author: Moritz Muehlenhoff <jmm@debian.org> 2011-03-07 08:59:45 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2011-03-07 08:59:45 +0000
commit: fe06ab796c3efe3aae50124a345d04fafd8dccbd
tree: 499637ea4b49c4f5b60268b6165de451f02bc51e /retired/CVE-2010-3437
parent: 67f4cb78318cdb72835682716afb1aa72b23ba55
retire three issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@2212 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2010-3437')
-rw-r--r-- retired/CVE-2010-3437 | 27
1 files changed, 27 insertions, 0 deletions
diff --git a/retired/CVE-2010-3437 b/retired/CVE-2010-3437
new file mode 100644
index 00000000..528110de
--- /dev/null
+++ b/retired/CVE-2010-3437
@@ -0,0 +1,27 @@
+Candidate: CVE-2010-3437
+Description:
+ > ----- "Eugene Teo" <eugeneteo@kernel.sg> wrote:
+ > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
+ > device ioctl retrieves a pointer to a pktcdvd_device from the global
+ > pkt_devs array. The index into this array is provided directly by the
+ >
+ > user and is a signed integer, so the comparison to ensure that it falls
+ > within the bounds of this array will fail when provided with a
+ > negative index.
+ >
+ > This can be used to read arbitrary kernel memory or cause a crash due to
+ > an invalid pointer dereference. This can be exploited by users with
+ > permission to open /dev/pktcdvd/control (on many distributions, this is
+ > readable by group "cdrom").
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=638085
+Notes:
+ exploit: http://jon.oberheide.org/files/cve-2010-3437.c
+ only an info disclosure, but seems to be able to dump any/all kernel memory
+ jmm> Submitted for 2.6.32.x on 2010-01-10.
+Bugs:
+upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
+2.6.32-upstream-stable: released (2.6.32.30)
+linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
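Review bot: The Notes entry "jmm> Submitted for 2.6.32.x on 2010-01-10." carries a date that does not fit the rest of the file: the stable submission is for a fix recorded below as upstream in 2.6.36-rc6, and this retirement commit is dated 2011-03-07, so the year was probably meant to be 2011; please confirm and correct it before the record is archived. In the quoted Description there is also an empty " >" line in the middle of the sentence "provided directly by the ... user and is a signed integer", which should be dropped so the sentence is not split. The "Bugs:" field is left empty; if a Debian bug was filed for this issue, its number belongs there.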