Retire several CVEs

12 files changed, 209 insertions, 0 deletions

diff --git a/retired/CVE-2017-5715 b/retired/CVE-2017-5715
new file mode 100644
index 00000000..4d7687ab
--- /dev/null
+++ b/retired/CVE-2017-5715
@@ -0,0 +1,35 @@
+Description: Branch target injection
+References:
+ https://spectreattack.com/
+ https://lkml.org/lkml/2018/1/4/955
+Notes:
+ carnil> partial mitigations via 0cb5b30698fdc8f6b4646012e3acb4ddce430788
+ carnil> "kvm: vmx: Scrub hardware GPRs at VM-exit" in 4.15-rc7
+ carnil> Initial support for mitigation work for Spectre variant 2
+ carnil> (indirect branch speculation) vulnerability included in
+ carnil> 4.15-rc8, 4.14.14-rc1, 4.9.77-rc1.
+ carnil> Mark the entries which included initial retpoline support
+ carnil> to mitigate Spectre v2 as the 'fixed' ones. Still work on
+ carnil> microcode and/or gcc is needed to be effective.
+ carnil> Unclear if we should as well mark it as pending for the
+ carnil> Debian branches, so not yet added a marking for the sid
+ carnil> branch accordingly.
+ carnil> 4.14.17-1 upload enforces a dependency on the used compiler
+ carnil> with retpoline support.
+ carnil> 4.9.82-1+deb9u1 upload enforces a dependency on the used
+ carnil> compiler with retpoline support.
+ bwh> The list of upstream commits and the status below are for x86 only.
+ bwh> For arm64, we would probably need: be04a6d1126b02c6a28741155b899d648739fc5b, 0f15adbb2861ce6f75ccfc5a92b19eae0ef327d0, f3d795d9b360523beca6d13ba64c2c532f601149
+ bwh> For s390x, we would probably need: d768bd892fc8f066cd3aa000eb1867bcf32db0ee, f19fbd5ed642dc31c809596412dab1ed56f2f156
+ bwh> 3.2.101 and 3.16.56 stable updates included retpoline support.
+ bwh> Microcode-based support is pending for 3.16 but I won't try
+ bwh> backporting it to 3.2.
+Bugs:
+upstream: released (4.16-rc4) [99c6fa2511d8a683e61468be91b83f85452115fa, 87590ce6e373d1a5401f6539f0c59ef92dd924a9, 61dc0f555b5c761cdafb0ba5bd41ecf22d68a4c4, e4d0e84e490790798691aaa0f2e598637f1867ec, 39b735332cb8b33a27c28592d969e4016c86c3ea, 258c76059cece01bebae098e81bacb1af2edad17, 76b043848fd22dbf7f8bf3a1452f8c70d557b860, da285121560e769cc31797bba6422eea71d473e0, 9697fa39efd3fc3692f2949d4045f393ec58450b, 2641f08bb7fc63a636a2b18173221d7040a3512e, 9351803bd803cdbeb9b5a7850b7b6f464806e3db, e70e5892b28c18f517f29ab6e83bd57705104b31, ea08816d5b185ab3d09e95e393f265af54560350, 5096732f6f695001fa2d6f1335a2680b37912c69, 7614e913db1f40fff819b36216484dc3808995d4, 117cc7a908c83697b0b737d15ae1eb5943afe35b, b8b9ce4b5aec8de9e23cabb0a26b78641f9ab1d6, c995efd5a740d9cbafbf58bde4973e8b50b4d761, 28d437d550e1e39f805d99f9f8ac399c778827b7, 6f41c34d69eb005e7848716bbcafc979b35037d5, 736e80a4213e9bbce40a7c050337047128b472ac, 3f7d875566d8e79c5e0b2c9a413e91b2c29e0854, 1a29b5b7f347a1a9230c1e0af5b37e3e571588ab, c940a3fb1e2e9b7d03228ab28f375fb5a47ff699, caf7501a1b4ec964190f31f9c3f163de252273b8, 95ca0ee8636059ea2800dfbac9ecac6212d6b38f, fc67dd70adb711a45d2ef34e12d1a8be75edde61, 5d10cbc91d9eb5537998b65608441b592eec65e7, 1e340c60d0dd3ae07b5bedc16a0469c14b9f3410, a5b2966364538a0e68c9fa29bc0a3a1651799035, 20ffa1caecca4db8f79fe665acdeaa5af815a24d, 7a32fc51ca938e67974cbb9db31e1a43f98345a9, 55fa19d3e51f33d9cd4056d25836d93abf9438db, de3a0021a60635de96aa92713c1a31a96747d72c, f21f165ef922c2146cc5bdc620f542953c41714b, e383095c7fe8d218e00ec0f83e4b95ed4e627b02, 2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2, a845c7cf4b4cb5e9e3b2823867892b27646f3a98, 17bc33914bcc98ba3c6b426fd1c49587a25c0597, 9471eee9186a46893726e22ebb54cade3f9bc043, e698dcdfcda41efd0984de539767b4cddd235f1e, 7fcae1118f5fd44a862aa5c3525248e35ee67c3b, 18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7, 12c69f1e94c89d40696e83804dd2f0965b5250cd, 904e14fb7cb96401a7dc803ca2863fd5ba32ffe6, 9005c6834c0ffdfe46afa76656bd9276cca864f6, af189c95a371b59f493dbe0f50c0a09724868881, 15d45071523d89b3fb7372e2135fbd72f6af9506, d28b387fb74da95d69d2615732f50cceb38e9a4d, 1751342095f0d2b36fa8114d8e12c5688c455ac4, d37fc6d360a404b208547ba112e7dabb6533c7fc, ea00f301285ea2f07393678cd2b6057878320c9d, 9de29eac8d2189424d81c0d840cd0469aa3d41c8, dd84441a797150dcc49298ec95c459a8891d8bb1, d72f4e29e6d84b7ec02ae93088aa459ac70e733b, a493a87f38cfa48caaa95c9347be2d914c6fdf29, ecb586bd29c99fb4de599dec388658e74388daad]
+4.9-upstream-stable: released (4.9.88)
+3.16-upstream-stable: released (3.16.57) [x86-cpufeatures-add-intel-feature-bits-for-speculation-control.patch, x86-cpufeatures-add-amd-feature-bits-for-speculation-control.patch, x86-msr-add-definitions-for-new-speculation-control-msrs.patch, x86-cpufeature-blacklist-spec_ctrl-pred_cmd-on-early-spectre-v2-microcodes.patch, x86-speculation-add-basic-ibpb-indirect-branch-prediction-barrier-support.patch, kvm-nvmx-eliminate-vmcs02-pool.patch, kvm-vmx-introduce-alloc_loaded_vmcs.patch, x86-cpufeatures-clean-up-spectre-v2-related-cpuid-flags.patch, x86-cpuid-fix-up-virtual-ibrs-ibpb-stibp-feature-bits-on-intel.patch, x86-speculation-use-indirect-branch-prediction-barrier-in-context-switch.patch, kvm-vmx-make-msr-bitmaps-per-vcpu.patch, kvm-x86-add-ibpb-support.patch, kvm-vmx-allow-direct-access-to-msr_ia32_spec_ctrl.patch, x86-speculation-update-speculation-control-microcode-blacklist.patch, x86-speculation-correct-speculation-control-microcode-blacklist-again.patch, x86-speculation-use-ibrs-if-available-before-calling-into-firmware.patch, x86-speculation-move-firmware_restrict_branch_speculation_-from-c-to-cpp.patch, kvm-x86-remove-indirect-msr-op-calls-from-spec_ctrl.patch]
+3.2-upstream-stable: released (3.2.101)
+sid: released (4.15.11-1)
+4.9-stretch-security: released (4.9.88-1)
+3.16-jessie-security: released (3.16.57-1)
+3.2-wheezy-security: released (3.2.101-1)
diff --git a/retired/CVE-2017-5753 b/retired/CVE-2017-5753
new file mode 100644
index 00000000..b8380b79
--- /dev/null
+++ b/retired/CVE-2017-5753
@@ -0,0 +1,20 @@
+Description: bounds check bypass
+References:
+ https://spectreattack.com/
+Notes:
+ carnil> partial mitigations via 0cb5b30698fdc8f6b4646012e3acb4ddce430788
+ carnil> "kvm: vmx: Scrub hardware GPRs at VM-exit" in 4.15-rc7
+ carnil> Further work went in in 4.16-rc1, 4.15.2 and 4.9.81 and following
+ carnil> for mitigations (Mitigation: __user pointer sanitization).
+ bwh> The list of upstream commits and the status below are for x86 only.
+ bwh> For arm64, we would probably need: 669474e772b952b14f4de4845a1558fd4c0414a4, 022620eed3d0bc4bf2027326f599f5ad71c2ea3f, 51369e398d0d33e8f524314e672b07e8cf870e79, 4d8efc2d5ee4c9ccfeb29ee8afd47a8660d0c0ce, 6314d90e64936c584f300a52ef173603fb2461b5, c2f0ad4fc089cff81cef6a13d04b399980ecbfcc, 91b2d3442f6a44dce875670d702af22737ad5eff
+ bwh> Optimisation for s390x: e2dd833389cc4069a96b57bdd24227b5f52288f5
+Bugs:
+upstream: released (4.16-rc4) [99c6fa2511d8a683e61468be91b83f85452115fa, 87590ce6e373d1a5401f6539f0c59ef92dd924a9, 61dc0f555b5c761cdafb0ba5bd41ecf22d68a4c4, b2157399cc9898260d6031c5bfe45fe137c1fbe7, e4d0e84e490790798691aaa0f2e598637f1867ec, be95a845cc4402272994ce290e3ad928aff06cb9, bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1, 7a32fc51ca938e67974cbb9db31e1a43f98345a9, 21d375b6b34ff511a507de27bf316b3dde6938d9, f84a56f73dddaeac1dba8045b007f742f61cd2da, f3804203306e098dae9ca51540fcd5eb700d7f40, babdde2698d482b6c0de1eab4f697cf5856c5859, b3d7ad85b80bbc404635dca80f5b129f6242bc7a, b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd, b5c4ae4f35325d520b230bab6eb3310613b72ac1, 304ec1b050310548db33063e567123fae8fd0301, c7f631cb07e7da06ac1d231ca178452339e32a94, 2fbd7af5af8665d18bcefae3e9700be07e22b681, 56c30ba7b348b90484969054d561f711ba196507, 259d8c1e984318497c84eef547bbb6b1d9f4eb05, edfbae53dab8348fca778531be9f4855d2ca0360, 085331dfc6bbe3501fb936e657331ca943827600, 3968523f855050b8195134da951b87c20bd66130, 8fa80c503b484ddc1abbd10c7cb2ab81f3824a50, 1d91c1d2c80cb70e2e553845e278b87a960c04da, eb6174f6d1be16b19cfa43dac296bfed003ce1a6]
+4.9-upstream-stable: released (4.9.88)
+3.16-upstream-stable: released (3.16.56)
+3.2-upstream-stable: released (3.2.101)
+sid: released (4.15.11-1)
+4.9-stretch-security: released (4.9.88-1)
+3.16-jessie-security: released (3.16.56-1)
+3.2-wheezy-security: released (3.2.101-1)
diff --git a/retired/CVE-2018-10840 b/retired/CVE-2018-10840
new file mode 100644
index 00000000..6bdee79d
--- /dev/null
+++ b/retired/CVE-2018-10840
@@ -0,0 +1,13 @@
+Description: ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
+References:
+Notes:
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=199347
+upstream: released (4.18-rc1) [8a2b307c21d4b290e3cbe33f768f194286d07c23]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1 with dec214d00e0d78a08b947d7dccdfdb84407a9f4d"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1 with dec214d00e0d78a08b947d7dccdfdb84407a9f4d"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1 with dec214d00e0d78a08b947d7dccdfdb84407a9f4d"
+sid: released (4.17.3-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2018-1093 b/retired/CVE-2018-1093
new file mode 100644
index 00000000..f9e3981b
--- /dev/null
+++ b/retired/CVE-2018-1093
@@ -0,0 +1,20 @@
+Description: Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image
+References:
+Notes:
+ carnil> Ben noticed that the fix is not correct in Message-ID:
+ carnil> <30c688b5783a5779811ce68893b7001390b9e200.camel@decadent.org.uk>
+ carnil> and fix needs a followup.
+ carnil> Caused other regressions:
+ carnil> https://marc.info/?l=linux-ext4&m=152416385122029&w=2
+ bwh> Regressions should be fixed by commit 22be37acce25 "ext4: fix bitmap
+ bwh> position validation".
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=199181
+upstream: released (4.17-rc1) [7dac4a1726a9c64a517d595c40e95e2d0d135f6f]
+4.9-upstream-stable: released (4.9.98) [76964816c83d3e4e8a6a393777b30f22a6f9cd51, 1fd7c778ebf0f74e0aadcdf112800736cfdbca00]
+3.16-upstream-stable: released (3.16.57) [91a9c8e8ac7da66d7159fd758464808d2a1c979a, 73cc97df78e4fbc22a34b0eeedbaaf30b47d7ee5]
+3.2-upstream-stable: released (3.2.102) [f278235ce148485cdb9dc990673943addafbd577, 02a37ffd681be59775c9f13686e20621f7097f7e]
+sid: released (4.15.17-1) [bugfix/all/ext4-add-validity-checks-for-bitmap-block-numbers.patch]
+4.9-stretch-security: released (4.9.88-1) [bugfix/all/ext4-add-validity-checks-for-bitmap-block-numbers.patch, bugfix/all/ext4-fix-bitmap-position-validation.patch]
+3.16-jessie-security: released (3.16.57-1)
+3.2-wheezy-security: released (3.2.102-1)
diff --git a/retired/CVE-2018-10940 b/retired/CVE-2018-10940
new file mode 100644
index 00000000..7716020c
--- /dev/null
+++ b/retired/CVE-2018-10940
@@ -0,0 +1,12 @@
+Description: cdrom: information leak in cdrom_ioctl_media_changed()
+References:
+Notes:
+Bugs:
+upstream: released (4.17-rc3) [9de4ee40547fd315d4a0ed1dd15a2fa3559ad707]
+4.9-upstream-stable: released (4.9.97) [4bd744b86114a406efb563c8717e5bea7672d427]
+3.16-upstream-stable: released (3.16.57) [319975e893eebe88c6695c6876ab75d316aa518b]
+3.2-upstream-stable: released (3.2.102) [15bad6c8291a04692b928e9037844fde6f32a798]
+sid: released (4.16.12-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: released (3.16.57-1)
+3.2-wheezy-security: released (3.2.102-1)
diff --git a/retired/CVE-2018-1118 b/retired/CVE-2018-1118
new file mode 100644
index 00000000..8610b9c7
--- /dev/null
+++ b/retired/CVE-2018-1118
@@ -0,0 +1,16 @@
+Description: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg()
+References:
+ http://www.openwall.com/lists/oss-security/2018/05/09/1
+ https://lkml.org/lkml/2018/4/27/833
+ https://bugzilla.redhat.com/show_bug.cgi?id=1573699
+Notes:
+ carnil> Introduced in 4.8-rc1 [6b1e6cc7855b09a0a9bfa1d9f30172ba366f161c]
+Bugs:
+upstream: released (4.18-rc1) [670ae9caaca467ea1bfd325cb2a5c98ba87f94ad]
+4.9-upstream-stable: released (4.9.110) [9681c3bdb098f6c87a0422b6b63912c1b90ad197]
+3.16-upstream-stable: N/A "Vulnerable code introduced later"
+3.2-upstream-stable: N/A "Vulnerable code introduced later"
+sid: released (4.17.3-1)
+4.9-stretch-security: released (4.9.110-1)
+3.16-jessie-security: N/A "Vulnerable code not present"
+3.2-wheezy-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2018-1130 b/retired/CVE-2018-1130
new file mode 100644
index 00000000..f9bdbb7e
--- /dev/null
+++ b/retired/CVE-2018-1130
@@ -0,0 +1,14 @@
+Description: dccp: check sk for closed state in dccp_sendmsg()
+References:
+ https://syzkaller.appspot.com/bug?id=833568de043e0909b2aeaef7be136db39d21ba94
+ https://marc.info/?t=152036611500003&r=1&w=2
+Notes:
+Bugs:
+upstream: released (4.16-rc7) [67f93df79aeefc3add4e4b31a752600f834236e2]
+4.9-upstream-stable: released (4.9.92) [1fdc00c1503f2164893454958cf62c3bf4eff8d6]
+3.16-upstream-stable: released (3.16.57) [e86c8c8cdf47ce06f29a080f9ab9ee8eee71b374]
+3.2-upstream-stable: released (3.2.102) [109503b8cccb3b803d875b88d21d49eab921969e]
+sid: released (4.15.17-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: released (3.16.57-1)
+3.2-wheezy-security: released (3.2.102-1)
diff --git a/retired/CVE-2018-11412 b/retired/CVE-2018-11412
new file mode 100644
index 00000000..de730157
--- /dev/null
+++ b/retired/CVE-2018-11412
@@ -0,0 +1,19 @@
+Description: ext4: out-of-bounds memcpy via non-inline system.data xattr
+References:
+ https://bugs.chromium.org/p/project-zero/issues/detail?id=1580
+ https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit/?h=dev&id=117166efb1ee8f13c38f9e96b258f16d4923f888
+Notes:
+ carnil> fixed in ext4.git via 117166efb1ee8f13c38f9e96b258f16d4923f888
+ carnil> Might be needed to add as well the followup commit
+ carnil> eb9b5f01c33adebc31cbc236c02695f605b0e417
+ carnil> which relates to the fix for CVE-2018-11412.
+Bugs:
+ https://bugzilla.kernel.org/show_bug.cgi?id=199803
+upstream: released (4.18-rc1) [117166efb1ee8f13c38f9e96b258f16d4923f888]
+4.9-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1"
+3.16-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1"
+3.2-upstream-stable: N/A "Vulnerable code introduced in 4.13-rc1"
+sid: released (4.17.3-1)
+4.9-stretch-security: N/A "Vulnerable code introduced later"
+3.16-jessie-security: N/A "Vulnerable code introduced later"
+3.2-wheezy-security: N/A "Vulnerable code introduced later"
diff --git a/retired/CVE-2018-12232 b/retired/CVE-2018-12232
new file mode 100644
index 00000000..581e97bc
--- /dev/null
+++ b/retired/CVE-2018-12232
@@ -0,0 +1,14 @@
+Description: socket: close race condition between sock_close() and sockfs_setattr()
+References:
+ https://lkml.org/lkml/2018/6/5/14
+ https://patchwork.ozlabs.org/patch/926519/
+Notes:
+ bwh> Introduced in 4.10 by commit 86741ec25462 "net: core: Add a UID
+ bwh> field to struct sock."
+Bugs:
+upstream: released (4.18-rc1) [6d8c50dcb029872b298eea68cc6209c866fd3e14]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.17.3-1)
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2018-12633 b/retired/CVE-2018-12633
new file mode 100644
index 00000000..020f3e3d
--- /dev/null
+++ b/retired/CVE-2018-12633
@@ -0,0 +1,13 @@
+Description: race condition in vboxguest
+References:
+ http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd23a7269834dc7c1f93e83535d16ebc44b75eba
+ https://bugzilla.kernel.org/show_bug.cgi?id=200131
+Notes:
+ bwh> We haven't yet enabled the VirtualBox guest drivers in official builds
+Bugs:
+upstream: released (4.18-rc1) [bd23a7269834dc7c1f93e83535d16ebc44b75eba]
+4.9-upstream-stable: N/A "Vulnerable code not present"
+3.16-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.17.3-1) [bugfix/x86/virt-vbox-Only-copy_from_user-the-request-header-onc.patch]
+4.9-stretch-security: N/A "Vulnerable code not present"
+3.16-jessie-security: N/A "Vulnerable code not present"
diff --git a/retired/CVE-2018-6412 b/retired/CVE-2018-6412
new file mode 100644
index 00000000..174bc2f5
--- /dev/null
+++ b/retired/CVE-2018-6412
@@ -0,0 +1,14 @@
+Description: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper()
+References:
+ https://marc.info/?l=linux-fbdev&m=151734425901499&w=2
+Notes:
+ bwh> The issue only affects SPARC systems.
+Bugs:
+upstream: released (4.16-rc5) [250c6c49e3b68756b14983c076183568636e2bde]
+4.9-upstream-stable: released (4.9.104) [05b4268070b14dbd77ac6f5986b77a80a458fffa]
+3.16-upstream-stable: released (3.16.57) [b57ed0f08e1ef7bb138f92f71f143e03a5d52136]
+3.2-upstream-stable: released (3.2.102) [e553bcf09a6390e7f52e47132b27b4574d0ad71a]
+sid: released (4.16.5-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: released (3.16.57-1)
+3.2-wheezy-security: released (3.2.102-1)
diff --git a/retired/CVE-2018-9415 b/retired/CVE-2018-9415
new file mode 100644
index 00000000..6615fa00
--- /dev/null
+++ b/retired/CVE-2018-9415
@@ -0,0 +1,19 @@
+Description:
+References:
+ https://source.android.com/security/bulletin/pixel/2018-07-01
+ https://patchwork.kernel.org/patch/9946759/
+Notes:
+ jmm> Unclear, might affect drivers/amba in some way?
+ bwh> The Android bulletin links to a patch for PCI that *wasn't*
+ bwh> applied upstream (and isn't needed), but based on the
+ bwh> description as "AMBA driver" I found what I think is the actual
+ bwh> upstream fix.
+ bwh> Introduced in Linux 4.0 by commit 3cf385713460 "ARM: 8256/1:
+ bwh> driver coamba: add device binding path 'driver_override'".
+Bugs:
+upstream: released (4.17-rc3) [d2ffed5185df9d8d9ccd150e4340e3b6f96a8381]
+4.9-upstream-stable: released (4.9.98) [8970c12ac9b917b27e42c0537ab7fce0357f0cf3]
+3.16-upstream-stable: N/A "Vulnerable code not present"
+sid: released (4.16.12-1)
+4.9-stretch-security: released (4.9.107-1)
+3.16-jessie-security: N/A "Vulnerable code not present"