author | Moritz Muehlenhoff <jmm@debian.org> | 2008-02-22 21:53:05 +0000
---|---|---
committer | Moritz Muehlenhoff <jmm@debian.org> | 2008-02-22 21:53:05 +0000
commit | 0394957db79db8afcae11908388c24464b8d744f |
tree | 8f82b84cda898d89f438bc4c4e7b00e8d0324b60 (limited to /retired) |
parent | 60e5f903d389fc77fb16d492f07f52e65c20be16 |
retire some issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1140 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
mode | file | lines added
---|---|---
-rw-r--r-- | retired/CVE-2004-2731 | 31
-rw-r--r-- | retired/CVE-2006-4814 | 21
-rw-r--r-- | retired/CVE-2006-5753 | 25
-rw-r--r-- | retired/CVE-2006-6053 | 22
-rw-r--r-- | retired/CVE-2006-6106 | 25
-rw-r--r-- | retired/CVE-2007-1592 | 23
-rw-r--r-- | retired/CVE-2007-4311 | 19
7 files changed, 166 insertions, 0 deletions
diff --git a/retired/CVE-2004-2731 b/retired/CVE-2004-2731 new file mode 100644 index 00000000..1de93562 --- /dev/null +++ b/retired/CVE-2004-2731 @@ -0,0 +1,31 @@ +Candidate: CVE-2004-2731 +References: + http://www.securityfocus.com/bid/10632 + http://securitytracker.com/id?1010617 + http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=996bad4803a2ebfebe7b27a431fbcae591f7d199 + http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=a545dd4118eba7242bb390a76b2a1bb3dce0430e + http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=6ab2cfa4f0a04c11932af701b5437879dd14d8bb + http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=090a4d5713b462e039e2896ac8092769c42ea742 +Description: + Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) + for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly + later versions, allow local users to execute arbitrary code by specifying (1) + a small buffer size to the copyin_string function or (2) a negative buffer + size to the copyin function. +Ubuntu-Description: +Notes: + dannf> This appears to have been fixed in 2.5, but 2.4 is still + dannf> vulnerable to the second part. I've sent patches to + dannf> willy/davem for 2.4 consideration + dannf> + dannf> Patches have been accepted, see References section +Bugs: +upstream: released (2.5.33), released (2.4.35.4) +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-10sarge6) [249_openpromfs-signedness-bug.diff, 250_openpromfs-checks-1.diff, 251_openpromfs-checks-2.diff, 252_openpromfs-checks-3.diff] +2.6.15-dapper-security: N/A +2.6.17-edgy-security: N/A +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2006-4814 b/retired/CVE-2006-4814 new file mode 100644 index 00000000..93d4ae2a --- /dev/null +++ b/retired/CVE-2006-4814 
@@ -0,0 +1,21 @@ +Candidate: CVE-2006-4814 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2f77d107050abc14bc393b34bdb7b91cf670c250 +Description: + The mincore function in the Linux kernel before 2.4.33.6 does not + properly lock access to user space, which has unspecified impact and + attack vectors, possibly related to a deadlock. +Ubuntu-Description: + Doug Chapman discovered an improper lock handling in the mincore() + function. A local attacker could exploit this to cause an eternal + hang in the kernel, rendering the machine unusable. +Notes: +Bugs: +upstream: released (2.6.20-rc2), released (2.4.34-rc3) +linux-2.6: released (2.6.18.dfsg.1-9) +2.6.18-etch-security: released (2.6.18.dfsg.1-9) +2.6.8-sarge-security: released (2.6.8-16sarge7) [mincore_hang.dpatch, mincore-fixes.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [239_mincore-hang.diff] +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2006-5753 b/retired/CVE-2006-5753 new file mode 100644 index 00000000..442cf6a9 --- /dev/null +++ b/retired/CVE-2006-5753 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-5753 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8 +Description: + The listxattr syscall can corrupt user space under certain + circumstances. The problem seems to be related to signed/unsigned + conversion during size promotion. The function return_EIO returns an + int but its used as a ssize_t with a comparison to 0. This causes the + range check to fail and copy_to_user copies way too much. + The command line "fsfuzz iso9660" can easily reproduce this behavior. +Ubuntu-Description: + Various syscalls (like listxattr()) misinterpreted the return value + of return_EIO() when encountering bad inodes. By issuing particular + system calls on a malformed file system, a local attacker could + exploit this to crash the kernel. +Notes: +Bugs: +upstream: released (2.6.20-rc5) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13) [bugfix/listxattr-mem-corruption.patch] +2.6.8-sarge-security: released (2.6.8-16sarge7) [listxattr-mem-corruption.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [261_listxattr-mem-corruption.diff] +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2006-6053 b/retired/CVE-2006-6053 new file mode 100644 index 00000000..25356db5 --- /dev/null +++ b/retired/CVE-2006-6053 
@@ -0,0 +1,22 @@ +Candidate: CVE-2006-6053 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=40b851348fe9bf49c26025b34261d25142269b60 + MISC:http://projects.info-pull.com/mokb/MOKB-10-11-2006.html +Description: + The ext3fs_dirhash function in Linux kernel 2.6.x allows local users to cause + a denial of service (crash) via an ext3 stream with malformed data structures. +Ubuntu-Description: + The ext3 file system driver did not properly handle corrupted data + structures. By mounting a specially crafted ext3 file system, a local + attacker could exploit this to crash the kernel. +Notes: + dannf> only the dir.c bit applies to 2.4 +Bugs: +upstream: released (2.6.20-rc5) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-10) [bugfix/2.6.16.38] +2.6.8-sarge-security: released (2.6.8-16sarge7) [ext3-fsfuzz.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [242_ext3-fsfuzz.diff] +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2006-6106 b/retired/CVE-2006-6106 new file mode 100644 index 00000000..5b79430b --- /dev/null +++ b/retired/CVE-2006-6106 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-6106 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f4777569204cb59f2f04fbe9ef4e9a6918209104 +Description: + Multiple buffer overflows in the cmtp_recv_interopmsg function in the + Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel + 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow + remote attackers to cause a denial of service (crash) and possibly + execute arbitrary code via CAPI messages with a large value for the + length of the (1) manu (manufacturer) or (2) serial (serial number) + field. +Ubuntu-Description: + Marcel Holtman discovered several buffer overflows in the Bluetooth + driver. By sending Bluetooth packets with specially crafted CAPI + messages, a remote attacker could exploit these to crash the kernel. +Notes: +Bugs: +upstream: released (2.4.33.5), released (2.6.18.6) +linux-2.6: released (2.6.18.dfsg.1-9) [2.6.18.6] +2.6.18-etch-security: released (2.6.18.dfsg.1-9) [2.6.18.6] +2.6.8-sarge-security: released (2.6.8-16sarge7) [bluetooth-capi-size-checks.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [241_bluetooth-capi-size-checks.diff] +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2007-1592 b/retired/CVE-2007-1592 new file mode 100644 index 00000000..dc23f1a2 --- /dev/null +++ b/retired/CVE-2007-1592 
@@ -0,0 +1,23 @@ +Candidate: CVE-2007-1592 +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d35690beda1429544d46c8eb34b2e3a8c37ab299 +Description: + net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 + inadvertently copies the ipv6_fl_socklist from a listening TCP socket + to child sockets, which allows local users to cause a denial of + service (OOPS) or double-free by opening a listening IPv6 socket, + attaching a flow label, and connecting to that socket. +Ubuntu-Description: + Masayuki Nakagawa discovered an error in the flowlabel handling of + IPv6 network sockets. A local attacker could exploit this to crash + the kernel. +Notes: +Bugs: +upstream: released (2.6.20.4, 2.6.21-rc5) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/ipv6_fl_socklist-no-share.patch] +2.6.8-sarge-security: released (2.6.8-16sarge7) [ipv6_fl_socklist-no-share.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [243_ipv6_fl_socklist-no-share.diff] +2.6.15-dapper-security: released (2.6.15-28.54) +2.6.17-edgy-security: released (2.6.17.1-11.38) +2.6.20-feisty-security: released (2.6.20-16.28) diff --git a/retired/CVE-2007-4311 b/retired/CVE-2007-4311 new file mode 100644 index 00000000..d4788e39 --- /dev/null +++ b/retired/CVE-2007-4311 
@@ -0,0 +1,19 @@ +Candidate: CVE-2007-4311 +References: + http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commitdiff_plain;h=66438bd5651e892bc485c32762f7ce75637b686b +Description: +Ubuntu-Description: +Notes: + dannf> The reporter noted that this is fixed in current 2.6's. It does + dannf> appear that way in Debian's 2.6.8 and 2.6.18, but the code that + dannf> solves it is quite a bit different in both. I wouldn't necessarily + dannf> assume that kernels between 2.6.8 & 2.6.18 are invulnerable. +Bugs: +upstream: released (2.4.35-rc1) +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-10sarge6) [248_random-reseed-sizeof-fix.diff] +2.6.15-dapper-security: N/A +2.6.17-edgy-security: N/A +2.6.20-feisty-security: N/A |
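Review bot: In retired/CVE-2004-2731 the Description ("2.6.x up to 2.6.7, and possibly later versions") contradicts the `upstream: released (2.5.33)` line and the N/A on every 2.6 release line. The dannf note already explains the reconciliation (fixed in 2.5, only the negative-size copyin part still affected 2.4), so either move that statement into the first line of Notes or trim the description, so that a reader does not take the 2.6 N/A entries for an untracked exposure. The four sarge patch names (249_ to 252_) and the four wtarreau commits under References should also be listed so that each patch can be matched to its upstream commit.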
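Review bot: In retired/CVE-2006-4814 the Description says the bug affects kernels "before 2.4.33.6", while `upstream:` records the 2.4 fix as 2.4.34-rc3; one of the two is wrong (if the fix went into 2.4.33.6 the upstream line should say so, otherwise 2.4.33.x remains affected). References carries only the 2.6 commit 2f77d107… although 2.4.27-10sarge6 ships 239_mincore-hang.diff; add the 2.4 commit it was taken from. The set of release lines also differs from the neighbouring files: 2.6.12-breezy-security is present here but 2.6.20-feisty-security and 2.6.22-gutsy-security are missing; with the fix in 2.6.20-rc2 those are presumably N/A, but the lines should still exist so the file is complete.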
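Review bot: In retired/CVE-2006-5753 the Description (lifted from the commit message) says the range check fails and copy_to_user "copies way too much", i.e. user-space memory is corrupted, while the Ubuntu-Description reduces the impact to "crash the kernel"; the Ubuntu text should not be narrower than the Description and the patch names (listxattr-mem-corruption) it sits next to. The Ubuntu-Description also generalises to "Various syscalls (like listxattr())" where the Description names only listxattr; say which syscalls share the return_EIO misinterpretation, or drop the generalisation.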
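Review bot: In retired/CVE-2006-6053 the second reference is written as `MISC:http://projects.info-pull.com/mokb/MOKB-10-11-2006.html` with a CVE-style source prefix, unlike every other References entry in this commit, which is a bare URL; drop the `MISC:` prefix so the file parses like the others. The etch entry records the fix as [bugfix/2.6.16.38], a stable-series name rather than a patch file, while sarge records ext3-fsfuzz.dpatch; if etch took the fix as part of that stable update, say so in Notes next to the "only the dir.c bit applies to 2.4" remark.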
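Review bot: In retired/CVE-2006-6106 the Ubuntu-Description credits "Marcel Holtman"; the Bluetooth subsystem maintainer's name is spelled Marcel Holtmann, so check the spelling. As in CVE-2006-5753, the Ubuntu-Description states only "crash the kernel" while the Description says remote attackers can "possibly execute arbitrary code via CAPI messages"; the tracked impact should not be narrower than the CVE text, especially for a remotely reachable overflow.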
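Review bot: In retired/CVE-2007-1592 the Description limits the bug to "Linux kernel 2.6.x up to 2.6.21-rc3" and `upstream:` records only 2.6 fixes (2.6.20.4, 2.6.21-rc5), yet 2.4.27-sarge-security is marked released with 243_ipv6_fl_socklist-no-share.diff. Either 2.4 is affected, in which case the Description and the upstream line need the 2.4 status and References a 2.4 commit, or the 2.4.27 line should read N/A. The 2.6.8-sarge entry is consistent, since 2.6.8 falls inside the affected range.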
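Review bot: In retired/CVE-2007-4311 the Description and Ubuntu-Description are empty; the only reference is the 2.4 commit 66438bd5… and the sarge patch name 248_random-reseed-sizeof-fix.diff, so at least a one-line description taken from that commit should go in before the entry is retired. The bigger problem is the status lines: the dannf note says not to assume that kernels between 2.6.8 and 2.6.18 are invulnerable, yet 2.6.15-dapper-security and 2.6.17-edgy-security, which sit in exactly that range, are marked N/A. Those two lines should not be N/A until the 2.6.15/2.6.17 code has been checked, or Notes should record why they were judged unaffected; the same applies to the linux-2.6 and 2.6.18-etch N/A, which the note only supports by saying the fixing code "is quite a bit different".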