author:    dann frazier <dannf@debian.org>  2008-07-20 21:58:00 +0000
committer: dann frazier <dannf@debian.org>  2008-07-20 21:58:00 +0000
commit:    cffb363c568e15bb95549d0c5746068cca9c94bf
tree:      e0434734275d36074875867c87f80245c22cc450 /retired
parent:    5573dc627c8198493da4d51a700922f187269fb9
Debian updates; retire several issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1197 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
-rw-r--r--  retired/CVE-2006-6058           | 37
-rw-r--r--  retired/CVE-2006-7229           | 17
-rw-r--r--  retired/CVE-2007-0004           | 29
-rw-r--r--  retired/CVE-2007-2242           | 33
-rw-r--r--  retired/CVE-2007-3104           | 21
-rw-r--r--  retired/CVE-2007-3513           | 19
-rw-r--r--  retired/CVE-2007-3848           | 22
-rw-r--r--  retired/CVE-2007-4130           | 20
-rw-r--r--  retired/CVE-2007-4133           | 26
-rw-r--r--  retired/CVE-2007-4571           | 30
-rw-r--r--  retired/CVE-2007-4997           | 28
-rw-r--r--  retired/CVE-2007-5087           | 24
-rw-r--r--  retired/CVE-2007-5093           | 35
-rw-r--r--  retired/CVE-2007-5494           | 16
-rw-r--r--  retired/CVE-2007-5500           | 24
-rw-r--r--  retired/CVE-2007-5904           | 27
-rw-r--r--  retired/CVE-2007-5938           | 23
-rw-r--r--  retired/CVE-2007-5966           | 17
-rw-r--r--  retired/CVE-2007-6063           | 22
-rw-r--r--  retired/CVE-2007-6151           | 19
-rw-r--r--  retired/CVE-2007-6206           | 21
-rw-r--r--  retired/CVE-2007-6417           | 23
-rw-r--r--  retired/CVE-2007-6694           | 28
-rw-r--r--  retired/CVE-2007-6712           | 19
-rw-r--r--  retired/CVE-2008-0001           | 16
-rw-r--r--  retired/CVE-2008-0007           | 23
-rw-r--r--  retired/CVE-2008-0009           | 17
-rw-r--r--  retired/CVE-2008-0010           | 16
-rw-r--r--  retired/CVE-2008-0163           | 17
-rw-r--r--  retired/CVE-2008-0352           | 25
-rw-r--r--  retired/CVE-2008-0600           | 22
-rw-r--r--  retired/CVE-2008-1294           | 27
-rw-r--r--  retired/CVE-2008-1375           | 23
-rw-r--r--  retired/CVE-2008-1615           | 18
-rw-r--r--  retired/CVE-2008-1669           | 20
-rw-r--r--  retired/CVE-2008-1675           | 20
-rw-r--r--  retired/block-all-signals-race  | 17
37 files changed, 841 insertions, 0 deletions
diff --git a/retired/CVE-2006-6058 b/retired/CVE-2006-6058
new file mode 100644
index 00000000..61723554
--- /dev/null
+++ b/retired/CVE-2006-6058
@@ -0,0 +1,37 @@
+Candidate: CVE-2006-6058
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=f0ae3188daf70ed07a4dfbeb133bef3a92838a15
+ MISC:http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+ FRSIRT:ADV-2006-4613
+ URL:http://www.frsirt.com/english/advisories/2006/4613
+ SECUNIA:23034
+ URL:http://secunia.com/advisories/23034
+Description:
+ The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
+ other versions, allows local users to cause a denial of service (hang) via a
+ malformed minix file stream that triggers an infinite loop in the minix_bmap
+ function. NOTE: this issue might be due to an integer overflow or signedness
+ error.
+Ubuntu-Description:
+ The minix filesystem did not properly validate certain filesystem values.
+ If a local attacker could trick the system into attempting to mount a
+ corrupted minix filesystem, the kernel could be made to hang for long
+ periods of time, resulting in a denial of service.
+Notes:
+ dannf> ignored for sarge for now - only applies under very rare circumstances
+ and don't know if there's an upstream fix
+ jmm> We can ignore this, it has no practical ramifications
+ dannf> Though I agree its minor, I suspect its not so rare that admins
+ set user-mountable media's filesystem type to 'auto' in fstab,
+ allowing them to use any fs on the system. I could see this being
+ used to annoy sysadmins, e.g., in a university lab setting
+Bugs:
+upstream: released (2.6.23.7, 2.6.24-rc1) [f44ec6f3f89889a469773b1fd894f8fcc07c29cf]
+linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/minixfs-printk-hang.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [minixfs-printk-hang.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no printk_ratelimit in 2.4 - needs port"
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
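Review bot: the first two notes ("ignored for sarge for now ... don't know if there's an upstream fix" and "We can ignore this") are stale next to the status block, which records the fix as released for sarge in 2.6.8-17sarge1 and upstream in 2.6.23.7/2.6.24-rc1; prune them or mark them as superseded so a reader of the retired file does not take "ignored" as the final decision. The References cite the 2.6.23.y commit f0ae3188 while the upstream line carries f44ec6f3; one line saying that the former is the stable backport of the latter would avoid the appearance of two different fixes.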
diff --git a/retired/CVE-2006-7229 b/retired/CVE-2006-7229
new file mode 100644
index 00000000..07677618
--- /dev/null
+++ b/retired/CVE-2006-7229
@@ -0,0 +1,17 @@
+Candidate: CVE-2006-7229
+References:
+ https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/65631
+Description:
+Ubuntu-Description:
+Notes:
+ dannf> This appears to be Ubuntu-specific
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: N/A
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
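Review bot: Description and Ubuntu-Description are both empty, so the entry consists of a Launchpad link and the remark that the issue is Ubuntu-specific; add a one-line summary from the bug (or state in Notes that no public description exists) so the N/A on every Debian branch can be checked without following the link.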
diff --git a/retired/CVE-2007-0004 b/retired/CVE-2007-0004
new file mode 100644
index 00000000..e0c5d132
--- /dev/null
+++ b/retired/CVE-2007-0004
@@ -0,0 +1,29 @@
+Candidate: CVE-2007-0004
+Description:
+ The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL)
+ 3, when a filesystem is mounted with the noacl option, checks permissions for
+ the open system call via vfs_permission (mode bits) data rather than an NFS
+ ACCESS call to the server, which allows local client processes to obtain a
+ false success status from open calls that the server would deny, and possibly
+ obtain sensitive information about file permissions on the server, as
+ demonstrated in a root_squash environment. NOTE: it is uncertain whether any
+ scenarios involving this issue cross privilege boundaries.
+References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=199715
+Ubuntu-Description:
+Notes:
+ dannf> Don't know that this bug every affected upstream, but looks like we
+ may have introduced it into 2.4.27 w/ 084_ea_acl-2.diff
+ dannf> Unknown security implications (though certainly a bug), and RHEL3
+ never included the patch in their bugzilla, so ignoring
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: ignored (2.4.27-10sarge6)
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
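Review bot: the 2.4.27-sarge-security line is "ignored (2.4.27-10sarge6)" with no quoted reason, although the note above says the bug may have been introduced into 2.4.27 by 084_ea_acl-2.diff; other entries in this commit attach the rationale to the status line (e.g. "needs port"), so the "unknown security implications, RHEL never published the patch" reasoning belongs there as well. Also "every affected upstream" in the first note should read "ever affected upstream".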
diff --git a/retired/CVE-2007-2242 b/retired/CVE-2007-2242
new file mode 100644
index 00000000..b656dac1
--- /dev/null
+++ b/retired/CVE-2007-2242
@@ -0,0 +1,33 @@
+Candidate: CVE-2007-2242
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=010831ab8436dfd9304b203467566fb6b135c24f
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=9d08f139275450f9366d85ba09b9a2e09bb33766
+Description:
+ The IPv6 protocol allows remote attackers to cause a denial of service via
+ crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network
+ amplification between two routers.
+Ubuntu-Description:
+ A flaw was discovered in the IPv6 stack's handling of type 0 route headers.
+ By sending a specially crafted IPv6 packet, a remote attacker could cause
+ a denial of service between two IPv6 hosts.
+Notes:
+ dannf> Some info from Vlad Yasevich:
+ <vlad> dannf: is someone including commits 010831ab8436dfd9304b203467566fb6b135c24f and 9d08f139275450f9366d85ba09b9a2e09bb33766 (IPv6 routing header changes) in the debian kernel?
+ ...
+ <dannf> vlad: right, but (010831ab8436dfd9304b203467566fb6b135c24f) is security, so it'll be included in etch if necessary
+ <dannf> s/necessary/affected/
+ <vlad> dannf: you need the second one I listed as well, since the first one has a bug in it.
+ <dannf> vlad: oh, ok - thx
+ <vlad> dannf: although for the purposes of 2.6.18, the second one might be a no-op and the first one might need to be modified a bit.
+ jmm> Contacted Willy
+ dannf> functions are different, but 2.4 code looks similar
+ dannf> My 2.4 backport attempt causes a crash at boot time, ignoring for now
+Bugs: 421595
+upstream: released (2.6.21)
+linux-2.6: released (2.6.21-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/ipv6-disallow-RH0-by-default.patch]
+2.6.8-sarge-security: needed
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "needs port"
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-11.39) [fee89820efa8e3479b39149dcfb2b1bccdaadedc]
+2.6.20-feisty-security: released (2.6.20-16.28)
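Review bot: 2.6.8-sarge-security is still "needed" in a file being moved to retired/, which hides an open item from the active list; either record the decision ("ignored" plus a reason, as the 2.4.27 line does with "needs port" and the crash-at-boot note) or keep the entry active until sarge is resolved. The entry also lacks a 2.6.22-gutsy-security line although the rest of this batch tracks that branch.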
diff --git a/retired/CVE-2007-3104 b/retired/CVE-2007-3104
new file mode 100644
index 00000000..a3b6a8f9
--- /dev/null
+++ b/retired/CVE-2007-3104
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-3104
+References:
+Description:
+ The sysfs_readdir function in the Linux kernel in Red Hat Enterprise
+ Linux 4.5 allows local users to cause a denial of service (kernel OOPS)
+ by dereferencing a null pointer to an inode in a dentry.
+Ubuntu-Description:
+ A flaw in the sysfs_readdir function allowed a local user to cause a
+ denial of service by dereferencing a NULL pointer.
+Notes:
+ pkl> Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release
+ jmm> 01da2425f327d7ac673e594bee5655523115970b
+Bugs:
+upstream: released (2.6.22.2)
+linux-2.6: released (2.6.22-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/sysfs_readdir-NULL-deref-1.patch, bugfix/sysfs_readdir-NULL-deref-2.patch, bugfix/sysfs-fix-condition-check.patch]
+2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore"
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1]
+2.6.20-feisty-security: released (2.6.20-16.31) [5ca45c7e9e3d363c7bd3a5419742cb3368baf474]
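Review bot: 2.6.8-sarge-security reads "needed" with the comment "if no reproducer, ignore", i.e. the decision was never taken before retiring; set it to "ignored" with that reason or leave the file active. References is empty while the fix hash 01da2425 sits in the jmm note; move it to References so anything that reads that field sees it.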
diff --git a/retired/CVE-2007-3513 b/retired/CVE-2007-3513
new file mode 100644
index 00000000..9bd02927
--- /dev/null
+++ b/retired/CVE-2007-3513
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-3513
+References:
+Description:
+ The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel
+ before 2.6.22-rc7 does not limit the amount of memory used by a caller,
+ which allows local users to cause a denial of service (memory consumption).
+Ubuntu-Description:
+ A flaw was discovered in the usblcd driver. A local attacker could cause
+ large amounts of kernel memory consumption, leading to a denial of service.
+Notes:
+Bugs:
+upstream: released (2.6.22-rc7)
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/usblcd-limit-memory-consumption.patch]
+2.6.8-sarge-security: ignored (2.6.8-17sarge1) "Too different"
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Too different"
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7]
+2.6.20-feisty-security: released (2.6.20-16.31) [165018c61779a357d33947a2ae169148b6ab8d9f]
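Review bot: References is empty and the upstream line names only the release (2.6.22-rc7), not the commit that limits the allocation in lcd_write; add the commit URL as the other entries do, so bugfix/usblcd-limit-memory-consumption.patch can be compared against the upstream change.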
diff --git a/retired/CVE-2007-3848 b/retired/CVE-2007-3848
new file mode 100644
index 00000000..05540cad
--- /dev/null
+++ b/retired/CVE-2007-3848
@@ -0,0 +1,22 @@
+Candidate: CVE-2007-3848
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f
+Description:
+ Linux kernel 2.4.35 and other versions allows local users to send
+ arbitrary signals to a child process that is running at higher privileges
+ by causing a setuid-root parent process to die, which delivers an
+ attacker-controlled parent process death signal (PR_SET_PDEATHSIG).
+Ubuntu-Description:
+ It was discovered that certain setuid-root processes did not correctly
+ reset process death signal handlers. A local user could manipulate this
+ to send signals to processes they would not normally have access to.
+Notes:
+Bugs:
+upstream: released (2.6.22.4)
+linux-2.6: released (2.6.22-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/reset-pdeathsig-on-suid.patch]
+2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [247_reset-pdeathsig-on-suid.diff]
+2.6.15-dapper-security: released (2.6.15-29.58)
+2.6.17-edgy-security: released (2.6.17.1-12.40)
+2.6.20-feisty-security: released (2.6.20-16.31)
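Review bot: 2.6.8-sarge-security is "pending (2.6.8-17sarge1)", but the same version is recorded as "released (2.6.8-17sarge1)" in the other files of this commit (CVE-2006-6058, CVE-2007-4133, CVE-2007-5093), so this line should be updated to released, keeping the dpatch name.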
diff --git a/retired/CVE-2007-4130 b/retired/CVE-2007-4130
new file mode 100644
index 00000000..44ab1fdc
--- /dev/null
+++ b/retired/CVE-2007-4130
@@ -0,0 +1,20 @@
+Candidate: CVE-2007-4130
+Description:
+ The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux (RHEL) 4
+ on Itanium (ia64) does not properly handle page faults during NUMA memory
+ access, which allows local users to cause a denial of service (panic) via
+ invalid arguments to set_mempolicy in an MPOL_BIND operation.
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: ignored (2.6.8-17sarge2) "no known upstream fix"
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no known upstream fix"
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
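Review bot: upstream: and linux-2.6: are left blank for an issue the two sarge lines already describe as "no known upstream fix"; record that on the upstream line (N/A or "needed" with the reason), otherwise the blank reads as an unreviewed field. References is empty too; the RHEL bug or advisory for the 2.6.9-67 fix would give the N/A decisions something to point at.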
diff --git a/retired/CVE-2007-4133 b/retired/CVE-2007-4133
new file mode 100644
index 00000000..e1c71246
--- /dev/null
+++ b/retired/CVE-2007-4133
@@ -0,0 +1,26 @@
+Candidate: CVE-2007-4133
+References:
+ http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6
+ https://bugzilla.redhat.com/show_bug.cgi?id=253926
+Description:
+ The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions
+ in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform
+ certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE
+ units, which allows local users to cause a denial of service (panic)
+ via unspecified vectors.
+Ubuntu-Description:
+ Certain calculations in the hugetlb code were not correct. A local
+ attacker could exploit this to cause a kernel panic, leading to a denial
+ of service.
+Notes:
+ jmm> 2.4 doesn't contain hugetlbfs
+Bugs:
+upstream: released (2.6.19)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/hugetlb-prio_tree-unit-fix.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [hugetlb-prio_tree-unit-fix.dpatch]
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
diff --git a/retired/CVE-2007-4571 b/retired/CVE-2007-4571
new file mode 100644
index 00000000..46103f5b
--- /dev/null
+++ b/retired/CVE-2007-4571
@@ -0,0 +1,30 @@
+Candidate: CVE-2007-4571
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ccec6e2c4a74adf76ed4e2478091a311b1806212
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=788450fa451454cc8ff3593b4f9fdb653c296583
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8
+ http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600
+Description:
+ The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux
+ Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return
+ the correct write size, which allows local users to obtain sensitive
+ information (kernel memory contents) via a small count argument, as
+ demonstrated by multiple reads of /proc/driver/snd-page-alloc.
+Ubuntu-Description:
+ It was discovered that the ALSA /proc interface did not write the
+ correct number of bytes when reporting memory allocations. A local
+ attacker might be able to access sensitive kernel memory, leading to
+ a loss of privacy.
+Notes:
+ dannf> ABI changer, was reverted from etch-security (r9547)
+Bugs:
+upstream: released (2.6.22.8)
+linux-2.6: released (2.6.22-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/proc-snd-page-alloc-mem-leak.patch]
+2.6.8-sarge-security: N/A "cannot reproduce w/ ALSA in 2.6.8, alsa-driver package was affected/fixed in DSA 1505"
+2.4.27-sarge-security: N/A "alsa-driver package was affected/fixed in DSA 1505"
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
diff --git a/retired/CVE-2007-4997 b/retired/CVE-2007-4997
new file mode 100644
index 00000000..d2b9c569
--- /dev/null
+++ b/retired/CVE-2007-4997
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-4997
+References:
+ http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7
+Description:
+Ubuntu-Description:
+ Chris Evans discovered that the 802.11 network stack did not correctly
+ handle certain QOS frames. A remote attacker on the local wireless network
+ could send specially crafted packets that would panic the kernel, resulting
+ in a denial of service.
+Notes:
+ > The summary is that an evil 80211 frame can crash out a victim's
+ > machine. It only applies to drivers using the 80211 wireless code, and
+ > only then to certain drivers (and even then depends on a card's
+ > firmware not dropping a dubious packet). I must confess I'm not
+ > keeping track of Linux wireless support, and the different protocol
+ > stacks etc.
+ jmm> 04045f98e0457aba7d4e6736f37eed189c48a5f7
+Bugs:
+upstream: released (2.6.23)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/ieee80211-underflow.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
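Review bot: Description is empty although Ubuntu-Description is filled in; copy the CVE text (or the Ubuntu wording) so the field is not blank in the retired file. The quoted ">" paragraph in Notes has no line saying who wrote it, and the first reference links the 802.11 fix 04045f98 through the kvm.git tree, which is confusing for a net/ieee80211 change; the 2.6.23.y link (or the torvalds tree) is enough.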
diff --git a/retired/CVE-2007-5087 b/retired/CVE-2007-5087
new file mode 100644
index 00000000..f3fe237a
--- /dev/null
+++ b/retired/CVE-2007-5087
@@ -0,0 +1,24 @@
+Candidate: CVE-2007-5087
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.35.y.git;a=commitdiff;h=b7ae15e7707050baafe5a35e3d4f2d175197d222
+Description:
+ The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is
+ enabled, allows local users to cause a denial of service (kernel panic) by
+ reading /proc/net/atm/arp before the CLIP module has been loaded.
+Ubuntu-Description:
+Notes:
+Bugs:
+ dannf> Vulnerable code was added to 2.4 in:
+ http://linux.bkbits.net:8080/linux-2.4/?PAGE=gnupatch&REV=1.1448.44.17
+ which was after 2.4.27
+ dannf> The commit notes that 2.6 isn't vulnerable because the arp entry is
+ handled in clip.c. I've verified this is true for both 2.6.8 and 2.6.18.
+upstream: released (2.4.36-pre2)
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
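Review bot: the two dannf notes sit under "Bugs:" instead of "Notes:", so Bugs now holds free text and Notes is empty; move them up. Given the finding that 2.6 is not vulnerable (the arp entry is handled in clip.c, verified on 2.6.8 and 2.6.18), the 2.6.17-edgy-security line should be N/A like every other 2.6 branch rather than "ignored (EOL)".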
diff --git a/retired/CVE-2007-5093 b/retired/CVE-2007-5093
new file mode 100644
index 00000000..f18d7942
--- /dev/null
+++ b/retired/CVE-2007-5093
@@ -0,0 +1,35 @@
+Candidate: CVE-2007-5093
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6-stable.git;a=commitdiff;h=852ffe0acf89f959e8d35080bbd2bdc2d8f2e9e5
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d
+ MLIST:20070902 Oops in pwc v4l driver
+ URL:http://marc.info/?l=linux-kernel&m=118873457814808&w=2
+ MLIST:20070903 Re: Oops in pwc v4l driver
+ URL:http://marc.info/?l=linux-kernel&m=118880154122548&w=2
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6
+ BID:25504
+ URL:http://www.securityfocus.com/bid/25504
+Description:
+ The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel
+ 2.6.x before 2.6.22.6 "relies on user space to close the device," which
+ allows user-assisted local attackers to cause a denial of service (USB
+ subsystem hang and CPU consumption in khubd) by not closing the device after
+ the disconnect is invoked. NOTE: this rarely crosses privilege boundaries,
+ unless the attacker can convince the victim to unplug the affected device.
+Ubuntu-Description:
+ The Philips USB Webcam driver did not correctly handle disconnects.
+ If a local attacker tricked another user into disconnecting a webcam
+ unsafely, the kernel could hang or consume CPU resources, leading to
+ a denial of service.
+Notes:
+ kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6ce4
+Bugs:
+upstream: released (2.6.22.6)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/usb-pwc-disconnect-block.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [usb-pwc-disconnect-block.dpatch]
+2.4.27-sarge-security: released (2.4.17-10sarge6) [263_usb-pwc-disconnect-block.diff]
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: N/A
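Review bot: the 2.4.27-sarge-security line says "released (2.4.17-10sarge6)"; the version is 2.4.27-10sarge6 as in every other entry in this commit, so this is a typo that will make a lookup of the fixed version fail.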
diff --git a/retired/CVE-2007-5494 b/retired/CVE-2007-5494
new file mode 100644
index 00000000..3c390e0e
--- /dev/null
+++ b/retired/CVE-2007-5494
@@ -0,0 +1,16 @@
+Candidate: CVE-2007-5494
+Description:
+References:
+Ubuntu-Description:
+Notes:
+ jmm> Debian doesn't provide that patch
+Bugs:
+upstream: N/A
+linux-2.6: N/A
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
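Review bot: Description and References are empty and the only note is "Debian doesn't provide that patch", without saying which patch or whose kernel the CVE concerns; add the CVE description and a reference so the blanket N/A is verifiable from the file itself.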
diff --git a/retired/CVE-2007-5500 b/retired/CVE-2007-5500
new file mode 100644
index 00000000..9d5ad045
--- /dev/null
+++ b/retired/CVE-2007-5500
@@ -0,0 +1,24 @@
+Candidate: CVE-2007-5500
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=36ef66c5d137b9a31fd8c35d236fb9e26ef74f97
+Description:
+ wait_task_stopped: Check p->exit_state instead of TASK_TRACED
+Ubuntu-Description:
+ Scott James Remnant discovered that the waitid function could be made
+ to hang the system. A local attacker could execute a specially crafted
+ program which would leave the system unresponsive, resulting in a denial
+ of service.
+Notes:
+ kees> 2.6.15 does not actually lock up -- it just spins in userspace
+ jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308
+ jmm> 2.6.14 is the first major release to be affected, marking earlier versions N/A
+Bugs:
+upstream: released (2.6.23.8)
+linux-2.6: released (2.6.23-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/wait_task_stopped-hang.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-29.61)
+2.6.17-edgy-security: released (2.6.17.1-12.42)
+2.6.20-feisty-security: released (2.6.20-16.33)
+2.6.22-gutsy-security: released (2.6.22-14.47)
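Review bot: the Description field holds the upstream commit subject ("wait_task_stopped: Check p->exit_state instead of TASK_TRACED") rather than a description of the problem; the Ubuntu-Description already states the impact (waitid can be made to hang the system), so use that wording or the CVE text.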
diff --git a/retired/CVE-2007-5904 b/retired/CVE-2007-5904
new file mode 100644
index 00000000..d1fe8b66
--- /dev/null
+++ b/retired/CVE-2007-5904
@@ -0,0 +1,27 @@
+Candidate: CVE-2007-5904
+Description:
+ Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier
+ allows remote attackers to cause a denial of service (crash) and possibly
+ execute arbitrary code via long SMB responses that trigger the overflows in
+ the SendReceive function.
+References:
+ http://marc.info/?l=linux-kernel&m=119455843205403&w=2
+ http://marc.info/?l=linux-kernel&m=119457447724276&w=2
+ http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3
+Ubuntu-Description:
+ Multiple buffer overflows were discovered in the handling of CIFS
+ filesystems. A malicious CIFS server could cause a client system crash
+ or possibly execute arbitrary code with kernel privileges.
+Notes:
+ kees> failed mount errors: a761ac579b89bc1f00212a42401398108deba65c
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/cifs-better-failed-mount-errors.patch, bugfix/cifs-corrupt-server-response-overflow.patch]
+2.6.8-sarge-security: ignored (2.6.8-17sarge2) "needs port if vulnerable"
+2.4.27-sarge-security: N/A "No CIFS"
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
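Review bot: upstream: and linux-2.6: are blank although References already cite the cifs fix 133672ef and the Notes add a761ac57 for the failed-mount errors; fill in the release each landed in and the unstable version, since the etch line applies both patches. The 2.6.8-sarge-security reason "needs port if vulnerable" also records that vulnerability of 2.6.8 was never determined; saying so explicitly would make the ignored status defensible.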
diff --git a/retired/CVE-2007-5938 b/retired/CVE-2007-5938
new file mode 100644
index 00000000..43b3bdad
--- /dev/null
+++ b/retired/CVE-2007-5938
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-5938
+Description:
+ The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier
+ dereferences an iwl_get_hw_mode return value without checking for NULL, which might
+ allow remote attackers to cause a denial of service (kernel panic) via unspecified
+ vectors during module initialization.
+References:
+ http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618
+ http://bugs.gentoo.org/show_bug.cgi?id=199209
+Ubuntu-Description:
+Notes:
+ jmm> c4ba9621f4f241f8c4d4f620ad4257af59d21f3e
+Bugs:
+upstream: released (2.6.24-rc4)
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
diff --git a/retired/CVE-2007-5966 b/retired/CVE-2007-5966
new file mode 100644
index 00000000..cfcaf9cb
--- /dev/null
+++ b/retired/CVE-2007-5966
@@ -0,0 +1,17 @@
+Candidate: CVE-2007-5966
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5;hp=f194d132e4971111f85c18c96067acffb13cee6d
+Ubuntu-Description:
+Notes:
+ dannf> hrtimer.c file didn't exist in 2.4.27/2.6.8
+Bugs:
+upstream: released (2.6.24-rc5)
+linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/hrtimer-large-relative-timeouts-overflow.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
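Review bot: Description is empty, and the note justifies N/A only for 2.4.27 and 2.6.8 ("hrtimer.c file didn't exist"); the 2.6.15-dapper-security N/A has no stated reason while 2.6.17-edgy is released, so one line on why dapper is out of scope would make that decision checkable. The upstream line should also carry the commit 62f0f61e cited in References, as the other entries do.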
diff --git a/retired/CVE-2007-6063 b/retired/CVE-2007-6063
new file mode 100644
index 00000000..5187ccc6
--- /dev/null
+++ b/retired/CVE-2007-6063
@@ -0,0 +1,22 @@
+Candidate: CVE-2007-6063
+Description:
+ Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel
+ 2.6.23 allows local users to have an unknown impact via a crafted argument to
+ the isdn_ioctl function.
+References:
+ http://bugzilla.kernel.org/show_bug.cgi?id=9416
+ http://www.securityfocus.com/bid/26605
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40
+Ubuntu-Description:
+Notes:
+ jmm> eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+Bugs:
+upstream: released (2.6.24-rc4) [0f13864e5b24d9cbe18d125d41bfa4b726a82e40]
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/isdn-net-overflow.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [isdn-net-overflow.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [257_isdn-net-overflow.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
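Review bot: the jmm note carries eafe1aa37e6ec2d56f14732b5240c4dd09f0613a, which is the commit the CVE-2007-6151 entry in this same commit lists as its reference; the CVE-2007-6063 fix is 0f13864e, as the References and upstream lines already state, so the note appears to have landed in the wrong file and should be moved or annotated as the related isdn_ioctl fix.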
diff --git a/retired/CVE-2007-6151 b/retired/CVE-2007-6151
new file mode 100644
index 00000000..9e2973e4
--- /dev/null
+++ b/retired/CVE-2007-6151
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-6151
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
+Description:
+ The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows
+ local users to cause a denial of service via a struct in which iocts is
+ not null terminated, which triggers a buffer overflow.
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6: released (2.6.23-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/i4l-isdn_ioctl-mem-overrun.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [i4l-isdn_ioctl-mem-overrun.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [256_i4l-isdn_ioctl-mem-overrun.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
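Review bot: upstream: is blank although References cite the fix commit eafe1aa3; record the release it appeared in, in the form the sibling CVE-2007-6063 entry uses ("released (version) [hash]").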
diff --git a/retired/CVE-2007-6206 b/retired/CVE-2007-6206
new file mode 100644
index 00000000..280260a8
--- /dev/null
+++ b/retired/CVE-2007-6206
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-6206
+Description:
+ Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions,
+ does not change the UID of a core dump file if it exists before a root process
+ creates a core dump in the same location, which might allow local users to
+ obtain sensitive information.
+References:
+ http://bugzilla.kernel.org/show_bug.cgi?id=3043
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: pending (2.6.24)
+linux-2.6: needed
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/coredump-only-to-same-uid.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [coredump-only-to-same-uid.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [253_coredump-only-to-same-uid.diff]
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
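Review bot: upstream is "pending (2.6.24)" and linux-2.6 is "needed" in a file being retired by a commit dated 2008-07-20; the upstream fix c46f739d is cited in References, so both lines should be brought to "released" with the version before the entry leaves the active list, otherwise the retired file records an open item.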
diff --git a/retired/CVE-2007-6417 b/retired/CVE-2007-6417
new file mode 100644
index 00000000..63149b02
--- /dev/null
+++ b/retired/CVE-2007-6417
@@ -0,0 +1,23 @@
+Candidate: CVE-2007-6417
+Description:
+ The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does
+ not properly clear allocated memory in some rare circumstances, which might allow
+ local users to read sensitive kernel data or cause a denial of service (crash).
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84e2e132c9c66d8498e7710d4ea532d1feaaac5
+ http://marc.info/?l=linux-kernel&m=119627664702379&w=2
+ http://marc.info/?l=linux-kernel&m=119743651829347&w=2
+ http://marc.info/?l=linux-kernel&m=119769771026243&w=2
+Ubuntu-Description:
+Notes:
+ dannf> Commit log suggests this was a regression introduced in 2.6.11
+Bugs:
+upstream: released (2.6.22.15, 2.6.23.10, 2.6.24-rc4) [e84e2e132c9c66d8498e7710d4ea532d1feaaac5]
+linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10]
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/tmpfs-restore-clear_highpage.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
diff --git a/retired/CVE-2007-6694 b/retired/CVE-2007-6694
new file mode 100644
index 00000000..15e09d05
--- /dev/null
+++ b/retired/CVE-2007-6694
@@ -0,0 +1,28 @@
+Candidate: CVE-2007-6694
+Description:
+ The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21
+ through 2.6.18-53, when running on PowerPC, might allow local users
+ to cause a denial of service (crash) via unknown vectors that cause
+ the of_get_property function to fail, which triggers a NULL pointer
+ dereference.
+References:
+ http://marc.info/?l=linux-kernel&m=119576191029571&w=2
+Ubuntu-Description:
+ It was discovered that PowerPC kernels did not correctly handle reporting
+ certain system details. By requesting a specific set of information,
+ a local attacker could cause a system crash resulting in a denial
+ of service.
+Notes:
+ jmm> This appears more of a regular bug with a specific piece of hw
+ jmm> than a security problem. Do we support the chrp POWER platform?
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/powerpc-chrp-null-deref.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge2) [powerpc-chrp-null-deref.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [265_powerpc-chrp-null-deref.diff]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
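Review bot: the upstream: and linux-2.6: rows are blank while every distro row is marked released, so the entry is retired without recording which upstream commit or version fixes the NULL dereference; the only reference is the lkml thread. Fill in upstream with the fixing commit before retiring, and answer jmm's open question in Notes (whether the chrp POWER platform is supported), since that answer decides whether the 2.4.27 and 2.6.8 sarge updates were needed at all.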
diff --git a/retired/CVE-2007-6712 b/retired/CVE-2007-6712
new file mode 100644
index 00000000..c07bae11
--- /dev/null
+++ b/retired/CVE-2007-6712
@@ -0,0 +1,19 @@
+Candidate: CVE-2007-6712
+Description:
+ Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux
+ kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to
+ cause a denial of service (infinite loop) via a timer with a large expiry
+ value, which causes the timer to always be expired.
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5a7780e725d1bb4c3094fcc12f1c5c5faea1e988
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/hrtimer-prevent-overrun.patch, bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch]
+2.6.24-etchnhalf-security: N/A
+2.6.15-dapper-security: N/A
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
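Review bot: upstream: and linux-2.6: are blank even though 2.6.24-etchnhalf-security and 2.6.24-hardy-security say N/A, which only makes sense if the referenced commit 5a7780e7 landed before 2.6.24; record that version in the upstream row. The Description limits the bug to 64-bit systems, but the etch update ships bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch next to the hrtimer fix, so either the description scope is too narrow or Notes should say why the 32-bit ktime fix was required. The 2.6.8-sarge-security and 2.4.27-sarge-security rows present in the other files are missing here.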
diff --git a/retired/CVE-2008-0001 b/retired/CVE-2008-0001
new file mode 100644
index 00000000..1539005c
--- /dev/null
+++ b/retired/CVE-2008-0001
@@ -0,0 +1,16 @@
+Candidate: CVE-2008-0001
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.23.14, 2.6.24-rc8)
+linux-2.6: released (2.6.24-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/vfs-use-access-mode-flag.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: released (2.6.15-51.65)
+2.6.17-edgy-security: released (2.6.17.1-12.43)
+2.6.20-feisty-security: released (2.6.20-16.34)
+2.6.22-gutsy-security: released (2.6.22-14.48)
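Review bot: Description: is empty, so the only hint of what this CVE covers is the etch patch name bugfix/vfs-use-access-mode-flag.patch and the referenced commit 974a9f0b; a retired entry should carry at least a one-line summary taken from that commit. As with CVE-2007-6417 in this change, the 2.6.24-etchnhalf-security and 2.6.24-hardy-security rows are absent; with upstream released in 2.6.24-rc8 they should be recorded as N/A.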
diff --git a/retired/CVE-2008-0007 b/retired/CVE-2008-0007
new file mode 100644
index 00000000..3f588fa9
--- /dev/null
+++ b/retired/CVE-2008-0007
@@ -0,0 +1,23 @@
+Candidate: CVE-2008-0007
+Description:
+ Linux kernel before 2.6.22.17, when using certain drivers that register
+ a fault handler that does not perform range checks, allows local users
+ to access kernel memory via an out-of-range offset.
+References:
+Ubuntu-Description:
+ It was discovered that some device driver fault handlers did not
+ correctly verify memory ranges. A local attacker could exploit this
+ to access sensitive kernel memory, possibly leading to a loss of privacy.
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/mmap-VM_DONTEXPAND.patch]
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: released (2.6.8-17sarge1) [mmap-VM_DONTEXPAND.dpatch]
+2.4.27-sarge-security: released (2.4.27-10sarge6) [264_mmap-VM_DONTEXPAND.diff]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: N/A
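Review bot: the upstream row says released (2.6.24.1) while the Description says the fix is in 2.6.22.17, and References: is empty; list both stable versions in upstream and add the commit behind mmap-VM_DONTEXPAND so the version claim can be checked. The 2.6.24-hardy-security: N/A row sits next to a 2.6.24-etchnhalf row that needed the 2.6.24.1 stable patch; if hardy already carried that patch it deserves a Notes line, otherwise the row looks wrong.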
diff --git a/retired/CVE-2008-0009 b/retired/CVE-2008-0009
new file mode 100644
index 00000000..054dc29f
--- /dev/null
+++ b/retired/CVE-2008-0009
@@ -0,0 +1,17 @@
+Candidate: CVE-2008-0009
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: N/A
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
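Review bot: Description: and References: are both empty, yet the CVE-2008-0600 entry added in this same change describes this id as a vmsplice vulnerability distinct from CVE-2008-0600; put that much into Description and reference the 2.6.24.1 fix, otherwise the retired file records only that etchnhalf shipped the 2.6.24.1 stable patch. Every other row is N/A, which is plausible only if the bug was introduced in 2.6.24; a Notes line saying so would justify the N/A on 2.6.18-etch and the older Ubuntu kernels.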
diff --git a/retired/CVE-2008-0010 b/retired/CVE-2008-0010
new file mode 100644
index 00000000..5384b024
--- /dev/null
+++ b/retired/CVE-2008-0010
@@ -0,0 +1,16 @@
+Candidate: CVE-2008-0010
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.1)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
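Review bot: Description: and References: are empty, the 2.6.18-etch-security row says released but names no patch file in brackets, and the 2.6.24-hardy-security row present in CVE-2008-0009 is missing here. Since etch (2.6.18) needed a fix while 2.6.15-dapper, 2.6.20-feisty and 2.6.22-gutsy are N/A, a Notes line on why only 2.6.18 among the older kernels was affected would help anyone rechecking these rows.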
diff --git a/retired/CVE-2008-0163 b/retired/CVE-2008-0163
new file mode 100644
index 00000000..77eddcc3
--- /dev/null
+++ b/retired/CVE-2008-0163
@@ -0,0 +1,17 @@
+Candidate: CVE-2008-0163
+Description:
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: N/A
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: N/A "no vserver support"
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
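Review bot: Description: is empty and the only clue to the issue is the quoted reason on the etchnhalf row, "no vserver support"; state in Description that this is a vserver-specific issue and link the fix, otherwise upstream: N/A reads as if the CVE had no fix at all. The linux-2.6: row is left blank rather than N/A; pick one, since a blank row elsewhere in this change means the status has not been determined yet.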
diff --git a/retired/CVE-2008-0352 b/retired/CVE-2008-0352
new file mode 100644
index 00000000..24ac94b8
--- /dev/null
+++ b/retired/CVE-2008-0352
@@ -0,0 +1,25 @@
+Candidate: CVE-2008-0352
+Description:
+ The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a
+ denial of service (panic) via a certain IPv6 packet, possibly involving the
+ Jumbo Payload hop-by-hop option
+References:
+ http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2
+Ubuntu-Description:
+Notes:
+ jmm> 08a6507044dd70c326de3ea484fd6d29b8101f17
+ jmm> http://bugzilla.kernel.org/show_bug.cgi?id=8450
+ dannf> Looks like this isn't an issue before
+ a11d206d0f88e092419877c7f706cafb5e1c2e57
+ Which appeared between 2.6.19 and 2.6.20
+ kees> this is a dup of CVE-2007-4567
+Bugs:
+upstream: released (2.6.21.2)
+linux-2.6: released (2.6.22-1)
+2.6.18-etch-security: N/A
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: N/A (dup of CVE-2007-4567)
+2.6.22-gutsy-security: N/A
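Review bot: Notes record from kees that this is a duplicate of CVE-2007-4567, but the Description still presents it as a standalone issue and only the 2.6.20-feisty row mentions the duplicate; put the duplicate status in Description so the per-row N/A values are not misread as "not affected" when the Description says 2.6.20 through 2.6.21.1 is affected. The commit 08a6507 and the bugzilla link in Notes belong under References: next to the ChangeLog link. 2.6.24-etchnhalf-security and 2.6.24-hardy-security rows are missing.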
diff --git a/retired/CVE-2008-0600 b/retired/CVE-2008-0600
new file mode 100644
index 00000000..23a12e99
--- /dev/null
+++ b/retired/CVE-2008-0600
@@ -0,0 +1,22 @@
+Candidate: CVE-2008-0600
+Description:
+ The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1
+ does not validate a certain userspace pointer before dereference, which
+ allows local users to gain root privileges via crafted arguments in
+ a vmsplice system call, a different vulnerability than CVE-2008-0009
+ and CVE-2008-0010.
+References:
+Ubuntu-Description:
+Notes:
+Bugs:
+upstream: released (2.6.24.2)
+linux-2.6: released (2.6.24-4)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1)
+2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.2.patch]
+2.6.8-sarge-security: N/A
+2.4.27-sarge-security: N/A
+2.6.15-dapper-security: N/A
+2.6.17-edgy-security: released (2.6.17.1-12.44)
+2.6.20-feisty-security: released (2.6.20-16.35)
+2.6.22-gutsy-security: released (2.6.22-14.52)
+2.6.24-hardy-security: N/A
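Review bot: References: is empty for a local root privilege escalation; add the upstream vmsplice fix commit, since the upstream row only gives 2.6.24.2. The 2.6.18-etch-security row says released but, unlike most rows in this change, names no patch file; add it so the fix can be located in the etch-security tree. 2.6.24-hardy-security: N/A next to a Description covering versions up to 2.6.24.1 needs a Notes line explaining why hardy is unaffected.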
diff --git a/retired/CVE-2008-1294 b/retired/CVE-2008-1294
new file mode 100644
index 00000000..9f6ac748
--- /dev/null
+++ b/retired/CVE-2008-1294
@@ -0,0 +1,27 @@
+Candidate: CVE-2008-1294
+Description:
+ Linux kernel 2.6.17, and other versions before 2.6.22, does not check
+ when a user attempts to set RLIMIT_CPU to 0 until after the change is
+ made, which allows local users to bypass intended resource limits.
+References:
+Ubuntu-Description:
+ It was discovered that CPU resource limits could be bypassed.
+ A malicious local user could exploit this to avoid administratively
+ imposed resource limits.
+Notes:
+ https://launchpad.net/bugs/107209
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419706
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9926e4c74300c4b31dee007298c6475d33369df0
+ kees> for pre-2.6.17 kernels, two additional commits are needed:
+ kees> ec9e16bacdba1da1ee15dd162384e22df5c87e09
+ kees> e0661111e5441995f7a69dc4336c9f131cb9bc58
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/RLIMIT_CPU-earlier-checking.patch]
+2.6.24-etchnhalf-security: N/A
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: N/A
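Review bot: the Launchpad, Debian bug and git commit links are placed under Notes: while References: is empty; move them to References. upstream: and linux-2.6: are blank even though the Description says versions before 2.6.22 are affected and 2.6.22-gutsy is N/A, so record the fix version (commit 9926e4c7) in upstream. The kees note says pre-2.6.17 kernels need two extra commits, which makes the missing 2.6.8-sarge-security and 2.4.27-sarge-security rows conspicuous; add them with an explicit status.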
diff --git a/retired/CVE-2008-1375 b/retired/CVE-2008-1375
new file mode 100644
index 00000000..27075c84
--- /dev/null
+++ b/retired/CVE-2008-1375
@@ -0,0 +1,23 @@
+Candidate: CVE-2008-1375
+Description:
+ dnotify race
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=214b7049a7929f03bbd2786aaef04b8b79db34e2
+Ubuntu-Description:
+ A race condition was discovered between dnotify fcntl() and close() in
+ the kernel. If a local attacker performed malicious dnotify requests,
+ they could cause memory consumption leading to a denial of service,
+ or possibly send arbitrary signals to any process.
+Notes:
+ kees> ABI changer due to header addition?
+ kees> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/dnotify-race-avoid-abi-change.patch?op=file&rev=0&sc=0
+Bugs:
+upstream: released (2.6.26-rc1)
+linux-2.6: released (2.6.25-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/dnotify-race.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.17-edgy-security: ignored (EOL)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
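Review bot: Description: is just "dnotify race" while the Ubuntu-Description below carries the actual impact (memory consumption, arbitrary signals to any process); a retired entry should have that summary in Description as well. The upstream row lists only 2.6.26-rc1, but the etchnhalf row shows the fix shipped in the 2.6.24.6 stable patch, so list 2.6.24.6 in upstream too. The kees note about the ABI change ends in a question mark; the linked dnotify-race-avoid-abi-change.patch suggests it was resolved, so the note should say how.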
diff --git a/retired/CVE-2008-1615 b/retired/CVE-2008-1615
new file mode 100644
index 00000000..9c297dd3
--- /dev/null
+++ b/retired/CVE-2008-1615
@@ -0,0 +1,18 @@
+Candidate: CVE-2008-1615
+Description:
+ Linux kernel 2.6.18, and possibly other versions, when running on AMD64
+ architectures, allows local users to cause a denial of service (crash)
+ via certain ptrace calls.
+References:
+Ubuntu-Description:
+Notes:
+ kees> http://marc.info/?l=linux-kernel&m=120219781932243
+Bugs:
+upstream:
+linux-2.6:
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/amd64-cs-corruption.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.3) [bugfix/amd64-cs-corruption.patch]
+2.6.15-dapper-security: pending
+2.6.20-feisty-security: pending
+2.6.22-gutsy-security: pending
+2.6.24-hardy-security: pending
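Review bot: four rows (2.6.15-dapper, 2.6.20-feisty, 2.6.22-gutsy, 2.6.24-hardy) still read pending and upstream: and linux-2.6: are blank, so moving this file to retired/ is premature; update those rows or leave the entry active. The Description says "2.6.18, and possibly other versions" while the patch name amd64-cs-corruption.patch and the lkml link in Notes point at a specific AMD64 problem; tighten the description and move the lkml URL under References:.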
diff --git a/retired/CVE-2008-1669 b/retired/CVE-2008-1669
new file mode 100644
index 00000000..900a997a
--- /dev/null
+++ b/retired/CVE-2008-1669
@@ -0,0 +1,20 @@
+Candidate: CVE-2008-1669
+Description:
+ "add rcu_read_lock() to fs/locks.c and fix fcntl store/load"
+References:
+Ubuntu-Description:
+ On SMP systems, a race condition existed in fcntl(). Local attackers
+ could perform malicious locks, causing system crashes and leading to
+ a denial of service.
+Notes:
+ kees> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+ kees> linux-2.6.24.y: 0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70
+Bugs:
+upstream: released (2.6.24.7, 2.6.25.2)
+linux-2.6: released (2.6.25-2)
+2.6.18-etch-security: released (2.6.18.dfsg.1-18etch4) [bugfix/fcntl_setlk-close-race.patch]
+2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.7.patch]
+2.6.15-dapper-security: released (2.6.15-52.67)
+2.6.20-feisty-security: released (2.6.20-17.36)
+2.6.22-gutsy-security: released (2.6.22-15.54)
+2.6.24-hardy-security: released (2.6.24-19.34)
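Review bot: Description: is a quoted commit subject rather than a description; the Ubuntu-Description already states the user-visible problem (an SMP race in fcntl() locking that crashes the kernel), so use that wording. The two commit ids in Notes (Linus tree 0b2bac2f and the 2.6.24.y backport 0bbbae3b) belong under References:. The 2.6.8-sarge-security and 2.4.27-sarge-security rows are missing.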
diff --git a/retired/CVE-2008-1675 b/retired/CVE-2008-1675
new file mode 100644
index 00000000..0e3f1637
--- /dev/null
+++ b/retired/CVE-2008-1675
@@ -0,0 +1,20 @@
+Candidate: CVE-2008-1675
+Description:
+References:
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=a30678eb8ce99a7b4c716ad41c8c10a04d731127
+ http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=f1b6098616f329d26199f278f228a7b27d36558d
+Ubuntu-Description:
+ The tehuti network driver did not correctly handle certain IO functions.
+ A local attacker could perform malicious requests to the driver,
+ potentially accessing kernel memory, leading to privilege escalation
+ or access to private system information.
+Notes:
+Bugs:
+upstream: released (2.6.24.6)
+linux-2.6: released (2.6.24-7)
+2.6.18-etch-security: N/A
+2.6.24-etchnhalf-security: released (linux-2.6.24 2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch]
+2.6.15-dapper-security: N/A
+2.6.20-feisty-security: N/A
+2.6.22-gutsy-security: N/A
+2.6.24-hardy-security: released (2.6.24-19.34)
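Review bot: Description: is empty; the Ubuntu-Description identifies the tehuti driver and the impact, so lift a one-line summary from it. The 2.6.24-etchnhalf-security row is written as released (linux-2.6.24 2.6.24-6~etchnhalf.2), with the source package name inside the parentheses, unlike every other row in this change; drop the package name or use the same form everywhere. Both References point at the 2.6.24.y stable tree; add the corresponding mainline commits so the upstream row (2.6.24.6 only) can record the mainline version as well.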
diff --git a/retired/block-all-signals-race b/retired/block-all-signals-race
new file mode 100644
index 00000000..bfe3285b
--- /dev/null
+++ b/retired/block-all-signals-race
@@ -0,0 +1,17 @@
+Candidate: Needed
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=c70d3d703ad94727dab2a3664aeee33d71e00715
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9ac95f2f90e022c16d293d7978faddf7e779a1a9
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=1ff0be1534839dabec85f6d16dc36734f4e158bf
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=21b4da78c941f292f6daf87abb562d6285216e51
+Description:
+ Race in copy_signhand()/do_sigaction that lets you create small processes that
+ block all signals, including SIGKILL.
+Notes:
+Bugs:
+upstream:
+linux-2.6: pending (2.6.15.5)
+2.6.8-sarge-security:
+2.4.27-sarge-security:
+2.6.18-etch-security: N/A
+
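Review bot: this entry is retired with Candidate: Needed, a blank upstream: row, blank 2.6.8-sarge-security and 2.4.27-sarge-security rows, and linux-2.6: pending (2.6.15.5); either resolve those rows (a CVE id, the upstream version, an explicit sarge status) or keep the file active. The Description names copy_signhand(), which looks like a typo for copy_sighand(); the field order here (References before Description) also differs from every other file in this change. The four referenced commits are listed without saying how they relate (the fix versus follow-ups).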
