Triage and retire various issues that don't need to be fixed anywhere

1 files changed, 22 insertions, 0 deletions

diff --git a/retired/CVE-2017-15116 b/retired/CVE-2017-15116
new file mode 100644
index 00000000..01dc4693
--- /dev/null
+++ b/retired/CVE-2017-15116
@@ -0,0 +1,22 @@
+Description: crypto: drbg - null pointer dereference
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1485815 (not accessible)
+ https://bugzilla.redhat.com/show_bug.cgi?id=1514609
+Notes:
+ bwh> Clearly we can't apply the upstream fix for this, but need to guard
+ bwh> against the null pointer somehow.  I can't work out which pointer
+ bwh> can be null though.
+ bwh> I've now looked at the RHEL 7 update, and the comment indicates
+ bwh> that the vulnerable code is in crypto/drbg.c.  I verified that
+ bwh> it does have a weird special case for slen == 0 && seed != NULL
+ bwh> which no other RNG does.  This was added in mainline in 3.17 and
+ bwh> then backported to RHEL's 3.10 branch.
+Bugs:
+upstream: released (4.2-rc1) [94f1bb15bed84ad6c893916b7e7b9db6f1d7eec6]
+4.9-upstream-stable: N/A "Fixed before branching point"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.2.1-1)
+4.9-stretch-security: N/A "Fixed before branching point"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"