author | dann frazier <dannf@debian.org> | 2008-07-20 21:58:00 +0000 |
---|---|---|
committer | dann frazier <dannf@debian.org> | 2008-07-20 21:58:00 +0000 |
commit | cffb363c568e15bb95549d0c5746068cca9c94bf (patch) | |
tree | e0434734275d36074875867c87f80245c22cc450 /retired | |
parent | 5573dc627c8198493da4d51a700922f187269fb9 (diff) | |
Debian updates; retire several issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1197 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
37 files changed, 841 insertions, 0 deletions
diff --git a/retired/CVE-2006-6058 b/retired/CVE-2006-6058 new file mode 100644 index 00000000..61723554 --- /dev/null +++ b/retired/CVE-2006-6058 
@@ -0,0 +1,37 @@ +Candidate: CVE-2006-6058 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=f0ae3188daf70ed07a4dfbeb133bef3a92838a15 + MISC:http://projects.info-pull.com/mokb/MOKB-17-11-2006.html + FRSIRT:ADV-2006-4613 + URL:http://www.frsirt.com/english/advisories/2006/4613 + SECUNIA:23034 + URL:http://secunia.com/advisories/23034 +Description: + The minix filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly + other versions, allows local users to cause a denial of service (hang) via a + malformed minix file stream that triggers an infinite loop in the minix_bmap + function. NOTE: this issue might be due to an integer overflow or signedness + error. +Ubuntu-Description: + The minix filesystem did not properly validate certain filesystem values. + If a local attacker could trick the system into attempting to mount a + corrupted minix filesystem, the kernel could be made to hang for long + periods of time, resulting in a denial of service. +Notes: + dannf> ignored for sarge for now - only applies under very rare circumstances + and don't know if there's an upstream fix + jmm> We can ignore this, it has no practical ramifications + dannf> Though I agree its minor, I suspect its not so rare that admins + set user-mountable media's filesystem type to 'auto' in fstab, + allowing them to use any fs on the system. 
I could see this being + used to annoy sysadmins, e.g., in a university lab setting +Bugs: +upstream: released (2.6.23.7, 2.6.24-rc1) [f44ec6f3f89889a469773b1fd894f8fcc07c29cf] +linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch] +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/minixfs-printk-hang.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [minixfs-printk-hang.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no printk_ratelimit in 2.4 - needs port" +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/retired/CVE-2006-7229 b/retired/CVE-2006-7229 new file mode 100644 index 00000000..07677618 --- /dev/null +++ b/retired/CVE-2006-7229 @@ -0,0 +1,17 @@ +Candidate: CVE-2006-7229 +References: + https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.15/+bug/65631 +Description: +Ubuntu-Description: +Notes: + dannf> This appears to be Ubuntu-specific +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: N/A +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2007-0004 b/retired/CVE-2007-0004 new file mode 100644 index 00000000..e0c5d132 --- /dev/null +++ b/retired/CVE-2007-0004 
@@ -0,0 +1,29 @@ +Candidate: CVE-2007-0004 +Description: + The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL) + 3, when a filesystem is mounted with the noacl option, checks permissions for + the open system call via vfs_permission (mode bits) data rather than an NFS + ACCESS call to the server, which allows local client processes to obtain a + false success status from open calls that the server would deny, and possibly + obtain sensitive information about file permissions on the server, as + demonstrated in a root_squash environment. NOTE: it is uncertain whether any + scenarios involving this issue cross privilege boundaries. +References: + https://bugzilla.redhat.com/show_bug.cgi?id=199715 +Ubuntu-Description: +Notes: + dannf> Don't know that this bug every affected upstream, but looks like we + may have introduced it into 2.4.27 w/ 084_ea_acl-2.diff + dannf> Unknown security implications (though certainly a bug), and RHEL3 + never included the patch in their bugzilla, so ignoring +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: ignored (2.4.27-10sarge6) +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2007-2242 b/retired/CVE-2007-2242 new file mode 100644 index 00000000..b656dac1 --- /dev/null +++ b/retired/CVE-2007-2242 
@@ -0,0 +1,33 @@ +Candidate: CVE-2007-2242 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=010831ab8436dfd9304b203467566fb6b135c24f + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.20.y.git;a=commit;h=9d08f139275450f9366d85ba09b9a2e09bb33766 +Description: + The IPv6 protocol allows remote attackers to cause a denial of service via + crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network + amplification between two routers. +Ubuntu-Description: + A flaw was discovered in the IPv6 stack's handling of type 0 route headers. + By sending a specially crafted IPv6 packet, a remote attacker could cause + a denial of service between two IPv6 hosts. +Notes: + dannf> Some info from Vlad Yasevich: + <vlad> dannf: is someone including commits 010831ab8436dfd9304b203467566fb6b135c24f and 9d08f139275450f9366d85ba09b9a2e09bb33766 (IPv6 routing header changes) in the debian kernel? + ... + <dannf> vlad: right, but (010831ab8436dfd9304b203467566fb6b135c24f) is security, so it'll be included in etch if necessary + <dannf> s/necessary/affected/ + <vlad> dannf: you need the second one I listed as well, since the first one has a bug in it. + <dannf> vlad: oh, ok - thx + <vlad> dannf: although for the purposes of 2.6.18, the second one might be a no-op and the first one might need to be modified a bit. + jmm> Contacted Willy + dannf> functions are different, but 2.4 code looks similar + dannf> My 2.4 backport attempt causes a crash at boot time, ignoring for now +Bugs: 421595 +upstream: released (2.6.21) +linux-2.6: released (2.6.21-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/ipv6-disallow-RH0-by-default.patch] +2.6.8-sarge-security: needed +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "needs port" +2.6.15-dapper-security: released (2.6.15-29.58) +2.6.17-edgy-security: released (2.6.17.1-11.39) [fee89820efa8e3479b39149dcfb2b1bccdaadedc] +2.6.20-feisty-security: released (2.6.20-16.28) 
diff --git a/retired/CVE-2007-3104 b/retired/CVE-2007-3104 new file mode 100644 index 00000000..a3b6a8f9 --- /dev/null +++ b/retired/CVE-2007-3104 @@ -0,0 +1,21 @@ +Candidate: CVE-2007-3104 +References: +Description: + The sysfs_readdir function in the Linux kernel in Red Hat Enterprise + Linux 4.5 allows local users to cause a denial of service (kernel OOPS) + by dereferencing a null pointer to an inode in a dentry. +Ubuntu-Description: + A flaw in the sysfs_readdir function allowed a local user to cause a + denial of service by dereferencing a NULL pointer. +Notes: + pkl> Bug fix available in RedHat kernel-2.6.9-55.0.2.EL.src.rpm release + jmm> 01da2425f327d7ac673e594bee5655523115970b +Bugs: +upstream: released (2.6.22.2) +linux-2.6: released (2.6.22-4) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/sysfs_readdir-NULL-deref-1.patch, bugfix/sysfs_readdir-NULL-deref-2.patch, bugfix/sysfs-fix-condition-check.patch] +2.6.8-sarge-security: needed "code is very different in 2.6.8, if no reproducer, ignore" +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-29.58) +2.6.17-edgy-security: released (2.6.17.1-12.40) [a8c3f241ea411211c4802098f23a8da309e8bbd1] +2.6.20-feisty-security: released (2.6.20-16.31) [5ca45c7e9e3d363c7bd3a5419742cb3368baf474] diff --git a/retired/CVE-2007-3513 b/retired/CVE-2007-3513 new file mode 100644 index 00000000..9bd02927 --- /dev/null +++ b/retired/CVE-2007-3513 
@@ -0,0 +1,19 @@ +Candidate: CVE-2007-3513 +References: +Description: + The lcd_write function in drivers/usb/misc/usblcd.c in the Linux kernel + before 2.6.22-rc7 does not limit the amount of memory used by a caller, + which allows local users to cause a denial of service (memory consumption). +Ubuntu-Description: + A flaw was discovered in the usblcd driver. A local attacker could cause + large amounts of kernel memory consumption, leading to a denial of service. +Notes: +Bugs: +upstream: released (2.6.22-rc7) +linux-2.6: released (2.6.22-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/usblcd-limit-memory-consumption.patch] +2.6.8-sarge-security: ignored (2.6.8-17sarge1) "Too different" +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Too different" +2.6.15-dapper-security: released (2.6.15-28.57) +2.6.17-edgy-security: released (2.6.17.1-12.40) [85816b5fa3476f3fcf7758a1bd338d69184085d7] +2.6.20-feisty-security: released (2.6.20-16.31) [165018c61779a357d33947a2ae169148b6ab8d9f] diff --git a/retired/CVE-2007-3848 b/retired/CVE-2007-3848 new file mode 100644 index 00000000..05540cad --- /dev/null +++ b/retired/CVE-2007-3848 
@@ -0,0 +1,22 @@ +Candidate: CVE-2007-3848 +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f +Description: + Linux kernel 2.4.35 and other versions allows local users to send + arbitrary signals to a child process that is running at higher privileges + by causing a setuid-root parent process to die, which delivers an + attacker-controlled parent process death signal (PR_SET_PDEATHSIG). +Ubuntu-Description: + It was discovered that certain setuid-root processes did not correctly + reset process death signal handlers. A local user could manipulate this + to send signals to processes they would not normally have access to. +Notes: +Bugs: +upstream: released (2.6.22.4) +linux-2.6: released (2.6.22-4) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/reset-pdeathsig-on-suid.patch] +2.6.8-sarge-security: pending (2.6.8-17sarge1) [reset-pdeathsig-on-suid.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [247_reset-pdeathsig-on-suid.diff] +2.6.15-dapper-security: released (2.6.15-29.58) +2.6.17-edgy-security: released (2.6.17.1-12.40) +2.6.20-feisty-security: released (2.6.20-16.31) diff --git a/retired/CVE-2007-4130 b/retired/CVE-2007-4130 new file mode 100644 index 00000000..44ab1fdc --- /dev/null +++ b/retired/CVE-2007-4130 
@@ -0,0 +1,20 @@ +Candidate: CVE-2007-4130 +Description: + The Linux kernel 2.6.9 before 2.6.9-67 in Red Hat Enterprise Linux (RHEL) 4 + on Itanium (ia64) does not properly handle page faults during NUMA memory + access, which allows local users to cause a denial of service (panic) via + invalid arguments to set_mempolicy in an MPOL_BIND operation. +References: +Ubuntu-Description: +Notes: +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: N/A +2.6.8-sarge-security: ignored (2.6.8-17sarge2) "no known upstream fix" +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "no known upstream fix" +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2007-4133 b/retired/CVE-2007-4133 new file mode 100644 index 00000000..e1c71246 --- /dev/null +++ b/retired/CVE-2007-4133 
@@ -0,0 +1,26 @@ +Candidate: CVE-2007-4133 +References: + http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6 + https://bugzilla.redhat.com/show_bug.cgi?id=253926 +Description: + The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions + in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform + certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE + units, which allows local users to cause a denial of service (panic) + via unspecified vectors. +Ubuntu-Description: + Certain calculations in the hugetlb code were not correct. A local + attacker could exploit this to cause a kernel panic, leading to a denial + of service. +Notes: + jmm> 2.4 doesn't contain hugetlbfs +Bugs: +upstream: released (2.6.19) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/hugetlb-prio_tree-unit-fix.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [hugetlb-prio_tree-unit-fix.dpatch] +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2007-4571 b/retired/CVE-2007-4571 new file mode 100644 index 00000000..46103f5b --- /dev/null +++ b/retired/CVE-2007-4571 
@@ -0,0 +1,30 @@ +Candidate: CVE-2007-4571 +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ccec6e2c4a74adf76ed4e2478091a311b1806212 + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=788450fa451454cc8ff3593b4f9fdb653c296583 + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.8 + http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=600 +Description: + The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux + Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return + the correct write size, which allows local users to obtain sensitive + information (kernel memory contents) via a small count argument, as + demonstrated by multiple reads of /proc/driver/snd-page-alloc. +Ubuntu-Description: + It was discovered that the ALSA /proc interface did not write the + correct number of bytes when reporting memory allocations. A local + attacker might be able to access sensitive kernel memory, leading to + a loss of privacy. +Notes: + dannf> ABI changer, was reverted from etch-security (r9547) +Bugs: +upstream: released (2.6.22.8) +linux-2.6: released (2.6.22-5) +2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/proc-snd-page-alloc-mem-leak.patch] +2.6.8-sarge-security: N/A "cannot reproduce w/ ALSA in 2.6.8, alsa-driver package was affected/fixed in DSA 1505" +2.4.27-sarge-security: N/A "alsa-driver package was affected/fixed in DSA 1505" +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2007-4997 b/retired/CVE-2007-4997 new file mode 100644 index 00000000..d2b9c569 --- /dev/null +++ b/retired/CVE-2007-4997 
@@ -0,0 +1,28 @@ +Candidate: CVE-2007-4997 +References: + http://git.kernel.org/?p=linux/kernel/git/avi/kvm.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7 + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7 +Description: +Ubuntu-Description: + Chris Evans discovered that the 802.11 network stack did not correctly + handle certain QOS frames. A remote attacker on the local wireless network + could send specially crafted packets that would panic the kernel, resulting + in a denial of service. +Notes: + > The summary is that an evil 80211 frame can crash out a victim's + > machine. It only applies to drivers using the 80211 wireless code, and + > only then to certain drivers (and even then depends on a card's + > firmware not dropping a dubious packet). I must confess I'm not + > keeping track of Linux wireless support, and the different protocol + > stacks etc. + jmm> 04045f98e0457aba7d4e6736f37eed189c48a5f7 +Bugs: +upstream: released (2.6.23) +linux-2.6: released (2.6.23-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/ieee80211-underflow.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/retired/CVE-2007-5087 b/retired/CVE-2007-5087 new file mode 100644 index 00000000..f3fe237a --- /dev/null +++ b/retired/CVE-2007-5087 
@@ -0,0 +1,24 @@ +Candidate: CVE-2007-5087 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.35.y.git;a=commitdiff;h=b7ae15e7707050baafe5a35e3d4f2d175197d222 +Description: + The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is + enabled, allows local users to cause a denial of service (kernel panic) by + reading /proc/net/atm/arp before the CLIP module has been loaded. +Ubuntu-Description: +Notes: +Bugs: + dannf> Vulnerable code was added to 2.4 in: + http://linux.bkbits.net:8080/linux-2.4/?PAGE=gnupatch&REV=1.1448.44.17 + which was after 2.4.27 + dannf> The commit notes that 2.6 isn't vulnerable because the arp entry is + handled in clip.c. I've verified this is true for both 2.6.8 and 2.6.18. +upstream: released (2.4.36-pre2) +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2007-5093 b/retired/CVE-2007-5093 new file mode 100644 index 00000000..f18d7942 --- /dev/null +++ b/retired/CVE-2007-5093 
@@ -0,0 +1,35 @@ +Candidate: CVE-2007-5093 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6-stable.git;a=commitdiff;h=852ffe0acf89f959e8d35080bbd2bdc2d8f2e9e5 + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d + MLIST:20070902 Oops in pwc v4l driver + URL:http://marc.info/?l=linux-kernel&m=118873457814808&w=2 + MLIST:20070903 Re: Oops in pwc v4l driver + URL:http://marc.info/?l=linux-kernel&m=118880154122548&w=2 + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.6 + BID:25504 + URL:http://www.securityfocus.com/bid/25504 +Description: + The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel + 2.6.x before 2.6.22.6 "relies on user space to close the device," which + allows user-assisted local attackers to cause a denial of service (USB + subsystem hang and CPU consumption in khubd) by not closing the device after + the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, + unless the attacker can convince the victim to unplug the affected device. +Ubuntu-Description: + The Philips USB Webcam driver did not correctly handle disconnects. + If a local attacker tricked another user into disconnecting a webcam + unsafely, the kernel could hang or consume CPU resources, leading to + a denial of service. 
+Notes: + kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6ce4 +Bugs: +upstream: released (2.6.22.6) +linux-2.6: released (2.6.23-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) [bugfix/usb-pwc-disconnect-block.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [usb-pwc-disconnect-block.dpatch] +2.4.27-sarge-security: released (2.4.17-10sarge6) [263_usb-pwc-disconnect-block.diff] +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2007-5494 b/retired/CVE-2007-5494 new file mode 100644 index 00000000..3c390e0e --- /dev/null +++ b/retired/CVE-2007-5494 @@ -0,0 +1,16 @@ +Candidate: CVE-2007-5494 +Description: +References: +Ubuntu-Description: +Notes: + jmm> Debian doesn't provide that patch +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2007-5500 b/retired/CVE-2007-5500 new file mode 100644 index 00000000..9d5ad045 --- /dev/null +++ b/retired/CVE-2007-5500 
@@ -0,0 +1,24 @@ +Candidate: CVE-2007-5500 +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=36ef66c5d137b9a31fd8c35d236fb9e26ef74f97 +Description: + wait_task_stopped: Check p->exit_state instead of TASK_TRACED +Ubuntu-Description: + Scott James Remnant discovered that the waitid function could be made + to hang the system. A local attacker could execute a specially crafted + program which would leave the system unresponsive, resulting in a denial + of service. +Notes: + kees> 2.6.15 does not actually lock up -- it just spins in userspace + jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308 + jmm> 2.6.14 is the first major release to be affected, marking earlier versions N/A +Bugs: +upstream: released (2.6.23.8) +linux-2.6: released (2.6.23-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/wait_task_stopped-hang.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-29.61) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/retired/CVE-2007-5904 b/retired/CVE-2007-5904 new file mode 100644 index 00000000..d1fe8b66 --- /dev/null +++ b/retired/CVE-2007-5904 
@@ -0,0 +1,27 @@ +Candidate: CVE-2007-5904 +Description: + Multiple buffer overflows in CIFS VFS in Linux kernel 2.6.23 and earlier + allows remote attackers to cause a denial of service (crash) and possibly + execute arbitrary code via long SMB responses that trigger the overflows in + the SendReceive function. +References: + http://marc.info/?l=linux-kernel&m=119455843205403&w=2 + http://marc.info/?l=linux-kernel&m=119457447724276&w=2 + http://git.kernel.org/?p=linux/kernel/git/sfrench/cifs-2.6.git;a=commit;h=133672efbc1085f9af990bdc145e1822ea93bcf3 +Ubuntu-Description: + Multiple buffer overflows were discovered in the handling of CIFS + filesystems. A malicious CIFS server could cause a client system crash + or possibly execute arbitrary code with kernel privileges. +Notes: + kees> failed mount errors: a761ac579b89bc1f00212a42401398108deba65c +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch5) [bugfix/cifs-better-failed-mount-errors.patch, bugfix/cifs-corrupt-server-response-overflow.patch] +2.6.8-sarge-security: ignored (2.6.8-17sarge2) "needs port if vulnerable" +2.4.27-sarge-security: N/A "No CIFS" +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2007-5938 b/retired/CVE-2007-5938 new file mode 100644 index 00000000..43b3bdad --- /dev/null +++ b/retired/CVE-2007-5938 
@@ -0,0 +1,23 @@ +Candidate: CVE-2007-5938 +Description: + The iwl_set_rate function in compatible/iwl3945-base.c in iwlwifi 1.1.21 and earlier + dereferences an iwl_get_hw_mode return value without checking for NULL, which might + allow remote attackers to cause a denial of service (kernel panic) via unspecified + vectors during module initialization. +References: + http://article.gmane.org/gmane.linux.drivers.ipw3945.devel/1618 + http://bugs.gentoo.org/show_bug.cgi?id=199209 +Ubuntu-Description: +Notes: + jmm> c4ba9621f4f241f8c4d4f620ad4257af59d21f3e +Bugs: +upstream: released (2.6.24-rc4) +linux-2.6: released (2.6.23-2) +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2007-5966 b/retired/CVE-2007-5966 new file mode 100644 index 00000000..cfcaf9cb --- /dev/null +++ b/retired/CVE-2007-5966 @@ -0,0 +1,17 @@ +Candidate: CVE-2007-5966 +Description: +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5;hp=f194d132e4971111f85c18c96067acffb13cee6d +Ubuntu-Description: +Notes: + dannf> hrtimer.c file didn't exist in 2.4.27/2.6.8 +Bugs: +upstream: released (2.6.24-rc5) +linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10] +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/hrtimer-large-relative-timeouts-overflow.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2007-6063 b/retired/CVE-2007-6063 new file mode 100644 index 00000000..5187ccc6 --- /dev/null +++ b/retired/CVE-2007-6063 
@@ -0,0 +1,22 @@ +Candidate: CVE-2007-6063 +Description: + Buffer overflow in the isdn_net_setcfg function in isdn_net.c in Linux kernel + 2.6.23 allows local users to have an unknown impact via a crafted argument to + the isdn_ioctl function. +References: + http://bugzilla.kernel.org/show_bug.cgi?id=9416 + http://www.securityfocus.com/bid/26605 + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40 +Ubuntu-Description: +Notes: + jmm> eafe1aa37e6ec2d56f14732b5240c4dd09f0613a +Bugs: +upstream: released (2.6.24-rc4) [0f13864e5b24d9cbe18d125d41bfa4b726a82e40] +linux-2.6: released (2.6.23-2) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/isdn-net-overflow.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [isdn-net-overflow.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [257_isdn-net-overflow.diff] +2.6.15-dapper-security: released (2.6.15-51.65) +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2007-6151 b/retired/CVE-2007-6151 new file mode 100644 index 00000000..9e2973e4 --- /dev/null +++ b/retired/CVE-2007-6151 
@@ -0,0 +1,19 @@ +Candidate: CVE-2007-6151 +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=eafe1aa37e6ec2d56f14732b5240c4dd09f0613a +Description: + The isdn_ioctl function in isdn_common.c in Linux kernel 2.6.23 allows + local users to cause a denial of service via a struct in which iocts is + not null terminated, which triggers a buffer overflow. +Ubuntu-Description: +Notes: +Bugs: +upstream: +linux-2.6: released (2.6.23-2) +2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/i4l-isdn_ioctl-mem-overrun.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [i4l-isdn_ioctl-mem-overrun.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [256_i4l-isdn_ioctl-mem-overrun.diff] +2.6.15-dapper-security: released (2.6.15-51.65) +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2007-6206 b/retired/CVE-2007-6206 new file mode 100644 index 00000000..280260a8 --- /dev/null +++ b/retired/CVE-2007-6206 
@@ -0,0 +1,21 @@ +Candidate: CVE-2007-6206 +Description: + Linux kernel 2.4.x and 2.6.x up to 2.6.24-rc3, and possibly other versions, + does not change the UID of a core dump file if it exists before a root process + creates a core dump in the same location, which might allow local users to + obtain sensitive information. +References: + http://bugzilla.kernel.org/show_bug.cgi?id=3043 + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c46f739dd39db3b07ab5deb4e3ec81e1c04a91af +Ubuntu-Description: +Notes: +Bugs: +upstream: pending (2.6.24) +linux-2.6: needed +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/coredump-only-to-same-uid.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [coredump-only-to-same-uid.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [253_coredump-only-to-same-uid.diff] +2.6.15-dapper-security: released (2.6.15-51.65) +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2007-6417 b/retired/CVE-2007-6417 new file mode 100644 index 00000000..63149b02 --- /dev/null +++ b/retired/CVE-2007-6417 
@@ -0,0 +1,23 @@ +Candidate: CVE-2007-6417 +Description: + The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11 through 2.6.23 does + not properly clear allocated memory in some rare circumstances, which might allow + local users to read sensitive kernel data or cause a denial of service (crash). +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e84e2e132c9c66d8498e7710d4ea532d1feaaac5 + http://marc.info/?l=linux-kernel&m=119627664702379&w=2 + http://marc.info/?l=linux-kernel&m=119743651829347&w=2 + http://marc.info/?l=linux-kernel&m=119769771026243&w=2 +Ubuntu-Description: +Notes: + dannf> Commit log suggests this was a regression introduced in 2.6.11 +Bugs: +upstream: released (2.6.22.15, 2.6.23.10, 2.6.24-rc4) [e84e2e132c9c66d8498e7710d4ea532d1feaaac5] +linux-2.6: released (2.6.23-2) [bugfix/all/2.6.23.10] +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch6) [bugfix/tmpfs-restore-clear_highpage.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-51.65) +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2007-6694 b/retired/CVE-2007-6694 new file mode 100644 index 00000000..15e09d05 --- /dev/null +++ b/retired/CVE-2007-6694 
@@ -0,0 +1,28 @@ +Candidate: CVE-2007-6694 +Description: + The chrp_show_cpuinfo function (chrp/setup.c) in Linux kernel 2.4.21 + through 2.6.18-53, when running on PowerPC, might allow local users + to cause a denial of service (crash) via unknown vectors that cause + the of_get_property function to fail, which triggers a NULL pointer + dereference. +References: + http://marc.info/?l=linux-kernel&m=119576191029571&w=2 +Ubuntu-Description: + It was discovered that PowerPC kernels did not correctly handle reporting + certain system details. By requesting a specific set of information, + a local attacker could cause a system crash resulting in a denial + of service. +Notes: + jmm> This appears more of a regular bug with a specific piece of hw + jmm> than a security problem. Do we support the chrp POWER platform? +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/powerpc-chrp-null-deref.patch] +2.6.8-sarge-security: released (2.6.8-17sarge2) [powerpc-chrp-null-deref.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [265_powerpc-chrp-null-deref.diff] +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: released (2.6.24-19.34) diff --git a/retired/CVE-2007-6712 b/retired/CVE-2007-6712 new file mode 100644 index 00000000..c07bae11 --- /dev/null +++ b/retired/CVE-2007-6712 
@@ -0,0 +1,19 @@ +Candidate: CVE-2007-6712 +Description: + Integer overflow in the hrtimer_forward function (hrtimer.c) in Linux + kernel 2.6.21-rc4, when running on 64-bit systems, allows local users to + cause a denial of service (infinite loop) via a timer with a large expiry + value, which causes the timer to always be expired. +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5a7780e725d1bb4c3094fcc12f1c5c5faea1e988 +Ubuntu-Description: +Notes: +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/hrtimer-prevent-overrun.patch, bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch] +2.6.24-etchnhalf-security: N/A +2.6.15-dapper-security: N/A +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2008-0001 b/retired/CVE-2008-0001 new file mode 100644 index 00000000..1539005c --- /dev/null +++ b/retired/CVE-2008-0001 @@ -0,0 +1,16 @@ +Candidate: CVE-2008-0001 +Description: +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a +Ubuntu-Description: +Notes: +Bugs: +upstream: released (2.6.23.14, 2.6.24-rc8) +linux-2.6: released (2.6.24-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-17etch1) [bugfix/vfs-use-access-mode-flag.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: released (2.6.15-51.65) +2.6.17-edgy-security: released (2.6.17.1-12.43) +2.6.20-feisty-security: released (2.6.20-16.34) +2.6.22-gutsy-security: released (2.6.22-14.48) diff --git a/retired/CVE-2008-0007 b/retired/CVE-2008-0007 new file mode 100644 index 00000000..3f588fa9 --- /dev/null +++ b/retired/CVE-2008-0007 
@@ -0,0 +1,23 @@ +Candidate: CVE-2008-0007 +Description: + Linux kernel before 2.6.22.17, when using certain drivers that register + a fault handler that does not perform range checks, allows local users + to access kernel memory via an out-of-range offset. +References: +Ubuntu-Description: + It was discovered that some device driver fault handlers did not + correctly verify memory ranges. A local attacker could exploit this + to access sensitive kernel memory, possibly leading to a loss of privacy. +Notes: +Bugs: +upstream: released (2.6.24.1) +linux-2.6: released (2.6.24-4) +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/mmap-VM_DONTEXPAND.patch] +2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch] +2.6.8-sarge-security: released (2.6.8-17sarge1) [mmap-VM_DONTEXPAND.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge6) [264_mmap-VM_DONTEXPAND.diff] +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2008-0009 b/retired/CVE-2008-0009 new file mode 100644 index 00000000..054dc29f --- /dev/null +++ b/retired/CVE-2008-0009 @@ -0,0 +1,17 @@ +Candidate: CVE-2008-0009 +Description: +References: +Ubuntu-Description: +Notes: +Bugs: +upstream: released (2.6.24.1) +linux-2.6: released (2.6.24-4) +2.6.18-etch-security: N/A +2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2008-0010 b/retired/CVE-2008-0010 new file mode 100644 index 00000000..5384b024 --- /dev/null +++ b/retired/CVE-2008-0010 
@@ -0,0 +1,16 @@ +Candidate: CVE-2008-0010 +Description: +References: +Ubuntu-Description: +Notes: +Bugs: +upstream: released (2.6.24.1) +linux-2.6: released (2.6.24-4) +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1) +2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.1.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2008-0163 b/retired/CVE-2008-0163 new file mode 100644 index 00000000..77eddcc3 --- /dev/null +++ b/retired/CVE-2008-0163 @@ -0,0 +1,17 @@ +Candidate: CVE-2008-0163 +Description: +References: +Ubuntu-Description: +Notes: +Bugs: +upstream: N/A +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1) +2.6.24-etchnhalf-security: N/A "no vserver support" +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2008-0352 b/retired/CVE-2008-0352 new file mode 100644 index 00000000..24ac94b8 --- /dev/null +++ b/retired/CVE-2008-0352 
@@ -0,0 +1,25 @@ +Candidate: CVE-2008-0352 +Description: + The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a + denial of service (panic) via a certain IPv6 packet, possibly involving the + Jumbo Payload hop-by-hop option +References: + http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2 +Ubuntu-Description: +Notes: + jmm> 08a6507044dd70c326de3ea484fd6d29b8101f17 + jmm> http://bugzilla.kernel.org/show_bug.cgi?id=8450 + dannf> Looks like this isn't an issue before + a11d206d0f88e092419877c7f706cafb5e1c2e57 + Which appeared between 2.6.19 and 2.6.20 + kees> this is a dup of CVE-2007-4567 +Bugs: +upstream: released (2.6.21.2) +linux-2.6: released (2.6.22-1) +2.6.18-etch-security: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: N/A (dup of CVE-2007-4567) +2.6.22-gutsy-security: N/A diff --git a/retired/CVE-2008-0600 b/retired/CVE-2008-0600 new file mode 100644 index 00000000..23a12e99 --- /dev/null +++ b/retired/CVE-2008-0600 @@ -0,0 +1,22 @@ +Candidate: CVE-2008-0600 +Description: + The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 + does not validate a certain userspace pointer before dereference, which + allows local users to gain root privileges via crafted arguments in + a vmsplice system call, a different vulnerability than CVE-2008-0009 + and CVE-2008-0010. +References: +Ubuntu-Description: +Notes: +Bugs: +upstream: released (2.6.24.2) +linux-2.6: released (2.6.24-4) +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch1) +2.6.24-etchnhalf-security: released (2.6.24-4) [bugfix/all/stable/2.6.24.2.patch] +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.6.15-dapper-security: N/A +2.6.17-edgy-security: released (2.6.17.1-12.44) +2.6.20-feisty-security: released (2.6.20-16.35) +2.6.22-gutsy-security: released (2.6.22-14.52) +2.6.24-hardy-security: N/A 
diff --git a/retired/CVE-2008-1294 b/retired/CVE-2008-1294 new file mode 100644 index 00000000..9f6ac748 --- /dev/null +++ b/retired/CVE-2008-1294 @@ -0,0 +1,27 @@ +Candidate: CVE-2008-1294 +Description: + Linux kernel 2.6.17, and other versions before 2.6.22, does not check + when a user attempts to set RLIMIT_CPU to 0 until after the change is + made, which allows local users to bypass intended resource limits. +References: +Ubuntu-Description: + It was discovered that CPU resource limits could be bypassed. + A malicious local user could exploit this to avoid administratively + imposed resource limits. +Notes: + https://launchpad.net/bugs/107209 + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419706 + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9926e4c74300c4b31dee007298c6475d33369df0 + kees> for pre-2.6.17 kernels, two additional commits are needed: + kees> ec9e16bacdba1da1ee15dd162384e22df5c87e09 + kees> e0661111e5441995f7a69dc4336c9f131cb9bc58 +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/RLIMIT_CPU-earlier-checking.patch] +2.6.24-etchnhalf-security: N/A +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: N/A diff --git a/retired/CVE-2008-1375 b/retired/CVE-2008-1375 new file mode 100644 index 00000000..27075c84 --- /dev/null +++ b/retired/CVE-2008-1375 
@@ -0,0 +1,23 @@ +Candidate: CVE-2008-1375 +Description: + dnotify race +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=214b7049a7929f03bbd2786aaef04b8b79db34e2 +Ubuntu-Description: + A race condition was discovered between dnotify fcntl() and close() in + the kernel. If a local attacker performed malicious dnotify requests, + they could cause memory consumption leading to a denial of service, + or possibly send arbitrary signals to any process. +Notes: + kees> ABI changer due to header addition? + kees> http://svn.debian.org/wsvn/kernel/dists/etch-security/linux-2.6/debian/patches/bugfix/dnotify-race-avoid-abi-change.patch?op=file&rev=0&sc=0 +Bugs: +upstream: released (2.6.26-rc1) +linux-2.6: released (2.6.25-2) +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch2) [bugfix/dnotify-race.patch] +2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch] +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.17-edgy-security: ignored (EOL) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: released (2.6.24-19.34) diff --git a/retired/CVE-2008-1615 b/retired/CVE-2008-1615 new file mode 100644 index 00000000..9c297dd3 --- /dev/null +++ b/retired/CVE-2008-1615 
@@ -0,0 +1,18 @@ +Candidate: CVE-2008-1615 +Description: + Linux kernel 2.6.18, and possibly other versions, when running on AMD64 + architectures, allows local users to cause a denial of service (crash) + via certain ptrace calls. +References: +Ubuntu-Description: +Notes: + kees> http://marc.info/?l=linux-kernel&m=120219781932243 +Bugs: +upstream: +linux-2.6: +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch5) [bugfix/amd64-cs-corruption.patch] +2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.3) [bugfix/amd64-cs-corruption.patch] +2.6.15-dapper-security: pending +2.6.20-feisty-security: pending +2.6.22-gutsy-security: pending +2.6.24-hardy-security: pending diff --git a/retired/CVE-2008-1669 b/retired/CVE-2008-1669 new file mode 100644 index 00000000..900a997a --- /dev/null +++ b/retired/CVE-2008-1669 @@ -0,0 +1,20 @@ +Candidate: CVE-2008-1669 +Description: + "add rcu_read_lock() to fs/locks.c and fix fcntl store/load" +References: +Ubuntu-Description: + On SMP systems, a race condition existed in fcntl(). Local attackers + could perform malicious locks, causing system crashes and leading to + a denial of service. +Notes: + kees> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 + kees> linux-2.6.24.y: 0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70 +Bugs: +upstream: released (2.6.24.7, 2.6.25.2) +linux-2.6: released (2.6.25-2) +2.6.18-etch-security: released (2.6.18.dfsg.1-18etch4) [bugfix/fcntl_setlk-close-race.patch] +2.6.24-etchnhalf-security: released (2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.7.patch] +2.6.15-dapper-security: released (2.6.15-52.67) +2.6.20-feisty-security: released (2.6.20-17.36) +2.6.22-gutsy-security: released (2.6.22-15.54) +2.6.24-hardy-security: released (2.6.24-19.34) diff --git a/retired/CVE-2008-1675 b/retired/CVE-2008-1675 new file mode 100644 index 00000000..0e3f1637 --- /dev/null +++ b/retired/CVE-2008-1675 
@@ -0,0 +1,20 @@ +Candidate: CVE-2008-1675 +Description: +References: + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=a30678eb8ce99a7b4c716ad41c8c10a04d731127 + http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=commitdiff;h=f1b6098616f329d26199f278f228a7b27d36558d +Ubuntu-Description: + The tehuti network driver did not correctly handle certain IO functions. + A local attacker could perform malicious requests to the driver, + potentially accessing kernel memory, leading to privilege escalation + or access to private system information. +Notes: +Bugs: +upstream: released (2.6.24.6) +linux-2.6: released (2.6.24-7) +2.6.18-etch-security: N/A +2.6.24-etchnhalf-security: released (linux-2.6.24 2.6.24-6~etchnhalf.2) [bugfix/all/stable/2.6.24.6.patch] +2.6.15-dapper-security: N/A +2.6.20-feisty-security: N/A +2.6.22-gutsy-security: N/A +2.6.24-hardy-security: released (2.6.24-19.34) diff --git a/retired/block-all-signals-race b/retired/block-all-signals-race new file mode 100644 index 00000000..bfe3285b --- /dev/null +++ b/retired/block-all-signals-race @@ -0,0 +1,17 @@ +Candidate: Needed +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=c70d3d703ad94727dab2a3664aeee33d71e00715 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=9ac95f2f90e022c16d293d7978faddf7e779a1a9 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=1ff0be1534839dabec85f6d16dc36734f4e158bf + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=21b4da78c941f292f6daf87abb562d6285216e51 +Description: + Race in copy_signhand()/do_sigaction that lets you create small processes that + block all signals, including SIGKILL. +Notes: +Bugs: +upstream: +linux-2.6: pending (2.6.15.5) +2.6.8-sarge-security: +2.4.27-sarge-security: +2.6.18-etch-security: N/A + |
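Review bot: In retired/CVE-2007-6694 the `upstream:` and `linux-2.6:` lines are left empty although the entry is being retired and every distribution line reads released; record the upstream fix (the marc.info thread in References is the only pointer) or mark both N/A so the retirement is traceable. The question in Notes ("Do we support the chrp POWER platform?") is left open even though the fix was shipped for etch, sarge and 2.4.27; a one-line reply closing it would keep Notes from reading as unresolved.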
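Review bot: In retired/CVE-2007-6712 the Description limits the hrtimer_forward overflow to 64-bit systems, yet the etch fix list also carries bugfix/ktime-fix-MTIME_SEC_MAX-on-32-bit.patch; a Notes line saying why the second patch is required (prerequisite, or the 32-bit side of the same bug) would stop a later reader from dropping it as out of scope. `upstream:` and `linux-2.6:` are empty although the References commit identifies the upstream fix, and Ubuntu-Description is blank.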
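Review bot: In retired/CVE-2008-0001 the Description field is empty; the only content is the upstream commit URL and the patch name bugfix/vfs-use-access-mode-flag.patch. Retired entries get consulted later without the commit at hand, so the CVE text, or at least a one-line summary of the access-mode check being corrected, should be filled in before the file moves to retired/.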
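Review bot: In retired/CVE-2008-0007 References is empty while every distribution line cites a fix; the upstream commit carried as mmap-VM_DONTEXPAND should be listed. The 2.6.24-hardy-security line reads N/A while 2.6.24-etchnhalf-security is released with bugfix/all/stable/2.6.24.1.patch for the same 2.6.24 base; if hardy already shipped with 2.6.24.1 folded in, say so in Notes, because as written the two lines contradict each other.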
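Review bot: In retired/CVE-2008-0009 and retired/CVE-2008-0010 both Description and References are empty; the only context is the CVE-2008-0600 entry in this same commit, which names them as the other two vmsplice issues. Without a Description a reader cannot check why 2.6.18-etch-security is N/A for CVE-2008-0009 but released (2.6.18.dfsg.1-18etch1) for CVE-2008-0010; add the CVE text and the upstream commits for each before retiring.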
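Review bot: In retired/CVE-2008-0163 Description and References are empty, and the only hint at what the issue is comes from the quoted reason on the etchnhalf line ("no vserver support"); the 2.6.18-etch-security line released (2.6.18.dfsg.1-18etch1) carries no patch name either. State in Description that this is a vserver-featureset issue and reference the fix, otherwise the record explains neither what was fixed nor where.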
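Review bot: In retired/CVE-2008-0352 the kees> conclusion that the issue duplicates CVE-2007-4567 is reflected only on the 2.6.20-feisty-security line, yet the remaining N/A lines and the retirement itself rest on it; state the duplicate at the top of Notes or in Description, and consider whether upstream: released (2.6.21.2) should instead defer to the CVE-2007-4567 entry. The Description sentence is missing its final period.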
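Review bot: In retired/CVE-2008-0600 References is empty for a local root issue in vmsplice_to_pipe; the upstream commit behind the 2.6.24.2 stable release named on the upstream: line should be recorded. The 2.6.18-etch-security line released (2.6.18.dfsg.1-18etch1) gives no patch name, unlike the other etch lines in this commit, so it is not obvious which patch in the 18etch1 upload is this fix.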
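Review bot: In retired/CVE-2008-1294 the Bugs list has no 2.6.8-sarge-security or 2.4.27-sarge-security lines even though the kees> notes specifically list the two extra commits needed for pre-2.6.17 kernels; other entries in this commit carry the sarge lines, so add them (released with those commits, ignored (EOL), or N/A with a reason). The Launchpad, Debian bug and git URLs sitting under Notes belong in the empty References field.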
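Review bot: In retired/CVE-2008-1375 the Description "dnotify race" is too terse for a retired record; the Ubuntu-Description already summarises it (race between dnotify fcntl() and close(), leading to memory consumption or arbitrary signals), so the same text or the CVE wording should go in Description. The kees> ABI question appears to have been settled by the dnotify-race-avoid-abi-change.patch linked directly below it; a closing line saying so would help.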
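Review bot: retired/CVE-2008-1615 is moved to retired/ with four Ubuntu lines still reading pending (2.6.15-dapper, 2.6.20-feisty, 2.6.22-gutsy, 2.6.24-hardy); either retirement should wait until those are released or marked, or the lines should be updated in this commit. References is empty while the kees> note carries the marc.info thread, and the Description says "and possibly other versions" yet no 2.6.8-sarge or 2.4.27-sarge lines are present.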
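Review bot: In retired/CVE-2008-1669 the Description is a quoted commit subject ("add rcu_read_lock() to fs/locks.c and fix fcntl store/load") rather than a statement of the problem; the Ubuntu-Description (fcntl() race on SMP leading to crashes) is closer to what a reader needs. The two commit ids in Notes, the torvalds-tree commit and the linux-2.6.24.y backport, are the actual fix references and should be moved into the empty References field.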
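Review bot: In retired/CVE-2008-1675 Description is empty, and the 2.6.24-etchnhalf-security line uses a different version format, released (linux-2.6.24 2.6.24-6~etchnhalf.2), from the rest of the commit (released (2.6.24-6~etchnhalf.2) in the CVE-2008-1375 and CVE-2008-1669 entries); normalise it so that anything parsing these lines by the version in parentheses does not trip on the extra package name.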
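Review bot: retired/block-all-signals-race still reads Candidate: Needed and linux-2.6: pending (2.6.15.5), with the 2.6.8-sarge-security and 2.4.27-sarge-security lines empty, so nothing in the record says the fix was released or why the entry is being retired; at minimum set linux-2.6 to released, fill or N/A the sarge lines, and note that no CVE was ever assigned. The Description names copy_signhand(); the kernel function is copy_sighand().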