author: Moritz Muehlenhoff <jmm@debian.org> 2008-04-04 08:22:59 +0000
committer: Moritz Muehlenhoff <jmm@debian.org> 2008-04-04 08:22:59 +0000
commit: e824eab7fea625551e3ee27c390cf894cfbfba04
tree: 239de3139175e9b98d4e2a45e1962aa10beb2e92 /retired
parent: 60ddf7542af3875373d9827c167f1d51926a8f6d
retire some issues now that Sarge support has ended
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1154 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
-rw-r--r-- retired/CVE-2005-0977 | 22
-rw-r--r-- retired/CVE-2005-1265 | 14
-rw-r--r-- retired/CVE-2006-0558 | 25
-rw-r--r-- retired/CVE-2006-2448 | 19
-rw-r--r-- retired/CVE-2006-3468 | 31
-rw-r--r-- retired/CVE-2006-4572 | 25
-rw-r--r-- retired/CVE-2006-5755 | 30
-rw-r--r-- retired/CVE-2006-6060 | 34
-rw-r--r-- retired/CVE-2007-0958 | 21
-rw-r--r-- retired/CVE-2007-2453 | 27
10 files changed, 248 insertions, 0 deletions
diff --git a/retired/CVE-2005-0977 b/retired/CVE-2005-0977
new file mode 100644
index 00000000..77b44a61
--- /dev/null
+++ b/retired/CVE-2005-0977
@@ -0,0 +1,22 @@
+Candidate: CVE-2005-0977
+References:
+ http://www.ubuntulinux.org/support/documentation/usn/usn-103-1
+ http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg
+ http://lkml.org/lkml/2005/2/5/111
+ http://www.securityfocus.com/bid/12970
+Description:
+ The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel
+ 2.6 does not properly verify the address argument, which allows local users
+ to cause a denial of service (kernel crash) via an invalid address.
+Notes:
+ dannf> 2.4 does look vulnerable, but the 2.6 fix won't work directly because
+ dannf> 2.4 doesn't have i_size_read(). The 2.6 i_size_read() uses seqlocks,
+ dannf> which aren't in 2.4, so the port isn't trivial for me.
+ dannf> Forwarded to Willy Tarreau on 2008.01.17
+Bugs: 303177
+upstream: released (2.6.11)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16) [mm-shmem-truncate.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
+2.6.18-etch-security: N/A
+
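Review bot: the 2.4.27 line is retired while still carrying an open request, `2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"`, and the Notes end with `dannf> Forwarded to Willy Tarreau on 2008.01.17` with no outcome. Since the commit message gives the reason for retirement (Sarge support ended), the quoted reason on that status line should say that the port was never completed before end of support, so a later reader does not take the porting request as still pending. Minor: this file ends with a trailing blank `+` line while CVE-2005-1265 and several other records in this commit do not; pick one convention for the record files.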
diff --git a/retired/CVE-2005-1265 b/retired/CVE-2005-1265
new file mode 100644
index 00000000..c9175d46
--- /dev/null
+++ b/retired/CVE-2005-1265
@@ -0,0 +1,14 @@
+Candidate: CVE-2005-1265
+References: http://www.ubuntulinux.org/support/documentation/usn/usn-137-1
+Description:
+ The mmap function in the Linux Kernel 2.6.10 can be used to create memory
+ maps with a start address beyond the end address, which allows local users
+ to cause a denial of service (kernel crash)
+Notes:
+ jmm> I've pulled the patch by Linus from the above-mentioned Ubuntu advisory
+Bugs:
+upstream: released (2.6.12)
+linux-2.6: N/A
+2.6.8-sarge-security: released (2.6.8-16sarge1) [mm-mmap-range-test.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "not sure if it affects 2.4 - code is very different; need porting help"
+2.6.18-etch-security: N/A
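Review bot: `Bugs:` is left empty, and `References: http://www.ubuntulinux.org/...` puts the URL on the header line while every other record in this commit lists references indented on the following lines; move it to its own indented line for consistency. The 2.4.27 status `ignored ... "not sure if it affects 2.4 - code is very different; need porting help"` records an unresolved question rather than a decision, so as with CVE-2005-0977 the quoted reason should state that the question was not settled before Sarge support ended.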
diff --git a/retired/CVE-2006-0558 b/retired/CVE-2006-0558
new file mode 100644
index 00000000..105ad3f8
--- /dev/null
+++ b/retired/CVE-2006-0558
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-0558
+References:
+ MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero
+ URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688
+ CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082
+ BID:17482
+ URL:http://www.securityfocus.com/bid/17482
+Description:
+ perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users
+ to cause a denial of service (crash) by interrupting a task while another
+ process is accessing the mm_struct, which triggers a BUG_ON action in the
+ put_page_testzero function.proc
+Notes:
+ dannf> This issue is unreproducible in 2.6.16, according to:
+ dannf> http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2
+ dannf> So, I'm marking upstream as 2.6.16
+ .
+ dannf> I have a reproducer from SGI. It causes 2.6.8 to oops, but needs to
+ dannf> be ported to the 2.4 perfmon API to test 2.4.27
+Bugs: 365375
+upstream: released (2.6.16)
+linux-2.6: released (2.6.16-1)
+2.6.8-sarge-security: released (2.6.8-16sarge3) [perfmon-exit-race.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help"
+2.6.18-etch-security: N/A
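Review bot: the Description ends with `put_page_testzero function.proc`, where the trailing `proc` is a stray fragment after the full stop and should be dropped. The lone ` .` line between the two dannf> notes is a separator convention no other record in this commit uses; an empty `dannf>` line or simply a second note block would read more clearly. The 2.4.27 line is `ignored ... "need porting help"` while the Notes say a reproducer exists that still needs porting to the 2.4 perfmon API; the quoted reason should record that this was not done before Sarge support ended.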
diff --git a/retired/CVE-2006-2448 b/retired/CVE-2006-2448
new file mode 100644
index 00000000..e345f7e2
--- /dev/null
+++ b/retired/CVE-2006-2448
@@ -0,0 +1,19 @@
+Candidate: CVE-2006-2448
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c85d1f9d358b24c5b05c3a2783a78423775a080
+Description:
+ Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not
+ perform certain required access_ok checks, which allows local users to read
+ arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of
+ service (crash) and possibly read kernel memory on 32-bit systems
+ (signal_32.c).
+Notes:
+ dannf> Code has changed significantly since 2.6.8, its not clear to me
+ if this fix is needed or how to apply it.
+Bugs:
+upstream: released (2.6.16.21)
+linux-2.6: released (2.6.16-15)
+2.6.8-sarge-security: ignored (2.6.8-16sarge5)
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
+2.6.18-etch-security: N/A
+
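Review bot: the second note line, ` if this fix is needed or how to apply it.`, lacks the `dannf>` prefix that the first line carries, so it reads as an unattributed continuation; prefix it like the other multi-line notes in this commit, and `its not clear` should be `it's not clear`. Both `2.6.8-sarge-security: ignored (2.6.8-16sarge5)` and `2.4.27-sarge-security: ignored (2.4.27-10sarge4)` lack the quoted reason string the other records use (e.g. `"need porting help"`); the reason already in the note (code changed significantly since 2.6.8) belongs on those lines. `Bugs:` is empty.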
diff --git a/retired/CVE-2006-3468 b/retired/CVE-2006-3468
new file mode 100644
index 00000000..380b97b0
--- /dev/null
+++ b/retired/CVE-2006-3468
@@ -0,0 +1,31 @@
+Candidate: CVE-2006-3468
+References:
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9
+Description:
+ Linux kernel 2.6.x, when using both NFS and EXT3, allows remote
+ attackers to cause a denial of service (file system panic) via a
+ crafted UDP packet with a V2 lookup procedure that specifies a bad
+ file handle (inode number), which triggers an error and causes an
+ exported directory to be remounted read-only.
+Ubuntu-Description:
+ James McKenzie discovered a Denial of Service vulnerability in the
+ NFS driver. When exporting an ext3 file system over NFS, a remote
+ attacker could exploit this to trigger a file system panic by sending
+ a specially crafted UDP packet.
+Notes:
+ http://lkml.org/lkml/2006/7/20/1: proposed patch
+ unclear whether 2.4 is affected
+ dannf> Submitted to Adrian Bunk for inclusion in 2.6.16.x
+ dannf> ignoring 2.4 till a fix goes upstream
+Bugs:
+ https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199172
+upstream: released (2.6.17.8, 2.6.18-rc4)
+linux-2.6: released (2.6.18-1)
+2.6.8-sarge-security: released (2.6.8-16sarge5) [fs-ext3-bad-nfs-handle.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge4)
+2.6.10-hoary-security: released (2.6.10-34.23)
+2.6.12-breezy-security: released (2.6.12-10.37)
+2.6.15-dapper-security: released (2.6.15-26.47)
+2.6.17-edgy: released (2.6.17-10.30)
+2.6.18-etch-security: N/A
+
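Review bot: the note `dannf> ignoring 2.4 till a fix goes upstream` is stale against `upstream: released (2.6.17.8, 2.6.18-rc4)`, and `2.4.27-sarge-security: ignored (2.4.27-10sarge4)` carries no quoted reason; either record that the 2.4 port was not done before Sarge support ended, or mark the line N/A if the earlier note `unclear whether 2.4 is affected` was resolved. The first two Notes lines carry no `name>` prefix, unlike the rest of the notes in this commit.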
diff --git a/retired/CVE-2006-4572 b/retired/CVE-2006-4572
new file mode 100644
index 00000000..6b5d7356
--- /dev/null
+++ b/retired/CVE-2006-4572
@@ -0,0 +1,25 @@
+Candidate: CVE-2006-4572
+References:
+ URL:http://readlist.com/lists/vger.kernel.org/linux-kernel/55/275979.html
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6d381634d213580d40d431e7664dfb45f641b884
+ http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51d8b1a65291a6956b79374b6adbbadc2263bcf6
+Description:
+ Multiple unspecified vulnerabilities in netfilter for IPv6 code in Linux
+ kernel before 2.6.16.31 allow remote attackers to bypass intended restrictions
+ via unknown vectors, aka (1) "ip6_tables protocol bypass bug" and
+ (2) "ip6_tables extension header bypass bug".
+Ubuntu-Description:
+ Mark Dowd discovered that the netfilter iptables module did not
+ correcly handle fragmented packets. By sending specially crafted
+ packets, a remote attacker could exploit this to bypass firewall
+ rules.
+Notes:
+ dannf> port to 2.4.27/2.6.8 is non-trivial, ignoring for now
+Bugs:
+upstream: released (2.6.19)
+linux-2.6: released (2.6.18.dfsg.1-9)
+2.6.18-etch-security: released (2.6.18.dfsg.1-9)
+2.6.8-sarge-security: ignored (2.6.8-16sarge7)
+2.4.27-sarge-security: ignored (2.4.27-10sarge6)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-10.34)
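Review bot: the status lines here put `2.6.18-etch-security` before the sarge lines, whereas the earlier records in this commit list the sarge lines before etch; keep one field order so the records can be compared across files. Both sarge lines are `ignored` with the reason only in the note (`dannf> port to 2.4.27/2.6.8 is non-trivial, ignoring for now`) rather than in the quoted string after the status as the other records do. In References, one entry is prefixed `URL:` and the two kernel.org entries are bare; use one style. `correcly` in the Ubuntu-Description is a typo.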
diff --git a/retired/CVE-2006-5755 b/retired/CVE-2006-5755
new file mode 100644
index 00000000..3c21071d
--- /dev/null
+++ b/retired/CVE-2006-5755
@@ -0,0 +1,30 @@
+Candidate: CVE-2006-5755
+References:
+ http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9
+Description:
+ Linux kernel before 2.6.18, when running on x86_64 systems, does not
+ properly save or restore EFLAGS during a context switch, which allows
+ local users to cause a denial of service (crash) by causing SYSENTER
+ to set an NT flag, which can trigger a crash on the IRET of the next
+ task.
+Ubuntu-Description:
+ The task switching code did not save and restore EFLAGS of processes.
+ By starting a specially crafted executable, a local attacker could
+ exploit this to eventually crash many other running processes. This
+ only affects the amd64 platform.
+Notes:
+ jmm> 658fdbef66e5e9be79b457edc2cbbb3add840aa9
+ jmm> amd64 equivalent of CVE-2006-5173
+ jmm> http://www.mail-archive.com/kgdb-bugreport@lists.sourceforge.net/msg00559.html
+ dannf> marking sarge/2.4 N/A since we released no sarge/2.4/amd64 kernel
+ dannf> ignoring for sarge7 because backport is non-trivial
+ jmm> Affects xen
+Bugs:
+upstream: released (2.6.18)
+linux-2.6: released (2.6.18-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4)
+2.6.8-sarge-security: ignored (2.6.8-16sarge7)
+2.4.27-sarge-security: N/A
+2.6.12-breezy-security: released (2.6.12-10.43)
+2.6.15-dapper-security: released (2.6.15-28.51)
+2.6.17-edgy-security: released (2.6.17.1-11.35)
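Review bot: `2.6.8-sarge-security: ignored (2.6.8-16sarge7)` gives no reason on the line; the justification is in the note `dannf> ignoring for sarge7 because backport is non-trivial`, so quote it on the status line as the other records do. The note `jmm> Affects xen` records a flavour impact, but none of the status lines says whether the etch upload `2.6.18.dfsg.1-13etch4` covered the xen flavour; a word on the etch line would close that note instead of retiring it as an open item.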
diff --git a/retired/CVE-2006-6060 b/retired/CVE-2006-6060
new file mode 100644
index 00000000..5fb5a10e
--- /dev/null
+++ b/retired/CVE-2006-6060
@@ -0,0 +1,34 @@
+Candidate: CVE-2006-6060
+References:
+ MISC:http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
+Description:
+ The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly
+ other versions, allows local users to cause a denial of service (CPU
+ consumption) via a malformed NTFS file stream that triggers an infinite loop
+ in the __find_get_block_slow function.
+Ubuntu-Description:
+Notes:
+ fixed by patch for CVE-2006-5757 since the bug is in the common
+ __find_get_block_slow() function.
+ dannf> reproducer at http://projects.info-pull.com/mokb/MOKB-19-11-2006.html
+ dannf> I mounted the reproducer fs on an ia64/2.4.27 system and though
+ it didn't cause an infinite loop, the system did lock up hard
+ jmm> e5657933863f43cc6bb76a54d659303dafaa9e58 in Linus git
+ dannf> The reproducer causes i386/2.4.36 to oops; but if this patch is
+ backported and applied it will print:
+ NTFS: Problem with runlist in extended record
+ ... and then oops.
+ So, I'm guessing this patch makes things better, but I don't think
+ its worth the risk of applying it unless the other oops gets fixed
+ as well.
+ dannf> Unpatched 2.4.27 oopses and prints the same runlist message that
+ patched 2.4.36 prints
+Bugs:
+upstream: released (2.6.19)
+linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Fixes an oops, only to hit another oops"
+2.6.15-dapper-security: N/A - fixed in CVE-2006-5757
+2.6.17-edgy-security: N/A - already applied.
+2.6.20-feisty-security: N/A
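Review bot: `Ubuntu-Description:` is left empty, and the first two Notes lines (`fixed by patch for CVE-2006-5757 since ...`) carry no `name>` prefix. The bracketed field on `linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38]` and on the etch line holds a stable version, while the other records use that field for the patch file name (e.g. `[__find_get_block_slow-race.dpatch]`); overloading the field makes it ambiguous, so put the stable version in the Notes instead. `its worth the risk` should be `it's worth the risk`.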
diff --git a/retired/CVE-2007-0958 b/retired/CVE-2007-0958
new file mode 100644
index 00000000..6dedad67
--- /dev/null
+++ b/retired/CVE-2007-0958
@@ -0,0 +1,21 @@
+Candidate: CVE-2007-0958
+References:
+ MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+ CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20
+Description:
+ Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable
+ binaries by using the interpreter (PT_INTERP) functionality and triggering
+ a core dump, a variant of CVE-2004-1073.
+Ubuntu-Description:
+Notes:
+ dannf> Red Hat's 2.4 isn't vulnerable; Willy Tarreau asked the reporter
+ for a reproducer in 2007.02. I sent Willy an e-mail on 2008.02.06
+ to see if he ever heard back. Until then, I'll assume 2.4 is ok.
+Bugs:
+upstream: released (2.6.20)
+linux-2.6: released (2.6.20-1)
+2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/core-dump-unreadable-PT_INTERP.patch]
+2.6.8-sarge-security: released (2.6.8-16sarge7) [core-dump-unreadable-PT_INTERP.dpatch]
+2.4.27-sarge-security: ignored (2.4.27-10sarge6) "poked upstream on 2008.02.06"
+2.6.15-dapper-security: released (2.6.15-28.53)
+2.6.17-edgy-security: released (2.6.17.1-11.37)
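Review bot: the note says `Until then, I'll assume 2.4 is ok`, but the status line reads `2.4.27-sarge-security: ignored (2.4.27-10sarge6) "poked upstream on 2008.02.06"`; `ignored` is used elsewhere in this commit for kernels believed affected but not fixed, so if 2.4 is assumed unaffected the line should be N/A with that reasoning quoted, and if it is still unknown the reason should say so rather than only dating the last enquiry. `Ubuntu-Description:` is empty.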
diff --git a/retired/CVE-2007-2453 b/retired/CVE-2007-2453
new file mode 100644
index 00000000..8198ebf2
--- /dev/null
+++ b/retired/CVE-2007-2453
@@ -0,0 +1,27 @@
+Candidate: CVE-2007-2453
+References:
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f397dcdb78d699a20d96bfcfb595a2411a5bbd2
+ http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=602b6aeefe8932dd8bb15014e8fe6bb25d736361
+ http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4
+Description:
+ The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x
+ before 2.6.21.4, (1) does not properly seed pools when there is no entropy,
+ or (2) uses an incorrect cast when extracting entropy, which might cause the
+ random number generator to provide the same values after reboots on systems
+ without an entropy source.
+Ubuntu-Description:
+ The random number generator was hashing a subset of the available
+ entropy, leading to slightly less random numbers. Additionally, systems
+ without an entropy source would be seeded with the same inputs at boot
+ time, leading to a repeatable series of random numbers.
+Notes:
+ dannf> started a thread on vendor-sec about a fix for 2.4 (2008.02.06)
+Bugs:
+upstream: released (2.6.21.4)
+linux-2.6: released (2.6.21-5)
+2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/random-fix-seeding-with-zero-entropy.patch, bugfix/random-fix-error-in-entropy-extraction.patch]
+2.6.8-sarge-security: N/A "2.6.8 uses HASH_TRANSFORM, so I think its N/A"
+2.4.27-sarge-security: N/A "Matt Mackall says these don't affect 2.4 (though 2.4 has a number of other issues)"
+2.6.15-dapper-security: released (2.6.15-28.57)
+2.6.17-edgy-security: released (2.6.17.1-11.39)
+2.6.20-feisty-security: released (2.6.20-16.29)
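Review bot: the note `dannf> started a thread on vendor-sec about a fix for 2.4 (2008.02.06)` sits next to `2.4.27-sarge-security: N/A "Matt Mackall says these don't affect 2.4 ..."`, so the record reads as seeking a fix for a kernel marked unaffected; add the outcome of that thread to the note so the two agree. `2.6.8-sarge-security: N/A "2.6.8 uses HASH_TRANSFORM, so I think its N/A"` is a hedged justification for a definitive N/A; either confirm it or mark the status accordingly, and `its` should be `it's`.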