author: Moritz Muehlenhoff <jmm@debian.org> 2018-10-10 15:47:53 +0200
committer: Moritz Muehlenhoff <jmm@debian.org> 2018-10-10 15:47:53 +0200
commit: 57b924820eb68766ff307bf9efd9f1d318dd0a34 (patch)
tree: 161f76920f61edbe4b748cb3e9317d731ba9a726 /retired
parent: 640652abe2d9a7d6c4c9c1bc307ec9b3b9f49993 (diff)
Retire some issues
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2017-1000 16
-rw-r--r-- retired/CVE-2017-18208 14
-rw-r--r-- retired/CVE-2017-18255 13
-rw-r--r-- retired/CVE-2018-10021 16
-rw-r--r-- retired/CVE-2018-10087 15
-rw-r--r-- retired/CVE-2018-10124 15
6 files changed, 89 insertions, 0 deletions
diff --git a/retired/CVE-2017-1000 b/retired/CVE-2017-1000
new file mode 100644
index 000000000..55af51953
--- /dev/null
+++ b/retired/CVE-2017-1000
@@ -0,0 +1,16 @@
+Description:
+References:
+ https://source.android.com/security/bulletin/pixel/2018-07-01
+Notes:
+ carnil> This is a duplication of CVE-2017-1000112.
+ carnil> Will ask MITRE for proper rejection.
+ carnil> It is actually possibly not a duplicate assignment but just a truncation
+ carnil> of the CVE id in the 2018-07-01 advisory.
+ carnil> Submitted the issue to the Android team.
+Bugs:
+upstream: released (4.13-rc5) [85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa]
+4.9-upstream-stable: released (4.9.43) [33dc6a6a85f1d6ce71e7056d009b8a5fcbf10f70]
+3.16-upstream-stable: released (3.16.47) [08676246d893e3a42a541a2ef1291f2ea62c5b06]
+sid: released (4.12.6-1) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
+4.9-stretch-security: released (4.9.30-2+deb9u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
+3.16-jessie-security: released (3.16.43-2+deb8u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch]
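Review bot: The Description field is left empty, and the Notes keep two conflicting statements: first "This is a duplication of CVE-2017-1000112", then "possibly not a duplicate assignment but just a truncation of the CVE id". Fill in Description with a one-line pointer to CVE-2017-1000112 and record the final conclusion in Notes, so a reader of the retired file does not have to guess which reading held or whether the MITRE rejection request is still open.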
diff --git a/retired/CVE-2017-18208 b/retired/CVE-2017-18208
new file mode 100644
index 000000000..86add4c8a
--- /dev/null
+++ b/retired/CVE-2017-18208
@@ -0,0 +1,14 @@
+Description: mm/madvise.c: fix madvise() infinite loop under special circumstances
+References:
+Notes:
+ bwh> This only affects XIP or DAX files. We never enabled XIP, and DAX
+ bwh> has only been available since 4.0.
+Bugs:
+upstream: released (4.15-rc2) [6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91]
+4.9-upstream-stable: released (4.9.67) [ba32d7dce43f14ef1a1cb0540959431526cf7fe0]
+3.16-upstream-stable: released (3.16.57) [302212255813b55c0daeb8f15bcf25ff542e36cf]
+3.2-upstream-stable: released (3.2.102) [3d886ff142e713000aec6bf6f82944eb03dab28c]
+sid: released (4.14.7-1)
+4.9-stretch-security: released (4.9.80-1)
+3.16-jessie-security: ignored "Only affects ARM with XIP enabled"
+3.2-wheezy-security: ignored "Only affects ARM with XIP enabled"
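Review bot: The ignore reason on the 3.16-jessie-security and 3.2-wheezy-security lines, "Only affects ARM with XIP enabled", does not match the bwh note, which says the issue affects XIP or DAX files and never mentions ARM. Align the reason with the note (XIP was never enabled, DAX only available since 4.0) so the justification for skipping these branches can be checked against the entry itself. References is also empty.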
diff --git a/retired/CVE-2017-18255 b/retired/CVE-2017-18255
new file mode 100644
index 000000000..80e5e3fe8
--- /dev/null
+++ b/retired/CVE-2017-18255
@@ -0,0 +1,13 @@
+Description: DoS in perf_cpu_time_max_percent_handler
+References:
+Notes:
+ bwh> root is supposed to be able to deny service any way they want...
+Bugs:
+upstream: released (4.11-rc1) [1572e45a924f254d9570093abde46430c3172e3d]
+4.9-upstream-stable: released (4.9.99) [0f8a75e90963019cef486565f2b088bb570a7ddb]
+3.16-upstream-stable: ignored "not a security issue"
+3.2-upstream-stable: ignored "not a security issue"
+sid: released (4.11.6-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: ignored "not a security issue"
+3.2-wheezy-security: ignored "not a security issue"
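Review bot: Four status lines are ignored as "not a security issue" while the Description still reads "DoS in perf_cpu_time_max_percent_handler", and the only justification is the elliptical bwh note. If the point is that only root can trigger the condition, say so explicitly in Notes so the ignore reason stands on its own; with References empty there is nothing else in the entry to back it up.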
diff --git a/retired/CVE-2018-10021 b/retired/CVE-2018-10021
new file mode 100644
index 000000000..7b66a887a
--- /dev/null
+++ b/retired/CVE-2018-10021
@@ -0,0 +1,16 @@
+Description: scsi: libsas: defer ata device eh commands to libata
+References:
+ https://bugzilla.suse.com/show_bug.cgi?id=1089281#c1
+Notes:
+ carnil> Negligable security impact, failure can only occur for physically
+ carnil> proximate attackers who unplug SAS Host Bus Adapter cables.
+ bwh> The vulnerable code was added in Linux 3.4.
+Bugs:
+upstream: released (4.16-rc7) [318aaf34f1179b39fa9c30fa0f3288b645beee39]
+4.9-upstream-stable: released (4.9.103) [e420d98384760f55ffac9951b9b5cccbf2edd752]
+3.16-upstream-stable: released (3.16.58) [scsi-libsas-defer-ata-device-eh-commands-to-libata.patch]
+3.2-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.15.17-1) [bugfix/all/scsi-libsas-defer-ata-device-eh-commands-to-libata.patch]
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: released (3.16.59-1)
+3.2-wheezy-security: N/A "Vulnerable code not present"
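Review bot: The 3.16-upstream-stable line gives a patch file name in brackets, [scsi-libsas-defer-ata-device-eh-commands-to-libata.patch], where the upstream and 4.9-upstream-stable lines give a commit hash. Since the line is marked released (3.16.58), reference the commit id there so the fix can be located the same way in every branch. Also, "Negligable" in the first carnil note should be "Negligible".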
diff --git a/retired/CVE-2018-10087 b/retired/CVE-2018-10087
new file mode 100644
index 000000000..b30812142
--- /dev/null
+++ b/retired/CVE-2018-10087
@@ -0,0 +1,15 @@
+Description: kernel/exit.c: avoid undefined behaviour when calling wait4()
+References:
+ https://news.ycombinator.com/item?id=2972021
+ http://lkml.kernel.org/r/1497264618-20212-1-git-send-email-zhongjiang@huawei.com
+Notes:
+ bwh> This looks very unlikely to have any security impact in reality.
+Bugs:
+upstream: released (4.13-rc1) [dd83c161fbcc5d8be637ab159c0de015cbff5ba4]
+4.9-upstream-stable: released (4.9.101) [04103c29b6cc1ffcf9efe167a07e882be68f8367]
+3.16-upstream-stable: ignored "Minor issue"
+3.2-upstream-stable: ignored "Minor issue"
+sid: released (4.13.4-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: ignored "Minor issue"
+3.2-wheezy-security: ignored "Minor issue"
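Review bot: The first reference, https://news.ycombinator.com/item?id=2972021, is a Hacker News item and nothing in the entry says how it relates to the wait4() fix; the lkml link is the only reference that visibly belongs to this patch. Add a short note explaining its relevance or drop it.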
diff --git a/retired/CVE-2018-10124 b/retired/CVE-2018-10124
new file mode 100644
index 000000000..c6c34c7be
--- /dev/null
+++ b/retired/CVE-2018-10124
@@ -0,0 +1,15 @@
+Description: kernel/signal.c: avoid undefined behaviour in kill_something_info
+References:
+ https://news.ycombinator.com/item?id=2972021
+ http://lkml.kernel.org/r/1496670008-59084-1-git-send-email-zhongjiang@huawei.com
+Notes:
+ bwh> This looks very unlikely to have any security impact in reality.
+Bugs:
+upstream: released (4.13-rc1) [4ea77014af0d6205b05503d1c7aac6eace11d473]
+4.9-upstream-stable: released (4.9.104) [ec1975ac988686eba0f105f87ed0b587da43d384]
+3.16-upstream-stable: ignored "Minor issue"
+3.2-upstream-stable: ignored "Minor issue"
+sid: released (4.13.4-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: ignored "Minor issue"
+3.2-wheezy-security: ignored "Minor issue"
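Review bot: This entry repeats the Hacker News reference and the bwh note from retired/CVE-2018-10087 word for word, without saying the two issues are related. Add a Notes line cross-referencing CVE-2018-10087 (both lkml links come from the same submitter and both fixes are described as avoiding undefined behaviour), so the shared "Minor issue" triage reads as one deliberate decision.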
