author: Moritz Muehlenhoff <jmm@debian.org> 2010-12-12 11:56:40 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2010-12-12 11:56:40 +0000
commit: 851360b91d5eeb8eee45fef3840b704a2972ff61
tree: 9e5b3562205d264f3beeee78c311285f68080b7e /retired/CVE-2010-3442
parent: 5b3db58ba24b67a0b5c4fade62fe1a508617a467
retire more issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@2084 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2010-3442')
-rw-r--r-- retired/CVE-2010-3442 24
1 files changed, 24 insertions, 0 deletions
diff --git a/retired/CVE-2010-3442 b/retired/CVE-2010-3442
new file mode 100644
index 00000000..d8250c29
--- /dev/null
+++ b/retired/CVE-2010-3442
@@ -0,0 +1,24 @@
+Candidate: CVE-2010-3442
+Description:
+ > On 09/29/2010 03:01 PM, Marcus Meissner wrote:
+ > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote:
+ > >> Reported by Dan Rosenberg. The snd_ctl_new() function in
+ > >> sound/core/control.c allocates space for a snd_kcontrol struct by
+ > >> performing arithmetic operations on a user-provided size without
+ > >> checking for integer overflow. If a user provides a large enough size
+ > >> an overflow will occur, the allocated chunk will be too small, and a
+ > >> second user-influenced value will be written repeatedly past the bounds
+ > >> of this chunk. This code is reachable by unprivileged users who have
+ > >> permission to open a /dev/snd/controlC* device (on many distros, this is
+ > >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and
+ > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779
+Notes:
+ jmm> 5591bf07225523600450edd9e6ad258bb877b779
+Bugs:
+upstream: released (2.6.36)
+2.6.32-upstream-stable: released (2.6.32.25)
+linux-2.6: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
+2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
+2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch]
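Review bot: The Description field (added lines 3 to 14) is pasted with three levels of e-mail quoting and the "On ... wrote:" headers, so it reads as a mail thread rather than a description of the issue; consider keeping only the report text, starting at "The snd_ctl_new() function in sound/core/control.c allocates space", with the "Reported by Dan Rosenberg" credit on its own line. The Notes entry "jmm> 5591bf07225523600450edd9e6ad258bb877b779" repeats the hash already present in the References URL without saying what it refers to, so a few words on its relation to the issue would help a later reader. The "Bugs:" field is left empty; if a bug report exists it should be referenced there.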
