Retire several CVEs

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@4591 e094ebfe-e918-0410-adfb-c712417f3574

1 files changed, 24 insertions, 0 deletions

diff --git a/retired/CVE-2016-5728 b/retired/CVE-2016-5728
new file mode 100644
index 00000000..235407c5
--- /dev/null
+++ b/retired/CVE-2016-5728
@@ -0,0 +1,24 @@
+Description: Race condition vulnerability in VOP driver
+References:
+Notes:
+ From Red Hat Bugzilla: The VOP driver is "new" in the 4.6 kernel only
+ in that the functionality was moved out of the host MIC driver into a
+ new driver entirely with commit
+ 61e9c905df78c253752971e200f0ac6d8667dda6.  Prior to that, the
+ functionality was in the drivers/misc/mic/host/mic_virtio.c host driver,
+ which was introduced with commit f69bcbf3b4c4 (v3.13).
+ .
+ If you look at versions of the kernel prior to 4.6, you will see the
+ code sequence that is fixed by the mentioned upstream patch is still in
+ the host driver in the mic_copy_dp_entry function.  That needs to be
+ patched with a similar fix.
+ .
+ Introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=116651
+upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6]
+3.16-upstream-stable: released (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch]
+3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5"
+sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f]
+3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch]
+3.2-wheezy-security: N/A "Vulnerable code not present"