author Ben Hutchings <ben@decadent.org.uk> 2019-04-25 16:36:00 +0100
committer Ben Hutchings <ben@decadent.org.uk> 2019-04-25 20:41:22 +0100
commit d98b5dfcad9328b959c258b480dec33c85c7e108 (patch)
tree 4429fe0a08b471341c44180a80a42dbb25076925 /retired/CVE-2018-20449
parent 8540216243495fe412b2365d73066c546481cd05 (diff)
Fill in status of CVE-2018-20449 and retire it
Diffstat (limited to 'retired/CVE-2018-20449')
-rw-r--r-- retired/CVE-2018-20449 21
1 files changed, 21 insertions, 0 deletions
diff --git a/retired/CVE-2018-20449 b/retired/CVE-2018-20449
new file mode 100644
index 00000000..9f0f8b53
--- /dev/null
+++ b/retired/CVE-2018-20449
@@ -0,0 +1,21 @@
+Description: information leak by reading "callback=" lines in a debugfs file
+References:
+ https://lists.debian.org/debian-security-tracker/2019/01/msg00029.html
+Notes:
+ carnil> Not very convinced about the report as it only was throwed in
+ carnil> earlier this year on the debian security-tracker mailinglist.
+ carnil> Was it reported upstream? hidma_dbg.c introduced with
+ carnil> 570d0176296f0d17c4b5ab206ad4a4bc027b863b in 4.7-rc1.
+ canril> Issue mitigated with commit
+ canril> ad67b74d2469d9b82aaa572d76474c95bc484d57 ("printk: hash
+ canril> addresses printed with %p").
+ bwh> I consider hashing pointers to be a complete fix. Additionally
+ bwh> debugfs is only accessible to root by default.
+Bugs:
+upstream: released (4.15-rc2) [ad67b74d2469d9b82aaa572d76474c95bc484d57]
+4.19-upstream-stable: N/A "Fixed before branch point"
+4.9-upstream-stable: ignored "Minor issue"
+3.16-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (4.15.4-1)
+4.9-stretch-security: ignored "Minor issue"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
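Review bot: In the Notes block, the three lines about commit ad67b74d2469d9b82aaa572d76474c95bc484d57 are attributed to "canril>" while the four lines above them use "carnil>"; this looks like a misspelling of the same handle, and the prefix should read "carnil>" throughout so that attribution stays consistent and searchable. Separately, both 4.9 lines are marked ignored "Minor issue" rather than fixed, yet the notes do not say why that is acceptable for a branch that contains hidma_dbg.c (introduced in 4.7-rc1) but predates the 4.15-rc2 fix. A short note tying the ignored status to bwh's point that debugfs is only accessible to root by default would make the rationale explicit.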
