retire some issues

git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1140 e094ebfe-e918-0410-adfb-c712417f3574

7 files changed, 166 insertions, 0 deletions

diff --git a/retired/CVE-2004-2731 b/retired/CVE-2004-2731
new file mode 100644
index 00000000..1de93562
--- /dev/null
+++ b/retired/CVE-2004-2731
@@ -0,0 +1,31 @@
+Candidate: CVE-2004-2731
+References: 
+ http://www.securityfocus.com/bid/10632
+ http://securitytracker.com/id?1010617
+ http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=996bad4803a2ebfebe7b27a431fbcae591f7d199
+ http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=a545dd4118eba7242bb390a76b2a1bb3dce0430e
+ http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=6ab2cfa4f0a04c11932af701b5437879dd14d8bb
+ http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=090a4d5713b462e039e2896ac8092769c42ea742
+Description: 
+ Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c)
+ for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly
+ later versions, allow local users to execute arbitrary code by specifying (1)
+ a small buffer size to the copyin_string function or (2) a negative buffer
+ size to the copyin function.
+Ubuntu-Description: 
+Notes: 
+ dannf> This appears to have been fixed in 2.5, but 2.4 is still
+ dannf> vulnerable to the second part. I've sent patches to
+ dannf> willy/davem for 2.4 consideration
+ dannf>
+ dannf> Patches have been accepted, see References section
+Bugs: 
+upstream: released (2.5.33), released (2.4.35.4)
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-10sarge6) [249_openpromfs-signedness-bug.diff, 250_openpromfs-checks-1.diff, 251_openpromfs-checks-2.diff, 252_openpromfs-checks-3.diff]
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: N/A
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
diff --git a/retired/CVE-2006-4814 b/retired/CVE-2006-4814
new file mode 100644
index 00000000..93d4ae2a
--- /dev/null
+++ b/retired/CVE-2006-4814
@@ -0,0 +1,21 @@
+Candidate: CVE-2006-4814
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f77d107050abc14bc393b34bdb7b91cf670c250
+Description: 
+ The mincore function in the Linux kernel before 2.4.33.6 does not
+ properly lock access to user space, which has unspecified impact and
+ attack vectors, possibly related to a deadlock.
+Ubuntu-Description: 
+ Doug Chapman discovered an improper lock handling in the mincore()
+ function. A local attacker could exploit this to cause an eternal
+ hang in the kernel, rendering the machine unusable.
+Notes: 
+Bugs: 
+upstream: released (2.6.20-rc2), released (2.4.34-rc3)
+linux-2.6: released (2.6.18.dfsg.1-9)
+2.6.18-etch-security: released (2.6.18.dfsg.1-9)
+2.6.8-sarge-security: released (2.6.8-16sarge7) [mincore_hang.dpatch, mincore-fixes.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [239_mincore-hang.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
diff --git a/retired/CVE-2006-5753 b/retired/CVE-2006-5753
new file mode 100644
index 00000000..442cf6a9
--- /dev/null
+++ b/retired/CVE-2006-5753
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-5753
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8
+Description: 
+ The listxattr syscall can corrupt user space under certain
+ circumstances. The problem seems to be related to signed/unsigned
+ conversion during size promotion. The function return_EIO returns an
+ int but its used as a ssize_t with a comparison to 0. This causes the
+ range check to fail and copy_to_user copies way too much.
+ The command line "fsfuzz iso9660" can easily reproduce this behavior.
+Ubuntu-Description: 
+ Various syscalls (like listxattr()) misinterpreted the return value
+ of return_EIO() when encountering bad inodes. By issuing particular
+ system calls on a malformed file system, a local attacker could
+ exploit this to crash the kernel. 
+Notes: 
+Bugs: 
+upstream: released (2.6.20-rc5)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13) [bugfix/listxattr-mem-corruption.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [listxattr-mem-corruption.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [261_listxattr-mem-corruption.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
diff --git a/retired/CVE-2006-6053 b/retired/CVE-2006-6053
new file mode 100644
index 00000000..25356db5
--- /dev/null
+++ b/retired/CVE-2006-6053
@@ -0,0 +1,22 @@
+Candidate: CVE-2006-6053
+References: 
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=40b851348fe9bf49c26025b34261d25142269b60
+ MISC:http://projects.info-pull.com/mokb/MOKB-10-11-2006.html
+Description: 
+ The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause
+ a denial of service (crash) via an ext3 stream with malformed data structures.
+Ubuntu-Description: 
+ The ext3 file system driver did not properly handle corrupted data
+ structures. By mounting a specially crafted ext3 file system, a local
+ attacker could exploit this to crash the kernel.
+Notes: 
+ dannf> only the dir.c bit applies to 2.4
+Bugs: 
+upstream: released (2.6.20-rc5)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [ext3-fsfuzz.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [242_ext3-fsfuzz.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
diff --git a/retired/CVE-2006-6106 b/retired/CVE-2006-6106
new file mode 100644
index 00000000..5b79430b
--- /dev/null
+++ b/retired/CVE-2006-6106
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-6106
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f4777569204cb59f2f04fbe9ef4e9a6918209104
+Description: 
+ Multiple buffer overflows in the cmtp_recv_interopmsg function in the
+ Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel
+ 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow
+ remote attackers to cause a denial of service (crash) and possibly
+ execute arbitrary code via CAPI messages with a large value for the
+ length of the (1) manu (manufacturer) or (2) serial (serial number)
+ field.
+Ubuntu-Description: 
+ Marcel Holtman discovered several buffer overflows in the Bluetooth
+ driver. By sending Bluetooth packets with specially crafted CAPI
+ messages, a remote attacker could exploit these to crash the kernel.
+Notes: 
+Bugs: 
+upstream: released (2.4.33.5), released (2.6.18.6)
+linux-2.6: released (2.6.18.dfsg.1-9) [2.6.18.6]
+2.6.18-etch-security: released (2.6.18.dfsg.1-9) [2.6.18.6]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [bluetooth-capi-size-checks.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [241_bluetooth-capi-size-checks.diff]
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
diff --git a/retired/CVE-2007-1592 b/retired/CVE-2007-1592
new file mode 100644
index 00000000..dc23f1a2
--- /dev/null
+++ b/retired/CVE-2007-1592
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-1592
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d35690beda1429544d46c8eb34b2e3a8c37ab299
+Description: 
+ net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3
+ inadvertently copies the ipv6_fl_socklist from a listening TCP socket
+ to child sockets, which allows local users to cause a denial of
+ service (OOPS) or double-free by opening a listening IPv6 socket,
+ attaching a flow label, and connecting to that socket.
+Ubuntu-Description: 
+ Masayuki Nakagawa discovered an error in the flowlabel handling of
+ IPv6 network sockets. A local attacker could exploit this to crash
+ the kernel.
+Notes: 
+Bugs: 
+upstream: released (2.6.20.4, 2.6.21-rc5)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/ipv6_fl_socklist-no-share.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [ipv6_fl_socklist-no-share.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [243_ipv6_fl_socklist-no-share.diff]
+2.6.15-dapper-security: released (2.6.15-28.54)
+2.6.17-edgy-security: released (2.6.17.1-11.38)
+2.6.20-feisty-security: released (2.6.20-16.28)
diff --git a/retired/CVE-2007-4311 b/retired/CVE-2007-4311
new file mode 100644
index 00000000..d4788e39
--- /dev/null
+++ b/retired/CVE-2007-4311
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-4311
+References: 
+ http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commitdiff_plain;h=66438bd5651e892bc485c32762f7ce75637b686b
+Description: 
+Ubuntu-Description: 
+Notes: 
+ dannf> The reporter noted that this is fixed in current 2.6's. It does
+ dannf> appear that way in Debian's 2.6.8 and 2.6.18, but the code that
+ dannf> solves it is quite a bit different in both. I wouldn't necessarily
+ dannf> assume that kernels between 2.6.8 & 2.6.18 are invulnerable.
+Bugs: 
+upstream: released (2.4.35-rc1)
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: released (2.4.27-10sarge6) [248_random-reseed-sizeof-fix.diff]
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: N/A
+2.6.20-feisty-security: N/A