Explain why CVE-2014-9892 is bullshit, and retire it

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5002 e094ebfe-e918-0410-adfb-c712417f3574

1 files changed, 20 insertions, 0 deletions

diff --git a/retired/CVE-2014-9892 b/retired/CVE-2014-9892
new file mode 100644
index 00000000..4e8e37bd
--- /dev/null
+++ b/retired/CVE-2014-9892
@@ -0,0 +1,20 @@
+Description: [disputed] infoleak in ioctl(SNDRV_COMPRESS_TSTAMP)
+References:
+ http://source.android.com/security/bulletin/2016-08-01.html
+ https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=591b1f455c32206704cbcf426bb30911c260c33e 
+Notes:
+ jmm> Fixed in Android 3.10 kernel, but unfixed in Linux mainline
+ bwh> This doesn't make sense - there should be no padding in a
+ bwh> structure that has all 32-bit members, unless the natural
+ bwh> alignment is explicitly overridden.  I consider this invalid.
+ bwh> Additionally, snd_compr_tstamp and all the other sound
+ bwh> compression related structures now have their alignment
+ bwh> explicitly set to 4 to avoid compat issues on i386/amd64.
+Bugs:
+upstream: N/A "Invalid"
+4.9-upstream-stable: N/A "Invalid"
+3.16-upstream-stable: N/A "Invalid"
+3.2-upstream-stable: N/A "Supposedly vulnerable code not present"
+sid: N/A "Invalid"
+3.16-jessie-security: N/A "Invalid"
+3.2-wheezy-security: N/A "Supposedly vulnerable code not present"