diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2007-05-01 00:15:11 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2007-05-01 00:15:11 +0000 |
commit | 4e879024289dae7264857f2f05005ddc92e2b4ce (patch) | |
tree | 2e452ccab14e534bd23efbb71af510ada80387ea /active | |
parent | 317709a810cfab5c9716f64b4cf0e634bdcf2b0b (diff) |
retire old SG_IO issue
move two conceptual disk-encryption issues to ignored
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@792 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'active')
-rw-r--r-- | active/CVE-2004-0813 | 30 | ||||
-rw-r--r-- | active/CVE-2004-2135 | 24 | ||||
-rw-r--r-- | active/CVE-2004-2136 | 20 |
3 files changed, 0 insertions, 74 deletions
diff --git a/active/CVE-2004-0813 b/active/CVE-2004-0813 deleted file mode 100644 index 525f8717..00000000 --- a/active/CVE-2004-0813 +++ /dev/null @@ -1,30 +0,0 @@ -Candidate: CVE-2004-0813 -References: - MISC:http://lkml.org/lkml/2004/7/30/147 - XF:linux-sgio-gain-privileges(17505) - URL:http://xforce.iss.net/xforce/xfdb/17505 -Description: - Unknown vulnerability in the SG_IO functionality in ide-cd allows local users - to bypass read-only access and perform unauthorized write and erase - operations. -Notes: - dannf> RedHat is still vulnerable, but there has been recent activity: - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133098 - dannf> I wonder if one of the patches listed for CVE-2004-1190 fixes this? - horms> I'm pretty sure this is fixed by the series of patches for SG_IO - added upstream in 2.6.8 and the immediately following period. - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=300162 - That should clean things up for 2.6. - 2.4 doesn't suffer this problem exactly, unless - the permisions of /dev/sg* are botched. - Alan Cox seems to think that is bad, but I'm not so sure. - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133098 - jmm> Marking 2.4 as N/A, as only local config mistakes would make that - jmm> a problem -Bugs: -upstream: fixed (2.6.10) -linux-2.6: N/A -2.6.8-sarge-security: released (2.6.8-14) -2.4.27-sarge-security: N/A -2.6.18-etch-security: N/A - diff --git a/active/CVE-2004-2135 b/active/CVE-2004-2135 deleted file mode 100644 index eabd4119..00000000 --- a/active/CVE-2004-2135 +++ /dev/null @@ -1,24 +0,0 @@ -Candidate: CVE-2004-2135 -References: - http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2 - http://mareichelt.de/pub/notmine/diskenc.pdf - http://www.securiteam.com/exploits/5UP0P1PFPM.html - http://www.securityfocus.com/bid/13775 -Description: - cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a - block size 1024 or greater, has certain "IV computation" weaknesses that - allow watermarked files to be detected without decryption. -Notes: - jmm> IIRC there was some serious flaming about the different disk encryption systems, - jmm> I'm not sure whether this has been addressed or how real it is - jmm> Plus, cryptoloop is marked DEPRECATED for a long time IIRC - jmm> It's not included in stock 2.4 kernels, but only available in kernel-patch-cryptoloop, - jmm> which is only part of sid and hasn't been shipped with neither Woody nor Sarge, so - jmm> I'm marking all these N/A -Bugs: -upstream: -linux-2.6: -2.6.8-sarge-security: ignored (2.6.8-16sarge5) -2.4.27-sarge-security: N/A -2.6.18-etch-security: ignored - diff --git a/active/CVE-2004-2136 b/active/CVE-2004-2136 deleted file mode 100644 index b058dc3a..00000000 --- a/active/CVE-2004-2136 +++ /dev/null @@ -1,20 +0,0 @@ -Candidate: CVE-2004-2136 -References: - http://marc.theaimsgroup.com/?l=linux-kernel&m=107719798631935&w=2 - http://mareichelt.de/pub/notmine/diskenc.pdf - http://www.securiteam.com/exploits/5UP0P1PFPM.html -Description: - dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a - block size 1024 or greater, has certain "IV computation" weaknesses that - allow watermarked files to be detected without decryption. -Notes: - jmm> IIRC there was some serious flaming about the different disk encryption systems, - jmm> I'm not sure whether this has been addressed or how real it is - jmm> 2.4 doesn't have dm-crypt, though -Bugs: -upstream: -linux-2.6: -2.6.8-sarge-security: ignored (2.6.8-16sarge5) -2.4.27-sarge-security: N/A -2.6.18-etch-security: ignored - |