
+ URL:http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg64704.html
+ MISC:http://linux.bkbits.net:8080/linux-2.6/cset@41fa6464E1UuGu6zmketEYxm73KSyQ
+Description:
+ Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line
+ discipline for a TTY, which allows local users to gain privileges by injecting
+ mouse or keyboard events into other user sessions.
+Notes:
+ dannf> This file isn't in <= 2.4.27
+Bugs: 301372
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [drivers-input-serio-nmouse.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-0867 b/active/retired/CVE-2005-0867
new file mode 100644
index 00000000..116d7497
--- /dev/null
+++ b/active/retired/CVE-2005-0867
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0867
+References:
+ http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+Description:
+ Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel
+ memory by writing to a sysfs file.
+Notes:
+ horms> The Debian Packages for 2.6.8 and 2.6.11 do not appear to
+ horms> have this bug. 2.4.27 does not include sysfs, and thus
+ horma> also does not have this bug.
+ jmm> The patch for the vulnerability in question can be found in the BTS
+Bugs: 306137
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-0916 b/active/retired/CVE-2005-0916
new file mode 100644
index 00000000..9ed5249f
--- /dev/null
+++ b/active/retired/CVE-2005-0916
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0916
+References:
+ http://groups-beta.google.com/group/linux.kernel/browse_thread/thread/13b43bd5783842f6/7ce3c5a514a497ab
+ http://linux.bkbits.net:8080/linux-2.6/cset%404248c8c0es30_4YVdwa6vteKi7h_nw
+ http://www.novell.com/linux/security/advisories/2005_50_kernel.html
+Description:
+ AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with
+ CONFIG_HUGETLB_PAGE enabled allows local panic) via a process that executes
+ the io_queue_init function but exits without running io_queue_release, which
+ to fail.
+Notes:
+Bugs:
+upstream: released (2.6.12)
+linux-2.6: released (2.6.12-1)
+2.6.8-sarge-security: released (2.6.8-16) [arch-ppc64-hugepage-aio-panic.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2005-1041 b/active/retired/CVE-2005-1041
new file mode 100644
index 00000000..c27caac5
--- /dev/null
+++ b/active/retired/CVE-2005-1041
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-1041
+References:
+ http://marc.theaimsgroup.com/?l=bk-commits-head&m=111186506706769&w=2
+Description:
+ The fib_seq_start function in fib_hash.c in Linux kernel allows local
+ users to cause a denial of service (system crash) via /proc/net/route.
+Notes:
+ horms> 2.4.27 is not effected by 304548 as the buggy code is a complete
+ horms> rework for 2.6. I looked over the way that proc/route is handled
+ horms> for 2.4.27, and it seems fine.
+Bugs: 304548
+upstream: released (2.6.11.5)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-1263 b/active/retired/CVE-2005-1263
new file mode 100644
index 00000000..4c749bfd
--- /dev/null
+++ b/active/retired/CVE-2005-1263
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-1263
+References:
+ BUGTRAQ:20050511 Linux kernel ELF core dump privilege elevation
+ URL:http://www.securityfocus.com/archive/1/397966
+ MISC:http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt
+ FRSIRT:ADV-2005-0524
+ URL:http://www.frsirt.com/english/advisories/2005/0524
+ OVAL:OVAL1122
+ URL:http://oval.mitre.org/oval/definitions/data/oval1122.html
+Description:
+ The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to
+ 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users
+ to execute arbitrary code via an ELF binary that, in certain conditions
+ involving the create_elf_tables function, causes a negative length argument
+ to pass a signed integer comparison, leading to a buffer overflow.
+Notes:
+Bugs:
+upstream: released (2.2.27-rc2, 2.4.31-pre1, 2.6.12-rc4)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16)
+2.4.27-sarge-security: released (2.4.27-10)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-1368 b/active/retired/CVE-2005-1368
new file mode 100644
index 00000000..03933ce2
--- /dev/null
+++ b/active/retired/CVE-2005-1368
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-1368
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8
+ http://linux.bkbits.net:8080/linux-2.6/cset%40423078fafVa6mAyny23YZ87hDipmTw
+Description:
+ The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow
+ attackers to cause a denial of service (oops) via SMP.
+Notes:
+ horms> The fix for CAN-2005-1368 is in SVN for 2.6.11.
+ horms> The code that this bug manifests in is not present
+ horms> in 2.6.8 or 2.4.27.
+ jmm> The code in question isn't present in Woody either
+Bugs:
+upstream: released (2.6.11.8)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-1369 b/active/retired/CVE-2005-1369
new file mode 100644
index 00000000..10d7dd87
--- /dev/null
+++ b/active/retired/CVE-2005-1369
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-1369
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8
+ http://lkml.org/lkml/2005/4/20/159
+Description:
+ The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8,
+ and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write
+ permissions, which allows local users to cause a denial of service (CPU
+ consumption) by attempting to write to the file, which does not have an
+ associated store function.
+Notes:
+ jmm> These drivers are not present in 2.4
+Bugs: 307552
+upstream: released (2.6.11.8)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-1589 b/active/retired/CVE-2005-1589
new file mode 100644
index 00000000..da505ae3
--- /dev/null
+++ b/active/retired/CVE-2005-1589
@@ -0,0 +1,36 @@
+Candidate: CVE-2005-1589
+References:
+ http://marc.theaimsgroup.com/?l=linux-kernel&m=111630531515901&w=2
+ http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html
+ http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0046.html
+ http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0047.html
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219
+ http://www.frsirt.com/english/advisories/2005/0557
+Description:
+ The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c)
+ in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before
+ passing an ioctl to the block device, which crosses security boundaries by
+ making kernel address space accessible from user space and allows local users
+ to cause a denial of service and possibly execute arbitrary code, a similar
+ vulnerability to CVE-2005-1264.
+Notes:
+ horms> (discussing this and a similar problem):
+ horms> 2.6.8 is only vulnerable to the raw ioctl problem,
+ horms> which I believe is CAN-2005-1264.
+ horms> (unstable/testing-proposed-updates) and sarge-security
+ horms> (testing-security) branches and it should appear in 2.6.8-16 and
+ horms> 2.6.8-15sarge1 respectively.
+ horms> 2.4.27 does not appear to be vulnerable to either of these problems.
+Bugs: 309429
+upstream: released (2.6.11.10), released (2.6.12-rc5)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-1761 b/active/retired/CVE-2005-1761
new file mode 100644
index 00000000..13f91713
--- /dev/null
+++ b/active/retired/CVE-2005-1761
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-1761
+References:
+ http://www.novell.com/linux/security/advisories/2005_44_kernel.html
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4ea78729b8dbfc400fe165a57b90a394a7275a54
+Description:
+ Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users
+ to cause a denial of service (kernel crash) via ptrace and the
+ restore_sigcontext function.
+Notes:
+ jmm> This uses arch-ia64-ptrace-restore_sigcontext.dpatch, correct?
+ dannf> 2.4 patch for ia64 from SuSE in: CVE-2005-1761-linux24.patch
+ dannf> Unfortunately, its against an older 2.4, so this doesn't apply
+ dannf> trivially
+Bugs:
+upstream: released (2.6.12.1)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-private-tss.dpatch, arch-x86_64-nmi.dpatch, arch-ia64-ptrace-getregs-putregs.dpatch, arch-ia64-ptrace-restore_sigcontext.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [204_arch-ia64-ptrace-getregs-putregs.diff, 205_arch-ia64-ptrace-restore_sigcontext.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-1762 b/active/retired/CVE-2005-1762
new file mode 100644
index 00000000..cdf20f53
--- /dev/null
+++ b/active/retired/CVE-2005-1762
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-1762
+References:
+ http://www.novell.com/linux/security/advisories/2005_29_kernel.html
+ http://www.ubuntulinux.org/support/documentation/usn/usn-143-1
+ http://secunia.com/advisories/15786
+Description:
+ The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
+ platform allows local users to cause a denial of service (kernel
+ crash) via a "non-canonical" address.
+Notes:
+Bugs:
+upstream: released (2.6.12-rc5)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [169_arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-1764 b/active/retired/CVE-2005-1764
new file mode 100644
index 00000000..26a1a60b
--- /dev/null
+++ b/active/retired/CVE-2005-1764
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-1764
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1764
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050531
+ Category: SF
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=637716a3825e186555361574aa1fa3c0ebf8018b
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=637716a3825e186555361574aa1fa3c0ebf8018bReference: SUSE:SUSE-SA:2005:029
+ URL:http://freshmeat.net/articles/view/1678/
+Description:
+ Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard
+ page for the 47-bit address page to protect against an AMD K8 bug,
+ which allows local users to cause a denial of service.
+Notes:
+ horms> I believe that only 2.6.11 is vulnerable to this
+upstream: released (2.6.11.11)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-1765 b/active/retired/CVE-2005-1765
new file mode 100644
index 00000000..f17d7dbc
--- /dev/null
+++ b/active/retired/CVE-2005-1765
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-1765
+References:
+ http://www.novell.com/linux/security/advisories/2005_29_kernel.html
+ http://www.ubuntulinux.org/support/documentation/usn/usn-143-1
+Description:
+ syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform,
+ when running in 32-bit compatibility mode, allows local users to cause
+ a denial of service (kernel hang) via crafted arguments.
+Notes:
+ jmm> I've extracted the patch from the Ubuntu update (CVE-2005-1765.patch)
+ dannf> This code was very different in 2.4, and we don't ship 2.4/amd64, so
+ I'll mark 2.4 N/A
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-mm-mmap.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-1767 b/active/retired/CVE-2005-1767
new file mode 100644
index 00000000..e1cbe995
--- /dev/null
+++ b/active/retired/CVE-2005-1767
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-1767
+References:
+ CONFIRM:http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=51e31546a2fc46cb978da2ee0330a6a68f07541e
+ http://www.novell.com/linux/security/advisories/2005_44_kernel.html
+ http://www.ubuntu.com/usn/usn-187-1
+Description:
+ traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment faults on an exception
+ stack, which allows local users to cause a denial of service (oops and stack fault exception).
+Notes:
+ This is already fixed in 2.6 and added for completeness.
+ Horms> This is amd64 specific, and thus should not affect 2.4
+Bugs:
+upstream: released (2.6.12, 2.4.32)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-stack-faults.dpatch, arch-x86_64-nmi.dpatch, arch-x86_64-kernel-stack-faults.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [181_arch-x86_64-kernel-stack-faults.diff]
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-1768 b/active/retired/CVE-2005-1768
new file mode 100644
index 00000000..00eb2833
--- /dev/null
+++ b/active/retired/CVE-2005-1768
@@ -0,0 +1,34 @@
+Candidate: CVE-2005-1768
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1768
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050531
+ Category: SF
+ BUGTRAQ:20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64)
+ URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2
+ MISC:http://www.suresec.org/advisories/adv4.pdf
+Description:
+ Race condition in the ia32 compatibility code for the execve system
+ call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows
+ local users to cause a denial of service (kernel panic) and possibly
+ execute arbitrary code via a concurrent thread that increments a
+ pointer count after the nargs function has counted the pointers, but
+ before the count is copied from user space to kernel space, which
+ leads to a buffer overflow.
+Notes:
+ 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)
+upstream: released (2.4.31, 2.6.6)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: released (2.4.27-11)
+2.4.27-sarge-security: released (2.4.27-10sarge1)
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-1913 b/active/retired/CVE-2005-1913
new file mode 100644
index 00000000..e3ccfe9f
--- /dev/null
+++ b/active/retired/CVE-2005-1913
@@ -0,0 +1,37 @@
+Candidate: CVE-2005-1913
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1913
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050608
+ Category: SF
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1
+ UBUNTU:USN-178-1
+ URL:http://www.ubuntu.com/usn/usn-178-1
+ BID:14054
+ URL:http://www.securityfocus.com/bid/14054
+ SECUNIA:15786
+ URL:http://secunia.com/advisories/15786/
+ XF:kernel-subthread-dos(21138)
+ URL:http://xforce.iss.net/xforce/xfdb/21138
+Description:
+ The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a
+ denial of service (kernel panic) via a non group-leader thread
+ executing a different program than was pending in itimer, which causes
+ the signal to be delivered to the old group-leader task, which does
+ not exist.
+Notes:
+upstream: released (2.6.12.1)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: released (2.6.12-1) [linux-2.6.12.1.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2098 b/active/retired/CVE-2005-2098
new file mode 100644
index 00000000..20aaf4f5
--- /dev/null
+++ b/active/retired/CVE-2005-2098
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-2098
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2098
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050630
+ Category: SF
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+ UBUNTU:USN-169-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ SECUNIA:16355
+ URL:http://secunia.com/advisories/16355/
+Description:
+ The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
+ 2.6.12.5 contains an error path that does not properly release the
+ session management semaphore, which allows local users or remote
+ attackers to cause a denial of service (semaphore hang) via a new
+ session keyring (1) with an empty name string, (2) with a long name
+ string, (3) with the key quota reached, or (4) ENOMEM.
+upstream: released (2.6.12.5)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2099 b/active/retired/CVE-2005-2099
new file mode 100644
index 00000000..15e33c8a
--- /dev/null
+++ b/active/retired/CVE-2005-2099
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-2099
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2099
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050630
+ Category: SF
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+ UBUNTU:USN-169-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ SECUNIA:16355
+ URL:http://secunia.com/advisories/16355/
+Description:
+ The Linux kernel before 2.6.12.5 does not properly destroy a keyring
+ that is not instantiated properly, which allows local users or remote
+ attackers to cause a denial of service (kernel oops) via a keyring
+ with a payload that is not empty, which causes the creation to fail,
+ leading toa null dereference in the keyring destructor.
+upstream: released (2.6.12.5)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2100 b/active/retired/CVE-2005-2100
new file mode 100644
index 00000000..343d09d6
--- /dev/null
+++ b/active/retired/CVE-2005-2100
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-2100
+References:
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165547
+ REDHAT:RHSA-2005:514
+ URL:http://www.redhat.com/support/errata/RHSA-2005-514.html
+Description:
+ The rw_vm function in usercopy.c in the 4GB split patch for the Linux kernel in
+ Red Hat Enterprise Linux 4 does not perform proper bounds checking, which allows
+ local users to cause a denial of service (crash).
+Notes:
+ horms> This is a bug in the Red Hat 4G/4G patch, and doesn't appear
+ in Upstream or Debian Kernels.
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2456 b/active/retired/CVE-2005-2456
new file mode 100644
index 00000000..90b2a29a
--- /dev/null
+++ b/active/retired/CVE-2005-2456
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-2456
+References:
+ http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a4f1bac62564049ea4718c4624b0fadc9f597c84
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8da3e25b2c4c1f305fd85428d3a9eb62b543bfba;hp=ecade4893a139cc35d4fe345ce70242ede5358c4;hb=a4f1bac62564049ea4718c4624b0fadc9f597c84;f=net/xfrm/xfrm_user.c
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219
+ http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:220
+ http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ http://www.novell.com/linux/security/advisories/2005_50_kernel.html
+ http://www.securityfocus.com/bid/14477
+ http://secunia.com/advisories/16298
+ http://secunia.com/advisories/16500
+ http://xforce.iss.net/xforce/xfdb/21710
+Description:
+ Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c
+ in Linux kernel 2.6 allows local users to cause a denial of service (oops
+ or deadlock) and possibly execute arbitrary code via a p->dir value that is
+ larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy
+ array.
+Notes:
+Bugs: 321401
+upstream:
+linux-2.6: released (2.6.12-2)
+2.6.8-sarge-security: released (2.6.8-16sarge1)
+2.4.27-sarge-security: released (2.4.27-10sarge1) [176_ipsec-array-overflow.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2457 b/active/retired/CVE-2005-2457
new file mode 100644
index 00000000..06715f7f
--- /dev/null
+++ b/active/retired/CVE-2005-2457
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-2457
+References:
+ URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2457
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+ UBUNTU:USN-169-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ BID:14614
+ URL:http://www.securityfocus.com/bid/14614
+ SECUNIA:16355
+ URL:http://secunia.com/advisories/16355/
+Description:
+ The driver for compressed ISO file systems (zisofs) in the Linux
+ kernel before 2.6.12.5 allows local users and remote attackers to
+ cause a denial of service (kernel crash) via a crafted compressed ISO
+ file system.
+upstream: released (2.6.12.5)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [zisofs.diff]
+2.4.27-sid/sarge: pending [187_zisofs-2.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [187_zisofs-2.diff]
+linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2458 b/active/retired/CVE-2005-2458
new file mode 100644
index 00000000..6d7b55a2
--- /dev/null
+++ b/active/retired/CVE-2005-2458
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-2458
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050805
+ Category: SF
+ MLIST:[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file
+ URL:http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+ UBUNTU:USN-169-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ SECUNIA:16355
+ URL:http://secunia.com/advisories/16355/
+Description:
+ inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
+ allows remote attackers to cause a denial of service (kernel crash)
+ via a compressed file with "improper tables".
+upstream: released (2.6.12.5)
+linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge1) [linux-zlib-fixes.dpatch]
+2.4.27-sid/sarge: released (2.4.27-11) [182_linux-zlib-fixes.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [182_linux-zlib-fixes.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2459 b/active/retired/CVE-2005-2459
new file mode 100644
index 00000000..2bdc6f42
--- /dev/null
+++ b/active/retired/CVE-2005-2459
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-2459
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2459
+ MISC:http://bugs.gentoo.org/show_bug.cgi?id=94584
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5
+ UBUNTU:USN-169-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1
+ SECUNIA:16355
+ URL:http://secunia.com/advisories/16355/
+Description:
+ The huft_build function in inflate.c in the zlib routines in the Linux
+ kernel before 2.6.12.5 returns the wrong value, which allows remote
+ attackers to cause a denial of service (kernel crash) via a certain
+ compressed file that leads to a null pointer dereference, a different
+ vulnerability than CVE-2005-2458.
+Notes:
+ This is a bogus fix that was applied in 2.6.12.5 and reverted in 2.6.12.6
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.6
+ We included the broken fix in the sarge1 releases, so this backs it out.
+upstream: released (2.6.12.5)
+linux-2.6: released (2.6.12.3)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [linux-zlib-fixes.dpatch]
+2.4.27-sid/sarge: released (2.4.27-11) [182_linux-zlib-fixes.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [182_linux-zlib-fixes.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2490 b/active/retired/CVE-2005-2490
new file mode 100644
index 00000000..d06ca172
--- /dev/null
+++ b/active/retired/CVE-2005-2490
@@ -0,0 +1,36 @@
+Candidate: CVE-2005-2490
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050808
+ Category: SF
+ MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+ UBUNTU:USN-178-1
+ URL:http://www.ubuntu.com/usn/usn-178-1
+ BID:14785
+ URL:http://www.securityfocus.com/bid/14785
+ SECUNIA:16747
+ URL:http://secunia.com/advisories/16747/
+ XF:kernel-sendmsg-bo(22217)
+ URL:http://xforce.iss.net/xforce/xfdb/22217
+Description:
+ Stack-based buffer overflow in the sendmsg function call in the Linux
+ kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code
+ by calling sendmsg and modifying the message contents in another
+ thread.
+upstream: released (2.6.13.1), released (2.4.33-pre1)
+linux-2.6: released (2.6.12-7, 2.6.13-1) [sendmsg-stackoverflow.patch, linux-2.6.13.1.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge2) [sendmsg-stackoverflow.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2492 b/active/retired/CVE-2005-2492
new file mode 100644
index 00000000..efc21d41
--- /dev/null
+++ b/active/retired/CVE-2005-2492
@@ -0,0 +1,35 @@
+Candidate: CVE-2005-2492
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2492
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050808
+ Category: SF
+ MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1
+ UBUNTU:USN-178-1
+ URL:http://www.ubuntu.com/usn/usn-178-1
+ BID:14787
+ URL:http://www.securityfocus.com/bid/14787
+ SECUNIA:16747
+ URL:http://secunia.com/advisories/16747/
+ XF:kernel-rawsendmsg-obtain-information(22218)
+ URL:http://xforce.iss.net/xforce/xfdb/22218
+Description:
+ The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1
+ allows local users to cause a denial of service (change hardware
+ state) or read from arbitrary memory via crafted input.
+upstream: released (2.6.13.1)
+linux-2.6: released (2.6.12-7, 2.6.13-1) [sendmsg-DoS.patch, linux-2.6.13.1.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2548 b/active/retired/CVE-2005-2548
new file mode 100644
index 00000000..7aa9f590
--- /dev/null
+++ b/active/retired/CVE-2005-2548
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-2548
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2548
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050812
+ Category: SF
+ CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308
+Description:
+ vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
+ denial of service (kernel oops from null dereference) via certain UDP
+ packets that lead to a function call with the wrong argument, as
+ demonstrated using snmpwalk on snmpd.
+upstream: released (2.4.29)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [vlan-mii-ioctl.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2553 b/active/retired/CVE-2005-2553
new file mode 100644
index 00000000..444d853c
--- /dev/null
+++ b/active/retired/CVE-2005-2553
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-2553
+References:
+ URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553
+ CONFIRM:http://lkml.org/lkml/2005/1/5/245
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA
+Description:
+ The find_target function in ptrace32.c in the Linux kernel 2.4.x
+ before 2.4.29 does not properly handle a NULL return value from
+ another function, which allows local users to cause a denial of
+ service (kernel crash/oops) by running a 32-bit ltrace program with
+ the -i option on a 64-bit executable program.
+Bugs:
+upstream: released (2.4.29)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: pending [184_arch-x86_64-ia32-ptrace32-oops.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [184_arch-x86_64-ia32-ptrace32-oops.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2555 b/active/retired/CVE-2005-2555
new file mode 100644
index 00000000..4c466519
--- /dev/null
+++ b/active/retired/CVE-2005-2555
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-2555
+References:
+ URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2555
+Description:
+ Linux kernel 2.6.x does not properly restrict socket policy access to users
+ with the CAP_NET_ADMIN capability, which could allow local users to conduct
+ unauthorized activities via (1) ipv4/ip_sockglue.c and
+ (2) ipv6/ipv6_sockglue.c.
+Notes:
+Bugs:
+upstream: released (2.6.13)
+linux-2.6: released (2.6.13-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: released (2.4.27-10sarge2)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2708 b/active/retired/CVE-2005-2708
new file mode 100644
index 00000000..8c10fd12
--- /dev/null
+++ b/active/retired/CVE-2005-2708
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-2708
+References:
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925
+Description:
+ The search_binary_handler function in exec.c in Linux kernel on 64-bit x86
+ architectures does not check a return code for a particular function call when
+ virtual memory is low, which allows local users to cause a denial of service
+ (panic), as demonstrated by running a process using the bash ulimit -v
+ command.
+Notes:
+ This bug only affects 2.4 and AMD64, a combination that does not exist in
+ Debian
+Bugs:
+upstream: released (2.4.33-pre1)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2709 b/active/retired/CVE-2005-2709
new file mode 100644
index 00000000..12eb1c7e
--- /dev/null
+++ b/active/retired/CVE-2005-2709
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-2709
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=blob_plain;h=5dbbdc13a7bdbc132de44bc00e13079afaf033d0;f=2.6.14.1/cve-2005-2709-sysctl-unregistration-oops.patch
+Description:
+ From: Al Viro <viro@zeniv.linux.org.uk>
+ .
+ You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
+ wait for interface to go away, try to grab as much memory as possible in
+ hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
+ function. Then do read from file you've opened and if you are lucky,
+ you'll get it called as ->proc_handler() in kernel mode.
+Notes:
+ CVE is reserved, so we can't take the description from there yet
+ .
+ dannf> arch/s390/appldata/appldata_base.c doesn't exist in 2.4, so I dropped
+ dannf> that hunk in my backport
+ .
+ **THIS IS AN ABI CHANGE**
+Bug:
+upstream: released (2.6.14.1), released (2.4.33-pre1)
+linux-2.6: released (2.6.14-3)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [sysctl-unregistration-oops.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [196_sysctl-unregistration-oops.patch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2800 b/active/retired/CVE-2005-2800
new file mode 100644
index 00000000..6174e495
--- /dev/null
+++ b/active/retired/CVE-2005-2800
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-2800
+References:
+ URL:http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-2800
+Description:
+ Memory leak in the seq_file implemenetation in the SCSI procfs interface
+ (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a
+ denial of service (memory consumption) via certain repeated reads from the
+ /proc/scsi/sg/devices file, which is not properly handled when the next()
+ iterator returns NULL or an error.
+Notes:
+ dannf> seq_file is a 2.6ism, so marking 2.4 as N/A
+ dannf> There's a trivial test case - can it be reproduce this on 2.4?
+Bugs:
+upstream: released (2.6.12.6)
+linux-2.6: released (2.6.12-6)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-2801 b/active/retired/CVE-2005-2801
new file mode 100644
index 00000000..975e4eec
--- /dev/null
+++ b/active/retired/CVE-2005-2801
@@ -0,0 +1,26 @@
+Candidate: CVE-2005-2801
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801
+ MLIST:[Acl-Devel] 20050205 [FIX] Long-standing xattr sharing bug
+ URL:http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html
+ MLIST:[debian-kernel] 20050809 Re: ACL patches in Debian 2.4 series kernel.
+ URL:http://lists.debian.org/debian-kernel/2005/08/msg00238.html
+ SUSE:SUSE-SA:2005:018
+ URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html
+Description:
+ xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6
+ does not properly compare the name_index fields when sharing xattr
+ blocks, which could prevent default ACLs from being applied.
+Bugs: 332381
+upstream: released (2.6.11)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs_ext2_ext3_xattr-sharing.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [178_fs_ext2_ext3_xattr-sharing.diff]
+2.4.27-sid: released (2.4.27-12) [178_fs_ext2_ext3_xattr-sharing.diff]
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2872 b/active/retired/CVE-2005-2872
new file mode 100644
index 00000000..5fb79ff8
--- /dev/null
+++ b/active/retired/CVE-2005-2872
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-2872
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2872
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050909
+ Category: SF
+ Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237
+ Reference:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2
+Description:
+ The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
+ 2.6.12, when running on 64-bit processors such as AMD64, allows remote
+ attackers to cause a denial of service (kernel panic) via certain
+ attacks such as SSH brute force, which leads to memset calls using a
+ length based on the u_int32_t type, acting on an array of unsigned
+ long elements, a different vulnerability than CVE-2005-2873.
+upstream: released (2.6.12)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [net-ipv4-netfilter-ip_recent-last_pkts.dpatch]
+2.4.27-sid/sarge: released (2.4.27-12) [179_net-ipv4-netfilter-ip_recent-last_pkts.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [179_net-ipv4-netfilter-ip_recent-last_pkts.diff]
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-2973 b/active/retired/CVE-2005-2973
new file mode 100644
index 00000000..ba46533d
--- /dev/null
+++ b/active/retired/CVE-2005-2973
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-2973
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4342df67SNhRx_3FGhUrrU-FXLlQIA
+Description:
+ Fix infinite loop in udp_v6_get_port().
+Bugs:
+Notes:
+ submitted for inclusion in 2.4.32-rc2
+upstream: released (2.6.14-rc4)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [net-ipv6-udp_v6_get_port-loop.patch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [195_net-ipv6-udp_v6_get_port-loop.diff]
+2.4.27-sarge/sid: pending (2.4.27-12)
+linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3053 b/active/retired/CVE-2005-3053
new file mode 100644
index 00000000..27a385f0
--- /dev/null
+++ b/active/retired/CVE-2005-3053
@@ -0,0 +1,28 @@
+Candidate: CVE-2005-3053
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3053
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050926
+ Category: SF
+ Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42eef8b09C5r6iI0LuMe5Uy3k05c5g
+Description:
+ The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x
+ allows local users to cause a denial of service (kernel BUG()) via a
+ negative first argument.
+Notes:
+ horms> http://lkml.org/lkml/2005/9/30/218
+upstream: released (2.6.12.5)
+linux-2.6: released (2.6.12-3)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [mempolicy-check-mode.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3055 b/active/retired/CVE-2005-3055
new file mode 100644
index 00000000..c4da2529
--- /dev/null
+++ b/active/retired/CVE-2005-3055
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-3055
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3055
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050926
+ Category: SF
+ MLIST:[linux-kernel] 20050925 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
+Description:
+ Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial
+ of service (kernel OOPS) via a userspace process that issues a USB
+ Request Block (URB) to a USB device and terminates before the URB is
+ finished, which leads to a stale pointer reference.
+Notes:
+ horms> http://lkml.org/lkml/mbox/2005/10/11/90
+ horms> http://lkml.org/lkml/2005/10/11/90
+ horms> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330287;msg=21
+Bugs: 330287, 332587
+upstream: released (2.6.14-rc4)
+linux-2.6: released (2.6.14-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3106 b/active/retired/CVE-2005-3106
new file mode 100644
index 00000000..7b2b2e99
--- /dev/null
+++ b/active/retired/CVE-2005-3106
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-3106
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
+Description:
+ Race condition in Linux 2.6, when threads are sharing memory mapping
+ via CLONE_VM (such as linuxthreads and vfork), might allow local users
+ to cause a denial of service (deadlock) by triggering a core dump
+ while waiting for a thread that has just performed an exec.
+ .
+ Extra information from Moritz Muehlenhof:
+ CVE-2005-3106:
+ DoS through race condition in processes that share a memory mapping through
+ CLONE_VM
+ http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c
+upstream: released (2.6.11)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-ptrace-core-exec-race.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3107 b/active/retired/CVE-2005-3107
new file mode 100644
index 00000000..5123c7b3
--- /dev/null
+++ b/active/retired/CVE-2005-3107
@@ -0,0 +1,33 @@
+Candidate: CVE-2005-3107
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3107
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.155?nav=index.html|src/|src/fs|hist/fs/exec.c
+Description:
+ fs/exec.c in Linux 2.6, when one thread is tracing another thread that
+ shares the same memory map, might allow local users to cause a denial
+ of service (deadlock) by forcing a core dump when the traced thread is
+ in the TASK_TRACED state.
+ .
+ Extra information from Moritz Muehlenhof:
+ Local DoS through threads tracing each other by forcing a core dump, while the traced
+ thread is in TASK_TRACED state.
+ http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch
+upstream: released (2.6.11)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-ptrace-deadlock.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3108 b/active/retired/CVE-2005-3108
new file mode 100644
index 00000000..54985b8e
--- /dev/null
+++ b/active/retired/CVE-2005-3108
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-3108
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3108
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2
+Description:
+ mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
+ cause a denial of service or an information leak via an iremap on a
+ certain memory map that causes the iounmap to perform a lookup of a
+ page that does not exist.
+Notes:
+ Extra information from Moritz Muehlenhof:
+ DoS and potential information leak in ioremap (seemingly specific to amd64)
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2
+upstream: released (2.6.11.12)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-mm-ioremap-page-lookup.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3109 b/active/retired/CVE-2005-3109
new file mode 100644
index 00000000..2d36440f
--- /dev/null
+++ b/active/retired/CVE-2005-3109
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-3109
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3109
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ CONFIRM:http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=945b092011c6af71a0107be96e119c8c08776f3f
+Description:
+ The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to
+ cause a denial of service (oops) by using hfsplus to mount a
+ filesystem that is not hfsplus.
+Notes:
+ Extra information from Moritz Muehlenhof:
+ Local DoS through oops by mounting a non-HFS+ filesystem as HFS+.
+ Asking upstream about 2.4: http://lkml.org/lkml/2005/10/7/3/index.html
+ dannf> Looks like, from the above thread, that 2.4 is not affected; marking
+ as such.
+upstream: released (2.6.11.12)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-hfs-oops-and-leak.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-3110 b/active/retired/CVE-2005-3110
new file mode 100644
index 00000000..7b5f4922
--- /dev/null
+++ b/active/retired/CVE-2005-3110
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-3110
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3110
+ Final-Decision:
+ Interim-Decision:
+ Modified:
+ Proposed:
+ Assigned: 20050930
+ Category: SF
+ Reference: CONFIRM:http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
+Description:
+ Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6,
+ when running on an SMP system that is operating under a heavy load,
+ might allow remote attackers to cause a denial of service (crash) via
+ a series of packets that cause a value to be modified after it has
+ been read but before it has been locked.
+Notes:
+ Extra information from Moritz Muehlenhof:
+ DoS on SMP, potentially 2.4 and 2.6
+ http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572
+upstream: released (2.6.11.11)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [net-bridge-netfilter-etables-smp-race.dpatch]
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3119 b/active/retired/CVE-2005-3119
new file mode 100644
index 00000000..85710594
--- /dev/null
+++ b/active/retired/CVE-2005-3119
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-3119
+References:
+ URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3119
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@43483fddCiQX1WyG_orbko06TrjMVA
+ REDHAT:RHSA-2005:808
+ URL:http://www.redhat.com/support/errata/RHSA-2005-808.html
+ SECUNIA:17364
+ URL:http://secunia.com/advisories/17364
+Description:
+ Memory leak in the request_key_auth_destroy function in request_key_auth in Linux
+ kernel 2.6.13 and earlier allows local users to cause a denial of service (memory
+ consumption) via a large number of authorization token keys.
+Notes:
+ Plug request_key_auth memleak. This can be triggered by unprivileged
+ users, so is local DoS.
+ http://www.ussg.iu.edu/hypermail/linux/kernel/0510.0/1860.html
+ .
+ dannf> This file doesn't exist in 2.6.8, so sarge isn't vulnerable
+upstream: released (2.6.13.4, 2.6.14)
+linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3179 b/active/retired/CVE-2005-3179
new file mode 100644
index 00000000..f2b7e547
--- /dev/null
+++ b/active/retired/CVE-2005-3179
@@ -0,0 +1,27 @@
+Candidate: CVE-2005-3179
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3179
+ Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=d7067d7d1f92cba14963a430cfbd53098cbbc8fd
+ Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=107893
+Description:
+ drm.c in Linux kernel 2.6.13 and earlier creates a debug file in sysfs
+ with world-readable and world-writable permissions, which allows local
+ users to enable DRM debugging and obtain sensitive information.
+Notes:
+ (from Horms)
+ > > From: Dave Jones <davej@redhat.com>
+ > >
+ > > Please consider for next 2.6.13, it is a minor security issue allowing
+ > > users to turn on drm debugging when they shouldn't...
+upstream: released (2.6.13.4)
+linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1)
+2.6.8-sarge-security: N/A
+2.4.27-sid/sarge: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3180 b/active/retired/CVE-2005-3180
new file mode 100644
index 00000000..70d585c3
--- /dev/null
+++ b/active/retired/CVE-2005-3180
@@ -0,0 +1,31 @@
+Candidate: CVE-2005-3180
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180
+ CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b
+Description:
+ The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does
+ not properly clear memory from a previously used packet whose length
+ is increased, which allows remote attackers to obtain sensitive
+ information.
+Notes:
+ > > From: Pavel Roskin <proski@gnu.org>
+ > >
+ > > The orinoco driver can send uninitialized data exposing random pieces of
+ > > the system memory. This happens because data is not padded with zeroes
+ > > when its length needs to be increased.
+ horms> a better fix for this is
+ horms> http://mirror.local.valinux.co.jp/linux/kernel/v2.6/ChangeLog-2.6.15
+ horms> 192_orinoco-info-leak.diff is missing the ALIGN macro which is not
+ horms> defined elsewhere in 2.4.
+ horms> is added by 192_orinoco-info-leak-2.diff
+upstream: released (2.6.13.4), released (2.4.33-pre2)
+linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [orinoco-info-leak.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [192_orinoco-info-leak.diff, 192_orinoco-info-leak-2.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3181 b/active/retired/CVE-2005-3181
new file mode 100644
index 00000000..614a43ea
--- /dev/null
+++ b/active/retired/CVE-2005-3181
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3181
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-3181
+ CONFIRM: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=829841146878e082613a49581ae252c071057c23
+Description:
+ Linux kernel before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an
+ incorrect function to free names_cache memory, which prevents the memory
+ from being tracked by AUDITSYSCALL code and leads to a memory leak that
+ allows attackers to cause a denial of service (memory consumption).
+Notes:
+ 2.4 isn't vulnerable because AUDITSYSCALL doesn't exist in 2.4
+Bugs:
+upstream: released (2.6.13.4)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: N/A
+2.4.27-sarge/sid: N/A
+linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3257 b/active/retired/CVE-2005-3257
new file mode 100644
index 00000000..f2dfa81f
--- /dev/null
+++ b/active/retired/CVE-2005-3257
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-3257
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-3257
+ CONFIRM: http://article.gmane.org/gmane.linux.debian.devel.bugs.general/8533
+Description:
+ The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12 allows local
+ users to use the KDSKBSENT ioctl on terminals of other users and gain
+ privileges, as demonstrated by modifying key bindings using loadkeys.
+Bugs: 334113
+Notes:
+ The first patch is the bit that adds the capability check; the second
+ one makes it less anal (only apply to writes).
+ jmm> The patch targeted to 2.6.14.4 is slightly different, needs to be
+ jmm> sorted out.
+upstream: released (2.4.32-rc3), released (2.6.15-rc1), released (2.6.14.4)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [setkeys-needs-root-1.dpatch, setkeys-needs-root-2.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [197_setkeys-needs-root-1.diff, 197_setkeys-needs-root-2.diff]
+linux-2.6: released (2.6.14-6)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3271 b/active/retired/CVE-2005-3271
new file mode 100644
index 00000000..f2300a6c
--- /dev/null
+++ b/active/retired/CVE-2005-3271
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3271
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3271
+ MLIST:[linux-kernel] 20040911 [PATCH] exec: fix posix-timers leak and pending signal loss
+ URL:http://www.ussg.iu.edu/hypermail/linux/kernel/0409.1/1107.html
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@414b332fsZQvEUsfzKJIo-q2_ZH0hg
+Description:
+ Exec in Linux kernel 2.6 does not properly clear posix-timers in
+ multi-threaded environments, which results in a resource leak and
+ could allow a large number of multiple local users to cause a denial
+ of service by using more posix-timers than specified by the quota for
+ a single user.
+Bugs:
+upstream: released (2.6.9)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-posix-timers-leak-1.dpatch]
+2.4.27-sarge-security: N/A
+linux-2.6: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3272 b/active/retired/CVE-2005-3272
new file mode 100644
index 00000000..62faaf83
--- /dev/null
+++ b/active/retired/CVE-2005-3272
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-3272
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3097.18.19?nav=index.html|src/|src/net|src/net/bridge|related/net/bridge/br_input.c
+Description:
+ Linux kernel before 2.6.12 allows remote attackers to poison the
+ bridge forwarding table using frames that have already been dropped by
+ filtering, which can cause the bridge to forward spoofed packets.
+Bugs:
+upstream: released (2.6.12)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [net-bridge-forwarding-poison-1.dpatch, net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch]
+2.4.27-sarge-security: N/A
+linux-2.6: released (2.6.12-1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3273 b/active/retired/CVE-2005-3273
new file mode 100644
index 00000000..7226e3d8
--- /dev/null
+++ b/active/retired/CVE-2005-3273
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-3273
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3273
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/net/rose/rose_route.c@1.16?nav=index.html|src/|src/net|src/net/rose|related/net/rose/rose_route.c|cset@1.2009.1.46
+ CONFIRM:http://lkml.org/lkml/2005/5/23/169
+Description:
+ The rose_rt_ioctl function in rose_route.c for ROSE in Linux 2.6
+ kernels prior to 2.6.12 does not properly verify the ndigis argument
+ for a new route, which allows attackers to trigger array out-of-bounds
+ errors with a large number of digipeats.
+Bugs:
+upstream: released (2.6.12)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [net-rose-ndigis-verify.dpatch]
+2.4.27-sarge-security: N/A
+linux-2.6: released (2.6.12-1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3274 b/active/retired/CVE-2005-3274
new file mode 100644
index 00000000..46e16aab
--- /dev/null
+++ b/active/retired/CVE-2005-3274
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3274
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=e684f066dff5628bb61ad1912de6e8058b5b4c7d
+ CONFIRM:http://lkml.org/lkml/2005/6/23/249
+ CONFIRM:http://lkml.org/lkml/2005/6/24/173
+Description:
+ Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4
+ before 2.4.32-pre2, when running on SMP systems, allows local users to
+ cause a denial of service (null dereference) by causing a connection
+ timer to expire while the connection table is being flushed before the
+ appropriate lock is acquired.
+Bugs:
+upstream: released (2.6.13, 2.4.32-pre2)
+linux-2.6: released (2.6.13-1)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [net-ipv4-ipvs-conn_tab-race.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3275 b/active/retired/CVE-2005-3275
new file mode 100644
index 00000000..9fc10e88
--- /dev/null
+++ b/active/retired/CVE-2005-3275
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-3275
+References:
+ URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3596.79.34?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_proto_udp.c
+Description:
+ The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in
+ Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly
+ declares a variable to be static, which allows remote attackers to
+ cause a denial of service (memory corruption) by causing two packets
+ for the same protocol to be NATed at the same time, which leads to
+ memory corruption.
+Bugs:
+upstream: released (2.6.12.3)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [netfilter-NAT-memory-corruption.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge1) [174_net-ipv4-netfilter-nat-mem.diff]
+linux-2.6: released (2.6.12-1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3276 b/active/retired/CVE-2005-3276
new file mode 100644
index 00000000..56a01b84
--- /dev/null
+++ b/active/retired/CVE-2005-3276
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-3276
+References:
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3700.4.106?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/process.c
+ CONFIRM: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=71ae18ec690953e9ba7107c7cc44589c2cc0d9f1
+ URL:http://lkml.org/lkml/2005/8/3/36
+Description:
+ The sys_get_thread_area function in Linux 2.6 kernels prior to 2.6.12.4 and
+ 2.6.13 does not entirely clear a user_desc structure before copying it
+ to userspace, resulting in a small information leak.
+Bugs:
+upstream: released (2.6.12.4)
+linux-2.6: released (2.6.12-2)
+2.6.8-sarge-security: released (2.6.8-16sarge1) [sys_get_thread_area-leak.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3356 b/active/retired/CVE-2005-3356
new file mode 100644
index 00000000..4da47902
--- /dev/null
+++ b/active/retired/CVE-2005-3356
@@ -0,0 +1,34 @@
+Candidate: CVE-2005-3356
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6h+p=12dbf3fc4d06d2c0c4c44dc0612df04248b3cfd3
+Description:
+ [PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open
+ .
+ Fixed the refcounting on failure exits in sys_mq_open() and
+ cleaned the logics up. Rules are actually pretty simple - dentry_open()
+ expects vfsmount and dentry to be pinned down and it either transfers
+ them into created struct file or drops them. Old code had been very
+ confused in that area - if dentry_open() had failed either in do_open()
+ or do_create(), we ended up dentry and mqueue_mnt dropped twice, once
+ by dentry_open() cleanup and then by sys_mq_open().
+ .
+ Fix consists of making the rules for do_create() and do_open()
+ same as for dentry_open() and updating the sys_mq_open() accordingly;
+ that actually leads to more straightforward code and less work on
+ normal path.
+ .
+ Signed-off-by: Al Viro <aviro@redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+Notes:
+ jmm> Discovered by Doug Chapman
+Bugs:
+upstream: released (2.6.15.2)
+linux-2.6: released (2.6.15-4)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-3358 b/active/retired/CVE-2005-3358
new file mode 100644
index 00000000..bcb2ae93
--- /dev/null
+++ b/active/retired/CVE-2005-3358
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-3358
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175683
+Description:
+ Linux kernel 2.6.x, possibly before 2.6.11, allows local users to
+ cause a denial of service (panic) via a set_mempolicy call with a
+ 0 bitmask, which causes a panic when a page fault occurs.
+Notes:
+ jmm> This was initially believed to be fixed as of 2.6.11, but this
+ jmm> turned out to be wrong.
+Bugs:
+upstream: released (2.6.15)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [mempolicy-undefined-nodes.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-3359 b/active/retired/CVE-2005-3359
new file mode 100644
index 00000000..54534cbd
--- /dev/null
+++ b/active/retired/CVE-2005-3359
@@ -0,0 +1,35 @@
+Candidate: CVE-2005-3359
+References:
+ http://linux.bkbits.net:8080/linux-2.6/cset@4339c66aLroC1_zunYKhEIbtIWrnwg
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175769
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a79af59efd20990473d579b1d8d70bb120f0920c
+ CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4339c66aLroC1_zunYKhEIbtIWrnwg
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175769
+ UBUNTU:USN-263-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-263-1
+ BID:17078
+ URL:http://www.securityfocus.com/bid/17078
+ SECUNIA:19220
+ URL:http://secunia.com/advisories/19220
+Description:
+ The atm module in Linux kernel 2.6 before 2.6.14 allows local users to cause a
+ denial of service (panic) via certain socket calls that produce inconsistent
+ reference counts for loadable protocol modules.
+Notes:
+ dannf> Easily reproduced on 2.6.8, not reproducible on 2.4.27, so marking
+ dannf> 2.4 N/A
+ .
+ dannf> Note that atm is marked experimental in 2.6.8, and is not built
+ dannf> as a module on i386, amd64 or ia64 - but of course users could
+ dannf> build their own kernels, and this isn't atm specific
+Bugs:
+upstream: released (2.6.14)
+linux-2.6: released (2.6.14-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-3623 b/active/retired/CVE-2005-3623
new file mode 100644
index 00000000..928c8ebd
--- /dev/null
+++ b/active/retired/CVE-2005-3623
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-3623
+References:
+ http://permalink.gmane.org/gmane.linux.kernel/360868
+Description:
+ We must check for MAY_SATTR before setting acls, which includes
+ checking for read-only exports: the lower-level setxattr operation
+ that eventually sets the acl cannot check export-level restrictions.
+Notes:
+ jmm> NFS ACLs were only introduced somewhere between 2.6.12-2.6.14, so
+ jmm> Sarge and Woody are not vulnerable
+Bugs:
+upstream: released (2.6.14.5), released (2.6.15-pre7)
+linux-2.6: released (2.6.14-7)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-3783 b/active/retired/CVE-2005-3783
new file mode 100644
index 00000000..5edfb1da
--- /dev/null
+++ b/active/retired/CVE-2005-3783
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-3783
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.14.y.git;a=commit;h=082d52c56f642d21b771a13221068d40915a1409
+ http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.14.y.git;a=blobdiff;h=fcfc4568b45f3f190ba320b0d5853836921cb8bc;hp=019e04ec065a55d8f28157d3a1f7ba06cafd347f;hb=082d52c56f642d21b771a13221068d40915a1409;f=kernel/ptrace.c
+Description:
+ The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2,
+ using CLONE_THREAD, does not use the thread group ID to check whether it
+ is attaching to itself, which allows local users to cause a denial of
+ service (crash).
+Notes:
+Bugs:
+upstream: released (2.4.33-pre1, 2.6.14.2)
+linux-2.6: released (2.6.14-3)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [ptrace-fix_self-attach_rule.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [201_ptrace-fix_self-attach_rule.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3784 b/active/retired/CVE-2005-3784
new file mode 100644
index 00000000..ecaa8893
--- /dev/null
+++ b/active/retired/CVE-2005-3784
@@ -0,0 +1,21 @@
+Candidate: CVE-2005-3784
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7ed0175a462c4c30f6df6fac1cccac058f997739
+Description:
+ The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes
+ with ptrace attached,which leads to a dangling ptrace reference and allows local users
+ to cause a denial of service (crash).
+Notes:
+ jmm,horms> 2.4 code seems very different and not vulnerable
+Bugs:
+upstream: released (2.6.15)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [kernel-dont-reap-traced.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-3805 b/active/retired/CVE-2005-3805
new file mode 100644
index 00000000..dee7bc66
--- /dev/null
+++ b/active/retired/CVE-2005-3805
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-3805
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=25f407f0b668f5e4ebd5d13e1fb4306ba6427ead
+Description:
+ A locking problem in POSIX timer cleanup handling on exit in Linux kernel
+ 2.6.10 to 2.6.14, when running on SMP systems, allows local users to cause
+ a denial of service (deadlock) involving process CPU timers.
+Notes:
+ The referenced patch was actually added in 2.6.14, so I think the vulnerable
+ versions listed in the description are wrong.
+Bugs:
+upstream: released (2.6.14)
+linux-2.6: released (2.6.14-1)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa: N/A
diff --git a/active/retired/CVE-2005-3806 b/active/retired/CVE-2005-3806
new file mode 100644
index 00000000..de1ca218
--- /dev/null
+++ b/active/retired/CVE-2005-3806
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-3806
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4ea6a8046bb49d43c950898f0cb4e1994ef6c89d
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=bbbe80cdaf72a75a463aff9551e60b31e2f69061;hp=f841bde30c18493a94fd5d522b84724a8eb82a4a;hb=4ea6a8046bb49d43c950898f0cb4e1994ef6c89d;f=net/ipv6/ip6_flowlabel.c
+Description:
+ The IPv6 flowlabel handling code (ip6_flowlabel.c) in Linux kernels
+ 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in
+ certain circumstances, which allows local users to corrupt kernel memory
+ or cause a denial of service (crash) by triggering a free of non-allocated
+ memory.
+Notes:
+Bugs:
+upstream: released (2.6.14)
+linux-2.6: released (2.6.14-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [net-ipv6-flowlabel-refcnt.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [net-ipv6-flowlabel-refcnt.dpatch]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3807 b/active/retired/CVE-2005-3807
new file mode 100644
index 00000000..28c164ba
--- /dev/null
+++ b/active/retired/CVE-2005-3807
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3807
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e
+Description:
+ [PATCH] VFS: Fix memory leak with file leases
+ .
+ Memory leak in the VFS file lease handling in locks.c in Linux kernels
+ 2.6.10 to 2.6.15 allows local users to cause a denial of service
+ (memory exhaustion) via certain Samba activities that cause an fasync
+ entry to be re-allocated by the fcntl_setlease function after the
+ fasync queue has already
+Notes:
+Bugs:
+upstream: released (2.6.14.3)
+linux-2.6: released (2.6.14-4)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
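Review bot: The Description of the CVE-2005-3807 record is truncated — it ends mid-sentence at "entry to be re-allocated by the fcntl_setlease function after the fasync queue has already", so the trigger condition is never stated. The rest of the sentence was presumably lost when the text was pasted in; please complete it from the referenced commit message rather than leaving the record half-described. Tooling or readers comparing this record against the CVE text will otherwise see a mismatch.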
diff --git a/active/retired/CVE-2005-3808 b/active/retired/CVE-2005-3808
new file mode 100644
index 00000000..47f74a1d
--- /dev/null
+++ b/active/retired/CVE-2005-3808
@@ -0,0 +1,19 @@
+Candidate: CVE-2005-3808
+References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=479ef592f3664dd629417098c8599261c0f689ab
+Description:
+ Fix a 32 bit integer overflow in invalidate_inode_pages2_range. Local DoS
+Notes:
+ horms> I don't see any evidence of this on 2.6.8 or 2.4.27
+ I didn't check the woody kernels, but it seems very unlikely it is there
+Bugs:
+upstream: released (2.6.14.4)
+linux-2.6: released (2.6.14-4)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3809 b/active/retired/CVE-2005-3809
new file mode 100644
index 00000000..93e4f5db
--- /dev/null
+++ b/active/retired/CVE-2005-3809
@@ -0,0 +1,16 @@
+Candidate: CVE-2005-3809
+References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=51df784ed739246a3774b300e5f536e17bec36ed
+Description:
+Notes:
+Bugs:
+upstream: released (2.6.15-rc1, 2.6.14.3)
+linux-2.6: pending (2.6.14-4)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
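Review bot: The CVE-2005-3809 record has an empty `Description:` and records `linux-2.6: pending (2.6.14-4)`, while the neighbouring CVE-2005-3810 record, which lists the same upstream releases (2.6.15-rc1, 2.6.14.3), shows that same package version as `released (2.6.14-4)`. If 2.6.14-4 has shipped, this line is presumably stale and should read `linux-2.6: released (2.6.14-4)`. A one-line description taken from the referenced commit would also make the record self-contained.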
diff --git a/active/retired/CVE-2005-3810 b/active/retired/CVE-2005-3810
new file mode 100644
index 00000000..786a9235
--- /dev/null
+++ b/active/retired/CVE-2005-3810
@@ -0,0 +1,20 @@
+Candidate: CVE-2005-3810
+References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=439a9994bb6ae3c7cab1f0b776bca6bc7aa58a11
+Description:
+ [NETFILTER] ctnetlink: Fix oops when no ICMP ID info in message
+ .
+ This patch fixes an userspace triggered oops. If there is no ICMP_ID
+ info the reference to attr will be NULL.
+Notes:
+Bugs:
+upstream: released (2.6.15-rc1, 2.6.14.3)
+linux-2.6: released (2.6.14-4)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-3847 b/active/retired/CVE-2005-3847
new file mode 100644
index 00000000..84af9587
--- /dev/null
+++ b/active/retired/CVE-2005-3847
@@ -0,0 +1,30 @@
+Candidate: CVE-2005-3847
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd12f48d4e8774415b528d3991ae47c28f26e1ac;hp=ade6648b3b11a5d81f6f28135193ab6d85d621db
+ MISC:http://groups.google.com/group/linux.kernel/browse_thread/thread/74683bcc8dbf0df3/bf540370894d3de0%23bf540370894d3de0?sa=X&oi=groupsr&start=0&num=3
+ MISC:http://svn.debian.org/wsvn/kernel/dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nptl-signal-delivery-deadlock-fix.dpatch?op=file&rev=4458&sc=0
+Description:
+ Bhavesh P. Davda reported a race condition that exists in Linux 2.6 kernels prior to
+ 2.6.13 and 2.6.12.6. A deadlock can occur when a SIGKILL signal is sent to a real-time
+ threaded process that is dumping core, which can be used by a local user to initiate
+ a denial of service attack.
+Notes:
+ handle_stop_signal() in 2.4 looks significantly different, and since this bug
+ is associated with NPTL, I don't think we need to worry about in 2.4.
+ CVE description is actually as follows:
+ signal.c in Linux kernel before 2.6.13 and 2.6.12.6 and earlier allows
+ local users to cause a denial of service (deadlock) by sending a
+ SIGKILL to a real-time threaded process while it is performing a core
+ dump.
+Bug:
+upstream: released (2.6.12.6, 2.6.13)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2) [nptl-signal-delivery-deadlock-fix.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
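Review bot: The section header in the CVE-2005-3847 record is spelled `Bug:` whereas every other record in this directory uses `Bugs:`; anything that parses these files by header name will not find the status block here. It should read `Bugs:`.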
diff --git a/active/retired/CVE-2005-3848 b/active/retired/CVE-2005-3848
new file mode 100644
index 00000000..13cb1398
--- /dev/null
+++ b/active/retired/CVE-2005-3848
@@ -0,0 +1,32 @@
+Candidate: CVE-2005-3848
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cb94c62c252796f42bb83fe40960d12f3ea5a82a
+ MISC:http://lkml.org/lkml/2005/8/26/173
+Description:
+ Ollie Wild discovered a leak in the icmp_push_reply() function in Linux 2.6,
+ in which an ignored error returned by ip_append_data() would result in the
+ route and net_device not being freed. A malicious remote user could exploit
+ this in order to initiate a denial of service attack. This issue was fixed
+ in Linux 2.6.12.6 and 2.6.13.
+Notes:
+ This code looks completely different in 2.4; neither ip_append_data() (the
+ function that returns an error) nor icmp_push_reply() (the function that fails
+ to check this error) exist. So, I'm marking 2.4 as unaffected.
+ Actual CVE description:
+ Memory leak in the icmp_push_reply function in Linux 2.6 before
+ 2.6.12.6 and 2.6.13 allows remote attackers to cause a denial of
+ service (memory consumption) via a large number of crafted packets
+ that cause the ip_append_data function to fail, aka "DST leak in
+ icmp_push_reply."
+upstream: released (2.6.12.6, 2.6.13)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [fix-dst-leak-in-icmp_push_reply.dpatch]
+2.4.27-sid/sarge: released (2.4.27-12) [188_fix-dst-leak-in-icmp_push_reply.diff]
+2.4.27-sarge-security: released (2.4.27-10sarge2) [188_fix-dst-leak-in-icmp_push_reply.diff]
+linux-2.6:
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
+2.4.18-woody-security-hppa:
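Review bot: The CVE-2005-3848 record has no `Bugs:` header at all — the `upstream:` status line follows directly after the quoted CVE description in the Notes block — so the status lines are not separated from free-form notes the way they are in every other record. The key `2.4.27-sid/sarge:` is also non-standard; the CVE-2005-3858 record in this same commit spells the equivalent entry `2.4.27-sid:`, and the `linux-2.6:` line here is placed after the sarge entries rather than directly under `upstream:` as elsewhere. Inserting `Bugs:` before `upstream:` and aligning the key names would make the record consistent with its siblings.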
diff --git a/active/retired/CVE-2005-3857 b/active/retired/CVE-2005-3857
new file mode 100644
index 00000000..414ec8fb
--- /dev/null
+++ b/active/retired/CVE-2005-3857
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3857
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f3a9388e4ebea57583272007311fffa26ebbb305
+Description:
+ [PATCH] VFS: local denial-of-service with file leases
+ .
+ The time_out_leases function in locks.c for Linux kernel before 2.6.15
+ allows local users to cause a denial of service (kernel log message
+ consumption) by causing a large number of broken leases, which is
+ recorded to the log using the printk function.
+Notes:
+ Sent for inclusion in 2.4.33
+Bugs:
+upstream: released (2.6.15-rc2), needed (2.6.33)
+linux-2.6: released (2.6.14+2.6.15-rc5-0experimental.1)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: released (2.4.27-10sarge2)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
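Review bot: The upstream line of the CVE-2005-3857 record reads `upstream: released (2.6.15-rc2), needed (2.6.33)`, but the Notes say "Sent for inclusion in 2.4.33", and a 2.6.33 kernel does not fit the timeframe of the rest of the record. This looks like a typo for the 2.4 stable branch; `upstream: released (2.6.15-rc2), needed (2.4.33)` is presumably what was intended — please confirm against the 2.4 submission.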
diff --git a/active/retired/CVE-2005-3858 b/active/retired/CVE-2005-3858
new file mode 100644
index 00000000..0da7beed
--- /dev/null
+++ b/active/retired/CVE-2005-3858
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-3858
+References:
+ CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.12.y.git;a=commit;h=f982542ed2f495cbe94e6d9001878f27ea738b36
+ MISC:http://lkml.org/lkml/2005/8/26/175
+Description:
+ ip6_input_finish() contains a memory leak in Linux kernels prior to
+ 2.6.12.6 and 2.6.13. This could potentially be used to trigger a remote
+ denial of service (DoS) attack.
+Notes:
+ dannf> Though the code in 2.4 is quite different, it looks to me like the
+ dannf> 2.4 code could be vulnerable.
+Bugs:
+upstream: released (2.6.12.6, 2.6.13)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: released (2.4.27-10sarge2) [189_ipv6-skb-leak.diff]
+2.4.27-sid: released (2.4.27-12) [189_ipv6-skb-leak.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
+2.4.18-woody-security-hppa:
diff --git a/active/retired/CVE-2005-4351 b/active/retired/CVE-2005-4351
new file mode 100644
index 00000000..63dec1f5
--- /dev/null
+++ b/active/retired/CVE-2005-4351
@@ -0,0 +1,23 @@
+Candidate: CVE-2005-4351
+References:
+ http://www.redteam-pentesting.de/advisories/rt-sa-2005-15.txt
+Description:
+ The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8,
+ DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass
+ immutable settings for files by mounting another filesystem that masks the
+ immutable files while the system is running.
+Notes:
+ jmm> This affects the LSM module for BSD secure levels, not included in 2.4 and
+ jmm> 2.6.8
+ jmm> To be removed in 2.6.18 or 2.6.19
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-4352 b/active/retired/CVE-2005-4352
new file mode 100644
index 00000000..5ac5c560
--- /dev/null
+++ b/active/retired/CVE-2005-4352
@@ -0,0 +1,24 @@
+Candidate: CVE-2005-4352
+References:
+ http://www.redteam-pentesting.de/advisories/rt-sa-2005-16.txt
+Description:
+ The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2.6.15
+ and earlier, allows local users to bypass time setting restrictions and set
+ the clock backwards by setting the clock ahead to the maximum unixtime value
+ (19 Jan 2038), which then wraps around to the minimum value (13 Dec 1901),
+ which can then be set ahead to the desired time, aka "settimeofday() time wrap."
+Notes:
+ jmm> This affects the LSM module for BSD secure levels, not included in 2.6.8
+ jmm> and 2.4.27
+ jmm> To be removed in 2.6.18 or 2.6.19
+Bugs:
+upstream:
+linux-2.6:
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-4605 b/active/retired/CVE-2005-4605
new file mode 100644
index 00000000..e6f75575
--- /dev/null
+++ b/active/retired/CVE-2005-4605
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-4605
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8b90db0df7187a01fb7177f1f812123138f562cf
+ http://marc.theaimsgroup.com/?l=full-disclosure&m=113535380422339&w=2
+ http://linux.bkbits.net:8080/linux-2.6/gnupatch@43b562ae6hJGLWZA4TNf2k-RzXnVlQ
+Description:
+ The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions
+ before 2.6.15 allows attackers to read sensitive kernel memory via
+ unspecified vectors in which a signed value is added to an unsigned
+ value.
+Notes:
+ jmm> 2.4 not affected as proc_file_lseek() contains a check for this
+ jmm> if (offset>=0 && (unsigned long long)offset<=file->f_dentry->d_inode->i_sb->s_maxbytes) {
+ jmm> Discovered by Karl Janmar
+Bugs:
+upstream: released (2.6.15), released (2.6.14.6)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [proc-legacy-loff-underflow.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-4618 b/active/retired/CVE-2005-4618
new file mode 100644
index 00000000..c4e87ac6
--- /dev/null
+++ b/active/retired/CVE-2005-4618
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-4618
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c
+Description:
+ Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows
+ local users to cause a denial of service and possibly execute arbitrary
+ code via a long string, which causes sysctl to write a zero byte outside
+ the buffer.
+Notes:
+ jmm> Discovered by Yi Ying
+Bugs:
+upstream: released (2.6.15)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: released (2.4.27-10sarge2)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2005-4635 b/active/retired/CVE-2005-4635
new file mode 100644
index 00000000..f0696f60
--- /dev/null
+++ b/active/retired/CVE-2005-4635
@@ -0,0 +1,29 @@
+Candidate: CVE-2005-4635
+References:
+ MISC:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ea86575eaf99a9262a969309d934318028dbfacb
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15
+ BID:16139
+ URL:http://www.securityfocus.com/bid/16139
+ FRSIRT:ADV-2006-0035
+ URL:http://www.frsirt.com/english/advisories/2006/0035
+ SECUNIA:18216
+ URL:http://secunia.com/advisories/18216
+Description:
+ The nl_fib_input function in fib_frontend.c in the Linux kernel before 2.6.15
+ does not check for valid lengths of the header and payload, which allows
+ remote attackers to cause a denial of service (invalid memory reference) via
+ malformed fib_lookup netlink messages.
+Notes:
+ dannf> Well, I don't know how it could be exploited by an unpriveleged user - dannf> but I don't think we need to worry about it. The vulnerable function
+ dannf> wasn't added until after 2.6.12, and is already fixed in 2.6.15.
+Bugs:
+upstream: released (2.6.15)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2005-4639 b/active/retired/CVE-2005-4639
new file mode 100644
index 00000000..1fb9348b
--- /dev/null
+++ b/active/retired/CVE-2005-4639
@@ -0,0 +1,25 @@
+Candidate: CVE-2005-4639
+References:
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15
+ URL:http://www.securityfocus.com/bid/16142
+ URL:http://www.frsirt.com/english/advisories/2006/0035
+ URL:http://secunia.com/advisories/18216
+Description:
+ Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/
+ Card in Linux kernel 2.6.12 and other versions before 2.6.15 allows
+ local users to cause a denial of service (crash) and possibly execute
+ arbitrary code by "reading more than 8 bytes into an 8 byte long array".
+Notes:
+ jmm> Discovered by Perceval Anichini
+ dannf> Driver wasn't added till after 2.6.8
+Bugs:
+upstream: released (2.6.15)
+linux-2.6: released (2.6.15-1)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0035 b/active/retired/CVE-2006-0035
new file mode 100644
index 00000000..fbcdac97
--- /dev/null
+++ b/active/retired/CVE-2006-0035
@@ -0,0 +1,19 @@
+Candidate: CVE-2006-0035
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad8e4b75c8a7bed475d72ce09bf5267188621961
+Description:
+ Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause
+ infinite loop in kernel, effectively DoSing machine. Noted by Matin Murray.
+Notes:
+ dannf> The vulnerable code doesn't exist in <= 2.6.8
+Bugs:
+upstream: released (2.6.15.1)
+linux-2.6: released (2.6.15-3)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0036 b/active/retired/CVE-2006-0036
new file mode 100644
index 00000000..0f811535
--- /dev/null
+++ b/active/retired/CVE-2006-0036
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-0036
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e4975\02ab
+Description:
+ When an inbound PPTP_IN_CALL_REQUEST packet is received the
+ PPTP NAT helper uses a NULL pointer in pointer arithmentic to
+ calculate the offset in the packet which needs to be mangled
+ and corrupts random memory or crashes.
+Notes:
+ jmm> This is not included in 2.4 and 2.6.8
+Bugs:
+upstream: released (2.6.15.1)
+linux-2.6: released (2.6.15-3)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
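Review bot: The reference URL in the CVE-2006-0036 record contains a stray backslash inside the commit hash (`...cf14861e4975\02ab`), which makes the link unresolvable as written. The hash is exactly 40 hex digits once the backslash is dropped, so this is presumably an escaping artefact from the paste; please remove the backslash so the reference can be followed and cross-checked.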
diff --git a/active/retired/CVE-2006-0037 b/active/retired/CVE-2006-0037
new file mode 100644
index 00000000..b9e97843
--- /dev/null
+++ b/active/retired/CVE-2006-0037
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-0037
+References: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710
+Description:
+ The PPTP NAT helper calculates the offset at which the packet needs
+ to be mangled as difference between two pointers to the header. With
+ non-linear skbs however the pointers may point to two seperate buffers
+ on the stack and the calculation results in a wrong offset beeing
+ used.
+Notes:
+ jmm> The vulnerable code isn't present in 2.4 and 2.6.8
+Bugs:
+upstream: released (2.6.15.1)
+linux-2.6: released (2.6.15-3)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0038 b/active/retired/CVE-2006-0038
new file mode 100644
index 00000000..504f0c1d
--- /dev/null
+++ b/active/retired/CVE-2006-0038
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-0038
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186295
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168
+Description:
+ Integer overflow in the do_replace function in netfilter for Linux
+ before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ,
+ allows local users with CAP_NET_ADMIN rights to cause a buffer overflow
+ in the copy_from_user function.
+Notes:
+ dannf> Submitted to Marcelo for 2.4
+Bugs:
+upstream: released (2.6.16-rc3)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3) [netfilter-do_replace-overflow.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge3) [221_netfilter-do_replace-overflow.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-0039 b/active/retired/CVE-2006-0039
new file mode 100644
index 00000000..89597172
--- /dev/null
+++ b/active/retired/CVE-2006-0039
@@ -0,0 +1,13 @@
+Candidate: CVE-2006-0039
+References:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698
+Description: netfilter do_add_counters race
+Notes:
+ jmm> Only exploitable with CAP_NET_ADMIN privilege
+ jmm> exposure is leakage of sensitive information
+ dannf> Submitted to Marcelo for 2.4
+Bugs:
+upstream: released (2.6.16.17)
+linux-2.6: released (2.6.16-14)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
diff --git a/active/retired/CVE-2006-0095 b/active/retired/CVE-2006-0095
new file mode 100644
index 00000000..44fc3af1
--- /dev/null
+++ b/active/retired/CVE-2006-0095
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-0095
+References:
+ http://article.gmane.org/gmane.linux.kernel/363528/match=dm+crypt
+Description:
+ dm-crypt does not clear struct crypt_config before freeing it. Thus,
+ information on the key could leak f.e. to a swsusp image even after the
+ encrypted device has been removed. The attached patch against 2.6.14 /
+ 2.6.15 fixes it.
+Notes:
+ jhorms> 2.4 not affected as dm-crypt doesn't seem to exist
+ jmm> Discovered by Stefan Rompf
+Bugs:
+upstream: released (2.6.16-rc1)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge2) [dm-crypt-zero-key.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0096 b/active/retired/CVE-2006-0096
new file mode 100644
index 00000000..d3adfd46
--- /dev/null
+++ b/active/retired/CVE-2006-0096
@@ -0,0 +1,34 @@
+Candidate: CVE-2006-0096
+References:
+http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=0f1d4813a4a65296e1131f320a60741732bc068f
+http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.91.23?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wan|related/drivers/net/wan/sdla.c
+Description:
+Notes:
+ jmm> This was accidentally released as a fix for CVE-2004-2607 in 2.4.27-8:
+ jmm>
+ jmm> diff -Nru a/drivers/net/wan/sdla.c b/drivers/net/wan/sdla.c
+ jmm> --- a/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00
+ jmm> +++ b/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00
+ jmm> @@ -1300,6 +1300,8 @@
+ jmm>
+ jmm> case SDLA_WRITEMEM:
+ jmm> case SDLA_READMEM:
+ jmm> + if(!capable(CAP_SYS_RAWIO))
+ jmm> + return -EPERM;
+ jmm> return(sdla_xfer(dev, (struct sdla_mem *)ifr->ifr_data, cmd == SDLA_READMEM));
+ jmm>
+ jmm> case SDLA_START:
+ horms> I only see reference to CVE-2004-2607 in patch-tracking,
+ horms> not in the changelog for 2.4.27-8, so I don't think the first line
+ horms> of the statement above is correct
+Bugs:
+upstream: released (2.6.11), fixed (2.4.29)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2) [net-sdla-coverty.dpatch]
+2.4.27-sarge-security: released (2.4.27-8) [129_net_sdla_coverty.diff]
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
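Review bot: The CVE-2006-0096 record has an empty `Description:` even though the Notes block carries the substance (the quoted hunk adds a `capable(CAP_SYS_RAWIO)` check to the `SDLA_WRITEMEM`/`SDLA_READMEM` ioctl cases in `drivers/net/wan/sdla.c`); a reader of the record alone cannot tell what the issue is. A one-line description derived from that patch, e.g. `Description: missing CAP_SYS_RAWIO check on the SDLA_READMEM/SDLA_WRITEMEM ioctls in drivers/net/wan/sdla.c`, would make the record self-contained. The horms note disputing the "released as a fix for CVE-2004-2607" claim is also left unresolved in the Notes.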
diff --git a/active/retired/CVE-2006-0456 b/active/retired/CVE-2006-0456
new file mode 100644
index 00000000..b164ee1a
--- /dev/null
+++ b/active/retired/CVE-2006-0456
@@ -0,0 +1,20 @@
+Candidate: CVE-2006-0456
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=331c46591414f7f92b1cec048009abe89892ee79
+Description:
+ strnlen_user() on s390 and s390x does not return a value greater than
+ maxlen if the string is looking at is longer than maxlen; instead it
+ returns maxlen.
+Notes:
+ jmm> 2.4 doesn't have an assembly version
+Bugs:
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0457 b/active/retired/CVE-2006-0457
new file mode 100644
index 00000000..e413d34e
--- /dev/null
+++ b/active/retired/CVE-2006-0457
@@ -0,0 +1,31 @@
+Candidate: CVE-2006-0457
+References:
+ http://linux.bkbits.net:8080/linux-2.6/cset@43e385c7rMAIqryXIl7lGGdWgZ1Ivg
+ MANDRIVA:MDKSA-2006:059
+ URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:059
+ UBUNTU:USN-263-1
+ URL:http://www.ubuntulinux.org/support/documentation/usn/usn-263-1
+ BID:17084
+ URL:http://www.securityfocus.com/bid/17084
+ OSVDB:23894
+ URL:http://www.osvdb.org/23894
+ SECUNIA:19220
+ URL:http://secunia.com/advisories/19220
+Description:
+ Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions
+ in Linux kernel 2.6.x allows local users to cause a denial of service (crash)
+ or read sensitive kernel memory by modifying the length of a string argument
+ between the time that the kernel calculates the length and when it copies the
+ data into kernel memory.
+Notes:
+Bugs:
+upstream: released (2.6.10)
+linux-2.6: released (2.6.10-1)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0482 b/active/retired/CVE-2006-0482
new file mode 100644
index 00000000..47100448
--- /dev/null
+++ b/active/retired/CVE-2006-0482
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-0482
+References: http://lists.debian.org/debian-sparc/2006/01/msg00129.html
+ http://marc.theaimsgroup.com/?t=113861017400002&r=1&w=2
+ http://marc.theaimsgroup.com/?l=linux-sparc&m=113861287813463&w=2
+Description: date -s run as a normal user hangs machine on sparc64
+Notes:
+ Jurij Smakov> sparc32 would be tricky to test and i don't know about 2.4.27
+ dannf> Code isn't present in 2.4, and Jurij couldn't reproduce it there
+ dannf> I can't reproduce on sparc32, which makes sense because the bug is
+ dannf> in sparc64 32-bit compat code
+Bugs:
+upstream: pending (2.6.16-rc2)
+linux-2.6: pending (2.6.16-4) [sparc64-clock-settime.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge2) [sparc64-clock-settime.dpatch]
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0554 b/active/retired/CVE-2006-0554
new file mode 100644
index 00000000..d6117ab6
--- /dev/null
+++ b/active/retired/CVE-2006-0554
@@ -0,0 +1,18 @@
+Candidate: CVE-2006-0554
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5
+Description:
+ Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive
+ information via a crafted XFS ftruncate call, which may return stale data.
+Notes:
+Bugs:
+upstream: released (2.6.15.5)
+linux-2.6: released (2.6.15-8)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0555 b/active/retired/CVE-2006-0555
new file mode 100644
index 00000000..1d38a731
--- /dev/null
+++ b/active/retired/CVE-2006-0555
@@ -0,0 +1,19 @@
+Candidate: CVE-2006-0555
+References:
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5
+Description:
+ The Linux Kernel before 2.6.15.5 allows local users to cause a denial of
+ service (NFS client panic) via unknown attack vectors related to the use of
+ O_DIRECT (direct I/O).
+Notes: UBUNTU:USN-263-1
+Bugs:
+upstream: released (2.6.15.5)
+linux-2.6: released (2.6.15-8)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0557 b/active/retired/CVE-2006-0557
new file mode 100644
index 00000000..07b4435a
--- /dev/null
+++ b/active/retired/CVE-2006-0557
@@ -0,0 +1,20 @@
+Candidate: CVE-2006-0557
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63
+ http://www.securityfocus.com/bid/16924
+Description:
+ Local DoS in mempolicy code; certain maxnodes values cause a crash.
+Notes:
+ Fixed in git on Feb 17, dunno about 2.6.15.x
+ dannf> mempolicy.c doesn't exist in 2.4, marking N/A
+Bugs:
+upstream: released (2.6.16-rc4)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-0741 b/active/retired/CVE-2006-0741
new file mode 100644
index 00000000..0fcd6859
--- /dev/null
+++ b/active/retired/CVE-2006-0741
@@ -0,0 +1,20 @@
+Candidate: CVE-2006-0741
+References:
+Description:
+ Fixes a local DOS on Intel systems that lead to an endless
+recursive fault. AMD machines don't seem to be affected.
+Notes:
+ 2.6: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5342fba5412cead88b61ead07168615dbeba1ee3
+ .
+ This is amd64-specific (em64t in particular), so we could ignore it for 2.4
+Bugs:
+upstream: released (2.6.15.5)
+linux-2.6: released (2.6.15-8)
+2.6.8-sarge-security: released (2.6.8-16sarge3) [binfmt-bad-elf-entry-address.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge3) [222_binfmt-bad-elf-entry-address.diff]
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
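Review bot: The second Description line (`recursive fault. AMD machines don't seem to be affected.`) has no leading whitespace, so the tracker's own parser in active/scripts/deb822.py, whose continuation pattern is `^\s(?P<data>.*)$`, matches it against no rule and silently drops it from the field; indent it with a single space like the surrounding records. The same loss affects CVE-2006-1242, where the reference URL under `References:` is unindented, and CVE-2006-3626, where text placed on the `Description:` line itself is parsed as a complete single-line field and the three indented lines that follow are discarded because no key is open at that point. Moving that headline onto an indented line after a bare `Description:` keeps the whole text.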
diff --git a/active/retired/CVE-2006-0742 b/active/retired/CVE-2006-0742
new file mode 100644
index 00000000..36546475
--- /dev/null
+++ b/active/retired/CVE-2006-0742
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-0742
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e963701a761aede31c9c1bfc74cf8e0ec671f0f4;hp=eb0911e27e8c6778d6c8ec95b7dd60c002d923c3
+Description:
+ The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel
+ 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc,
+ has the "noreturn" attribute set, which allows local users to cause a denial
+ of service by causing user faults on Itanium systems.
+Notes:
+ dannf> Forwarded to Bjorn for 2.4-ia64 inclusion
+Bugs:
+upstream: released (2.6.15.6)
+linux-2.6: released (2.6.15-8)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1055 b/active/retired/CVE-2006-1055
new file mode 100644
index 00000000..3b264a56
--- /dev/null
+++ b/active/retired/CVE-2006-1055
@@ -0,0 +1,26 @@
+Candidate: CVE-2006-1055
+References:
+Description:
+ Quoting Greg KH:
+ Al just pointed me at an old sysfs patch that went into the tree last
+ year that has some potential security problems. Turns out that if you
+ write to a sysfs file exactly PAGE_SIZE worth of data, with no zeros in
+ it, there's a good chance you could read off the end of the kernel
+ buffer into who knows where.
+Notes:
+ jmm> This was judged non-exploitable by Al Viro, but it's still a local DoS
+ jmm> 2.4 N/A, as it doesn't have sysfs
+ .
+ troyh> N/A for sarge, it was broken in 2.6.12 - 2.6.17-rc1. 2.6.8 is fine,
+ and since its's sysfs 2.4 is N/A.
+Bugs:
+upstream: released (2.6.17-rc1), released (2.6.16.2)
+linux-2.6: released (2.6.16-6)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1056 b/active/retired/CVE-2006-1056
new file mode 100644
index 00000000..af49eed2
--- /dev/null
+++ b/active/retired/CVE-2006-1056
@@ -0,0 +1,29 @@
+Candidate: CVE-2006-1056
+References:
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187910
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187911
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=114548768214478&w=2
+ URL:http://www.securityfocus.com/bid/17600
+ URL:http://xforce.iss.net/xforce/xfdb/25871
+Description:
+ The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on
+ AMD64 and other 7th and 8th generation AuthenticAMD processors, only
+ save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an
+ exception is pending, which allows one process to determine portions of the
+ state of floating point instructions of other processes, which can be
+ leveraged to obtain sensitive information such as cryptographic keys. NOTE:
+ this is the documented behavior of AMD64 processors, but it is inconsistent
+ with Intel processers in a security-relevant fashion that was not addressed
+ by the kernels.
+Notes:
+Bugs:
+upstream: released (2.4.33-pre3), released (2.6.16.9)
+linux-2.6: released (2.6.16-9)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1066 b/active/retired/CVE-2006-1066
new file mode 100644
index 00000000..7636fdd7
--- /dev/null
+++ b/active/retired/CVE-2006-1066
@@ -0,0 +1,40 @@
+Candidate: CVE-2006-1066
+References:
+Description: 2.6.8 ia64 kernel w/ PREEMPT enabled permits local DoS (oops)
+Notes:
+ From: dann frazier <dannf@dannf.org>
+ To: team@security.debian.org
+ Subject: kernel-image-2.6.8-ia64 - disable preempt
+ Date: Fri, 25 Mar 2005 18:57:59 -0700
+ .
+ hey security team,
+ Its likely that kernel-image-2.6.8-ia64 (2.6.8-12) will be the version
+ that ships in sarge. This kernel has CONFIG_PREEMPT enabled, which has
+ at least one known issue in ptrace code that lets an unpriveleged
+ userspace process trigger an oops. This issue went away upstream by
+ 2.6.9, but its unclear what actually fixed it. SuSE/RedHat disable
+ PREEMPT for ia64 (or so I'm told), so they are not affected. This same
+ test case does _not_ fail on x86, which also has PREEMPT enabled for
+ sarge.
+ .
+ This issue has been known for a while, but I waited until after d-i
+ RC3 to upload it, since it changes the ABI. This fix is in the 2.6.8-13
+ build in unstable, but the release team is blocking this kernel from
+ normal sarge propagation to keep the kernel udebs in sync.
+ .
+ .
+ dannf> This is only a config change, so it requires no changes to
+ dannf> kernel-source-2.6.8, but I'll use the kernel-source version
+ dannf> for the pending/released tags to match the others.
+Bugs:
+upstream:
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge2)
+2.4.27-sarge-security: N/A
+2.6.8: needed
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1242 b/active/retired/CVE-2006-1242
new file mode 100644
index 00000000..08a09c4a
--- /dev/null
+++ b/active/retired/CVE-2006-1242
@@ -0,0 +1,38 @@
+Candidate: CVE-2006-1242
+References:
+http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a55d57b107c3e06935763905dc0fb235214569d
+Description:
+ [TCP]: Do not use inet->id of global tcp_socket when sending RST.
+ .
+ The problem is in ip_push_pending_frames(), which uses:
+ . if (!df) {
+ . __ip_select_ident(iph, &rt->u.dst, 0);
+ . } else {
+ . iph->id = htons(inet->id++);
+ . }
+ .
+ instead of ip_select_ident().
+ .
+ Right now I think the code is a nonsense. Most likely, I copied it from
+ old ip_build_xmit(), where it was really special, we had to decide
+ whether to generate unique ID when generating the first (well, the last)
+ fragment.
+ .
+ In ip_push_pending_frames() it does not make sense, it should use plain
+ ip_select_ident() instead.
+Notes:
+ jmm> 2.4 doesn't seem to be affected, but I'd prefer a second look before
+ jmm> marking it N/A
+ .
+ dannf> troyh gave me a patch for 2.4, so I guess it is affected
+Bugs:
+upstream: released (2.6.16.1)
+linux-2.6: released (2.6.16-4)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1342 b/active/retired/CVE-2006-1342
new file mode 100644
index 00000000..ae41638d
--- /dev/null
+++ b/active/retired/CVE-2006-1342
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-1342
+References:
+ http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2
+ http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=09d3b3dcfa80c9094f1748c1be064b9326c9ef2b
+Description:
+ net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero
+ before returning IPv4 socket names from the (1) getsockname, (2) getpeername,
+ and (3) accept functions, which allows local users to obtain portions of
+ potentially sensitive memory.
+Notes:
+ jmm> getorigdst() requires the fix in 2.6.8, inet_getname() is already fixed
+ dannf> both CVE-2006-1342 & CVE-2006-1343 were fixed by the same patch;
+ however we actually coincidentally already fixed 1343 in the
+ 043_ipsec.diff patch
+Bugs:
+upstream: released (2.4.33-pre3)
+linux-2.6: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-1)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1368 b/active/retired/CVE-2006-1368
new file mode 100644
index 00000000..df2f4997
--- /dev/null
+++ b/active/retired/CVE-2006-1368
@@ -0,0 +1,23 @@
+Candidate: CVE-2006-1368
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8763716bfe4d8a16bef28c9947cf9d799b1796a5
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16
+Description:
+ Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before
+ 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory
+ corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes
+ memory to be allocated for the reply data but not the reply structure.
+Notes:
+ dannf> Marcelo has posted a patch identical to ours and has asked for
+ feedback, so it should be upstream soon
+Bugs:
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1522 b/active/retired/CVE-2006-1522
new file mode 100644
index 00000000..0122676f
--- /dev/null
+++ b/active/retired/CVE-2006-1522
@@ -0,0 +1,16 @@
+Candidate: CVE-2006-1522
+References:
+Description:
+Notes:
+ jmm> Vulnerable code not present in 2.6.8 and 2.4
+Bugs:
+upstream: released (2.6.16.3)
+linux-2.6: released (2.6.16-7)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1523 b/active/retired/CVE-2006-1523
new file mode 100644
index 00000000..61d6590a
--- /dev/null
+++ b/active/retired/CVE-2006-1523
@@ -0,0 +1,23 @@
+Candidate: CVE-2006-1523
+References:
+ MLIST:[linux-kernel] 20060411 [PATCH] __group_complete_signal: remove bogus BUG_ON
+ URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=114476543426600&w=2
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604
+ BID:17640
+ URL:http://www.securityfocus.com/bid/17640
+Description:
+ The __group_complete_signal function in the RCU signal handling (signal.c) in
+ Linux kernel 2.6.16, and possibly other versions, has unknown impact and
+ attack vectors related to improper use of BUG_ON.
+Notes:
+Bugs:
+upstream: released (2.6.16.4)
+linux-2.6: released (2.6.16-7)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1524 b/active/retired/CVE-2006-1524
new file mode 100644
index 00000000..5ed3b130
--- /dev/null
+++ b/active/retired/CVE-2006-1524
@@ -0,0 +1,28 @@
+Candidate: CVE-2006-1524
+References:
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6
+ BID:17587
+ URL:http://www.securityfocus.com/bid/17587
+ SECUNIA:19664
+ URL:http://secunia.com/advisories/19664
+ SECUNIA:19657
+ URL:http://secunia.com/advisories/19657
+Description:
+ madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow
+ file and mmap restrictions, which allows local users to bypass IPC
+ permissions and replace portions of readonly tmpfs files with zeroes,
+ aka the MADV_REMOVE vulnerability. NOTE: this description was
+ originally written in a way that combined two separate issues. The
+ mprotect issue now has a separate name, CVE-2006-2071.
+Notes:
+Bugs:
+upstream: released (2.6.16.7)
+linux-2.6:
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1525 b/active/retired/CVE-2006-1525
new file mode 100644
index 00000000..c7033bf5
--- /dev/null
+++ b/active/retired/CVE-2006-1525
@@ -0,0 +1,23 @@
+Candidate: CVE-2006-1525
+References:
+ CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189346
+ URL:http://www.securityfocus.com/bid/17593
+ URL:http://xforce.iss.net/xforce/xfdb/25872
+Description:
+ ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to
+ cause a denial of service (panic) via a request for a route for a multicast
+ IP address, which triggers a null dereference.
+Notes:
+ dannf> Submitted to Marcelo for 2.4
+Bugs:
+upstream: released (2.6.16.8)
+linux-2.6: released (2.6.16-9)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-1527 b/active/retired/CVE-2006-1527
new file mode 100644
index 00000000..7bd36f71
--- /dev/null
+++ b/active/retired/CVE-2006-1527
@@ -0,0 +1,30 @@
+Candidate: CVE-2006-1527
+References:
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13
+ TRUSTIX:2006-0024
+ URL:http://www.trustix.org/errata/2006/0024
+ BID:17806
+ URL:http://www.securityfocus.com/bid/17806
+ FRSIRT:ADV-2006-1632
+ URL:http://www.frsirt.com/english/advisories/2006/1632
+ OSVDB:25229
+ URL:http://www.osvdb.org/25229
+ SECUNIA:19926
+ URL:http://secunia.com/advisories/19926
+Description:
+ The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of
+ service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the
+ for_each_sctp_chunk function.
+Notes:
+ troyh> SCTP-netfilter code didn't exist until after 2.6.8
+Bugs:
+upstream: released (2.6.16.13)
+linux-2.6: released (2.6.16-12)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1857 b/active/retired/CVE-2006-1857
new file mode 100644
index 00000000..2fe2e36e
--- /dev/null
+++ b/active/retired/CVE-2006-1857
@@ -0,0 +1,20 @@
+Candidate: CVE-2006-1857
+References:
+ http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a601266e4f3c479790f373c2e3122a766d123652;hp=dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512
+Description:
+ Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote
+ attackers to cause a denial of service (crash) and possibly execute arbitrary
+ code via a malformed HB-ACK chunk.
+Notes:
+ dannf> Submitted to Marcelo for 2.4
+Bugs:
+upstream: released (2.6.16.17)
+linux-2.6: released (2.6.16-14)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1858 b/active/retired/CVE-2006-1858
new file mode 100644
index 00000000..48b082a8
--- /dev/null
+++ b/active/retired/CVE-2006-1858
@@ -0,0 +1,20 @@
+Candidate: CVE-2006-1858
+References:
+ http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512;hp=61c9fed41638249f8b6ca5345064eb1beb50179f
+Description:
+ SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a
+ denial of service (crash) and possibly execute arbitrary code via a chunk
+ length that is inconsistent with the actual length of provided parameters.
+Notes:
+ dannf> Submitted to Marcello for 2.4
+Bugs:
+upstream: released (2.6.16.17)
+linux-2.6: released (2.6.16-14)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1859 b/active/retired/CVE-2006-1859
new file mode 100644
index 00000000..d88822dd
--- /dev/null
+++ b/active/retired/CVE-2006-1859
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-1859
+References:
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.16
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b0418
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c
+ http://www.securityfocus.com/bid/17943
+ http://www.frsirt.com/english/advisories/2006/1767
+ http://secunia.com/advisories/20083
+Description:
+ lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to
+ cause a denial of service (fcntl_setlease lockup) via actions that cause
+ lease_init to free a lock that might not have been allocated on the stack.
+Notes:
+ jmm> The vulnerable NFS4 leases code was only introduced in 2.6.10
+Bugs:
+upstream: released (2.6.16.6)
+linux-2.6: released (2.6.16-8)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
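Review bot: The `upstream:` entry reads `released (2.6.16.6)` while the Description and the ChangeLog reference both name 2.6.16.16, so one of the two values appears to be a typo; if the reference is right the line should be `upstream: released (2.6.16.16)`. CVE-2006-1860 carries a byte-identical record, including the same commit hash, the same 2.6.10 note and the same 2.6.16.6 value, which looks like a copy of this file rather than a separate assessment of that CVE; its Description and References should be checked against the CVE text before both records are treated as retired.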
diff --git a/active/retired/CVE-2006-1860 b/active/retired/CVE-2006-1860
new file mode 100644
index 00000000..8a18aa62
--- /dev/null
+++ b/active/retired/CVE-2006-1860
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-1860
+References:
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.16
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b0418
+ http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c
+ http://www.securityfocus.com/bid/17943
+ http://www.frsirt.com/english/advisories/2006/1767
+ http://secunia.com/advisories/20083
+Description:
+ lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to
+ cause a denial of service (fcntl_setlease lockup) via actions that cause
+ lease_init to free a lock that might not have been allocated on the stack.
+Notes:
+ jmm> The vulnerable NFS4 leases code was only introduced in 2.6.10
+Bugs:
+upstream: released (2.6.16.6)
+linux-2.6: released (2.6.16-8)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1863 b/active/retired/CVE-2006-1863
new file mode 100644
index 00000000..e44adcf0
--- /dev/null
+++ b/active/retired/CVE-2006-1863
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-1863
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253
+Description: cifs chroot escape
+Notes:
+ jmm> 2.4 doesn't have CIFS
+Bugs:
+upstream: released (2.6.16.11)
+linux-2.6: released (2.6.16-10)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: N/A
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-1864 b/active/retired/CVE-2006-1864
new file mode 100644
index 00000000..70dccdfb
--- /dev/null
+++ b/active/retired/CVE-2006-1864
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-1864
+References:
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189435
+ URL:http://www.trustix.org/errata/2006/0026
+ URL:http://www.securityfocus.com/bid/17735
+Description:
+ Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows
+ local users to escape chroot restrictions for an SMB-mounted filesystem via
+ "..\\" sequences, a similar vulnerability to CVE-2006-1863.
+Notes:
+Bugs:
+upstream: pending (2.4.33-pre4), released (2.6.16.14)
+linux-2.6: released (2.6.16-10)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security:
+2.4.18-woody-security:
+2.4.17-woody-security:
+2.4.16-woody-security:
+2.4.17-woody-security-hppa:
+2.4.17-woody-security-ia64:
diff --git a/active/retired/CVE-2006-2271 b/active/retired/CVE-2006-2271
new file mode 100644
index 00000000..28d861c5
--- /dev/null
+++ b/active/retired/CVE-2006-2271
@@ -0,0 +1,27 @@
+Candidate: CVE-2006-2271
+References:
+ FULLDISC:20060508 [MU-200605-01] Multiple vulnerabilities in Linux SCTP 2.6.16
+ URL:http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0227.html
+ MISC:http://labs.musecurity.com/advisories/MU-200605-01.txt
+ CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=35d63edb1c807bc5317e49592260e84637bc432e
+ FRSIRT:ADV-2006-1734
+ URL:http://www.frsirt.com/english/advisories/2006/1734
+ SECUNIA:19990
+ URL:http://secunia.com/advisories/19990
+Description:
+ The ECNE chunk handling in Linux SCTP (lksctp) before 2.6.17 allows remote
+ attackers to cause a denial of service (kernel panic) via an unexpected chunk
+ when the session is in CLOSED state.
+Notes:
+ dannf> Forwarded to Marcelo for 2.4 inclusion
+Bugs:
+upstream: released (2.6.16.15)
+linux-2.6: released (2.6.16-13)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-2272 b/active/retired/CVE-2006-2272
new file mode 100644
index 00000000..b579d769
--- /dev/null
+++ b/active/retired/CVE-2006-2272
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-2272
+References:
+ CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=62b08083ec3dbfd7e533c8d230dd1d8191a6e813
+ URL:http://www.securityfocus.com/bid/17910
+ URL:http://xforce.iss.net/xforce/xfdb/26431
+Description:
+ Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial
+ of service (kernel panic) via incoming IP fragmented (1) COOKIE_ECHO and (2)
+ HEARTBEAT SCTP control chunks.
+Notes:
+ dannf> Submitted to Marcelo for inclusion in 2.4
+Bugs:
+upstream: released (2.6.16.15)
+linux-2.6: released (2.6.16-13)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-2274 b/active/retired/CVE-2006-2274
new file mode 100644
index 00000000..a3dacf6c
--- /dev/null
+++ b/active/retired/CVE-2006-2274
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-2274
+References:
+ CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=672e7cca17ed6036a1756ed34cf20dbd72d5e5f6
+ URL:http://www.securityfocus.com/bid/17955
+ URL:http://secunia.com/advisories/20237
+ URL:http://xforce.iss.net/xforce/xfdb/26432
+Description:
+ Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial
+ of service (infinite recursion and crash) via a packet that contains two or
+ more DATA fragments, which causes an skb pointer to refer back to itself when
+ the full message is reassembled, leading to infinite recursion in the
+ sctp_skb_pull function.
+Notes:
+ dannf> Submitted to Marcelo for 2.4
+Bugs:
+upstream: released (2.6.16.15)
+linux-2.6: released (2.6.16-13)
+2.6.8-sarge-security: released (2.6.8-16sarge3)
+2.4.27-sarge-security: released (2.4.27-10sarge3)
+2.4.19-woody-security: N/A
+2.4.18-woody-security: N/A
+2.4.17-woody-security: N/A
+2.4.16-woody-security: N/A
+2.4.17-woody-security-hppa: N/A
+2.4.17-woody-security-ia64: N/A
diff --git a/active/retired/CVE-2006-2451 b/active/retired/CVE-2006-2451
new file mode 100644
index 00000000..369c23e6
--- /dev/null
+++ b/active/retired/CVE-2006-2451
@@ -0,0 +1,15 @@
+Candidate: CVE-2006-2451
+References:
+Description:
+ The suid_dumpable support in Linux kernel 2.6.13 up to versions before
+ 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial
+ of service (disk consumption) and possibly gain privileges via the
+ PR_SET_DUMPABLE argument of the prctl function and a program that causes a
+ core dump file to be created in a directory for which the user does not have
+ permissions.
+Notes:
+Bugs:
+upstream: released (2.6.16.14), released (2.6.17.4)
+linux-2.6: released (2.6.16-17)
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
diff --git a/active/retired/CVE-2006-3626 b/active/retired/CVE-2006-3626
new file mode 100644
index 00000000..0307c5b2
--- /dev/null
+++ b/active/retired/CVE-2006-3626
@@ -0,0 +1,14 @@
+Candidate: CVE-2006-3626
+References:
+ FULLDISC:20060714, http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=18b0bbd8ca6d3cb90425aa0d77b99a762c6d6de3
+Description: Linux kernel 0day - dynamite inside, don't burn your fingers
+ Race condition in Linux kernel 2.6.17.4 and earlier allows local users
+ to gain root privileges by using prctl with PR_SET_DUMPABLE in a way
+ that causes /proc/self/environ to become setuid root.
+Notes:
+Bugs:
+upstream: released (2.6.16.25, 2.6.17.5)
+linux-2.6: released (2.6.16-17, 2.6.17-4)
+2.6.8-sarge-security: released (2.6.8-16sarge4)
+2.4.27-sarge-security: N/A
diff --git a/active/scripts/deb822.py b/active/scripts/deb822.py
new file mode 100755
index 00000000..a6432cc5
--- /dev/null
+++ b/active/scripts/deb822.py
@@ -0,0 +1,182 @@
+#!/usr/bin/python
+
+## Version: 0.20051107
+
+import re, string
+
+class deb822:
+ def __init__(self, fp):
+ self.map = {}
+ self.keys = []
+ single = re.compile("^(?P<key>\S+):\s+(?P<data>\S.*)$")
+ multi = re.compile("^(?P<key>\S+):\s*$")
+ multidata = re.compile("^\s(?P<data>.*)$")
+ ws = re.compile("^\s*$")
+
+ curkey = None
+ content = ""
+ for line in fp.readlines():
+ if ws.match(line):
+ if curkey:
+ self.map[curkey] = content[:-1]
+ curkey = None
+ content = ""
+ continue
+
+ m = single.match(line)
+ if m:
+ if curkey:
+ self.map[curkey] = content[:-1]
+ curkey = m.group('key')
+ self.keys.append(curkey)
+ self.map[curkey] = m.group('data')
+ curkey = None
+ content = ""
+ continue
+
+ m = multi.match(line)
+ if m:
+ if curkey:
+ self.map[curkey] = content[:-1]
+ curkey = m.group('key')
+ self.keys.append(curkey)
+ content = "\n"
+ continue
+
+ m = multidata.match(line)
+ if m:
+ content = content + line
+ continue
+
+ if curkey:
+ self.map[curkey] = content[:-1]
+
+ def dump(self, fd):
+ for key in self.keys:
+ fd.write(key + ": " + self.map[key] + "\n")
+
+ def isSingleLine(self, s):
+ if s.count("\n"):
+ return False
+ else:
+ return True
+
+ def isMultiLine(self, s):
+ return not self.isSingleLine(s)
+
+ def _mergeFields(self, s1, s2):
+ if not s2:
+ return s1
+ if not s1:
+ return s2
+
+ if self.isSingleLine(s1) and self.isSingleLine(s2):
+ ## some fields are delimited by a single space, others
+ ## a comma followed by a space. this heuristic assumes
+ ## that there are multiple items in one of the string fields
+ ## so that we can pick up on the delimiter being used
+ delim = ' '
+ if (s1 + s2).count(', '):
+ delim = ', '
+
+ L = (s1 + delim + s2).split(delim)
+ L.sort()
+
+ prev = merged = L[0]
+
+ for item in L[1:]:
+ ## skip duplicate entries
+ if item == prev:
+ continue
+ merged = merged + delim + item
+ prev = item
+ return merged
+
+ if self.isMultiLine(s1) and self.isMultiLine(s2):
+ for item in s2.splitlines(True):
+ if item not in s1.splitlines(True):
+ s1 = s1 + "\n" + item
+ return s1
+
+ raise ValueError
+
+ def mergeFields(self, key, d1, d2 = None):
+ ## this method can work in two ways - abstract that away
+ if d2 == None:
+ x1 = self
+ x2 = d1
+ else:
+ x1 = d1
+ x2 = d2
+
+ ## we only have to do work if both objects contain our key
+ ## otherwise, we just take the one that does, or raise an
+ ## exception if neither does
+ if key in x1.keys and key in x1.keys:
+ merged = self._mergeFields(x1.map[key], x2.map[key])
+ elif key in x1.keys:
+ merged = x1[key]
+ elif key in x2.keys:
+ merged = x2[key]
+ else:
+ raise KeyError
+
+ ## back to the two different ways - if this method was called
+ ## upon an object, update that object in place.
+ ## return nothing in this case, to make the author notice a
+ ## problem if she assumes the object itself will not be modified
+ if d2 == None:
+ self.map[key] = merged
+ return None
+
+ return merged
+
+ def hasField(self, key):
+ if key in self.keys:
+ return True
+ return False
+
+ def addField(self, key, value):
+ if key in self.keys:
+ ## key is already there
+ raise KeyError
+ else:
+ self.keys.append(key)
+ self.map[key] = value
+
+## methods that changes and dsc files have in common
+class _dscchanges(deb822):
+ """A base class; not intended for direct use"""
+
+## Specialty class for dealing with .dsc files
+class dsc(_dscchanges):
+ def files(self):
+ fileList = []
+
+ for fileEntry in self.map["Files"].splitlines():
+ file = {}
+ if fileEntry:
+ fields = fileEntry.split()
+ file["md5sum"] = fields[0]
+ file["size"] = fields[1]
+ file["name"] = fields[2]
+ fileList.append(file)
+
+ return fileList
+
+class changes(_dscchanges):
+ def files(self):
+ fileList = []
+
+ for fileEntry in self.map["Files"].splitlines():
+ file = {}
+ if fileEntry:
+ fields = fileEntry.split()
+ file["md5sum"] = fields[0]
+ file["size"] = fields[1]
+ file["section"] = fields[2]
+ file["priority"] = fields[3]
+ file["name"] = fields[4]
+ fileList.append(file)
+
+ return fileList
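Review bot: `mergeFields` tests `key in x1.keys` twice, so a key present only in x1 takes the merge branch and fails with a KeyError on `x2.map[key]`, and the two fallback branches index the object directly with `x1[key]` / `x2[key]`, which this class does not support (it defines no `__getitem__`), so they raise as well. The intended lines are `if key in x1.keys and key in x2.keys:`, `merged = x1.map[key]` and `merged = x2.map[key]`. The `d2 == None` comparisons on the same method would conventionally be `d2 is None`. Separately, `dsc.files` and `changes.files` index `fields[2]` and `fields[4]` without checking the token count, so a short or malformed Files line raises IndexError rather than a descriptive error; a guard such as `if len(fields) < 5: raise ValueError(fileEntry)` (3 for dsc) would make parse failures of untrusted .changes/.dsc input explicit.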
diff --git a/active/scripts/html-report b/active/scripts/html-report
new file mode 100755
index 00000000..38ca25e5
--- /dev/null
+++ b/active/scripts/html-report
@@ -0,0 +1,160 @@
+#!/usr/bin/python2.4
+
+import os, os.path, sys
+import deb822, re
+
+TrackerDir = ".."
+
+## get an unsorted list of tracked issues
+def trackedIssues(dir):
+ ignores = [ re.compile('~$'),
+ re.compile('^#.*#$'),
+ re.compile('^00'),
+ re.compile('\.patch$')]
+
+ validpaths = []
+ for f in os.listdir(dir):
+ nogood = False
+ for i in ignores:
+ if i.search(f):
+ nogood = True
+ break
+ if nogood:
+ continue
+ else:
+ validpaths.append(f)
+
+ issues = []
+ for f in validpaths:
+ path = os.path.join(dir, f)
+ if os.path.isfile(path):
+ issues.append(f)
+ return issues
+
+def trackedVersions(dir):
+ pkglist = os.path.join(dir, '00pkglist')
+ f = open(pkglist, 'r')
+ return f.read().split('\n')[:-1]
+
+def issueStatus(issue, version):
+ path = os.path.join(TrackerDir, issue)
+ i = deb822.deb822(open(path, 'r'))
+ if i.hasField(version):
+ return i.map[version]
+ else:
+ return None
+
+def statusMatrix(issues, versions):
+ Di = {}
+ for i in issues:
+ Dv = {}
+ for v in versions:
+ Dv[v] = issueStatus(i, v)
+ Di[i] = Dv
+ return Di
+
+## remaining functions create the HTML
+def htmlHeader():
+ sys.stdout.write('<html>\n')
+ sys.stdout.write('<head>\n')
+ sys.stdout.write(' <title>Debian Kernel Patch Tracker Status</title>\n')
+ sys.stdout.write('</head>\n')
+ sys.stdout.write('<body>\n')
+ sys.stdout.write('<h1><center>Debian Kernel Patch Tracker Status</center></h1>')
+ key = '''
+ <table border=1>
+ <tr>
+ <td>Key</td>
+ </tr>
+ <tr>
+ <td bgcolor="green">Fixed or N/A - version is listed if specified</td>
+ </tr>
+ <tr>
+ <td bgcolor="lightgreen">Pending - version is listed if specified</td>
+ </tr>
+ <tr>
+ <td bgcolor="yellow">Needed</td>
+ </tr>
+ <tr>
+ <td bgcolor="orange">Ignored for a reason</td>
+ </tr>
+ </table>'''
+ sys.stdout.write(key)
+ sys.stdout.write('<BR>\n')
+
+
+def htmlFooter():
+ sys.stdout.write(' </body>\n')
+ sys.stdout.write('</html>\n')
+
+def tableHeader(columns):
+ ## populateTable() will assume columns should be filled out
+ ## in sort() order, so make sure our column names match
+ columns.sort()
+ sys.stdout.write("<table border=1>\n")
+ sys.stdout.write(" <tr>\n")
+ sys.stdout.write(" <td> </td>\n")
+ for c in columns:
+ sys.stdout.write(" <td>"+c+"</td>\n")
+ sys.stdout.write(" </tr>\n")
+
+def tableFooter():
+ sys.stdout.write("</table>\n")
+
+## Parse a status string, and return an html table entry
+def statusCell(status):
+ if not status:
+ return '<td color="grey">Unknown</td>'
+
+ statusRe = re.compile("(?P<status>\S+)(\s*\((?P<ver>.*)\))?(\s*\[(?P<name>.*)\])?$")
+
+ m = statusRe.match(status)
+ if m:
+ d = m.groupdict()
+ ver = name = ""
+ if d.has_key('ver') and d['ver']:
+ ver = d['ver']
+ if d.has_key('name') and d['name']:
+ name = d['name']
+
+ if d['status'] == 'N/A':
+ return '<td bgcolor="green">N/A</td>'
+ elif d['status'] == "released":
+ return '<td bgcolor="green">' + ver + '</td>'
+ elif d['status'] == "pending":
+ return '<td bgcolor="lightgreen">' + ver + '</td>'
+ elif d['status'] == "needed":
+ return '<td bgcolor="yellow">' + ver + '</td>'
+ elif d['status'] == "ignored":
+ return '<td bgcolor="orange">' + ver + '</td>'
+ else:
+ return '<td bgcolor="grey">Unknown</td>'
+
+def populateTable(matrix):
+ issues = matrix.keys()
+ issues.sort()
+
+ for i in issues:
+ versions = matrix[i].keys()
+ versions.sort()
+ sys.stdout.write(' <tr>\n')
+ sys.stdout.write(' <td>' + i + '</td>\n')
+ for v in versions:
+ cell = statusCell(matrix[i][v].strip())
+ if cell:
+ sys.stdout.write(cell)
+ else:
+ sys.stderr.write("Error in field: " + i + ", " + v + "\n")
+ sys.stdout.write(' </tr>\n')
+
+if __name__ == '__main__':
+ ## Doing this in a separate stage means some unnecessary duplicate
+ ## opens & closes... but oh well - our data set isn't very large
+ issues = trackedIssues(TrackerDir)
+ versions = trackedVersions(TrackerDir)
+
+ htmlHeader()
+ tableHeader(versions)
+ populateTable(statusMatrix(issues, versions))
+ tableFooter()
+ htmlFooter()
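Review bot: `populateTable` calls `matrix[i][v].strip()`, but `issueStatus` returns None when an entry has no field for that version, so a single missing field aborts the whole report with an AttributeError instead of producing the grey "Unknown" cell that `statusCell` already emits for an empty status. Replace that line with `status = matrix[i][v] or ''` followed by `cell = statusCell(status.strip())`. Separately, issue file names, version names and the captured `ver` text are written into the page unescaped in `tableHeader`, `populateTable` and `statusCell`; they come straight from the tracker files, so wrapping them in `cgi.escape(...)` (available in this Python version) keeps a stray `<` or `&` in an entry from breaking or injecting into the HTML. `trackedVersions` also never closes the handle it opens; `data = f.read(); f.close()` before the `split` would tidy that.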
diff --git a/active/scripts/sync-pkg-list b/active/scripts/sync-pkg-list
new file mode 100755
index 00000000..7702f6e9
--- /dev/null
+++ b/active/scripts/sync-pkg-list
@@ -0,0 +1,32 @@
+#!/usr/bin/python
+
+import sys
+import deb822
+from optparse import OptionParser
+
+if __name__ == '__main__':
+ parser = OptionParser()
+ parser.add_option("-p", "--pkglist", dest="pkglist",
+ help="File containing list of packages being tracked",
+ metavar="PACKAGELIST")
+ (options, args) = parser.parse_args()
+
+ if not options.pkglist:
+ sys.stderr.write("A package list must be specified, see --help")
+ sys.exit(1)
+
+ f = open(options.pkglist, 'r')
+ pkglist = f.read().split()
+ f.close()
+
+ for file in args:
+ f = open(file, 'r')
+ d = deb822.deb822(f)
+ f.close
+ for pkg in pkglist:
+ if not d.hasField(pkg):
+ d.addField(pkg, "")
+ f = open(file, 'w')
+ d.dump(f)
+ f.close()
+
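Review bot: `f.close` on the read handle is missing its call parentheses, so the bound method is evaluated and discarded and the file stays open until `f` is rebound by the `open(file, 'w')` below; it should be `f.close()`, as on the other two close calls in this file. The rewrite also truncates the tracker entry in place, so an exception inside `d.dump(f)` leaves a partially written entry behind; writing to a temporary name and renaming over the original would avoid that, at the cost of an `import os` this script does not currently have. The loop variable `file` shadows the builtin; `path` would read better.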
diff --git a/active/scripts/ubuntu-todo b/active/scripts/ubuntu-todo
new file mode 100755
index 00000000..a8f5c439
--- /dev/null
+++ b/active/scripts/ubuntu-todo
@@ -0,0 +1,2 @@
+#!/bin/sh -e
+egrep '(hoary|breezy|dapper|edgy).*(needed|pending)' *
diff --git a/active/scripts/verify-report.pl b/active/scripts/verify-report.pl
new file mode 100755
index 00000000..b810b9c7
--- /dev/null
+++ b/active/scripts/verify-report.pl
@@ -0,0 +1,70 @@
+#!/usr/bin/perl -w
+# Analyse patch-tracker entries
+# Problems reported to stderr
+# Suggested entrie printed to stdout
+# Must be run in directory with patch-tracker entries
+#
+# (C) 2006 Horms <horms@verge.net.au>
+# Released under the terms of the GNU GPL v2
+
+use strict;
+
+my $BOILERPLATE = "00boilerplate";
+
+sub readfile {
+ my ($file) = (@_);
+ my $l = [];
+ my $h = {};
+ my $key = undef;
+
+ open BP, "<$file" or die "Could not open \"$file\" for reading\n";
+ while (<BP>) {
+ if (m/(^[a-zA-Z0-9.-]+:)(.*)/ and $1 ne "http:") {
+ $key = $1;
+ push @$l , $1;
+ $h->{"$1"} = $2 . "\n";
+ }
+ elsif (defined $key) {
+ $h->{"$key"} .= $_;
+ }
+ else {
+ print STDERR "Leading crap: $_";
+ }
+ }
+ close BP;
+
+ return ($l, $h);
+}
+
+{
+ my $bp_l;
+ my $bp_h;
+ my $l;
+ my $h;
+
+ ($bp_l, $bp_h) = readfile($BOILERPLATE);
+
+ foreach my $f (@ARGV) {
+ ($l, $h) = readfile($f);
+ my $log_p = (scalar @ARGV > 1) ? "$f: " : "";
+ for my $i (@$bp_l) {
+ if (defined $h->{"$i"}) {
+ print $i . $h->{"$i"};
+ delete $h->{"$i"};
+ }
+ else {
+ print STDERR $log_p . "Missing Field: \"$i\"\n";
+ print $i . " XXX\n";
+ }
+ }
+ for my $i (keys %$h) {
+ print STDERR $log_p . "Extra Feild: \"$i\"\n";
+ if (defined $h->{"$i"}) {
+ print $i . $h->{"$i"};
+ }
+ else {
+ print $i . " XXX\n";
+ }
+ }
+ }
+}
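Review bot: `readfile` uses a two-argument `open` on the global bareword handle `BP`, `open BP, "<$file"`; the `<` prefix keeps a leading `>` or `|` in `$file` from changing the mode, but the two-argument form still trims surrounding whitespace from the name and treats `-` as standard input, and the package-global handle is shared by any nested call. Prefer the lexical three-argument form, `open my $bp, '<', $file or die "Could not open \"$file\" for reading\n";`, with `while (my $line = <$bp>)` and `close $bp;` to match. The `$1 ne "http:"` exclusion covers only that one scheme, so a wrapped URL whose continuation line starts with `https:` or `ftp:` is parsed as a new field and later reported as extra; `$1 !~ m/^(?:https?|ftp):$/` would cover the common cases. Two smaller points: the stderr message on the extra-field branch misspells "Field" as "Feild", and iterating `keys %$h` gives a different order on each run, so `sort keys %$h` would make the suggested output reproducible.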
