author | Moritz Muehlenhoff <jmm@debian.org> | 2008-04-04 08:22:59 +0000
committer | Moritz Muehlenhoff <jmm@debian.org> | 2008-04-04 08:22:59 +0000
commit | e824eab7fea625551e3ee27c390cf894cfbfba04 (patch)
tree | 239de3139175e9b98d4e2a45e1962aa10beb2e92 /retired
parent | 60ddf7542af3875373d9827c167f1d51926a8f6d (diff)
retire some issues now that Sarge support has ended
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1154 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
-rw-r--r-- | retired/CVE-2005-0977 | 22
-rw-r--r-- | retired/CVE-2005-1265 | 14
-rw-r--r-- | retired/CVE-2006-0558 | 25
-rw-r--r-- | retired/CVE-2006-2448 | 19
-rw-r--r-- | retired/CVE-2006-3468 | 31
-rw-r--r-- | retired/CVE-2006-4572 | 25
-rw-r--r-- | retired/CVE-2006-5755 | 30
-rw-r--r-- | retired/CVE-2006-6060 | 34
-rw-r--r-- | retired/CVE-2007-0958 | 21
-rw-r--r-- | retired/CVE-2007-2453 | 27
10 files changed, 248 insertions, 0 deletions
diff --git a/retired/CVE-2005-0977 b/retired/CVE-2005-0977 new file mode 100644 index 00000000..77b44a61 --- /dev/null +++ b/retired/CVE-2005-0977 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-0977 +References: + http://www.ubuntulinux.org/support/documentation/usn/usn-103-1 + http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg + http://lkml.org/lkml/2005/2/5/111 + http://www.securityfocus.com/bid/12970 +Description: + The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel + 2.6 does not properly verify the address argument, which allows local users + to cause a denial of service (kernel crash) via an invalid address. +Notes: + dannf> 2.4 does look vulnerable, but the 2.6 fix won't work directly because + dannf> 2.4 doesn't have i_size_read(). The 2.6 i_size_read() uses seqlocks, + dannf> which aren't in 2.4, so the port isn't trivial for me. + dannf> Forwarded to Willy Tarreau on 2008.01.17 +Bugs: 303177 +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [mm-shmem-truncate.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help" +2.6.18-etch-security: N/A + diff --git a/retired/CVE-2005-1265 b/retired/CVE-2005-1265 new file mode 100644 index 00000000..c9175d46 --- /dev/null +++ b/retired/CVE-2005-1265 
@@ -0,0 +1,14 @@ +Candidate: CVE-2005-1265 +References: http://www.ubuntulinux.org/support/documentation/usn/usn-137-1 +Description: + The mmap function in the Linux Kernel 2.6.10 can be used to create memory + maps with a start address beyond the end address, which allows local users + to cause a denial of service (kernel crash) +Notes: + jmm> I've pulled the patch by Linus from the above-mentioned Ubuntu advisory +Bugs: +upstream: released (2.6.12) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [mm-mmap-range-test.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "not sure if it affects 2.4 - code is very different; need porting help" +2.6.18-etch-security: N/A diff --git a/retired/CVE-2006-0558 b/retired/CVE-2006-0558 new file mode 100644 index 00000000..105ad3f8 --- /dev/null +++ b/retired/CVE-2006-0558 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-0558 +References: + MLIST:[linux-ia64] [PATCH 1/1] ia64: perfmon.c trips BUG_ON in put_page_testzero + URL:http://marc.theaimsgroup.com/?l=linux-ia64&m=113882384921688 + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185082 + BID:17482 + URL:http://www.securityfocus.com/bid/17482 +Description: + perfmon (perfmon.c) in Linux kernel on IA64 architectures allows local users + to cause a denial of service (crash) by interrupting a task while another + process is accessing the mm_struct, which triggers a BUG_ON action in the + put_page_testzero function.proc +Notes: + dannf> This issue is unreproducible in 2.6.16, according to: + dannf> http://marc.theaimsgroup.com/?l=linux-ia64&m=114530938403347&w=2 + dannf> So, I'm marking upstream as 2.6.16 + . + dannf> I have a reproducer from SGI. It causes 2.6.8 to oops, but needs to + dannf> be ported to the 2.4 perfmon API to test 2.4.27 +Bugs: 365375 +upstream: released (2.6.16) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) [perfmon-exit-race.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "need porting help" +2.6.18-etch-security: N/A diff --git a/retired/CVE-2006-2448 b/retired/CVE-2006-2448 new file mode 100644 index 00000000..e345f7e2 --- /dev/null +++ b/retired/CVE-2006-2448 
@@ -0,0 +1,19 @@ +Candidate: CVE-2006-2448 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=7c85d1f9d358b24c5b05c3a2783a78423775a080 +Description: + Linux kernel before 2.6.16.21 and 2.6.17, when running on PowerPC, does not + perform certain required access_ok checks, which allows local users to read + arbitrary kernel memory on 64-bit systems (signal_64.c) and cause a denial of + service (crash) and possibly read kernel memory on 32-bit systems + (signal_32.c). +Notes: + dannf> Code has changed significantly since 2.6.8, its not clear to me + if this fix is needed or how to apply it. +Bugs: +upstream: released (2.6.16.21) +linux-2.6: released (2.6.16-15) +2.6.8-sarge-security: ignored (2.6.8-16sarge5) +2.4.27-sarge-security: ignored (2.4.27-10sarge4) +2.6.18-etch-security: N/A + diff --git a/retired/CVE-2006-3468 b/retired/CVE-2006-3468 new file mode 100644 index 00000000..380b97b0 --- /dev/null +++ b/retired/CVE-2006-3468 
@@ -0,0 +1,31 @@ +Candidate: CVE-2006-3468 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9 +Description: + Linux kernel 2.6.x, when using both NFS and EXT3, allows remote + attackers to cause a denial of service (file system panic) via a + crafted UDP packet with a V2 lookup procedure that specifies a bad + file handle (inode number), which triggers an error and causes an + exported directory to be remounted read-only. +Ubuntu-Description: + James McKenzie discovered a Denial of Service vulnerability in the + NFS driver. When exporting an ext3 file system over NFS, a remote + attacker could exploit this to trigger a file system panic by sending + a specially crafted UDP packet. +Notes: + http://lkml.org/lkml/2006/7/20/1: proposed patch + unclear whether 2.4 is affected + dannf> Submitted to Adrian Bunk for inclusion in 2.6.16.x + dannf> ignoring 2.4 till a fix goes upstream +Bugs: + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=199172 +upstream: released (2.6.17.8, 2.6.18-rc4) +linux-2.6: released (2.6.18-1) +2.6.8-sarge-security: released (2.6.8-16sarge5) [fs-ext3-bad-nfs-handle.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge4) +2.6.10-hoary-security: released (2.6.10-34.23) +2.6.12-breezy-security: released (2.6.12-10.37) +2.6.15-dapper-security: released (2.6.15-26.47) +2.6.17-edgy: released (2.6.17-10.30) +2.6.18-etch-security: N/A + diff --git a/retired/CVE-2006-4572 b/retired/CVE-2006-4572 new file mode 100644 index 00000000..6b5d7356 --- /dev/null +++ b/retired/CVE-2006-4572 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-4572 +References: + URL:http://readlist.com/lists/vger.kernel.org/linux-kernel/55/275979.html + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6d381634d213580d40d431e7664dfb45f641b884 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51d8b1a65291a6956b79374b6adbbadc2263bcf6 +Description: + Multiple unspecified vulnerabilities in netfilter for IPv6 code in Linux + kernel before 2.6.16.31 allow remote attackers to bypass intended restrictions + via unknown vectors, aka (1) "ip6_tables protocol bypass bug" and + (2) "ip6_tables extension header bypass bug". +Ubuntu-Description: + Mark Dowd discovered that the netfilter iptables module did not + correcly handle fragmented packets. By sending specially crafted + packets, a remote attacker could exploit this to bypass firewall + rules. +Notes: + dannf> port to 2.4.27/2.6.8 is non-trivial, ignoring for now +Bugs: +upstream: released (2.6.19) +linux-2.6: released (2.6.18.dfsg.1-9) +2.6.18-etch-security: released (2.6.18.dfsg.1-9) +2.6.8-sarge-security: ignored (2.6.8-16sarge7) +2.4.27-sarge-security: ignored (2.4.27-10sarge6) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-10.34) diff --git a/retired/CVE-2006-5755 b/retired/CVE-2006-5755 new file mode 100644 index 00000000..3c21071d --- /dev/null +++ b/retired/CVE-2006-5755 
@@ -0,0 +1,30 @@ +Candidate: CVE-2006-5755 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=658fdbef66e5e9be79b457edc2cbbb3add840aa9 +Description: + Linux kernel before 2.6.18, when running on x86_64 systems, does not + properly save or restore EFLAGS during a context switch, which allows + local users to cause a denial of service (crash) by causing SYSENTER + to set an NT flag, which can trigger a crash on the IRET of the next + task. +Ubuntu-Description: + The task switching code did not save and restore EFLAGS of processes. + By starting a specially crafted executable, a local attacker could + exploit this to eventually crash many other running processes. This + only affects the amd64 platform. +Notes: + jmm> 658fdbef66e5e9be79b457edc2cbbb3add840aa9 + jmm> amd64 equivalent of CVE-2006-5173 + jmm> http://www.mail-archive.com/kgdb-bugreport@lists.sourceforge.net/msg00559.html + dannf> marking sarge/2.4 N/A since we released no sarge/2.4/amd64 kernel + dannf> ignoring for sarge7 because backport is non-trivial + jmm> Affects xen +Bugs: +upstream: released (2.6.18) +linux-2.6: released (2.6.18-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch4) +2.6.8-sarge-security: ignored (2.6.8-16sarge7) +2.4.27-sarge-security: N/A +2.6.12-breezy-security: released (2.6.12-10.43) +2.6.15-dapper-security: released (2.6.15-28.51) +2.6.17-edgy-security: released (2.6.17.1-11.35) diff --git a/retired/CVE-2006-6060 b/retired/CVE-2006-6060 new file mode 100644 index 00000000..5fb5a10e --- /dev/null +++ b/retired/CVE-2006-6060 
@@ -0,0 +1,34 @@ +Candidate: CVE-2006-6060 +References: + MISC:http://projects.info-pull.com/mokb/MOKB-19-11-2006.html +Description: + The NTFS filesystem code in Linux kernel 2.6.x up to 2.6.18, and possibly + other versions, allows local users to cause a denial of service (CPU + consumption) via a malformed NTFS file stream that triggers an infinite loop + in the __find_get_block_slow function. +Ubuntu-Description: +Notes: + fixed by patch for CVE-2006-5757 since the bug is in the common + __find_get_block_slow() function. + dannf> reproducer at http://projects.info-pull.com/mokb/MOKB-19-11-2006.html + dannf> I mounted the reproducer fs on an ia64/2.4.27 system and though + it didn't cause an infinite loop, the system did lock up hard + jmm> e5657933863f43cc6bb76a54d659303dafaa9e58 in Linus git + dannf> The reproducer causes i386/2.4.36 to oops; but if this patch is + backported and applied it will print: + NTFS: Problem with runlist in extended record + ... and then oops. + So, I'm guessing this patch makes things better, but I don't think + its worth the risk of applying it unless the other oops gets fixed + as well. + dannf> Unpatched 2.4.27 oopses and prints the same runlist message that + patched 2.4.36 prints +Bugs: +upstream: released (2.6.19) +linux-2.6: released (2.6.18.dfsg.1-10) [2.6.16.38] +2.6.18-etch-security: released (2.6.18.dfsg.1-10) [2.6.16.38] +2.6.8-sarge-security: released (2.6.8-16sarge7) [__find_get_block_slow-race.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "Fixes an oops, only to hit another oops" +2.6.15-dapper-security: N/A - fixed in CVE-2006-5757 +2.6.17-edgy-security: N/A - already applied. +2.6.20-feisty-security: N/A diff --git a/retired/CVE-2007-0958 b/retired/CVE-2007-0958 new file mode 100644 index 00000000..6dedad67 --- /dev/null +++ b/retired/CVE-2007-0958 
@@ -0,0 +1,21 @@ +Candidate: CVE-2007-0958 +References: + MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 +Description: + Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable + binaries by using the interpreter (PT_INTERP) functionality and triggering + a core dump, a variant of CVE-2004-1073. +Ubuntu-Description: +Notes: + dannf> Red Hat's 2.4 isn't vulnerable; Willy Tarreau asked the reporter + for a reproducer in 2007.02. I sent Willy an e-mail on 2008.02.06 + to see if he ever heard back. Until then, I'll assume 2.4 is ok. +Bugs: +upstream: released (2.6.20) +linux-2.6: released (2.6.20-1) +2.6.18-etch-security: released (2.6.18.dfsg.1-12etch1) [bugfix/core-dump-unreadable-PT_INTERP.patch] +2.6.8-sarge-security: released (2.6.8-16sarge7) [core-dump-unreadable-PT_INTERP.dpatch] +2.4.27-sarge-security: ignored (2.4.27-10sarge6) "poked upstream on 2008.02.06" +2.6.15-dapper-security: released (2.6.15-28.53) +2.6.17-edgy-security: released (2.6.17.1-11.37) diff --git a/retired/CVE-2007-2453 b/retired/CVE-2007-2453 new file mode 100644 index 00000000..8198ebf2 --- /dev/null +++ b/retired/CVE-2007-2453 
@@ -0,0 +1,27 @@ +Candidate: CVE-2007-2453 +References: + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f397dcdb78d699a20d96bfcfb595a2411a5bbd2 + http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=602b6aeefe8932dd8bb15014e8fe6bb25d736361 + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.4 +Description: + The random number feature in Linux kernel 2.6 before 2.6.20.13, and 2.6.21.x + before 2.6.21.4, (1) does not properly seed pools when there is no entropy, + or (2) uses an incorrect cast when extracting entropy, which might cause the + random number generator to provide the same values after reboots on systems + without an entropy source. +Ubuntu-Description: + The random number generator was hashing a subset of the available + entropy, leading to slightly less random numbers. Additionally, systems + without an entropy source would be seeded with the same inputs at boot + time, leading to a repeatable series of random numbers. +Notes: + dannf> started a thread on vendor-sec about a fix for 2.4 (2008.02.06) +Bugs: +upstream: released (2.6.21.4) +linux-2.6: released (2.6.21-5) +2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/random-fix-seeding-with-zero-entropy.patch, bugfix/random-fix-error-in-entropy-extraction.patch] +2.6.8-sarge-security: N/A "2.6.8 uses HASH_TRANSFORM, so I think its N/A" +2.4.27-sarge-security: N/A "Matt Mackall says these don't affect 2.4 (though 2.4 has a number of other issues)" +2.6.15-dapper-security: released (2.6.15-28.57) +2.6.17-edgy-security: released (2.6.17.1-11.39) +2.6.20-feisty-security: released (2.6.20-16.29) |
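Review bot: In retired/CVE-2005-0977 the 2.4.27-sarge-security line is still "ignored ... need porting help" and the Notes end with "Forwarded to Willy Tarreau on 2008.01.17", so the entry retires with an open action item. Since the reason the port is being dropped is the end of Sarge support (per the commit message), record that in the Notes or in the quoted reason string so a later reader does not take the 2.4 port as still pending; the same applies to the "need porting help" strings in retired/CVE-2006-0558 and the "not sure if it affects 2.4" string in retired/CVE-2005-1265.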
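Review bot: The Description in retired/CVE-2006-0558 ends with "put_page_testzero function.proc"; the trailing "proc" looks like a stray paste and should be dropped. In the Notes block of the same file there is a line consisting only of "." between the two dannf> comments; if it is meant as a paragraph break it should be a blank continuation line, otherwise remove it.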
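Review bot: retired/CVE-2006-2448 marks both 2.6.8-sarge-security and 2.4.27-sarge-security as "ignored" without the quoted reason string that the other retired entries carry (for example "need porting help"). The Notes already give the reason ("Code has changed significantly since 2.6.8, its not clear to me if this fix is needed or how to apply it"), so copy a short form of it onto the status lines; while there, "its" should read "it's".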
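Review bot: In retired/CVE-2006-3468 the Notes say "ignoring 2.4 till a fix goes upstream", but the upstream line records the fix as released (2.6.17.8, 2.6.18-rc4), so that reason no longer explains why 2.4.27-sarge-security stays "ignored". Add a reason string to the 2.4.27 line reflecting the current situation. Also, the Bugs field here holds a Red Hat bugzilla URL where the other entries hold a Debian bug number; if there is no Debian bug, consider moving the URL under References so the Bugs field keeps one meaning.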
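Review bot: Typo in the Ubuntu-Description of retired/CVE-2006-4572: "did not correcly handle fragmented packets" should read "correctly". The References block in the same file mixes a "URL:" prefixed entry with bare URLs; pick one style so the list is consistent with the other retired entries.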
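Review bot: retired/CVE-2006-5755 carries the note "jmm> Affects xen" but no corresponding status line, so the xen impact is recorded without any resolution. Either add the status line for the affected xen kernel package or extend the note with where that package was fixed.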
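Review bot: In retired/CVE-2007-0958 the Notes conclude "Until then, I'll assume 2.4 is ok", yet the 2.4.27-sarge-security line is "ignored", which in the other entries means affected but not fixed. If 2.4 is assumed unaffected the status should be N/A (with the assumption quoted); if it is only unverified, keep "ignored" and reword the note so the two do not contradict each other.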
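Review bot: retired/CVE-2007-2453 marks 2.4.27-sarge-security as N/A citing Matt Mackall, while the Notes say a vendor-sec thread about a 2.4 fix was started on 2008.02.06. Record the outcome of that thread (or that the N/A supersedes it) so the retired entry is self-consistent; also "so I think its N/A" on the 2.6.8-sarge-security line should read "it's". The same "its worth the risk" slip appears in the Notes of retired/CVE-2006-6060.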