diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2010-12-12 11:56:40 +0000 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2010-12-12 11:56:40 +0000 |
commit | 851360b91d5eeb8eee45fef3840b704a2972ff61 (patch) | |
tree | 9e5b3562205d264f3beeee78c311285f68080b7e /retired/CVE-2010-3442 | |
parent | 5b3db58ba24b67a0b5c4fade62fe1a508617a467 (diff) |
retire more issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@2084 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired/CVE-2010-3442')
-rw-r--r-- | retired/CVE-2010-3442 | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/retired/CVE-2010-3442 b/retired/CVE-2010-3442 new file mode 100644 index 00000000..d8250c29 --- /dev/null +++ b/retired/CVE-2010-3442 @@ -0,0 +1,24 @@ +Candidate: CVE-2010-3442 +Description: + > On 09/29/2010 03:01 PM, Marcus Meissner wrote: + > > On Wed, Sep 29, 2010 at 02:49:52PM +0800, Eugene Teo wrote: + > >> Reported by Dan Rosenberg. The snd_ctl_new() function in + > >> sound/core/control.c allocates space for a snd_kcontrol struct by + > >> performing arithmetic operations on a user-provided size without + > >> checking for integer overflow. If a user provides a large enough size + > >> an overflow will occur, the allocated chunk will be too small, and a + > >> second user-influenced value will be written repeatedly past the bounds + > >> of this chunk. This code is reachable by unprivileged users who have + > >> permission to open a /dev/snd/controlC* device (on many distros, this is + > >> group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and + > >> SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. +References: + http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git;a=commitdiff;h=5591bf07225523600450edd9e6ad258bb877b779 +Notes: + jmm> 5591bf07225523600450edd9e6ad258bb877b779 +Bugs: +upstream: released (2.6.36) +2.6.32-upstream-stable: released (2.6.32.25) +linux-2.6: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch] +2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch] +2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/alsa-prevent-heap-corruption-in-snd_ctl_new.patch] |