author: Ben Hutchings <benh@debian.org> 2017-02-23 21:55:28 +0000
committer: Ben Hutchings <benh@debian.org> 2017-02-23 21:55:28 +0000
commit: c77a05b32b2f63a5cefb610c25affbe3a5afe807
tree: 83c44ec760bac31786ce6385a318fbf76a8d8e81 /retired
parent: 8006483d9aab4dfb5da87b728df3166107707e9e
Retire many issues now released (or N/A or ignored) in all branches
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5001 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
-rw-r--r--  retired/CVE-2012-6704   22
-rw-r--r--  retired/CVE-2014-9888   13
-rw-r--r--  retired/CVE-2014-9895   12
-rw-r--r--  retired/CVE-2014-9914   11
-rw-r--r--  retired/CVE-2015-8962   10
-rw-r--r--  retired/CVE-2015-8963   10
-rw-r--r--  retired/CVE-2015-8964   18
-rw-r--r--  retired/CVE-2016-10088  15
-rw-r--r--  retired/CVE-2016-6786   12
-rw-r--r--  retired/CVE-2016-6787   12
-rw-r--r--  retired/CVE-2016-7911   11
-rw-r--r--  retired/CVE-2016-7912   12
-rw-r--r--  retired/CVE-2016-7915   10
-rw-r--r--  retired/CVE-2016-7917   19
-rw-r--r--  retired/CVE-2016-8399   13
-rw-r--r--  retired/CVE-2016-8405   11
-rw-r--r--  retired/CVE-2016-8636   12
-rw-r--r--  retired/CVE-2016-8645   25
-rw-r--r--  retired/CVE-2016-8650   12
-rw-r--r--  retired/CVE-2016-8655   14
-rw-r--r--  retired/CVE-2016-9120   10
-rw-r--r--  retired/CVE-2016-9178   17
-rw-r--r--  retired/CVE-2016-9191   13
-rw-r--r--  retired/CVE-2016-9555   10
-rw-r--r--  retired/CVE-2016-9576   18
-rw-r--r--  retired/CVE-2016-9756   11
-rw-r--r--  retired/CVE-2016-9793   13
-rw-r--r--  retired/CVE-2016-9794   10
-rw-r--r--  retired/CVE-2017-6001   13
29 files changed, 389 insertions, 0 deletions
diff --git a/retired/CVE-2012-6704 b/retired/CVE-2012-6704 new file mode 100644 index 00000000..38f08b67 --- /dev/null +++ b/retired/CVE-2012-6704 @@ -0,0 +1,22 @@ +Description: net: Negative socket receive buffer size permitted +References: +Notes: + bwh> Prior to commit 82981930125a "net: cleanups in sock_setsockopt()": + bwh> - The comparison with SOCK_MIN_SNDBUF used type int, so it + bwh> rejected negative values + bwh> - The comparison with SOCK_MIN_RCVBUF used type size_t, so it did + bwh> *not* reject negative values + bwh> - The comparisons of val with sysctl_wmem_max used type u32, so + bwh> they rejected negative values *unless* sysctl_wmem_max >= + bwh> 1 << 30 (and why would you set it that high?!) + bwh> So it was possible to set a negative value for sock::sk_rcvbuf + bwh> through SO_RCVBUFFORCE (escalation from CAP_NET_ADMIN to kernel) + bwh> or through SO_RCVBUF (escalation from user to kernel) iff + bwh> sysctl_wmem_max was large enough. +Bugs: +upstream: released (3.5-rc1) [82981930125abfd39d7c8378a9cfdf5e1be2002b] +3.16-upstream-stable: N/A "Fixed before initial 3.16 release" +3.2-upstream-stable: released (3.2.85) [net-cleanups-in-sock_setsockopt.patch] +sid: released (3.8.11-1) +3.16-jessie-security: N/A "Fixed before initial 3.16 release" +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-cleanups-in-sock_setsockopt.patch] diff --git a/retired/CVE-2014-9888 b/retired/CVE-2014-9888 new file mode 100644 index 00000000..38027afd --- /dev/null +++ b/retired/CVE-2014-9888 
@@ -0,0 +1,13 @@ +Description: arch/arm/mm/dma-mapping.c in the Linux kernel before 3.13 on ARM platforms, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not prevent executable DMA mappings, which might allow local users to gain privileges via a crafted application, aka Android internal bug 28803642 and Qualcomm internal bug CR642735. +References: + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9888 + http://source.android.com/security/bulletin/2016-08-01.html + https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=f044936caab337a4384fbfe64a4cbae33c7e22a1 +Notes: +Bugs: +upstream: released (3.13-rc1) [0ea1ec713f04bdfac343c9702b21cd3a7c711826] +3.16-upstream-stable: N/A +3.2-upstream-stable: released (3.2.85) [arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch] +sid: released (3.13.4-1) +3.16-jessie-security: N/A +3.2-wheezy-security: released (3.2.84-2) [bugfix/arm/arm-dma-mapping-don-t-allow-dma-mappings-to-be-marked-executable.patch] diff --git a/retired/CVE-2014-9895 b/retired/CVE-2014-9895 new file mode 100644 index 00000000..a7a47a42 --- /dev/null +++ b/retired/CVE-2014-9895 @@ -0,0 +1,12 @@ +Description: +References: + http://source.android.com/security/bulletin/2016-08-01.html + https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=cc4b26575602e492efd986e9a6ffc4278cee53b5 +Notes: +Bugs: +upstream: released (3.11-rc1) [c88e739b1fad662240e99ecbd0bdaac871717987] +3.16-upstream-stable: N/A +3.2-upstream-stable: released (3.2.85) [media-info-leak-in-__media_device_enum_links.patch] +sid: released (3.11.5-1) +3.16-jessie-security: N/A +3.2-wheezy-security: released (3.2.84-2) [bugfix/all/media-info-leak-in-__media_device_enum_links.patch] diff --git a/retired/CVE-2014-9914 b/retired/CVE-2014-9914 new file mode 100644 index 00000000..ce5d3c27 --- /dev/null +++ b/retired/CVE-2014-9914 
@@ -0,0 +1,11 @@ +Description: Race condition in the ip4_datagram_release_cb function in net/ipv4/datagram.c +References: + http://source.android.com/security/bulletin/2017-02-01.html +Notes: +Bugs: +upstream: released (3.16-rc1) [9709674e68646cee5a24e3000b3558d25412203a] +3.16-upstream-stable: N/A +3.2-upstream-stable: N/A "Introduced in 3.8-rc6 with 8141ed9fcedb278f4a3a78680591bef1e55f75fb" +sid: released (3.16.2-1) +3.16-jessie-security: N/A +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2015-8962 b/retired/CVE-2015-8962 new file mode 100644 index 00000000..466d9bbd --- /dev/null +++ b/retired/CVE-2015-8962 @@ -0,0 +1,10 @@ +Description: Double-free in sg driver after hot-unplug during I/O +References: +Notes: +Bugs: +upstream: released (4.4-rc1) [f3951a3709ff50990bf3e188c27d346792103432] +3.16-upstream-stable: released (3.16.40) [sg-fix-double-free-when-drives-detach-during-sg_io.patch] +3.2-upstream-stable: released (3.2.85) [sg-fix-double-free-when-drives-detach-during-sg_io.patch] +sid: released (4.4.2-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg-fix-double-free-when-drives-detach-during-sg_io.patch] diff --git a/retired/CVE-2015-8963 b/retired/CVE-2015-8963 new file mode 100644 index 00000000..ee515a90 --- /dev/null +++ b/retired/CVE-2015-8963 @@ -0,0 +1,10 @@ +Description: Use-after-free in perf subsystem after CPU hot-unplug +References: +Notes: +Bugs: +upstream: released (4.4) [12ca6ad2e3a896256f086497a7c7406a547ee373] +3.16-upstream-stable: released (3.16.40) [perf-fix-race-in-swevent-hash.patch] +3.2-upstream-stable: released (3.2.85) [perf-fix-race-in-swevent-hash.patch] +sid: released (4.4.2-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/perf-fix-race-in-swevent-hash.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/perf-fix-race-in-swevent-hash.patch] 
diff --git a/retired/CVE-2015-8964 b/retired/CVE-2015-8964 new file mode 100644 index 00000000..97e0f859 --- /dev/null +++ b/retired/CVE-2015-8964 @@ -0,0 +1,18 @@ +Description: Potential information leak or use-after-free in tty subsystem +References: + https://source.android.com/security/bulletin/2016-11-01.html +Notes: + bwh> A known use-after-free bug in N_X25 has already been fixed + bwh> (commit ee9159ddce14, no CVE assigned). The Android security + bwh> bulletin says this fixes an information leak, presumably because + bwh> if receive_room is too large it will permit reading beyond a + bwh> buffer. We also need commit fd98e9419d8d ("isdn/gigaset: reset + bwh> tty->receive_room when attaching ser_gigaset") to avoid a + bwh> regression. +Bugs: +upstream: released (4.5-rc1) [dd42bf1197144ede075a9d4793123f7689e164bc] +3.16-upstream-stable: released (3.16.40) [tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch] +3.2-upstream-stable: released (3.2.85) [tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch] +sid: released (4.5.1-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fi.patch] diff --git a/retired/CVE-2016-10088 b/retired/CVE-2016-10088 new file mode 100644 index 00000000..31fdb7c8 --- /dev/null +++ b/retired/CVE-2016-10088 
@@ -0,0 +1,15 @@ +Description: Memory corruption in SCSI generic device interface +References: + https://marc.info/?l=linux-scsi&m=148010092224801&w=2 + https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt + http://www.openwall.com/lists/oss-security/2016/12/30/1 +Notes: + bwh> This is the vulnerabilbility left after fixing CVE-2016-9576. +Bugs: +upstream: released (4.10-rc1) [128394eff343fc6d2f32172f03e24829539c5835] +4.9-upstream-stable: released (4.9.2) [3f3a6bbe6f9f5e895d8945494173594ee51632da] +3.16-upstream-stable: released (3.16.40) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch] +3.2-upstream-stable: released (3.2.85) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch] +sid: released (4.8.15-2) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-KER.patch] +3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch] diff --git a/retired/CVE-2016-6786 b/retired/CVE-2016-6786 new file mode 100644 index 00000000..1fc23400 --- /dev/null +++ b/retired/CVE-2016-6786 @@ -0,0 +1,12 @@ +Description: Possible privilege escalation due to lack of locking around changing event->ctx +References: +Notes: + bwh> The upstream fix was not complete; see CVE-2017-6001 +Bugs: + https://bugzilla.redhat.com/show_bug.cgi?id=1403842 +upstream: released (4.0-rc1) [f63a8daa5812afef4f06c962351687e1ff9ccb2b] +3.16-upstream-stable: released (3.16.40) [perf-fix-event-ctx-locking.patch] +3.2-upstream-stable: released (3.2.85) [perf-fix-event-ctx-locking.patch] +sid: released (4.0.2-1) +3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-Fix-event-ctx-locking.patch] +3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-fix-event-ctx-locking.patch] 
diff --git a/retired/CVE-2016-6787 b/retired/CVE-2016-6787 new file mode 100644 index 00000000..1fc23400 --- /dev/null +++ b/retired/CVE-2016-6787 @@ -0,0 +1,12 @@ +Description: Possible privilege escalation due to lack of locking around changing event->ctx +References: +Notes: + bwh> The upstream fix was not complete; see CVE-2017-6001 +Bugs: + https://bugzilla.redhat.com/show_bug.cgi?id=1403842 +upstream: released (4.0-rc1) [f63a8daa5812afef4f06c962351687e1ff9ccb2b] +3.16-upstream-stable: released (3.16.40) [perf-fix-event-ctx-locking.patch] +3.2-upstream-stable: released (3.2.85) [perf-fix-event-ctx-locking.patch] +sid: released (4.0.2-1) +3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-Fix-event-ctx-locking.patch] +3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-fix-event-ctx-locking.patch] diff --git a/retired/CVE-2016-7911 b/retired/CVE-2016-7911 new file mode 100644 index 00000000..9b57dbf0 --- /dev/null +++ b/retired/CVE-2016-7911 @@ -0,0 +1,11 @@ +Description: Use-after-free in ioprio_get() implementation +References: +Notes: + bwh> Implementation was in fs/ioprio.c before v3.16 +Bugs: +upstream: released (4.7-rc7) 8ba8682107ee2ca3347354e018865d8e1967c5f4] +3.16-upstream-stable: released (3.16.37) +3.2-upstream-stable: released (3.2.85) [block-fix-use-after-free-in-sys_ioprio_get.patch] +sid: released (4.7.2-1) +3.16-jessie-security: released (3.16.39-1) +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/block-fix-use-after-free-in-sys_ioprio_get.patch] diff --git a/retired/CVE-2016-7912 b/retired/CVE-2016-7912 new file mode 100644 index 00000000..5f7d3bc5 --- /dev/null +++ b/retired/CVE-2016-7912 
@@ -0,0 +1,12 @@ +Description: Use-after-free in USB gadget functionfs +References: +Notes: + carnil> Introduced in 3.15-rc1 with 2e4c7553cd6f9c68bb741582dcb614edcbeca70f + carnil> but might have been backported. +Bugs: +upstream: released (4.6-rc5) [38740a5b87d53ceb89eb2c970150f6e94e00373a] +3.16-upstream-stable: released (3.16.40) [usb-gadget-f_fs-fix-use-after-free.patch] +3.2-upstream-stable: N/A "Vulnerable code not present" +sid: released (4.5.3-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/usb-gadget-f_fs-fix-use-after-free.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-7915 b/retired/CVE-2016-7915 new file mode 100644 index 00000000..94fb1504 --- /dev/null +++ b/retired/CVE-2016-7915 @@ -0,0 +1,10 @@ +Description: Out-of-bounds read in hid-core +References: +Notes: +Bugs: +upstream: released (4.6-rc1) [50220dead1650609206efe91f0cc116132d59b3f] +3.16-upstream-stable: released (3.16.40) [hid-core-prevent-out-of-bound-readings.patch] +3.2-upstream-stable: released (3.2.85) [hid-core-prevent-out-of-bound-readings.patch] +sid: released (4.6.1-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/hid-core-prevent-out-of-bound-readings.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/hid-core-prevent-out-of-bound-readings.patch] diff --git a/retired/CVE-2016-7917 b/retired/CVE-2016-7917 new file mode 100644 index 00000000..78f54448 --- /dev/null +++ b/retired/CVE-2016-7917 
@@ -0,0 +1,19 @@ +Description: + The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel before 4.5 does + not check whether a batch message's length field is large enough, which allows local users to + obtain sensitive information from kernel memory or cause a denial of service (infinite loop or + out-of-bounds read) by leveraging the CAP_NET_ADMIN capability. +References: + http://source.android.com/security/bulletin/2016-11-01.html +Notes: + carnil> Introduced in 3.19-rc5 with 9ea2aa8b7dba9e99544c4187cc298face254569f but needs double + carnil> check if backported. + bwh> It was backported to 3.16-stable as commit d922a1cee45e (among other + bwh> stable branches) +Bugs: +upstream: released (4.5-rc6) [c58d6c93680f28ac58984af61d0a7ebf4319c241] +3.16-upstream-stable: released (3.16.40) [netfilter-nfnetlink-correctly-validate-length-of-batch-messages.patch] +3.2-upstream-stable: N/A "Vulnerable code not present" +sid: released (4.5.1-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/netfilter-nfnetlink-correctly-validate-length-of-bat.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-8399 b/retired/CVE-2016-8399 new file mode 100644 index 00000000..1809fffd --- /dev/null +++ b/retired/CVE-2016-8399 
@@ -0,0 +1,13 @@ +Description: net: ping: check minimum size on ICMP header length +References: +Notes: + bwh> Access to ping sockets is limited to a range of groups, defaulting + bwh> to an empty range. As Debian's ping still uses raw sockets, we + bwh> don't change that default and this is not exploitable. +Bugs: +upstream: released (4.9) [0eab121ef8750a5c8637d51534d5e9143fb0633f] +3.16-upstream-stable: released (3.16.40) [net-ping-check-minimum-size-on-icmp-header-length.patch] +3.2-upstream-stable: released (3.2.85) [net-ping-check-minimum-size-on-icmp-header-length.patch] +sid: released (4.8.15-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-ping-check-minimum-size-on-icmp-header-length.patch] diff --git a/retired/CVE-2016-8405 b/retired/CVE-2016-8405 new file mode 100644 index 00000000..854a117b --- /dev/null +++ b/retired/CVE-2016-8405 @@ -0,0 +1,11 @@ +Description: fbdev: color map copying bounds checking +References: +Notes: +Bugs: +upstream: released (4.10-rc6) [2dc705a9930b4806250fbf5a76e55266e59389f2] +4.9-upstream-stable: released (4.9.7) [544160b6ea18670196d1173c099f2cced5075132] +3.16-upstream-stable: released (3.16.40) [fbdev-color-map-copying-bounds-checking.patch] +3.2-upstream-stable: released (3.2.85) [fbdev-color-map-copying-bounds-checking.patch] +sid: released (4.9.6-1) [bugfix/all/fbdev-color-map-coying-bounds-checking.patch] +3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/fbdev-color-map-copying-bounds-checking.patch] +3.2-wheezy-security: released (3.2.84-2) [bugfix/all/fbdev-color-map-copying-bounds-checking.patch] diff --git a/retired/CVE-2016-8636 b/retired/CVE-2016-8636 new file mode 100644 index 00000000..2873ad81 --- /dev/null +++ b/retired/CVE-2016-8636 
@@ -0,0 +1,12 @@ +Description: IB/rxe: mem_check_range integer overflow +References: + https://eyalitkin.wordpress.com/2017/02/11/cve-publication-cve-2016-8636/ +Notes: +Bugs: +upstream: released (4.10-rc8) [647bf3d8a8e5777319da92af672289b2a6c4dc66] +4.9-upstream-stable: released (4.9.10) [b7dd5edc3dd9191f2cb1bd508279b0ff7274c5aa] +3.16-upstream-stable: N/A "Vulnerable code not present, introduced in 4.8" +3.2-upstream-stable: N/A "Vulnerable code not present, introduced in 4.8" +sid: released (4.9.10-1) +3.16-jessie-security: N/A "Vulnerable code not present, introduced in 4.8" +3.2-wheezy-security: N/A "Vulnerable code not present, introduced in 4.8" diff --git a/retired/CVE-2016-8645 b/retired/CVE-2016-8645 new file mode 100644 index 00000000..1f1158c4 --- /dev/null +++ b/retired/CVE-2016-8645 
@@ -0,0 +1,25 @@ +Description: net: a BUG() statement can be hit in net/ipv4/tcp_input.c +References: + http://www.spinics.net/lists/stable/msg150470.html + http://www.spinics.net/lists/netdev/msg403701.html + http://marc.info/?l=linux-netdev&m=147878925724283&w=2 + http://marc.info/?t=147878927800005&r=1&w=2 # the whole thread + https://bugzilla.redhat.com/show_bug.cgi?id=1393904 + http://marc.info/?l=linux-netdev&m=147881188232264&w=2 + http://marc.info/?t=147881111500001&r=1&w=2&n=2 # the whole thread + http://marc.info/?l=linux-netdev&m=147881236332369&w=2 # patch v2 + http://www.spinics.net/lists/netdev/msg403787.html + http://www.spinics.net/lists/netdev/msg403789.html # patch v2 +Notes: + carnil> Issue introduced with the tcp-fastopen feature. Cf. + carnil> http://www.openwall.com/lists/oss-security/2016/11/30/3 + carnil> Introduced in 3.6-rc1 with cf60af03ca4e71134206809ea892e49b92a88896 + bwh> Eric Dumazet disputes that tcp-fastopen introduced the issue. + bwh> Only the specific case found by syzkaller seems to depend on it. +Bugs: +upstream: released (4.9-rc6) [ac6e780070e30e4c35bd395acfe9191e6268bdd3] +3.16-upstream-stable: released (3.16.40) [tcp-take-care-of-truncations-done-by-sk_filter.patch] +3.2-upstream-stable: released (3.2.85) [tcp-take-care-of-truncations-done-by-sk_filter.patch] +sid: released (4.8.11-1) [2b5f22e4f7fd208c8d392e5c3755cea1f562cb98] +3.16-jessie-security: released (3.16.39-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/tcp-take-care-of-truncations-done-by-sk_filter.patch] diff --git a/retired/CVE-2016-8650 b/retired/CVE-2016-8650 new file mode 100644 index 00000000..14cf9f69 --- /dev/null +++ b/retired/CVE-2016-8650 
@@ -0,0 +1,12 @@ +Description: Null pointer dereference via keyctl +References: + https://lkml.org/lkml/2016/11/23/477 + http://seclists.org/fulldisclosure/2016/Nov/76 +Notes: +Bugs: +upstream: released (4.9-rc7) [f5527fffff3f002b0a6b376163613b82f69de073] +3.16-upstream-stable: released (3.16.40) [mpi-fix-null-ptr-dereference-in-mpi_powm.patch] +3.2-upstream-stable: N/A "Vulnerable code introduced in 3.3-rc1 with cdec9cb5167ab1113ba9c58e395f664d9d3f9acb" +sid: released (4.8.11-1) [bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch] +3.16-jessie-security: released (3.16.39-1) [bugfix/all/mpi-fix-null-ptr-dereference-in-mpi_powm-ver-3.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-8655 b/retired/CVE-2016-8655 new file mode 100644 index 00000000..5b6228df --- /dev/null +++ b/retired/CVE-2016-8655 @@ -0,0 +1,14 @@ +Description: Linux af_packet.c race condition +References: + http://www.openwall.com/lists/oss-security/2016/12/06/1 +Notes: + carnil> Introduced in 3.2-rc1 with f6fb8f100b807378fda19e83e5ac6828b638603a + bwh> But AF_PACKET is only usable with CAP_NET_RAW, so is not so serious a + bwh> vulnerability without unprivileged user namespaces enabled. +Bugs: +upstream: released (4.9-rc8) [84ac7260236a49c79eede91617700174c2c19b0c] +3.16-upstream-stable: released (3.16.40) [packet-fix-race-condition-in-packet_set_ring.patch] +3.2-upstream-stable: released (3.2.85) [packet-fix-race-condition-in-packet_set_ring.patch] +sid: released (4.8.15-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/packet-fix-race-condition-in-packet_set_ring.patch] diff --git a/retired/CVE-2016-9120 b/retired/CVE-2016-9120 new file mode 100644 index 00000000..1809b39f --- /dev/null +++ b/retired/CVE-2016-9120 
@@ -0,0 +1,10 @@ +Description: Race condition in Android ion_ioctl function +References: +Notes: +Bugs: +upstream: released (4.6-rc1) [9590232bb4f4cc824f3425a6e1349afbe6d6d2b7] +3.16-upstream-stable: released (3.16.40) [staging-android-ion-fix-a-race-condition-in-the-ion-driver.patch] +3.2-upstream-stable: N/A "Vulnerable code not present" +sid: released (4.6.1-1) +3.16-jessie-security: ignored "Debian is not Android" +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-9178 b/retired/CVE-2016-9178 new file mode 100644 index 00000000..54181c77 --- /dev/null +++ b/retired/CVE-2016-9178 @@ -0,0 +1,17 @@ +Description: minor information leak in get_user_ex() +References: +Notes: + carnil> If this issue is fixed, then one needs to assure + carnil> to not introduce the privilege escalation issue + carnil> as present in 4.4.22 through 4.4.28 (cf. + carnil> CVE-2016-9644) due to a wrong backport/missing + carnil> backport of 548acf19234dbda5a52d5a8e7e205af46e9da840 + carnil> as well. See notes in CVE-2016-9644 + jmm> Linus prepared a backport for 4.4.31: dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a +Bugs: +upstream: released (4.8-rc7) [1c109fabbd51863475cd12ac206bdd249aee35af] +3.16-upstream-stable: released (3.16.40) [fix-potential-infoleak-in-older-kernels.patch] +3.2-upstream-stable: released (3.2.85) [fix-potential-infoleak-in-older-kernels.patch] +sid: released (4.7.5-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/x86/fix-potential-infoleak-in-older-kernels.patch] diff --git a/retired/CVE-2016-9191 b/retired/CVE-2016-9191 new file mode 100644 index 00000000..c540c324 --- /dev/null +++ b/retired/CVE-2016-9191 
@@ -0,0 +1,13 @@ +Description: local DoS with cgroup offline code +References: + http://www.openwall.com/lists/oss-security/2016/11/04/13 +Notes: + Introduced with f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa in 3.11-rc1 +Bugs: +upstream: released (4.10-rc4) [93362fa47fe98b62e4a34ab408c4a418432e7939] +4.9-upstream-stable: released (4.9.5) [00cf64fbaa1e99d0420f2934f301c671ba298342] +3.16-upstream-stable: released (3.16.40) [sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch] +3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11-rc1" +sid: released (4.9.6-1) +3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/sysctl-drop-reference-added-by-grab_header-in-proc_sys_readdir.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-9555 b/retired/CVE-2016-9555 new file mode 100644 index 00000000..7270e36d --- /dev/null +++ b/retired/CVE-2016-9555 @@ -0,0 +1,10 @@ +Description: net/sctp: slab-out-of-bounds in sctp_sf_ootb +References: +Notes: +Bugs: +upstream: released (4.9-rc4) [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6] +3.16-upstream-stable: released (3.16.40) [sctp-validate-chunk-len-before-actually-using-it.patch] +3.2-upstream-stable: released (3.2.85) [sctp-validate-chunk-len-before-actually-using-it.patch] +sid: released (4.8.11-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sctp-validate-chunk-len-before-actually-using-it.patch] diff --git a/retired/CVE-2016-9576 b/retired/CVE-2016-9576 new file mode 100644 index 00000000..0e72544b --- /dev/null +++ b/retired/CVE-2016-9576 
@@ -0,0 +1,18 @@ +Description: Memory corruption in SCSI generic device interface +References: + https://marc.info/?l=linux-scsi&m=148010092224801&w=2 + https://gist.githubusercontent.com/dvyukov/80cd94b4e4c288f16ee4c787d404118b/raw/10536069562444da51b758bb39655b514ff93b45/gistfile1.txt +Notes: + bwh> This CVE is for the vulnerability fixed by commit a0ac402cfcdc + bwh> "Don't feed anything but regular iovec's to blk_rq_map_user_iov", + bwh> but that only addresses half the problem. The remaining issue is + bwh> covered by CVE-2016-10088, and commit 128394eff343 "sg_write()/ + bwh> bsg_write() is not fit to be called under KERNEL_DS" is a + bwh> complete fix for both CVEs. +Bugs: +upstream: released (4.9) [a0ac402cfcdc904f9772e1762b3fda112dcc56a0] +3.16-upstream-stable: released (3.16.40) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch] +3.2-upstream-stable: released (3.2.85) [sg_write-bsg_write-is-not-fit-to-be-called-under-kernel_ds.patch] +sid: released (4.8.15-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/sg_write-bsg_write-is-not-fit-to-be-called-under-ker.patch] diff --git a/retired/CVE-2016-9756 b/retired/CVE-2016-9756 new file mode 100644 index 00000000..f550eaf1 --- /dev/null +++ b/retired/CVE-2016-9756 
@@ -0,0 +1,11 @@ +Description: kvm: stack memory information leakage +References: +Notes: +Bugs: + https://bugzilla.redhat.com/show_bug.cgi?id=1400468 +upstream: released (4.9-rc7) [2117d5398c81554fbf803f5fd1dc55eb78216c0c] +3.16-upstream-stable: released (3.16.40) [kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch] +3.2-upstream-stable: released (3.2.85) [kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret_far.patch] +sid: released (4.8.15-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/x86/kvm-x86-drop-error-recovery-in-em_jmp_far-and-em_ret.patch] diff --git a/retired/CVE-2016-9793 b/retired/CVE-2016-9793 new file mode 100644 index 00000000..9c6b1314 --- /dev/null +++ b/retired/CVE-2016-9793 @@ -0,0 +1,13 @@ +Description: signed overflows for SO_{SND|RCV}BUFFORCE +References: +Notes: + bwh> Introduced in 3.5 by commit 82981930125a "net: cleanups in + bwh> sock_setsockopt()". But that should be applied to the 3.2 branches + bwh> to fix CVE-2012-6704, so this will be needed on those branches too. +Bugs: +upstream: released (4.9-rc8) [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290] +3.16-upstream-stable: released (3.16.40) [net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch] +3.2-upstream-stable: released (3.2.85) [net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch] +sid: released (4.8.15-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/net-avoid-signed-overflows-for-so_-snd-rcv-bufforce.patch] diff --git a/retired/CVE-2016-9794 b/retired/CVE-2016-9794 new file mode 100644 index 00000000..720d892d --- /dev/null +++ b/retired/CVE-2016-9794 
@@ -0,0 +1,10 @@ +Description: ALSA: use-after-free in,kill_fasync +References: +Notes: +Bugs: +upstream: released (4.7-rc1) [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4] +3.16-upstream-stable: released (3.16.40) [alsa-pcm-call-kill_fasync-in-stream-lock.patch] +3.2-upstream-stable: released (3.2.85) [alsa-pcm-call-kill_fasync-in-stream-lock.patch] +sid: released (4.7.2-1) +3.16-jessie-security: released (3.16.39-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch] +3.2-wheezy-security: released (3.2.84-1) [bugfix/all/alsa-pcm-call-kill_fasync-in-stream-lock.patch] diff --git a/retired/CVE-2017-6001 b/retired/CVE-2017-6001 new file mode 100644 index 00000000..cb3f940e --- /dev/null +++ b/retired/CVE-2017-6001 @@ -0,0 +1,13 @@ +Description: Possible privilege escalation due to lack of locking around changing event->ctx +References: +Notes: + bwh> This is left over from an incomplete fix for CVE-2016-6786. + bwh> Note dependency on commit 130056275ade "perf: Do not double free". +Bugs: +upstream: released (4.10-rc4) [321027c1fe77f892f4ea07846aeae08cefbbb290] +4.9-upstream-stable: released (4.9.7) [922813f4d66fb317e8602d058d03a1619af1ffd0] +3.16-upstream-stable: released (3.16.40) [perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch] +3.2-upstream-stable: released (3.2.85) [perf-core-fix-concurrent-sys_perf_event_open-vs.-move_group-race.patch] +sid: released (4.9.10-1) +3.16-jessie-security: released (3.16.39-1+deb8u1) [bugfix/all/perf-core-Fix-concurrent-sys_perf_event_open-vs.-mov.patch] +3.2-wheezy-security: released (3.2.84-2) [bugfix/all/perf-core-fix-concurrent-sys_perf_event_open-vs.-mov.patch] |
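Review bot: the `upstream:` line in retired/CVE-2016-7911 is missing the opening bracket around the commit hash (`released (4.7-rc7) 8ba8682107ee2ca3347354e018865d8e1967c5f4]`), so it does not follow the `released (version) [hash]` form used by every other entry in this change; write it as `released (4.7-rc7) [8ba8682107ee2ca3347354e018865d8e1967c5f4]`. In the same file the `3.16-upstream-stable: released (3.16.37)` and `3.16-jessie-security: released (3.16.39-1)` entries carry no commit or patch reference at all, unlike the 3.2 entries beside them; recording the backported commit id would make the fix verifiable from the record alone.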
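Review bot: retired/CVE-2016-6786 and retired/CVE-2016-6787 are byte-identical (both new blobs have index 1fc23400), but neither file's `Notes:` says that the two CVEs cover the same issue and are closed by the same commit f63a8daa5812. Add a cross-reference in each (e.g. `bwh> Same issue and fix as CVE-2016-6787`, and the converse), as the retired/CVE-2016-9576 and retired/CVE-2016-10088 records already do for each other, so a reader of one record learns the other exists.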
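Review bot: in retired/CVE-2016-6786, retired/CVE-2016-6787 and retired/CVE-2016-9756 the bugzilla.redhat.com URL is placed under `Bugs:` rather than `References:`, whereas retired/CVE-2016-8645 in this same change lists its Red Hat bugzilla link under `References:`. Move the three URLs to `References:` so the two fields are used consistently across the records.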
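Review bot: retired/CVE-2014-9895 has an empty `Description:` field, so nothing in the record says what the issue is beyond the patch name `media-info-leak-in-__media_device_enum_links.patch`; add a one-line description from the Android bulletin and upstream commit c88e739b1fad already listed under `References:`. In the same file, and in retired/CVE-2014-9888 and retired/CVE-2014-9914, the `3.16-upstream-stable: N/A` and `3.16-jessie-security: N/A` entries carry no quoted reason, unlike every other N/A in this change (compare `N/A "Fixed before initial 3.16 release"` in retired/CVE-2012-6704); add the reason so the status is self-explanatory.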
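Review bot: two typos in the new records: the `Description:` of retired/CVE-2016-9794 reads `use-after-free in,kill_fasync` (stray comma; should be `use-after-free in kill_fasync`), and the note in retired/CVE-2016-10088 has `vulnerabilbility` for `vulnerability`. Also worth a check: the sid entry in retired/CVE-2016-8405 names the patch `fbdev-color-map-coying-bounds-checking.patch` while every other branch names it `fbdev-color-map-copying-bounds-checking.patch`; confirm that `coying` is the actual file name in the 4.9.6-1 package and not a transcription error in this record.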
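Review bot: the `Notes:` line in retired/CVE-2016-9191 (`Introduced with f0c3b5093addc8bfe9fe3a5b01acb7ec7969eafa in 3.11-rc1`) has no `name>` prefix, unlike every other note in this change (`bwh>`, `carnil>`, `jmm>`); prefix it with the author's tag so it is clear who made the assessment.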