| author | dann frazier <dannf@debian.org> | 2006-08-17 00:24:25 +0000 |
|---|---|---|
| committer | dann frazier <dannf@debian.org> | 2006-08-17 00:24:25 +0000 |
| commit | f3581ec9b2d48c6103c22fecb46f713217d834e8 (patch) | |
| tree | 16359328df8385089d75b771a15c849bc9d052ea /retired | |
| parent | fcaf6d1f99829e04e46b5eb27e1aac3451308455 (diff) | |
move retired to the top level hierarchy so people can easily checkout just the active issues
git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@548 e094ebfe-e918-0410-adfb-c712417f3574
Diffstat (limited to 'retired')
229 files changed, 6672 insertions, 0 deletions
diff --git a/retired/CVE-2002-0429 b/retired/CVE-2002-0429 new file mode 100644 index 00000000..6d6e59f5 --- /dev/null +++ b/retired/CVE-2002-0429 @@ -0,0 +1,29 @@ +Candidate: CVE-2002-0429 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@3dd4f4b1MbvSSVddY8E_Yx0bGPux8w?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/entry.S + BUGTRAQ:20020308 linux <=2.4.18 x86 traps.c problem + CONFIRM:http://www.openwall.com/linux/ + DEBIAN:DSA-311 + DEBIAN:DSA-312 + DEBIAN:DSA-332 + DEBIAN:DSA-336 + DEBIAN:DSA-442 + REDHAT:RHSA-2002:158 + BID:4259 + XF:linux-ibcs-lcall-process(8420) +Description: + The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local + users to kill arbitrary processes via a a binary compatibility interface (lcall). +Notes: +Bugs: +upstream: released (2.4.20) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-6) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0001 b/retired/CVE-2003-0001 new file mode 100644 index 00000000..7cd7abbd --- /dev/null +++ b/retired/CVE-2003-0001 
@@ -0,0 +1,38 @@ +Candidate: CVE-2003-0001 +References: + ATSTAKE:A010603-1 + URL:http://www.atstake.com/research/advisories/2003/a010603-1.txt + BUGTRAQ:20030110 More information regarding Etherleak + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=104222046632243&w=2 + VULNWATCH:20030110 More information regarding Etherleak + URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html + MISC:http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf + CERT-VN:VU#412115 + URL:http://www.kb.cert.org/vuls/id/412115 + REDHAT:RHSA-2003:025 + URL:http://www.redhat.com/support/errata/RHSA-2003-025.html + OVAL:OVAL2665 + URL:http://oval.mitre.org/oval/definitions/data/oval2665.html +Description: + Multiple ethernet Network Interface Card (NIC) device drivers do not pad + frames with null bytes, which allows remote attackers to obtain information + from previous packets or kernel memory by using malformed packets, as + demonstrated by Etherleak. +Notes: + dannf> A number of drivers had to be fixed, but when looking to see where this + dannf> patch had been applied, I just tracked the de600.c file changes. My + dannf> assumption is that all of the other drivers got fixed at the same time. + . + dannf> I've e-mailed the security team + mdz, asking for a patch +Bugs: +upstream: released (2.4.21-pre4) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: needed +2.4.18-woody-security: released (2.4.18-7) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: needed +2.4.17-woody-security-hppa: needed +2.4.17-woody-security-ia64: needed +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2003-0018 b/retired/CVE-2003-0018 new file mode 100644 index 00000000..d89c0b09 --- /dev/null +++ b/retired/CVE-2003-0018 
@@ -0,0 +1,38 @@ +Candidate: CVE-2003-0018 +References: + DEBIAN:DSA-358 + DEBIAN:DSA-423 + MANDRAKE:MDKSA-2003:014 + REDHAT:RHSA-2003:025 + BID:6763 + XF:linux-odirect-information-leak(11249) +Description: + Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the + O_DIRECT feature, which allows local attackers with write privileges to + read portions of previously deleted files, or cause file system + corruption. +Notes: + dannf> It looks like the fix that was used in woody is to diable + dannf> O_DIRECT. Is this the upstream fix? + dannf> http://linux.bkbits.net:8080/linux-2.4/cset@3da0af3a87N78_-K9uAzGF_5cLsRkA?nav=index.html|tags|ChangeSet@..1.717.1.11 + dannf> I've asked hch via e-mail + . + dannf> and here's his response: + . + The big O_DIRECT issues we had a while ago involved redoing large parts of + the locking so it's definitily not the patch above. It was fixed in 2.4.2x + for x = 2 or 3 IIRC. The 2.5.27 kernels in sarge ff are definitly okay. + . + dannf> Therefore, I'm marking >= sarge kernels N/A +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0127 b/retired/CVE-2003-0127 new file mode 100644 index 00000000..b1b4b1cd --- /dev/null +++ b/retired/CVE-2003-0127 
@@ -0,0 +1,62 @@ +Candidate: CVE-2003-0127 +References: + VULNWATCH:20030317 Fwd: Ptrace hole / Linux 2.2.25 + URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0134.html + REDHAT:RHSA-2003:098 + URL:http://rhn.redhat.com/errata/RHSA-2003-098.html + REDHAT:RHSA-2003:088 + URL:http://rhn.redhat.com/errata/RHSA-2003-088.html + SUSE:SuSE-SA:2003:021 + ENGARDE:ESA-20030318-009 + DEBIAN:DSA-270 + URL:http://www.debian.org/security/2003/dsa-270 + DEBIAN:DSA-276 + URL:http://www.debian.org/security/2003/dsa-276 + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + DEBIAN:DSA-495 + URL:http://www.debian.org/security/2004/dsa-495 + MANDRAKE:MDKSA-2003:038 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:038 + MANDRAKE:MDKSA-2003:039 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:039 + CALDERA:CSSA-2003-020.0 + URL:ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-020.0.txt + ENGARDE:ESA-20030515-017 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2 + REDHAT:RHSA-2003:145 + URL:http://www.redhat.com/support/errata/RHSA-2003-145.html + GENTOO:GLSA-200303-17 + URL:http://security.gentoo.org/glsa/glsa-200303-17.xml + CERT-VN:VU#628849 + URL:http://www.kb.cert.org/vuls/id/628849 + OVAL:OVAL254 + URL:http://oval.mitre.org/oval/definitions/data/oval254.html +Description: + The kernel module loader in Linux kernel 2.2.x before 2.2.25, and + 2.4.x before 2.4.21, allows local users to gain root privileges by + using ptrace to attach to a child process that is spawned by the + kernel. +Notes: + Changeset comments say "Linux 2.5 is not believed to be vulnerable.", + so marking this issue as N/A for 2.6. 
+Bugs: +upstream: released (2.4.21-pre6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-7) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0187 b/retired/CVE-2003-0187 new file mode 100644 index 00000000..44f10428 --- /dev/null +++ b/retired/CVE-2003-0187 @@ -0,0 +1,25 @@ +Candidate: CVE-2003-0187 +References: + http://marc.theaimsgroup.com/?l=bugtraq&m=105986028426824&w=2 + http://oval.mitre.org/oval/definitions/data/oval260.html +Description: + The connection tracking core of Netfilter for Linux 2.4.20, with + CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote + attackers to cause a denial of service (resource consumption) due to an + inconsistency with Linux 2.4.20's support of linked lists, which causes + Netfilter to fail to identify connections with an UNCONFIRMED status and + use large timeouts. +Notes: + This was fixed before 2.6.0: + http://linux.bkbits.net:8080/linux-2.6/cset@3e631f9evO15b8EcYa8btEi07F2mYQ?nav=index.html|src/|src/include|src/include/linux|src/include/linux/netfilter_ipv4|related/include/linux/netfilter_ipv4/ip_conntrack.h +Bugs: +upstream: released (2.4.21) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2003-0244 b/retired/CVE-2003-0244 new file mode 100644 index 00000000..50f54848 --- /dev/null +++ b/retired/CVE-2003-0244 
@@ -0,0 +1,50 @@ +Candidate: CVE-2003-0244 +References: + VULNWATCH:20030517 Algorithmic Complexity Attacks and the Linux Networking Code + URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0073.html + MISC:http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html + MISC:http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417 + REDHAT:RHSA-2003:145 + URL:http://www.redhat.com/support/errata/RHSA-2003-145.html + REDHAT:RHSA-2003:147 + URL:http://www.redhat.com/support/errata/RHSA-2003-147.html + REDHAT:RHSA-2003:172 + URL:http://www.redhat.com/support/errata/RHSA-2003-172.html + ENGARDE:ESA-20030515-017 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2 + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + MANDRAKE:MDKSA-2003:066 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066 + MANDRAKE:MDKSA-2003:074 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074 + BUGTRAQ:20030618 [slackware-security] 2.4.21 kernels available (SSA:2003-168-01) + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105595901923063&w=2 + OVAL:OVAL261 + URL:http://oval.mitre.org/oval/definitions/data/oval261.html +Description: + The route cache implementation in Linux 2.4, and the Netfilter IP conntrack + module, allows remote attackers to cause a denial of service (CPU consumption) + via packets with forged source addresses that cause a large number of hash + table collisions. 
+Notes: +Bugs: +upstream: released (2.4.21-rc2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released +2.4.18-woody-security: released (2.4.18-8) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0246 b/retired/CVE-2003-0246 new file mode 100644 index 00000000..6ad4dddd --- /dev/null +++ b/retired/CVE-2003-0246 
@@ -0,0 +1,50 @@ +Candidate: CVE-2003-0246 +References: + REDHAT:RHSA-2003:172 + URL:http://www.redhat.com/support/errata/RHSA-2003-172.html + REDHAT:RHSA-2003:147 + URL:http://www.redhat.com/support/errata/RHSA-2003-147.html + ENGARDE:ESA-20030515-017 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105301461726555&w=2 + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + MANDRAKE:MDKSA-2003:066 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066 + MANDRAKE:MDKSA-2003:074 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074 + TURBO:TLSA-2003-41 + URL:http://www.turbolinux.com/security/TLSA-2003-41.txt + VULNWATCH:20030520 Linux 2.4 kernel ioperm vuln + URL:http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0076.html + OVAL:OVAL278 + URL:http://oval.mitre.org/oval/definitions/data/oval278.html +Description: + The ioperm system call in Linux kernel 2.4.20 and earlier does not properly + restrict privileges, which allows local users to gain read or write access to + certain I/O ports. +Notes: + It looks like the patch originally included in woody was just a one line + change; whereas there were two larger patches that went upstream. I'm + moving our trees forward to the upstream one. + . + Patch is x86 only. +Bugs: +upstream: released (2.4.21-rc4) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: pending (2.4.18-14.5) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: N/A 
diff --git a/retired/CVE-2003-0247 b/retired/CVE-2003-0247 new file mode 100644 index 00000000..45159ec0 --- /dev/null +++ b/retired/CVE-2003-0247 @@ -0,0 +1,42 @@ +Candidate: CVE-2003-0247 +References: + REDHAT:RHSA-2003:187 + URL:http://www.redhat.com/support/errata/RHSA-2003-187.html + REDHAT:RHSA-2003:195 + URL:http://www.redhat.com/support/errata/RHSA-2003-195.html + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + MANDRAKE:MDKSA-2003:066 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066 + MANDRAKE:MDKSA-2003:074 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074 + TURBO:TLSA-2003-41 + URL:http://www.turbolinux.com/security/TLSA-2003-41.txt + OVAL:OVAL284 + URL:http://oval.mitre.org/oval/definitions/data/oval284.html +Description: + Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows + attackers to cause a denial of service ("kernel oops"). +Notes: +Bugs: +upstream: released (2.4.21-rc3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-9) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0248 b/retired/CVE-2003-0248 new file mode 100644 index 00000000..9ce634f6 --- /dev/null +++ b/retired/CVE-2003-0248 
@@ -0,0 +1,42 @@ +Candidate: CVE-2003-0248 +References: + REDHAT:RHSA-2003:187 + URL:http://www.redhat.com/support/errata/RHSA-2003-187.html + REDHAT:RHSA-2003:195 + URL:http://www.redhat.com/support/errata/RHSA-2003-195.html + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + MANDRAKE:MDKSA-2003:066 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:066 + MANDRAKE:MDKSA-2003:074 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074 + TURBO:TLSA-2003-41 + URL:http://www.turbolinux.com/security/TLSA-2003-41.txt + OVAL:OVAL292 + URL:http://oval.mitre.org/oval/definitions/data/oval292.html +Description: + The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state + registers via a malformed address. +Notes: + dannf> I think this is the patch: + dannf> http://linux.bkbits.net:8080/linux-2.4/cset@3f293760h0HL1XxaPHNYxPXmpO1k8g?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/i387.c +Bugs: +upstream: released (2.4.22-pre10) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-9) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2003-0364 b/retired/CVE-2003-0364 new file mode 100644 index 00000000..1cc1ba9b --- /dev/null +++ b/retired/CVE-2003-0364 
@@ -0,0 +1,40 @@ +Candidate: CVE-2003-0364 +References: + REDHAT:RHSA-2003:187 + URL:http://www.redhat.com/support/errata/RHSA-2003-187.html + REDHAT:RHSA-2003:195 + URL:http://www.redhat.com/support/errata/RHSA-2003-195.html + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + DEBIAN:DSA-311 + URL:http://www.debian.org/security/2003/dsa-311 + DEBIAN:DSA-312 + URL:http://www.debian.org/security/2003/dsa-312 + DEBIAN:DSA-332 + URL:http://www.debian.org/security/2003/dsa-332 + DEBIAN:DSA-336 + URL:http://www.debian.org/security/2003/dsa-336 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + TURBO:TLSA-2003-41 + URL:http://www.turbolinux.com/security/TLSA-2003-41.txt + OVAL:OVAL295 + URL:http://oval.mitre.org/oval/definitions/data/oval295.html +Description: + The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote + attackers to cause a denial of service (CPU consumption) via certain packets that + cause a large number of hash table collisions. +Notes: +Bugs: +upstream: released (2.4.21-rc7) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.2.20-woody-security: released (2.2.20-5woody2) +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-9) +2.4.17-woody-security: released (2.4.17-1woody1) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0418 b/retired/CVE-2003-0418 new file mode 100644 index 00000000..f20986e7 --- /dev/null +++ b/retired/CVE-2003-0418 
@@ -0,0 +1,21 @@ +Candidate: CVE-2003-0418 +References: + http://marc.theaimsgroup.com/?l=bugtraq&m=105519179005065&w=2 + http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt + http://www.kb.cert.org/vuls/id/471084 +Description: + The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP + citation, which causes it to include portions of unauthorized memory in ICMP + error responses. +Notes: +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2003-0461 b/retired/CVE-2003-0461 new file mode 100644 index 00000000..c947ee68 --- /dev/null +++ b/retired/CVE-2003-0461 
@@ -0,0 +1,36 @@ +Candidate: CVE-2003-0461 +References: + MISC:http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + REDHAT:RHSA-2004:188 + URL:http://www.redhat.com/support/errata/RHSA-2004-188.html + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL304 + URL:http://oval.mitre.org/oval/definitions/data/oval304.html + OVAL:OVAL997 + URL:http://oval.mitre.org/oval/definitions/data/oval997.html + Description: + /proc/tty/driver/serial in Linux 2.4.x reveals the exact number + of characters used in serial links, which could allow local users + to obtain potentially sensitive information such as the length of + passwords. +Notes: + dannf> Here's the patches I used: + http://linux.bkbits.net:8080/linux-2.4/cset@41a6020dX1GoVx_Eydy1jUOqc11tpw?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/proc_tty.c + http://linux.bkbits.net:8080/linux-2.4/cset@41aca810DvutJ8aEj43OuUqJ4e1EIw?nav=index.html|src/|src/include|src/include/linux|related/include/linux/proc_fs.h +Bugs: +upstream: released (2.4.29-pre2, 2.6.1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-1) [025_proc_tty_security.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0462 b/retired/CVE-2003-0462 new file mode 100644 index 00000000..b5d9c8b4 --- /dev/null +++ b/retired/CVE-2003-0462 
@@ -0,0 +1,47 @@ +Candidate: CVE-2003-0462 +References: + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL309 + URL:http://oval.mitre.org/oval/definitions/data/oval309.html +Description: + A race condition in the way env_start and env_end pointers are + initialized in the execve system call and used in fs/proc/base.c + on Linux 2.4 allows local users to cause a denial of service + (crash). +Notes: + The fix for 2.4 went into a larger patch: + http://linux.bkbits.net:8080/linux-2.4/cset@41c68e9bogrpceA9rUJa-xHwBd-P6g?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/base.c + However, the patch for 2.6 is much simpler: + http://linux.bkbits.net:8080/linux-2.6/cset@3ff1101fZfOZMtqtcvKc_s-agJpLrQ?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/base.c + Unfortunately, it doesn't apply cleanly to 2.4. It looks like + the fix included in 2.4.18-10 just re-typed len in + proc_pid_environ; while in 2.6 len was also retyped in + proc_pid_cmdline. Only the former deals with evn_end/env_start + pointers and the latter doesn't apply cleanly to 2.4, so I'm + just making the proc_pid_environ change. + . + hrm.. maybe there was an earlier patch to 2.4; the above 2.4 + patch didn't go in till 2.4.29, yet it looks like this was + already fixed in our 2.4.27 .orig.tar.gz + . + jmm> I assume this was fixed upstream in 2.4.22-pre10? 
+ jmm> o Fix /proc/self security issue +Bugs: +upstream: released (2.6.1), released (2.4.22-pre10) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0464 b/retired/CVE-2003-0464 new file mode 100644 index 00000000..6fe42cf6 --- /dev/null +++ b/retired/CVE-2003-0464 @@ -0,0 +1,27 @@ +Candidate: CVE-2003-0464 +References: + http://www.redhat.com/support/errata/RHSA-2003-238.html + http://oval.mitre.org/oval/definitions/data/oval311.html +Description: + The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, + which could allow local users to bind to UDP ports that are used by privileged + services such as nfsd. +Notes: + I couldn't locate the patches RedHat & SuSE used, but Connectiva apparently + just #if 0'd out the sock->sk->reuse = 1; line in svcsock.c:svc_create_socket. + Upstream didn't disable it altogether; just for UDP + http://linux.bkbits.net:8080/linux-2.4/cset@3f1bdcc9r8An_GKkjlXeHBYDYOY11A?nav=index.html|src/|src/net|src/net/sunrpc|related/net/sunrpc/svcsock.c + I'm guessing this is a UDP-only problem, so that is probably the fix we want. + . + This fix was in before 2.6.0. +Bugs: +upstream: released (2.4.22-pre8) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2003-0465 b/retired/CVE-2003-0465 new file mode 100644 index 00000000..8ef0a954 --- /dev/null +++ b/retired/CVE-2003-0465 
@@ -0,0 +1,34 @@ +Candidate: CVE-2003-0465 +References: + CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2 + CONFIRM:http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2 + REDHAT:RHSA-2004:188 + URL:http://www.redhat.com/support/errata/RHSA-2004-188.html +Description: + The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad + the buffer on architectures other than x86, as opposed to the expected + behavior of strncpy as implemented in libc, which could lead to + information leaks. +Notes: + 2.4.27-8 fixes s390x, ppc64 and s390 but leaves mips & alpha unfixed. + . + horms> N.B. This bug appears to be minor at best + horms> http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2 + . + dannf> Since this is minor, I'm gonna consider the existing patch "good enough" + dannf> and mark the 2.4 issues as complete. + jmm> Alan Cox wrote in above URL that these will be addressed during the 2.5 + jmm> cycle, so I guess it's pretty safe to make all the 2.6 kernels as fixed + jmm> The ramifications are minor anyway +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-8) +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: needed +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2003-0467 b/retired/CVE-2003-0467 new file mode 100644 index 00000000..b51f352f --- /dev/null +++ b/retired/CVE-2003-0467 
@@ -0,0 +1,25 @@ +Candidate: CVE-2003-0467 +References: + http://marc.theaimsgroup.com/?l=bugtraq&m=105985703724758&w=2 +Description: + Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels + 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is + enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote + attackers to cause a denial of service (crash) in systems using NAT, possibly + due to an integer signedness error. +Notes: + http://linux.bkbits.net:8080/linux-2.4/cset@3ea42919d7UMn5WVhEYYcN5hnvM6fA?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_helper.c + . + Looks like this was fixed before 2.6.0: + http://linux.bkbits.net:8080/linux-2.6/cset@3eb76c8aWimEpZAEU5Xbu-LPK-NxeA?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_helper.c +Bugs: +upstream: released (2.4.21-rc1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2003-0476 b/retired/CVE-2003-0476 new file mode 100644 index 00000000..03d471c1 --- /dev/null +++ b/retired/CVE-2003-0476 
@@ -0,0 +1,37 @@ +Candidate: CVE-2003-0476 +References: + BUGTRAQ:20030626 Linux 2.4.x execve() file read race vulnerability + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105664924024009&w=2 + MANDRAKE:MDKSA-2003:074 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:074 + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + REDHAT:RHSA-2003:368 + URL:http://www.redhat.com/support/errata/RHSA-2003-368.html + REDHAT:RHSA-2003:408 + URL:http://www.redhat.com/support/errata/RHSA-2003-408.html + SUSE:SuSE-SA:2003:034 + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL327 + URL:http://oval.mitre.org/oval/definitions/data/oval327.html +Description: + The execve system call in Linux 2.4.x records the file + descriptor of the executable process in the file table of the + calling process, which allows local users to gain read access to + restricted file descriptors. +Notes: +Bugs: +upstream: released (2.4.22-pre4, 2.6.1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0501 b/retired/CVE-2003-0501 new file mode 100644 index 00000000..abd9ec50 --- /dev/null +++ b/retired/CVE-2003-0501 
@@ -0,0 +1,33 @@ +Candidate: CVE-2003-0501 +References: + BUGTRAQ:20030620 Linux /proc sensitive information disclosure + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=105621758104242 + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + SUSE:SuSE-SA:2003:034 + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL328 + URL:http://oval.mitre.org/oval/definitions/data/oval328.html +Description: + The /proc filesystem in Linux allows local users to obtain + sensitive information by opening various entries in /proc/self + before executing a setuid program, which causes the program to + fail to change the ownership and permissions of those entries. +Notes: +Bugs: +upstream: released (2.4.22-pre10) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0550 b/retired/CVE-2003-0550 new file mode 100644 index 00000000..ab06812f --- /dev/null +++ b/retired/CVE-2003-0550 
@@ -0,0 +1,26 @@ +Candidate: CVE-2003-0550 +References: + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL380 + URL:http://oval.mitre.org/oval/definitions/data/oval380.html +Description: + The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient + security by design, which allows attackers to modify the bridge topology. +Notes: +Bugs: +upstream: released (2.4.22-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0551 b/retired/CVE-2003-0551 new file mode 100644 index 00000000..7e5161bc --- /dev/null +++ b/retired/CVE-2003-0551 
@@ -0,0 +1,28 @@ +Candidate: CVE-2003-0551 +References: + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL384 + URL:http://oval.mitre.org/oval/definitions/data/oval384.html +Description: + The STP protocol implementation in Linux 2.4.x does not properly verify + certain lengths, which could allow attackers to cause a denial of service. +Notes: +Bugs: +upstream: released (2.4.22-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0552 b/retired/CVE-2003-0552 new file mode 100644 index 00000000..c3f39485 --- /dev/null +++ b/retired/CVE-2003-0552 
@@ -0,0 +1,28 @@ +Candidate: CVE-2003-0552 +References: + REDHAT:RHSA-2003:198 + URL:http://www.redhat.com/support/errata/RHSA-2003-198.html + REDHAT:RHSA-2003:238 + URL:http://www.redhat.com/support/errata/RHSA-2003-238.html + DEBIAN:DSA-358 + URL:http://www.debian.org/security/2004/dsa-358 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + OVAL:OVAL385 + URL:http://oval.mitre.org/oval/definitions/data/oval385.html +Description: + Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table + via forged packets whose source addresses are the same as the target. +Notes: +Bugs: +upstream: released (2.4.22-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-10) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0643 b/retired/CVE-2003-0643 new file mode 100644 index 00000000..64a7d8b1 --- /dev/null +++ b/retired/CVE-2003-0643 
@@ -0,0 +1,25 @@ +Candidate: CVE-2003-0643 +References: + http://www.ultramonkey.org/bugs/cve/CAN-2003-0643.shtml + http://www.ultramonkey.org/bugs/cve-patch/CAN-2003-0643.patch + http://gentoo.kems.net/gentoo-x86-portage/sys-kernel/gentoo-sources/ChangeLog + http://mirror.clarkson.edu/pub/distributions/gentoo-portage/sys-kernel/wolk-sources/ChangeLog + http://ftp.belnet.be/linux/gentoo-portage/sys-kernel/gentoo-sources/files/gentoo-sources-2.4.CAN-2003-0643.patch +Description: + Integer signedness error in the Linux Socket Filter implementation (filter.c) + in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of + service (crash). +Notes: + Fixed before 2.6.0: + http://linux.bkbits.net:8080/linux-2.4/cset@3f216072qjoeL8BVUjH-swPkd1CRgA?nav=index.html|src/|src/net|src/net/core|related/net/core/filter.c +Bugs: +upstream: released (2.4.22-pre10) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2003-0699 b/retired/CVE-2003-0699 new file mode 100644 index 00000000..615d0588 --- /dev/null +++ b/retired/CVE-2003-0699 
@@ -0,0 +1,24 @@ +Candidate: CVE-2003-0699 +References: + http://www.redhat.com/support/errata/RHSA-2003-198.html + http://www.redhat.com/support/errata/RHSA-2003-238.html + http://oval.mitre.org/oval/definitions/data/oval387.html +Description: + The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user + function to access userspace, which crosses security boundaries and may + facilitate the exploitation of vulnerabilities, a different vulnerability than + CVE-2003-0700. +Notes: + Fixed before 2.6.0. 2.4 patch: + http://linux.bkbits.net:8080/linux-2.4/cset@3eb6f77bdzIdwwIbhYPVK6Cu16OhBQ?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/cmpci.c +Bugs: +upstream: released (2.4.21-rc2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2003-0700 b/retired/CVE-2003-0700 new file mode 100644 index 00000000..9e0299e5 --- /dev/null +++ b/retired/CVE-2003-0700 
@@ -0,0 +1,24 @@ +Candidate: CVE-2003-0700 +References: + http://www.redhat.com/support/errata/RHSA-2003-238.html + http://www.redhat.com/support/errata/RHSA-2004-044.html + http://oval.mitre.org/oval/definitions/data/oval401.html +Description: + The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user + function to access userspace in certain conditions, which crosses security + boundaries and may facilitate the exploitation of vulnerabilities, a different + vulnerability than CVE-2003-0699. +Notes: + Fixed before 2.6.0. 2.4 patch: + http://linux.bkbits.net:8080/linux-2.4/cset@3f0350ec7Wnpix3ihDCUMMnS-czskg?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/cmpci.c +Bugs: +upstream: released (2.4.22-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2003-0961 b/retired/CVE-2003-0961 new file mode 100644 index 00000000..6db82f64 --- /dev/null +++ b/retired/CVE-2003-0961 
@@ -0,0 +1,67 @@ +Candidate: CVE-2003-0961 +References: + BUGTRAQ:20031204 [iSEC] Linux kernel do_brk() vulnerability details + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107064798706473&w=2 + MISC:http://isec.pl/papers/linux_kernel_do_brk.pdf + REDHAT:RHSA-2003:368 + URL:http://www.redhat.com/support/errata/RHSA-2003-368.html + REDHAT:RHSA-2003:389 + URL:http://www.redhat.com/support/errata/RHSA-2003-389.html + DEBIAN:DSA-403 + URL:http://www.debian.org/security/2003/dsa-403 + DEBIAN:DSA-417 + URL:http://www.debian.org/security/2004/dsa-417 + DEBIAN:DSA-423 + URL:http://www.debian.org/security/2004/dsa-423 + DEBIAN:DSA-433 + URL:http://www.debian.org/security/2004/dsa-433 + DEBIAN:DSA-439 + URL:http://www.debian.org/security/2004/dsa-439 + DEBIAN:DSA-440 + URL:http://www.debian.org/security/2004/dsa-440 + DEBIAN:DSA-442 + URL:http://www.debian.org/security/2004/dsa-442 + DEBIAN:DSA-450 + URL:http://www.debian.org/security/2004/dsa-450 + DEBIAN:DSA-470 + URL:http://www.debian.org/security/2004/dsa-470 + DEBIAN:DSA-475 + URL:http://www.debian.org/security/2004/dsa-475 + MANDRAKE:MDKSA-2003:110 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:110 + CONECTIVA:CLA-2003:796 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000796 + SUSE:SuSE-SA:2003:049 + URL:http://www.novell.com/linux/security/advisories/2003_049_kernel.html + BUGTRAQ:20031204 Hot fix for do_brk bug + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107064830206816&w=2 + BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107394143105081&w=2 + CERT-VN:VU#301156 + URL:http://www.kb.cert.org/vuls/id/301156 + SECUNIA:10328 + URL:http://secunia.com/advisories/10328 + SECUNIA:10329 + URL:http://secunia.com/advisories/10329 + SECUNIA:10330 + URL:http://secunia.com/advisories/10330 + SECUNIA:10333 + URL:http://secunia.com/advisories/10333 + SECUNIA:10338 + URL:http://secunia.com/advisories/10338 +Description: + 
Integer overflow in the do_brk function for the brk system call in Linux + kernel 2.4.22 and earlier allows local users to gain root privileges. +Notes: +Bugs: +upstream: released (2.4.23-pre7) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody1) +2.4.18-woody-security: released (2.4.18-14) +2.4.17-woody-security: released (2.4.17-1woody2) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.3) +2.4.17-woody-security-ia64: released (011226.14.1) +2.4.18-woody-security-hppa: released (62.2) diff --git a/retired/CVE-2003-0984 b/retired/CVE-2003-0984 new file mode 100644 index 00000000..73760da7 --- /dev/null +++ b/retired/CVE-2003-0984 
@@ -0,0 +1,46 @@ +Candidate: CVE-2003-0984 +References: + SUSE:SuSE-SA:2003:049 + URL:http://www.novell.com/linux/security/advisories/2003_049_kernel.html + CONECTIVA:CLA-2004:799 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000799 + ENGARDE:ESA-20040105-001 + URL:http://www.linuxsecurity.com/advisories/engarde_advisory-3904.html + REDHAT:RHSA-2003:417 + URL:http://www.redhat.com/support/errata/RHSA-2003-417.html + REDHAT:RHSA-2004:188 + URL:http://www.redhat.com/support/errata/RHSA-2004-188.html + MANDRAKE:MDKSA-2004:001 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:001 + BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=107394143105081&w=2 + XF:linux-rtc-memory-leak(13943) + URL:http://xforce.iss.net/xforce/xfdb/13943 + OVAL:OVAL1013 + URL:http://oval.mitre.org/oval/definitions/data/oval1013.html + OVAL:OVAL859 + URL:http://oval.mitre.org/oval/definitions/data/oval859.html +Description: + Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not + properly initialize their structures, which could leak kernel data to user + space. 
+Notes: + backport from dilinger; though it isn't quite what appears to have gone + upstream: + http://linux.bkbits.net:8080/linux-2.4/cset@3fd7827aNFUTifwp7_u4babSUA8Bkg?nav=index.html|src/|src/drivers|src/drivers/sbus|src/drivers/sbus/char|related/drivers/sbus/char/rtc.c + http://linux.bkbits.net:8080/linux-2.4/cset@3ff8697bFIYfsvIbsqw27h6C_rbCEA?nav=index.html|src/|src/drivers|src/drivers/sbus|src/drivers/sbus/char|related/drivers/sbus/char/rtc.c + jmm> This was fixed upstream in 2.4.24-rc1: + jmm> | <trini:mvista.com>: + jmm> | o /dev/rtc can leak parts of kernel memory to unpriviledged users +Bugs: +upstream: released (2.4.24-rc1, 2.6.2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2003-0985 b/retired/CVE-2003-0985 new file mode 100644 index 00000000..16f58f01 --- /dev/null +++ b/retired/CVE-2003-0985 
@@ -0,0 +1,54 @@ +Candidate: CVE-2003-0985 +References: + BUGTRAQ:20040105 Linux kernel mremap vulnerability + MISC:http://isec.pl/vulnerabilities/isec-0013-mremap.txt + BUGTRAQ:20040105 Linux kernel do_mremap() proof-of-concept exploit code + BUGTRAQ:20040106 Linux mremap bug correction + DEBIAN:DSA-423 + DEBIAN:DSA-450 + SUSE:SuSE-SA:2004:001 + SUSE:SuSE-SA:2004:003 + CONECTIVA:CLA-2004:799 + ENGARDE:ESA-20040105-001 + REDHAT:RHSA-2003:416 + REDHAT:RHSA-2003:417 + REDHAT:RHSA-2003:418 + REDHAT:RHSA-2003:419 + DEBIAN:DSA-413 + DEBIAN:DSA-417 + DEBIAN:DSA-427 + DEBIAN:DSA-439 + DEBIAN:DSA-440 + DEBIAN:DSA-442 + DEBIAN:DSA-470 + DEBIAN:DSA-475 + IMMUNIX:IMNX-2004-73-001-01 + MANDRAKE:MDKSA-2004:001 + SGI:20040102-01-U + TRUSTIX:2004-0001 + BUGTRAQ:20040107 [slackware-security] Kernel security update (SSA:2004-006-01) + BUGTRAQ:20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01) + BUGTRAQ:20040112 SmoothWall Project Security Advisory SWP-2004:001 + XF:linux-domremap-gain-privileges(14135) + OSVDB:3315 + OVAL:OVAL860 + OVAL:OVAL867 +Description: + The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 + does not properly perform bounds checks, which allows local users to + cause a denial of service and possibly gain privileges by causing a + remapping of a virtual memory area (VMA) to create a zero length VMA, + a different vulnerability than CAN-2004-0077. +Notes: +Bugs: +upstream: released (2.4.24-rc1), released (2.6.1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody1) +2.4.18-woody-security: released (2.4.18-14.1) +2.4.17-woody-security: released (2.4.17-1woody2) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.3, 62.3) +2.4.17-woody-security-ia64: released (011226.15) +2.4.18-woody-security-hppa: released (62.2) 
diff --git a/retired/CVE-2003-1040 b/retired/CVE-2003-1040 new file mode 100644 index 00000000..b4e7a03e --- /dev/null +++ b/retired/CVE-2003-1040 @@ -0,0 +1,28 @@ +Candidate: CVE-2003-1040 +References: + ftp://patches.sgi.com/support/free/security/advisories/20040204-01-U.asc + http://www.novell.com/linux/security/advisories/2003_049_kernel.html + http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000820 + http://www.redhat.com/support/errata/RHSA-2004-065.html + http://www.redhat.com/support/errata/RHSA-2004-069.html + http://www.redhat.com/support/errata/RHSA-2004-106.html + http://www.redhat.com/support/errata/RHSA-2004-188.html + http://linux.bkbits.net:8080/linux-2.4/diffs/kernel/kmod.c@1.6?nav=index.html|src/|src/kernel|hist/kernel/kmod.c + http://xforce.iss.net/xforce/xfdb/15577 +Description: + kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which + allows local users to cause a denial of service (crash) by sending certain + signals to kmod. +Notes: + fixed before 2.6 released +Bugs: +upstream: released (2.4.23) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: needed +2.4.18-woody-security: needed +2.4.17-woody-security: needed +2.4.16-woody-security: needed +2.4.17-woody-security-hppa: needed +2.4.17-woody-security-ia64: needed diff --git a/retired/CVE-2004-0003 b/retired/CVE-2004-0003 new file mode 100644 index 00000000..73002472 --- /dev/null +++ b/retired/CVE-2004-0003 
@@ -0,0 +1,89 @@ +Candidate: CVE-2004-0003 +References: + CONFIRM:http://www.linuxcompatible.org/print25630.html + DEBIAN:DSA-479 + URL:http://www.debian.org/security/2004/dsa-479 + DEBIAN:DSA-480 + URL:http://www.debian.org/security/2004/dsa-480 + DEBIAN:DSA-481 + URL:http://www.debian.org/security/2004/dsa-481 + DEBIAN:DSA-482 + URL:http://www.debian.org/security/2004/dsa-482 + DEBIAN:DSA-489 + URL:http://www.debian.org/security/2004/dsa-489 + DEBIAN:DSA-491 + URL:http://www.debian.org/security/2004/dsa-491 + DEBIAN:DSA-495 + URL:http://www.debian.org/security/2004/dsa-495 + MANDRAKE:MDKSA-2004:029 + URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:029 + REDHAT:RHSA-2004:044 + URL:http://www.redhat.com/support/errata/RHSA-2004-044.html + REDHAT:RHSA-2004:065 + URL:http://www.redhat.com/support/errata/RHSA-2004-065.html + REDHAT:RHSA-2004:106 + URL:http://www.redhat.com/support/errata/RHSA-2004-106.html + REDHAT:RHSA-2004:166 + URL:http://www.redhat.com/support/errata/RHSA-2004-166.html + SUSE:SuSE-SA:2004:005 + URL:http://www.novell.com/linux/security/advisories/2004_05_linux_kernel.html + TURBO:TLSA-2004-14 + URL:http://www.turbolinux.com/security/2004/TLSA-2004-14.txt + CIAC:O-082 + URL:http://www.ciac.org/ciac/bulletins/o-082.shtml + CIAC:O-121 + URL:http://www.ciac.org/ciac/bulletins/o-121.shtml + CIAC:O-126 + URL:http://www.ciac.org/ciac/bulletins/o-126.shtml + CIAC:O-127 + URL:http://www.ciac.org/ciac/bulletins/o-127.shtml + CIAC:O-145 + URL:http://www.ciac.org/ciac/bulletins/o-145.shtml + BID:9570 + URL:http://www.securityfocus.com/bid/9570 + SECUNIA:10782 + URL:http://secunia.com/advisories/10782 + SECUNIA:10911 + URL:http://secunia.com/advisories/10911 + SECUNIA:10912 + URL:http://secunia.com/advisories/10912 + SECUNIA:11202 + URL:http://secunia.com/advisories/11202 + SECUNIA:11361 + URL:http://secunia.com/advisories/11361 + SECUNIA:11362 + URL:http://secunia.com/advisories/11362 + SECUNIA:11369 + 
URL:http://secunia.com/advisories/11369 + SECUNIA:11370 + URL:http://secunia.com/advisories/11370 + SECUNIA:11376 + URL:http://secunia.com/advisories/11376 + SECUNIA:11464 + URL:http://secunia.com/advisories/11464 + SECUNIA:11891 + URL:http://secunia.com/advisories/11891 + SECUNIA:12075 + URL:http://secunia.com/advisories/12075 + OVAL:OVAL1017 + URL:http://oval.mitre.org/oval/definitions/data/oval1017.html + OVAL:OVAL834 + URL:http://oval.mitre.org/oval/definitions/data/oval834.html + XF:linux-r128-gain-priviliges(15029) + URL:http://xforce.iss.net/xforce/xfdb/15029 +Description: + Unknown vulnerability in Linux kernel before 2.4.22 allows local users to + gain privileges, related to "R128 DRI limits checking." +Notes: +Bugs: +upstream: released (2.4.26-rc4, 2.6.4) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-14.3) +2.4.17-woody-security: released (2.4.17-1woody3) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.4, 62.3) +2.4.17-woody-security-ia64: released (011226.17) +2.4.18-woody-security-hppa: released (62.3) diff --git a/retired/CVE-2004-0010 b/retired/CVE-2004-0010 new file mode 100644 index 00000000..5420ca92 --- /dev/null +++ b/retired/CVE-2004-0010 @@ -0,0 +1,16 @@ +Candidate: CVE-2004-0010 +References: +Description: +Notes: +Bugs: +upstream: released (2.4.25-pre7), released (2.6.3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-14.3) +2.4.17-woody-security: released (2.4.17-1woody3) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.4, 62.3) +2.4.17-woody-security-ia64: released (011226.17) +2.4.18-woody-security-hppa: released (62.3) diff --git a/retired/CVE-2004-0077 b/retired/CVE-2004-0077 new file mode 100644 index 00000000..02f16cd4 
--- /dev/null +++ b/retired/CVE-2004-0077 
@@ -0,0 +1,57 @@ +Candidate: CVE-2004-0077 +References: + BUGTRAQ:20040218 Second critical mremap() bug found in all Linux kernels + VULNWATCH:20040218 Second critical mremap() bug found in all Linux kernels + MISC:http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt + CONECTIVA:CLA-2004:820 + DEBIAN:DSA-438 + DEBIAN:DSA-439 + DEBIAN:DSA-440 + DEBIAN:DSA-441 + DEBIAN:DSA-442 + DEBIAN:DSA-444 + DEBIAN:DSA-450 + DEBIAN:DSA-453 + DEBIAN:DSA-454 + DEBIAN:DSA-456 + DEBIAN:DSA-466 + DEBIAN:DSA-470 + DEBIAN:DSA-514 + DEBIAN:DSA-475 + REDHAT:RHSA-2004:065 + REDHAT:RHSA-2004:066 + REDHAT:RHSA-2004:069 + REDHAT:RHSA-2004:106 + SLACKWARE:SSA:2004-049 + SUSE:SuSE-SA:2004:005 + TRUSTIX:2004-0007 + TRUSTIX:2004-0008 + GENTOO:GLSA-200403-02 + CERT-VN:VU#981222 + XF:linux-mremap-gain-privileges(15244) + BID:9686 + OSVDB:3986 + OVAL:OVAL825 + OVAL:OVAL837 +Description: + The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 + to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the + do_munmap function when the maximum number of VMA descriptors is exceeded, + which allows local users to gain root privileges, a different vulnerability + than CAN-2003-0985. +Notes: + dannf> we think these are the patches: + 2.6: http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=59287e5eef8d33dcd842852a898b43a81fe0b2c2 + 2.4: http://linux.bkbits.net:8080/linux-2.4/cset@40327d9fxQLz7BU9yAATPsFlWiSG0A?nav=index.html|src/|src/mm|related/mm/mremap.c +Bugs: +upstream: released (2.4.25-rc4, 2.6.3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody1) +2.4.18-woody-security: released (2.4.18-14.2) +2.4.17-woody-security: released (2.4.17-1woody2) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.3, 62.3) +2.4.17-woody-security-ia64: released (011226.16) +2.4.18-woody-security-hppa: released (62.2) 
diff --git a/retired/CVE-2004-0109 b/retired/CVE-2004-0109 new file mode 100644 index 00000000..fc67f753 --- /dev/null +++ b/retired/CVE-2004-0109 @@ -0,0 +1,16 @@ +Candidate: +References: +Description: +Notes: +Bugs: +upstream: released (2.4.26-rc4), released (2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-14.3) +2.4.17-woody-security: released (2.4.17-1woody3) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.4, 62.3) +2.4.17-woody-security-ia64: released (011226.17) +2.4.18-woody-security-hppa: released (62.3) diff --git a/retired/CVE-2004-0133 b/retired/CVE-2004-0133 new file mode 100644 index 00000000..dd6420aa --- /dev/null +++ b/retired/CVE-2004-0133 
@@ -0,0 +1,29 @@ +Candidate: CVE-2004-0133 +References: + http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html + http://security.gentoo.org/glsa/glsa-200407-02.xml + http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029 + ftp://patches.sgi.com/support/free/security/advisories/20040405-01-U.asc + http://marc.theaimsgroup.com/?l=bugtraq&m=108213675028441&w=2 + http://www.securityfocus.com/bid/10151 + http://secunia.com/advisories/11362 + http://xforce.iss.net/xforce/xfdb/15901 +Description: + The XFS file system code in Linux 2.4.x has an information leak in which + in-memory data is written to the device for the XFS file system, which + allows local users to obtain sensitive information by reading the raw device. +Notes: + jmm> Woody is not affected, as XFS was only added to the kernel in 2.4.25 + dannf> I never did find the actual patch - upstream fixed versions are + dannf> based on the securityfocus page above. +Bugs: +upstream: released (2.4.26-rc2, 2.6.5) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0136 b/retired/CVE-2004-0136 new file mode 100644 index 00000000..77047ee2 --- /dev/null +++ b/retired/CVE-2004-0136 
@@ -0,0 +1,46 @@ +Candidate: CVE-2004-0136 +References: + REDHAT:RHSA-2004:549 + URL:http://www.redhat.com/support/errata/RHSA-2004-549.html + SGI:20040601-01-P + URL:ftp://patches.sgi.com/support/free/security/advisories/20040601-01-P.asc + XF:irix-mapelf32exec-dos(16416) + URL:http://xforce.iss.net/xforce/xfdb/16416 + BID:10547 + URL:http://www.securityfocus.com/bid/10547 +Description: + The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local + users to cause a denial of service (system crash) via a "corrupted binary." +Notes: + Strange description, but I think this is actually a Linux issue; note the + RedHat URLs above. + dannf> I think I've traced this issue back to a flawed bug report, and that + dannf> this is really CAN-2004-0138. + + mitre references a RedHat advisory for this, RHSA-2004:504-13 + + RHSA-2004:504-13 does in fact reference CVE-2004-0136 + + RedHat notes that their fixed src.rpm is kernel-2.4.18-e.52.src.rpm + + The changelog in the spec file in the above .src.rpm contains the following + entry: + * Tue Nov 16 2004 Jim Paradis <jparadis@redhat.com> + - Fixes for security holes in binfmt_elf loader (Dave Anderson, + Jim Paradis), bugs 127916, 134876 + + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127916 references + CVE-2004-0136, but the patches it links to are the fixes for + CVE-2004-0138 + jmm> Red Hat accidentally used CVE-2004-0138 for this in an advisory, pulling + jmm> over the entries from it + jmm> I've verified that the fix from + jmm> http://linux.bkbits.net:8080/linux-2.4/gnupatch@4021346f79nBb-4X_usRikR3Iyb4Vg + jmm> is included in 2.6.8, thus marking 2.6.8 and linux-2.6 N/A +Bugs: +upstream: released (2.4.25-rc1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) 
+2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0138 b/retired/CVE-2004-0138 new file mode 100644 index 00000000..e2f1e3b5 --- /dev/null +++ b/retired/CVE-2004-0138 @@ -0,0 +1,23 @@ +Candidate: CVE-2004-0138 +References: +Description: +Notes: + Still marked **RESERVED** + dannf> However, it was already fixed in woody, whose changelog says: + * Applied patch by Chris Wright to denial of service in the ELF loader + when the interpreter architecture doesn't match the current one + <http://linux.bkbits.net:8080/linux-2.4/cset@4021346f79nBb-4X_usRikR3Iyb4Vg> + [fs/binfmt_elf.c, CAN-2004-0138] + jmm> This was a previous Red Hat internal name for CVE-2004-0136, so + jmm> Red hat advisories, which fix this are in fact for CVE-2004-0136 +Bugs: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0177 b/retired/CVE-2004-0177 new file mode 100644 index 00000000..f42298e4 --- /dev/null +++ b/retired/CVE-2004-0177 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-0177 +References: +Description: +Notes: + jmm> This is resolved by the following patch by tytso: + jmm>--- kernel-source-2.4.18-2.4.18.orig/fs/jbd/journal.c + jmm>+++ kernel-source-2.4.18-2.4.18/fs/jbd/journal.c + jmm>@@ -671,6 +671,7 @@ + jmm> + jmm> bh = getblk(journal->j_dev, blocknr, journal->j_blocksize); + jmm> lock_buffer(bh); + jmm>+ memset(bh->b_data, 0, journal->j_blocksize); + jmm> BUFFER_TRACE(bh, "return this buffer"); + jmm> return journal_add_journal_head(bh); + jmm> } + jmm> This fix is present in 2.4.27 and 2.6.8, so marking them and l-2.6 N/A +Bugs: +upstream: released (2.4.26-pre4) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-14.3) +2.4.17-woody-security: released (2.4.17-1woody3) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.4, 62.3) +2.4.17-woody-security-ia64: released (011226.17) +2.4.18-woody-security-hppa: released (62.3) diff --git a/retired/CVE-2004-0178 b/retired/CVE-2004-0178 new file mode 100644 index 00000000..3594c976 --- /dev/null +++ b/retired/CVE-2004-0178 
@@ -0,0 +1,40 @@ +Candidate: CVE-2004-0178 +References: + http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846 + http://www.debian.org/security/2004/dsa-479 + http://www.debian.org/security/2004/dsa-480 + http://www.debian.org/security/2004/dsa-481 + http://www.debian.org/security/2004/dsa-482 + http://www.debian.org/security/2004/dsa-489 + http://www.debian.org/security/2004/dsa-491 + http://www.debian.org/security/2004/dsa-495 + http://security.gentoo.org/glsa/glsa-200407-02.xml + http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029 + http://www.redhat.com/support/errata/RHSA-2004-413.html + http://www.redhat.com/support/errata/RHSA-2004-437.html + ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc + http://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFA + http://www.ciac.org/ciac/bulletins/o-121.shtml + http://www.ciac.org/ciac/bulletins/o-127.shtml + http://www.ciac.org/ciac/bulletins/o-193.shtml + http://www.securityfocus.com/bid/9985 + http://xforce.iss.net/xforce/xfdb/15868 +Description: + The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x + before 2.4.26, when operating in 16 bit mode, does not properly + handle certain sample sizes, which allows local users to cause a + denial of service (crash) via a sample with an odd number of bytes. +Notes: + jmm> I've verified that above patch is included in 2.6.8 +Bugs: +upstream: released (2.4.26-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody2) +2.4.18-woody-security: released (2.4.18-14.3) +2.4.17-woody-security: released (2.4.17-1woody3) +2.4.16-woody-security: released (2.4.16-1woody2) +2.4.17-woody-security-hppa: released (32.4, 62.3) +2.4.17-woody-security-ia64: released (011226.17) +2.4.18-woody-security-hppa: released (62.3) diff --git a/retired/CVE-2004-0181 b/retired/CVE-2004-0181 new file mode 100644 index 00000000..0d56ff39 --- /dev/null 
+++ b/retired/CVE-2004-0181 @@ -0,0 +1,27 @@ +Candidate: CVE-2004-0181 +References: + http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html + http://security.gentoo.org/glsa/glsa-200407-02.xml + http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:029 + http://marc.theaimsgroup.com/?l=bugtraq&m=108213675028441&w=2 + http://www.turbolinux.com/security/2004/TLSA-2004-14.txt + http://www.securityfocus.com/bid/10143 + http://xforce.iss.net/xforce/xfdb/15902 +Description: + The JFS file system code in Linux 2.4.x has an information leak in which + in-memory data is written to the device for the JFS file system, which allows + local users to obtain sensitive information by reading the raw device. +Notes: + jmm> JFS was merged into the 2.4 kernel in 2.4.20-pre4 and into 2.6 at 2.6.5-rc2, + jmm> so I'm marking all versions N/A +Bugs: +upstream: released (2.4.26-pre5), released (2.6.5-rc2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0228 b/retired/CVE-2004-0228 new file mode 100644 index 00000000..4b6758bb --- /dev/null +++ b/retired/CVE-2004-0228 
@@ -0,0 +1,33 @@ +Candidate: CVE-2004-0228 +References: + http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852 + http://www.redhat.com/archives/fedora-announce-list/2004-April/msg00010.html + http://security.gentoo.org/glsa/glsa-200407-02.xml + http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:050 + http://www.novell.com/linux/security/advisories/2004_10_kernel.html + http://secunia.com/advisories/11429 + http://secunia.com/advisories/11464 + http://secunia.com/advisories/11486 + http://secunia.com/advisories/11491 + http://secunia.com/advisories/11683 + http://xforce.iss.net/xforce/xfdb/15951 +Description: + Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in + Linux kernel 2.6 allows local users to gain privileges. +Notes: + jmm> 2.4 does not have cpufreq + jmm> In 2.6 the affected code has changed to drivers/cpufreq/cpufreq_userspace.c + jmm> I've verified that the isolated patch from + jmm> http://www.ultramonkey.org/bugs/cve-patch/CAN-2004-0228.patch + jmm> is included in 2.6.8 +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0229 b/retired/CVE-2004-0229 new file mode 100644 index 00000000..08ee5079 --- /dev/null +++ b/retired/CVE-2004-0229 @@ -0,0 +1,16 @@ +Candidate: CVE-2004-0229 +References: +Description: +Notes: + jmm> 2.4 is not affected by this problem. +Bugs: +upstream: released (2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0394 b/retired/CVE-2004-0394 new file mode 100644 index 00000000..438a4600 --- /dev/null 
+++ b/retired/CVE-2004-0394 @@ -0,0 +1,39 @@ +Candidate: CVE-2004-0394 +References: + CONECTIVA:CLA-2004:846 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846 + GENTOO:GLSA-200407-02 + URL:http://security.gentoo.org/glsa/glsa-200407-02.xml + MANDRAKE:MDKSA-2004:037 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:037 + MLIST:[fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel) + URL:http://lwn.net/Articles/81773/ + ENGARDE:ESA-20040428-004 + URL:http://www.linuxsecurity.com/advisories/engarde_advisory-4285.html + SGI:20040504-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc + SGI:20040505-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040505-01-U.asc + SUSE:SuSE-SA:2004:010 + URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html + XF:linux-panic-bo(15953) + URL:http://xforce.iss.net/xforce/xfdb/15953 +Description: + A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, + although it may not be exploitable due to the functionality of panic. +Notes: + jmm> I've verified 2.6.8 to contain the correct vsnprintf() call + jmm> For 2.4 it's fixed in 2.4.32, but unfixed in 2.4.27. I'm marking it + jmm> needed, although I guess it's not exploitable +Bugs: +upstream: released (2.4.28-pre1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-1) +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0415 b/retired/CVE-2004-0415 new file mode 100644 index 00000000..89c5fdc0 --- /dev/null +++ b/retired/CVE-2004-0415 
@@ -0,0 +1,42 @@ +Candidate: CVE-2004-0415 +References: + CONECTIVA:CLA-2004:879 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000879 + GENTOO:GLSA-200408-24 + URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml + MANDRAKE:MDKSA-2004:087 + URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:087 + REDHAT:RHSA-2004:413 + URL:http://www.redhat.com/support/errata/RHSA-2004-413.html + REDHAT:RHSA-2004:418 + URL:http://www.redhat.com/support/errata/RHSA-2004-418.html + SGI:20040804-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc + XF:linux-pointer-info-disclosure(16877) + URL:http://xforce.iss.net/xforce/xfdb/16877 +Description: + Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, + which allows local users to access portions of kernel memory. +Notes: + dannf> Based on the 2.4.27 changelog, I think this is the 2.4 fix: + http://linux.bkbits.net:8080/linux-2.4/cset@411064f7uz3rKDb73dEb4vCqbjEIdw?nav=index.html|src/|src/drivers|src/drivers/char|related/drivers/char/i8k.c + and + http://linux.bkbits.net:8080/linux-2.4/cset@41113629fBqsXgKVAey-EzhZOkS2Lw?nav=index.html|src/|src/net|src/net/atm|related/net/atm/br2684.c + Which doesn't look like it ever made 2.6. + . + dannf> I've asked Al Viro & Marcelo for more info + dannf> Marcelo says: + 2.6 avoids the file offset race by having a copy of it at the high + level VFS functions, its safe. +Bugs: +upstream: released (2.4.27-rc5) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0427 b/retired/CVE-2004-0427 new file mode 100644 index 00000000..048cc7e6 --- /dev/null +++ b/retired/CVE-2004-0427 
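Review bot: in the CVE-2004-0415 hunk all seven woody status lines, from `+2.4.19-woody-security:` down to `+2.4.18-woody-security-hppa:`, are left blank even though the Notes identify the 2.4 fix as the changesets that landed in 2.4.27-rc5, which would make the older woody 2.4.16 to 2.4.19 kernels affected. A record moved under retired/ should carry released, needed or N/A on every line; either fill these in (with package versions where a fix shipped) or keep the issue in the active set.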
@@ -0,0 +1,70 @@ +Candidate: CVE-2004-0427 +References: + MLIST:[linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leak + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108139073506983&w=2 + CONECTIVA:CLA-2004:846 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846 + ENGARDE:ESA-20040428-004 + FEDORA:FEDORA-2004-111 + URL:http://fedoranews.org/updates/FEDORA-2004-111.shtml + GENTOO:GLSA-200407-02 + URL:http://security.gentoo.org/glsa/glsa-200407-02.xml + MANDRAKE:MDKSA-2004:037 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:037 + REDHAT:RHSA-2004:255 + URL:http://www.redhat.com/support/errata/RHSA-2004-255.html + REDHAT:RHSA-2004:260 + URL:http://www.redhat.com/support/errata/RHSA-2004-260.html + REDHAT:RHSA-2004:327 + URL:http://www.redhat.com/support/errata/RHSA-2004-327.html + SGI:20040504-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040504-01-U.asc + SGI:20040505-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040505-01-U.asc + SUSE:SuSE-SA:2004:010 + URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html + TURBO:TLSA-2004-14 + URL:http://www.turbolinux.com/security/2004/TLSA-2004-14.txt + MISC:http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHA + MISC:http://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726A + CIAC:O-164 + URL:http://www.ciac.org/ciac/bulletins/o-164.shtml + BID:10221 + URL:http://www.securityfocus.com/bid/10221 + SECUNIA:11429 + URL:http://secunia.com/advisories/11429 + SECUNIA:11464 + URL:http://secunia.com/advisories/11464 + SECUNIA:11486 + URL:http://secunia.com/advisories/11486 + SECUNIA:11541 + URL:http://secunia.com/advisories/11541 + SECUNIA:11861 + URL:http://secunia.com/advisories/11861 + SECUNIA:11891 + URL:http://secunia.com/advisories/11891 + SECUNIA:11892 + URL:http://secunia.com/advisories/11892 + OVAL:OVAL2819 + 
URL:http://oval.mitre.org/oval/definitions/data/oval2819.html + XF:linux-dofork-memory-leak(16002) + URL:http://xforce.iss.net/xforce/xfdb/16002 +Description: + The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, + does not properly decrement the mm_count counter when an error occurs after + the mm_struct for a child process has been activated, which triggers a memory + leak that allows local users to cause a denial of service (memory exhaustion) + via the clone (CLONE_VM) system call. +Notes: +Bugs: +upstream: released (2.4.26, 2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0447 b/retired/CVE-2004-0447 new file mode 100644 index 00000000..b3c51eef --- /dev/null +++ b/retired/CVE-2004-0447 
@@ -0,0 +1,37 @@ +Candidate: CVE-2004-0447 +References: + MLIST:[owl-users] 20040619 Linux 2.4.26-ow2 + URL:http://archives.neohapsis.com/archives/linux/owl/2004-q2/0038.html + GENTOO:GLSA-200407-16 + URL:http://security.gentoo.org/glsa/glsa-200407-16.xml + REDHAT:RHSA-2004:413 + URL:http://www.redhat.com/support/errata/RHSA-2004-413.html + SGI:20040804-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc + CIAC:O-193 + URL:http://www.ciac.org/ciac/bulletins/o-193.shtml + BID:10783 + URL:http://www.securityfocus.com/bid/10783 + XF:linux-ia64-dos(16661) + URL:http://xforce.iss.net/xforce/xfdb/16661 +Description: + Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to + cause a denial of service, with unknown impact. NOTE: due to a typo, this + issue was accidentally assigned CVE-2004-0477. This is the proper candidate to + use for the Linux local DoS. +Notes: + jmm> I've verified that the patch from David Mosberger available at + jmm> http://marc.theaimsgroup.com/?l=linux-ia64&m=108026377907667&w=2 + jmm> is included in stock 2.4.27 and 2.6.8, so it's N/A. +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0491 b/retired/CVE-2004-0491 new file mode 100644 index 00000000..245dac3b --- /dev/null +++ b/retired/CVE-2004-0491 
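Review bot: in the CVE-2004-0447 hunk `+upstream:` is left empty although the Notes state that David Mosberger's patch is included in stock 2.4.27 and 2.6.8 and the Description says the issue affects Linux before 2.4.26; record the upstream version (at least `released (2.4.27, 2.6.8)` if the exact merge point is unknown) so the sarge N/A markings are backed by the record itself rather than only by the jmm> note.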
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-0491 +References: + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126411 + MLIST:[linux-kernel] 20040402 Re: disable-cap-mlock + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108087017610947&w=2 + OVAL:OVAL1117 + URL:http://oval.mitre.org/oval/definitions/data/oval1117.html +Description: + The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly + maintain the mlock page count when one process unlocks pages that belong to + another process, which allows local users to mlock more memory than specified + by the rlimit. +Notes: + dannf> It doesn't look like the code in linux-2.4.21-mlock.patch was ever + dannf> accepted upstream in 2.4 or 2.6, so it doesn't apply to us. +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0495 b/retired/CVE-2004-0495 new file mode 100644 index 00000000..d0aed8aa --- /dev/null +++ b/retired/CVE-2004-0495 
@@ -0,0 +1,48 @@ +Candidate: CVE-2004-0495 +References: + CONECTIVA:CLA-2004:845 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845 + CONECTIVA:CLA-2004:846 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000846 + FEDORA:FEDORA-2004-186 + URL:http://lwn.net/Articles/91155/ + GENTOO:GLSA-200407-02 + URL:http://security.gentoo.org/glsa/glsa-200407-02.xml + MANDRAKE:MDKSA-2004:066 + URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066 + REDHAT:RHSA-2004:255 + URL:http://www.redhat.com/support/errata/RHSA-2004-255.html + REDHAT:RHSA-2004:260 + URL:http://www.redhat.com/support/errata/RHSA-2004-260.html + SUSE:SUSE-SA:2004:020 + URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html + OVAL:OVAL2961 + URL:http://oval.mitre.org/oval/definitions/data/oval2961.html + XF:linux-drivers-gain-privileges(16449) + URL:http://xforce.iss.net/xforce/xfdb/16449 + BID:10566 + URL:http://www.securityfocus.com/bid/10566 +Description: + Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users + to gain privileges or access kernel memory, as found by the Sparse source code + checking tool. 
+Notes: + dannf> 2.4 patches: + http://linux.bkbits.net:8080/linux-2.4/cset@40d972a19cY-Al1qQickpmg8z_gxmg?nav=index.html|src/|src/net|src/net/decnet|related/net/decnet/dn_dev.c + http://linux.bkbits.net:8080/linux-2.4/cset@40d97303iUWCFF5wizAKNT5CC5ctJg?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/mpu401.c + http://linux.bkbits.net:8080/linux-2.4/cset@40d973835aLERLaEv4dP6Hjw31Nn5A?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/msnd.h + http://linux.bkbits.net:8080/linux-2.4/cset@40d973d9FCCgP1ZDVGknBTDKgDXw6w?nav=index.html|src/|src/drivers|src/drivers/sound|related/drivers/sound/pss.c + http://linux.bkbits.net:8080/linux-2.4/cset@40d9743al24lCKKm8wbRs-S_2CgWTA?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wireless|related/drivers/net/wireless/airo.c + http://linux.bkbits.net:8080/linux-2.4/cset@40d975a2Ttlhd2amhkcgbfzndDMUZA?nav=index.html|src/|src/drivers|src/drivers/acpi|related/drivers/acpi/asus_acpi.c +Bugs: +upstream: released (2.4.27-rc2, 2.6.7) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0496 b/retired/CVE-2004-0496 new file mode 100644 index 00000000..762a0bb0 --- /dev/null +++ b/retired/CVE-2004-0496 
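Review bot: in the CVE-2004-0495 hunk the woody status lines are blank while `+upstream: released (2.4.27-rc2, 2.6.7)` and the six linux-2.4 changesets listed under Notes show that the 2.4 tree needed fixes; since 2.4.16 to 2.4.19 predate 2.4.27-rc2, these lines should say needed or released (with the package version), not nothing, before the record is retired.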
@@ -0,0 +1,26 @@ +Candidate: CVE-2004-0496 +References: + http://www.novell.com/linux/security/advisories/2004_20_kernel.html + http://xforce.iss.net/xforce/xfdb/16625 +Description: + Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain + privileges or access kernel memory, a different set of vulnerabilities than + those identified in CVE-2004-0495, as found by the Sparse source code checking + tool. +Notes: + dannf> I wasn't able to find the patches for this, but the description and + dannf> vendor advisories only note 2.6, so I'm assuming these are 2.6-only. + dannf> The description says this affects < 2.6.7. 2.6.7 contains a bunch + dannf> of sparse fixes in the changelog, so I'll label upstream + dannf> as fixed in 2.6.7. +Bugs: +upstream: released (2.6.7) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0497 b/retired/CVE-2004-0497 new file mode 100644 index 00000000..2addb710 --- /dev/null +++ b/retired/CVE-2004-0497 
@@ -0,0 +1,33 @@ +Candidate: CVE-2004-0497 +References: + CONECTIVA:CLA-2004:852 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852 + MANDRAKE:MDKSA-2004:066 + URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066 + REDHAT:RHSA-2004:354 + URL:http://www.redhat.com/support/errata/RHSA-2004-354.html + REDHAT:RHSA-2004:360 + URL:http://www.redhat.com/support/errata/RHSA-2004-360.html + SUSE:SUSE-SA:2004:020 + URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html + XF:linux-fchown-groupid-modify(16599) + URL:http://xforce.iss.net/xforce/xfdb/16599 +Description: + Unknown vulnerability in Linux kernel 2.x may allow local users to modify the + group ID of files, such as NFS exported files in kernel 2.4. +Notes: + Changelog shows fixed in 2.4.26-3 + 2.6 patch: + http://linux.bkbits.net:8080/linux-2.6/cset@40e62e18vom8K1fHgbJfe1oQ6mdkkQ?nav=index.html|src/|src/fs|related/fs/attr.c +Bugs: +upstream: released (2.4.27, 2.6.8) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0535 b/retired/CVE-2004-0535 new file mode 100644 index 00000000..63948c79 --- /dev/null +++ b/retired/CVE-2004-0535 
@@ -0,0 +1,44 @@ +Candidate: CVE-2004-0535 +References: + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.log + CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168 + CONECTIVA:CLA-2004:845 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845 + FEDORA:FEDORA-2004-186 + URL:http://lwn.net/Articles/91155/ + GENTOO:GLSA-200407-02 + URL:http://security.gentoo.org/glsa/glsa-200407-02.xml + MANDRAKE:MDKSA-2004:062 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:062 + REDHAT:RHSA-2004:413 + URL:http://www.redhat.com/support/errata/RHSA-2004-413.html + REDHAT:RHSA-2004:418 + URL:http://www.redhat.com/support/errata/RHSA-2004-418.html + SGI:20040804-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc + SUSE:SUSE-SA:2004:020 + URL:http://www.novell.com/linux/security/advisories/2004_20_kernel.html + XF:linux-e1000-bo(16159) + URL:http://xforce.iss.net/xforce/xfdb/16159 + BID:10352 + URL:http://www.securityfocus.com/bid/10352 +Description: + The e1000 driver for Linux kernel 2.4.26 and earlier does not properly + initialize memory before using it, which allows local users to read portions + of kernel memory. NOTE: this issue was originally incorrectly reported as a + "buffer overflow" by some sources. +Notes: + Patch: + http://linux.bkbits.net:8080/linux-2.6/cset@4084025a6AP3ORKQ7iaTFCmOGvTJXw?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/e1000|related/drivers/net/e1000/e1000_ethtool.c +Bugs: +upstream: released (2.4.27, 2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: needed +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0554 b/retired/CVE-2004-0554 new file mode 100644 index 00000000..6e11727f --- /dev/null 
+++ b/retired/CVE-2004-0554 
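Review bot: in the CVE-2004-0535 hunk `+2.4.17-woody-security-ia64: needed` sits among woody lines that are all N/A, yet the Description says the e1000 driver in 2.4.26 and earlier is affected without restricting it to an architecture; either the N/A lines are wrong or the ia64 line is, and a retired file should not carry an open needed entry either way. Please reconcile the lines and add a note explaining the ia64 difference if it is real.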
@@ -0,0 +1,54 @@ +Candidate: CVE-2004-0554 +References: + MISC:http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905 + MISC:http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html + MLIST:[linux-kernel] 20040609 timer + fpu stuff locks my console race + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=108681568931323&w=2 + CONECTIVA:CLA-2004:845 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000845 + ENGARDE:ESA-20040621-005 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108793699910896&w=2 + FEDORA:FEDORA-2004-186 + URL:http://lwn.net/Articles/91155/ + GENTOO:GLSA-200407-02 + URL:http://security.gentoo.org/glsa/glsa-200407-02.xml + MANDRAKE:MDKSA-2004:062 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:062 + REDHAT:RHSA-2004:255 + URL:http://www.redhat.com/support/errata/RHSA-2004-255.html + REDHAT:RHSA-2004:260 + URL:http://www.redhat.com/support/errata/RHSA-2004-260.html + SUSE:SuSE-SA:2004:017 + URL:http://www.novell.com/linux/security/advisories/2004_17_kernel.html + TRUSTIX:2004-0034 + URL:http://www.trustix.net/errata/2004/0034/ + BUGTRAQ:20040620 TSSA-2004-011 - kernel + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108786114032681&w=2 + CERT-VN:VU#973654 + URL:http://www.kb.cert.org/vuls/id/973654 + OVAL:OVAL2915 + URL:http://oval.mitre.org/oval/definitions/data/oval2915.html + XF:linux-dos(16412) + URL:http://xforce.iss.net/xforce/xfdb/16412 + BID:10566 + URL:http://www.securityfocus.com/bid/10566 +Description: + Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of + service (system crash), possibly via an infinite loop that triggers a signal + handler with a certain sequence of fsave and frstor instructions, as + originally demonstrated using a "crash.c" program. 
+Notes: + jmm> I don't know at which version this was merged, but I've verified that + jmm> the stock 2.4.27 and 2.6.8 contain the fix +Bugs: 261521 +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0565 b/retired/CVE-2004-0565 new file mode 100644 index 00000000..a49abb1f --- /dev/null +++ b/retired/CVE-2004-0565 
@@ -0,0 +1,30 @@ +Candidate: CVE-2004-0565 +References: + MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734 + MLIST:[owl-users] 20040619 Linux 2.4.26-ow2 + URL:http://archives.neohapsis.com/archives/linux/owl/2004-q2/0038.html + MANDRAKE:MDKSA-2004:066 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:066 + XF:linux-ia64-info-disclosure(16644) + URL:http://xforce.iss.net/xforce/xfdb/16644 +Description: + Floating point information leak in the context switch code for Linux 2.4.x + only checks the MFH bit but does not verify the FPH owner, which allows local + users to read register values of other processes by setting the MFH bit. +Notes: + jmm> I've verified that the check for FPH ownership is included in stock 2.6.8: + jmm> # define switch_to(prev,next,last) do { \ + jmm> if (ia64_psr(ia64_task_regs(prev))->mfh && ia64_is_local_fpu_owner(prev)) { + jmm> So it's N/A, but I don't know at which time it was fixed upstream +Bugs: +upstream: released (2.4.27) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0587 b/retired/CVE-2004-0587 new file mode 100644 index 00000000..72028b0d --- /dev/null +++ b/retired/CVE-2004-0587 
@@ -0,0 +1,41 @@ +Candidate: CVE-2004-0587 +References: + FEDORA:FEDORA-2004-186 + URL:http://lwn.net/Articles/91155/ + MANDRAKE:MDKSA-2004:066 + URL:http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:066 + REDHAT:RHSA-2004:413 + URL:http://www.redhat.com/support/errata/RHSA-2004-413.html + REDHAT:RHSA-2004:418 + URL:http://www.redhat.com/support/errata/RHSA-2004-418.html + SGI:20040804-01-U + URL:ftp://patches.sgi.com/support/free/security/advisories/20040804-01-U.asc + SUSE:SuSE-SA:2004:010 + URL:http://www.novell.com/linux/security/advisories/2004_10_kernel.html + BID:10279 + URL:http://www.securityfocus.com/bid/10279 + SECTRACK:1010057 + URL:http://securitytracker.com/id?1010057 + XF:suse-hbaapinode-dos(16062) + URL:http://xforce.iss.net/xforce/xfdb/16062 +Description: + Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux + allows local users to cause a denial of service. +Notes: + 2.4.26-3 has the note: + CVE-2004-0587 code is not present, not vulnerable + So the question is, did the code get added when we moved to 2.4.27, and + was it still vulnerable? + dannf> Nope; qla2xxx isn't in 2.4.27 +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: needed +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0596 b/retired/CVE-2004-0596 new file mode 100644 index 00000000..1ab8f835 --- /dev/null +++ b/retired/CVE-2004-0596 
@@ -0,0 +1,24 @@ +Candidate: CVE-2004-0596 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg + XF:linux-eql-dos(16694) + URL:http://xforce.iss.net/xforce/xfdb/16694 + BID:10730 + URL:http://www.securityfocus.com/bid/10730 +Description: + The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux + kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a + non-existent device name that triggers a null dereference. +Notes: +Bugs: +upstream: released (2.4.27-rc2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0619 b/retired/CVE-2004-0619 new file mode 100644 index 00000000..1cb869e3 --- /dev/null +++ b/retired/CVE-2004-0619 
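Review bot: in the CVE-2004-0596 hunk `+upstream: released (2.4.27-rc2)` names a 2.4 release while the Description says the eql.c null dereference affects kernel 2.6.x up to 2.6.7 and the only CONFIRM reference is a linux-2.6 changeset; one of the two is wrong, and if the 2.4 tree really carried the fix then the woody lines, left blank here, need a status too. Please check which tree the fix landed in and record it, e.g. `released (2.6.8)` if it is 2.6 only.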
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-0619 +References: + http://marc.theaimsgroup.com/?l=bugtraq&m=108802653409053&w=2 + http://www.redhat.com/support/errata/RHSA-2004-549.html + http://www.redhat.com/support/errata/RHSA-2005-283.html + http://www.ciac.org/ciac/bulletins/p-047.shtml + http://www.securityfocus.com/bid/10599 + http://secunia.com/advisories/11936 + http://xforce.iss.net/xforce/xfdb/16459 +Description: + Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 + cryptonet driver allows local users to cause a denial of service (crash) + and possibly execute arbitrary code via a negative add_dsa_buf_bytes + variable, which leads to a buffer overflow. +Notes: + jmm> I've checked 2.6.8, 2.4.27 and 2.6.14, this is not included in the + jmm> stock kernel, only in Red Hat's. I'm marking Woody N/A as well. +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0626 b/retired/CVE-2004-0626 new file mode 100644 index 00000000..8f50960d --- /dev/null +++ b/retired/CVE-2004-0626 
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-0626 +References: + http://marc.theaimsgroup.com/?l=bugtraq&m=108861141304495&w=2 + http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000852 + http://lwn.net/Articles/91964/ + http://www.gentoo.org/security/en/glsa/glsa-200407-12.xml + http://www.novell.com/linux/security/advisories/2004_20_kernel.html + http://xforce.iss.net/xforce/xfdb/16554 +Description: + The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, + when using iptables and TCP options rules, allows remote attackers to cause a + denial of service (CPU consumption by infinite loop) via a large option length + that produces a negative integer after a casting operation to the char type. +Notes: + jmm> The bug was introduced during a rewrite of the code that accesses the skb's + jmm> during earlier 2.6 kernels. 2.4 has the correct u_int8_t declaration. +Bugs: +upstream: released (2.6.8) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-0685 b/retired/CVE-2004-0685 new file mode 100644 index 00000000..131c021d --- /dev/null +++ b/retired/CVE-2004-0685 
@@ -0,0 +1,36 @@ +Candidate: CVE-2004-0685 +References: + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + GENTOO:GLSA-200408-24 + URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml + TRUSTIX:2004-0041 + URL:http://www.trustix.net/errata/2004/0041/ + CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921 + CERT-VN:VU#981134 + URL:http://www.kb.cert.org/vuls/id/981134 + BID:10892 + URL:http://www.securityfocus.com/bid/10892 + XF:linux-usb-gain-privileges(16931) + URL:http://xforce.iss.net/xforce/xfdb/16931 + MISC:http://www.securityspace.com/smysecure/catid.html?id=14580 +Description: + Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on + uninitialized structures, which could allow local users to obtain sensitive + information by reading memory that was not cleared from previous usage. +Notes: + jmm> This was commited into the 2.5/2.6 version before in this changeset: + jmm> http://linux.bkbits.net:8080/linux-2.6/cset@3f986b35LyBKc-OxB8G6k22oOjgYTQ + jmm> So I'm marking all 2.6 versions N/A +Bugs: +upstream: released (2.4.27) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0790 b/retired/CVE-2004-0790 new file mode 100644 index 00000000..765295f8 --- /dev/null +++ b/retired/CVE-2004-0790 
@@ -0,0 +1,44 @@ +Candidate: CVE-2004-0790 +References: + MISC:http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt + MISC:http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en + MISC:http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html + HP:HPSBTU01210 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2 + HP:SSRT4743 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2 + HP:SSRT4884 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112861397904255&w=2 + MS:MS05-019 + URL:http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx + SUNALERT:57746 + URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-57746-1 + OVAL:OVAL3458 + URL:http://oval.mitre.org/oval/definitions/data/oval3458.html + OVAL:OVAL1910 + URL:http://oval.mitre.org/oval/definitions/data/oval1910.html + OVAL:OVAL4804 + URL:http://oval.mitre.org/oval/definitions/data/oval4804.html +Description: + Multiple TCP/IP and ICMP implementations allow remote attackers to cause a + denial of service (reset TCP connections) via spoofed ICMP error messages, aka + the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and + CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, + CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that + are SPLIT based on the underlying vulnerability. While CVE normally SPLITs + based on vulnerability, the attack-based identifiers exist due to the variety + and number of affected implementations and solutions that address the attacks + instead of the underlying vulnerabilities. 
+Notes: +Bugs: 305655 305664 +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-16) [net-ipv4-icmp-quench.dpatch] +2.4.27-sarge-security: released (2.4.27-10) [164_net-ipv4-icmp-quench.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0812 b/retired/CVE-2004-0812 new file mode 100644 index 00000000..f6fba4ae --- /dev/null +++ b/retired/CVE-2004-0812 @@ -0,0 +1,36 @@ +Candidate: CVE-2004-0812 +References: + REDHAT:RHSA-2004:549 + URL:http://www.redhat.com/support/errata/RHSA-2004-549.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@3fad673ber4GuU7iWppydzNIyLntEQ + CIAC:P-047 + URL:http://www.ciac.org/ciac/bulletins/p-047.shtml + BID:11794 + URL:http://www.securityfocus.com/bid/11794 + SECUNIA:13359 + URL:http://secunia.com/advisories/13359 + XF:linux-tss-gain-privilege(18346) + URL:http://xforce.iss.net/xforce/xfdb/18346 +Description: + Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and + Intel EM64T architectures, associated with "setting up TSS limits," allows + local users to cause a denial of service (crash) and possibly execute + arbitrary code. +Notes: + jmm> I've verified that above bkbits fixed is included in 2.6.8, so I'm + jmm> marking 2.6 N/A + jmm> The vulnerable code doesn't seem to be present in 2.4.27. Plus, 2.4 + jmm> is unsupported for amd64 anyway, so I'm marking it N/A as well for + jmm> the 2.4 kernels +Bugs: +upstream: released (2.6.0-test10) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0814 b/retired/CVE-2004-0814 new file mode 100644 index 00000000..6623e502 
--- /dev/null +++ b/retired/CVE-2004-0814 @@ -0,0 +1,38 @@ +Candidate: CVE-2004-0814 +References: + BUGTRAQ:20041020 CVE-2004-0814: Linux terminal layer races + URL:http://www.securityfocus.com/archive/1/379005 + CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672 + CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133110 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + BID:11491 + URL:http://www.securityfocus.com/bid/11491 + BID:11492 + URL:http://www.securityfocus.com/bid/11492 + XF:linux-tiocsetd-race-condition(17816) + URL:http://xforce.iss.net/xforce/xfdb/17816 +Description: + Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x + before 2.6.9, allow (1) local users to obtain portions of kernel data via a + TIOCSETD ioctl call to a terminal interface that is being accessed by another + thread, or (2) remote attackers to cause a denial of service (panic) by + switching from console to PPP line discipline, then quickly sending data that + is received during the switch. +Notes: +Bugs: +upstream: released (2.6.9) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-8) [tty-locking-fixes.dpatch, tty-locking-fixes2.dpatch, tty-locking-fixes3.dpatch, tty-locking-fixes4.dpatch, tty-locking-fixes5.dpatch, tty-locking-fixes6.dpatch, tty-locking-fixes7.dpatch, tty-locking-fixes8.dpatch] +2.4.27-sarge-security: released (2.4.27-7) [093_tty_lockup.diff, 093_tty_lockup-2.diff, 115_tty_lockup-3.diff, 093-tty_lockup-3.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: 
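Review bot: in the CVE-2004-0814 hunk the 2.4.27-sarge-security patch list `[093_tty_lockup.diff, 093_tty_lockup-2.diff, 115_tty_lockup-3.diff, 093-tty_lockup-3.diff]` contains two different files with the -3 suffix, and the last one uses a hyphen after the number where the other three use an underscore, which looks like a typo or a stale duplicate; please verify the file names against the 2.4.27-7 source package. The woody status lines are blank as well, which does not fit a record moved under retired/.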
diff --git a/retired/CVE-2004-0816 b/retired/CVE-2004-0816 new file mode 100644 index 00000000..db95f003 --- /dev/null +++ b/retired/CVE-2004-0816 @@ -0,0 +1,35 @@ +Candidate: CVE-2004-0816 +References: + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + SUSE:SUSE-SA:2004:037 + URL:http://www.novell.com/linux/security/advisories/2004_37_kernel.html + BID:11488 + URL:http://www.securityfocus.com/bid/11488 + SECUNIA:11202 + URL:http://secunia.com/advisories/11202/ + XF:linux-ip-packet-dos(17800) + URL:http://xforce.iss.net/xforce/xfdb/17800 +Description: + Integer underflow in the firewall logging rules for iptables in Linux before + 2.6.8 allows remote attackers to cause a denial of service (application crash) + via a malformed IP packet. +Notes: + jmm> Quoting from http://groups.google.com/group/nz.comp/msg/71ec927b491f247d: + jmm> The bug, discovered by Richard Hart, does not affect the 2.4 series kernel + jmm> Quoting from http://www.novell.com/linux/security/advisories/2004_37_kernel.html: + jmm> This problem has already been fixed in the 2.6.8 upstream Linux kernel, + jmm> this update contains a backport of the fix. + jmm> So I'm marking all kernels N/A +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-0883 b/retired/CVE-2004-0883 new file mode 100644 index 00000000..fc843e97 --- /dev/null +++ b/retired/CVE-2004-0883 
@@ -0,0 +1,48 @@ +Candidate: CVE-2004-0883 +References: + BUGTRAQ:20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110072140811965&w=2 + MISC:http://security.e-matters.de/advisories/142004.html + BUGTRAQ:20041118 [USN-30-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110082989725345&w=2 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:537 + URL:http://www.redhat.com/support/errata/RHSA-2004-537.html + CERT-VN:VU#726198 + URL:http://www.kb.cert.org/vuls/id/726198 + SECUNIA:13232 + URL:http://secunia.com/advisories/13232/ + BID:11695 + URL:http://www.securityfocus.com/bid/11695 + XF:linux-smbprocreadxdata-dos(18135) + URL:http://xforce.iss.net/xforce/xfdb/18135 + XF:linux-smb-response-dos(18134) + URL:http://xforce.iss.net/xforce/xfdb/18134 + XF:linux-smbreceivetrans2-dos(18136) + URL:http://xforce.iss.net/xforce/xfdb/18136 +Description: + Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 + and 2.6 allow remote samba servers to cause a denial of service (crash) or + gain sensitive information from kernel memory via a samba server (1) returning + more data than requested to the smb_proc_read function, (2) returning a data + offset from outside the samba packet to the smb_proc_readX function, (3) + sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, + (4) sending a samba packet with a certain header size to the + smb_proc_readX_data function, or (5) sending a certain packet based offset for + the data in a packet to the smb_receive_trans2 function. 
+Notes: +Bugs: +upstream: released (2.4.28-rc3), released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-9) [smbfs-overflow-fixes-2.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [111-smb-client-overflow-fix-1.diff, 111-smb-client-overflow-fix-2.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-0887 b/retired/CVE-2004-0887 new file mode 100644 index 00000000..a9b4ef2e --- /dev/null +++ b/retired/CVE-2004-0887 @@ -0,0 +1,23 @@ +Candidate: CVE-2004-0887 +References: + http://www.novell.com/linux/security/advisories/2004_37_kernel.html + http://www.securityfocus.com/bid/11489 + http://xforce.iss.net/xforce/xfdb/17801 +Description: + SUSE Linux Enterprise Server 9 on the S/390 platform does not properly + handle a certain privileged instruction, which allows local users to + gain root privileges. +Notes: + dannf> 2.4 looks vulnerable; I've asked waldi's advice on applying it. +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-10) [s390-sacf-fix.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [206_s390-sacf-fix.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-0949 b/retired/CVE-2004-0949 new file mode 100644 index 00000000..8c716e2d --- /dev/null +++ b/retired/CVE-2004-0949 
@@ -0,0 +1,40 @@ +Candidate: CVE-2004-0949 +References: + BUGTRAQ:20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110072140811965&w=2 + MISC:http://security.e-matters.de/advisories/142004.html + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:537 + URL:http://www.redhat.com/support/errata/RHSA-2004-537.html + TRUSTIX:2004-0061 + URL:http://www.trustix.org/errata/2004/0061/ + UBUNTU:USN-30-1 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110082989725345&w=2 + XF:linux-smbrecvtrans2-memory-leak(18137) + URL:http://xforce.iss.net/xforce/xfdb/18137 + BID:11695 + URL:http://www.securityfocus.com/bid/11695 + SECUNIA:13232 + URL:http://secunia.com/advisories/13232/ +Description: + The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux + kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented + packets correctly, which could allow remote samba servers to (1) read + arbitrary kernel information or (2) raise a counter value to an arbitrary + number by sending the first part of the fragmented packet multiple times. +Notes: +Bugs: +upstream: released (2.4.28-rc3), released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-13) [smbfs-overrun.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [111-smb-client-overflow-fix-1.diff, 111-smb-client-overflow-fix-2.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1016 b/retired/CVE-2004-1016 new file mode 100644 index 00000000..191860c5 --- /dev/null 
+++ b/retired/CVE-2004-1016 @@ -0,0 +1,36 @@ +Candidate: CVE-2004-1016 +References: + VULNWATCH:20041214 Linux kernel scm_send local DoS + MISC:http://isec.pl/vulnerabilities/isec-0019-scm.txt + UBUNTU:USN-38-1 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:689 + URL:http://www.redhat.com/support/errata/RHSA-2004-689.html + XF:linux-scmsend-dos(18483) + URL:http://xforce.iss.net/xforce/xfdb/18483 +Description: + The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, + and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system + hang) via crafted auxiliary messages that are passed to the sendmsg function, + which causes a deadlock condition. +Notes: + dannf> 2.4.27 has a reference to CVE-2004-1016 in the changelog, but it looks + like it referred to the wrong issue - our 2.4.27 may still be + vulnerable. + dannf> on second review, those patches look correct +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [scm_send-dos-fix.dpatch, scm_send-dos-fix2.dpatch] +2.4.27-sarge-security: released (2.4.27-7) [116-cmsg-validation-checks.patch, 118-cmsg-validation-checks-compat.patch] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1017 b/retired/CVE-2004-1017 new file mode 100644 index 00000000..20d4709b --- /dev/null +++ b/retired/CVE-2004-1017 
@@ -0,0 +1,27 @@ +Candidate: CVS-2004-1017 +References: + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + REDHAT:RHSA-2004:689 + URL:http://www.redhat.com/support/errata/RHSA-2004-689.html + XF:linux-ioedgeport-bo(18433) + URL:http://xforce.iss.net/xforce/xfdb/18433 +Description: + Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have + unknown impact and unknown attack vectors. +Notes: + jmm> I've checked 2.6.14, but I didn't find the exact upstream version when + jmm> this was fixed + jmm> The fix is required for 2.6.8 +Bugs: +upstream: +linux-2.6: released (2.4.31-rc1, 2.6.10) +2.6.8-sarge-security: released (2.6.8-16sarge2) [io_edgeport_overflow.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [137_io_edgeport_overflow.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1056 b/retired/CVE-2004-1056 new file mode 100644 index 00000000..e768cfaa --- /dev/null +++ b/retired/CVE-2004-1056 
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-1056 +References: + UBUNTU:USN-38-1 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + XF:linux-i810-dma-dos(15972) + URL:http://xforce.iss.net/xforce/xfdb/15972 +Description: + Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly + check the DMA lock, which could allow remote attackers or local users to cause + a denial of service (X Server crash) and possibly modify the video output. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-11) [drm-locking-fixes.dpatch] +2.4.27-sarge-security: released (2.4.27-8) [121_drm-locking-checks-1.diff, 121_drm-locking-checks-2.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1057 b/retired/CVE-2004-1057 new file mode 100644 index 00000000..fab0fac1 --- /dev/null +++ b/retired/CVE-2004-1057 
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-1057 +References: + MISC:http://www.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.23aa3/00_VM_IO-4 + REDHAT:RHSA-2005:016 + URL:http://www.redhat.com/support/errata/RHSA-2005-016.html + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137821 + XF:linux-kernel-vmio-dos(19275) + URL:http://xforce.iss.net/xforce/xfdb/19275 +Description: + Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark + memory with the VM_IO flag, which causes incorrect reference counts and may + lead to a denial of service (kernel panic) when accessing freed kernel pages. +Notes: + dannf> I see the PageReserved() check in the 2.6 code, going back to 2.4.0 + dannf> so I'll mark 2.6 N/A +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-10) [165_VM_IO.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1058 b/retired/CVE-2004-1058 new file mode 100644 index 00000000..b5445d34 --- /dev/null +++ b/retired/CVE-2004-1058 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-1058 +References: + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + GENTOO:GLSA-200408-24 + URL:http://www.gentoo.org/security/en/glsa/glsa-200408-24.xml + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + UBUNTU:USN-38-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-38-1 + XF:linux-spawning-race-condition(17151) + URL:http://xforce.iss.net/xforce/xfdb/17151 +Description: + Race condition in Linux kernel 2.6 allows local users to read the environment + variables of another process that is still spawning via /proc/.../cmdline. +Notes: +Bugs: +upstream: released (2.4.33-pre2) +linux-2.6: +2.6.8-sarge-security: released (2.6.8-14) [proc-cmdline-mmput-leak.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [203_proc_pid_cmdline_race.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1068 b/retired/CVE-2004-1068 new file mode 100644 index 00000000..55015143 --- /dev/null +++ b/retired/CVE-2004-1068 
@@ -0,0 +1,33 @@ +Candidate: CVE-2004-1068 +References: + BUGTRAQ:20041119 Addendum, recent Linux <= 2.4.27 vulnerabilities + URL:http://www.securityfocus.com/archive/1/381689 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:537 + URL:http://www.redhat.com/support/errata/RHSA-2004-537.html + BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + BID:11715 + URL:http://www.securityfocus.com/bid/11715 + XF:linux-afunix-race-condition(18230) + URL:http://xforce.iss.net/xforce/xfdb/18230 +Description: + A "missing serialization" error in the unix_dgram_recvmsg function in Linux + 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain + privileges via a race condition. +Notes: +Bugs: +upstream: released (2.4.27, 2.6.9) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) +2.4.27-sarge-security: released (2.4.27-7) +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1069 b/retired/CVE-2004-1069 new file mode 100644 index 00000000..ea4e901e --- /dev/null +++ b/retired/CVE-2004-1069 
@@ -0,0 +1,24 @@ +Candidate: CVE-2004-1069 +References: + http://marc.theaimsgroup.com/?l=linux-kernel&m=110045613004761 + http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + http://xforce.iss.net/xforce/xfdb/18312 +Description: + Race condition in SELinux 2.6.x through 2.6.9 allows local users to + cause a denial of service (kernel crash) via SOCK_SEQPACKET unix + domain sockets, which are not properly handled in the sock_dgram_sendmsg + function. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-11) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1070 b/retired/CVE-2004-1070 new file mode 100644 index 00000000..cb13be15 --- /dev/null +++ b/retired/CVE-2004-1070 
@@ -0,0 +1,30 @@ +Candidate: CVE-2004-1070 +References: + MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:549 + URL:http://www.redhat.com/support/errata/RHSA-2004-549.html + XF:linux-elf-setuid-gain-privileges(18025) + URL:http://xforce.iss.net/xforce/xfdb/18025 +Description: + The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux + kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8 , does not properly check + return values from calls to the kernel_read function, which may allow local + users to modify sensitive memory in a setuid program and execute arbitrary + code. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1071 b/retired/CVE-2004-1071 new file mode 100644 index 00000000..14325cbb --- /dev/null +++ b/retired/CVE-2004-1071 
@@ -0,0 +1,29 @@ +Candidate: CVE-2004-1071 +References: + MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:537 + URL:http://www.redhat.com/support/errata/RHSA-2004-537.html + XF:linux-elf-setuid-gain-privileges(18025) + URL:http://xforce.iss.net/xforce/xfdb/18025 +Description: + The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and + 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap + function, which causes an incorrect mapped image and may allow local users to + execute arbitrary code. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1072 b/retired/CVE-2004-1072 new file mode 100644 index 00000000..822e3a63 --- /dev/null +++ b/retired/CVE-2004-1072 
@@ -0,0 +1,32 @@ +Candidate: CVE-2004-1072 +References: + MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:537 + URL:http://www.redhat.com/support/errata/RHSA-2004-537.html + REDHAT:RHSA-2005:275 + URL:http://www.redhat.com/support/errata/RHSA-2005-275.html + XF:linux-elf-setuid-gain-privileges(18025) + URL:http://xforce.iss.net/xforce/xfdb/18025 +Description: + The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and + 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL + terminated, which could cause strings longer than PATH_MAX to be used, leading + to buffer overflows that allow local users to cause a denial of service (hang) + and possibly execute arbitrary code. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1073 b/retired/CVE-2004-1073 new file mode 100644 index 00000000..21cc9e6c --- /dev/null +++ b/retired/CVE-2004-1073 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-1073 +References: + MISC:http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2004:549 + URL:http://www.redhat.com/support/errata/RHSA-2004-549.html + XF:linux-elf-setuid-gain-privileges(18025) + URL:http://xforce.iss.net/xforce/xfdb/18025 +Description: + The open_exec function in the execve functionality (exec.c) in Linux kernel + 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read + non-readable ELF binaries by using the interpreter (PT_INTERP) functionality. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-9) [elf-loader-fixes.dpatch, elf-loader-fixes-the-return.dpatch] +2.4.27-sarge-security: released (2.4.27-6) [097-elf_loader_overflow-1.diff, 097-elf_loader_overflow-2.diff, 097-elf_loader_overflow-3.diff, 097-elf_loader_overflow-4.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1137 b/retired/CVE-2004-1137 new file mode 100644 index 00000000..de8f91b6 --- /dev/null +++ b/retired/CVE-2004-1137 
@@ -0,0 +1,39 @@ +Candidate: CVE-2004-1137 +References: + VULNWATCH:20041214 Linux kernel IGMP vulnerabilities + BUGTRAQ:20041214 Linux kernel IGMP vulnerabilities + MISC:http://isec.pl/vulnerabilities/isec-0018-igmp.txt + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 + XF:linux-igmpmarksources-dos(18482) + URL:http://xforce.iss.net/xforce/xfdb/18482 + XF:linux-ipmcsource-code-execution(18481) + URL:http://xforce.iss.net/xforce/xfdb/18481 +Description: + Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to + 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial + of service or execute arbitrary code via (1) the ip_mc_source function, which + decrements a counter to -1, or (2) the igmp_marksources function, which does + not properly validate IGMP message parameters and performs an out-of-bounds + read. +Notes: +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [igmp-src-list-fix.dpatch] +2.4.27-sarge-security: released (2.4.27-7) [117-igmp-source-filter-fixes.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1144 b/retired/CVE-2004-1144 new file mode 100644 index 00000000..84734f73 --- /dev/null +++ b/retired/CVE-2004-1144 
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-1144 +References: + REDHAT:RHSA-2004:689 + URL:http://www.redhat.com/support/errata/RHSA-2004-689.html + SUSE:SUSE-SA:2004:046 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110376890429798&w=2 + XF:linux-32bit-emulation-gain-privileges(18686) + URL:http://xforce.iss.net/xforce/xfdb/18686 +Description: + Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 + systems allows local users to gain privileges. +Notes: + jmm> 2.6 is not affected, see the comment by Andi Kleen from the patch: + jmm> # The problem only occurs on 2.4 x86-64 kernels, 2.6 doesn't have this + jmm> # hole because some unrelated changes in 2.5 fixed it as a side effect. +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-9) [138_amd64_syscall_vuln.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2004-1151 b/retired/CVE-2004-1151 new file mode 100644 index 00000000..a5f83c36 --- /dev/null +++ b/retired/CVE-2004-1151 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-1151 +References: + MLIST:[linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall() + URL:http://www.ussg.iu.edu/hypermail/linux/kernel/0411.3/1467.html + MISC:http://linux.bkbits.net:8080/linux-2.6/cset@1.2079 + MISC:http://linux.bkbits.net:8080/linux-2.6/gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + BUGTRAQ:20041214 [USN-38-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110306397320336&w=2 +Description: + Multiple buffer overflows in the (1) sys32_ni_syscall and (2) + sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local + attackers to modify kernel memory and gain privileges. +Notes: + <= 2.4.27 doesn't look vulnerable, and we don't have 2.4/x86_64 anyway. +Bugs: +upstream: released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [arch-x86_64-sys32_ni-overflow.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-1234 b/retired/CVE-2004-1234 new file mode 100644 index 00000000..b262dcc7 --- /dev/null +++ b/retired/CVE-2004-1234 
@@ -0,0 +1,35 @@ +Candidate: CVE-2004-1234 +References: + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + REDHAT:RHSA-2004:689 + URL:http://www.redhat.com/support/errata/RHSA-2004-689.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ + CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ + CONFIRM:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965 + BID:12101 + URL:http://www.securityfocus.com/bid/12101 + XF:linux-loadelfbinary-dos(18687) + URL:http://xforce.iss.net/xforce/xfdb/18687 +Description: + load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of + service (system crash) via an ELF binary in which the interpreter is NULL. +Notes: + jmm> I don't know at which version this was merged into 2.6, but I've verified + jmm> that above-mentioned fix is included in 2.6.8's binfmt_elf.c: + jmm> out_free_dentry: + jmm> allow_write_access(interpreter); + jmm> if (interpreter) + jmm> fput(interpreter); +Bugs: +upstream: released (2.4.26-rc3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1235 b/retired/CVE-2004-1235 new file mode 100644 index 00000000..122bb271 --- /dev/null +++ b/retired/CVE-2004-1235 
@@ -0,0 +1,43 @@ +Candidate: CVE-2004-1235 +References: + BUGTRAQ:20050107 Linux kernel sys_uselib local root vulnerability + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110512575901427&w=2 + MISC:http://isec.pl/vulnerabilities/isec-0021-uselib.txt + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + FEDORA:FEDORA-2005-013 + URL:http://www.securityfocus.com/advisories/7806 + FEDORA:FEDORA-2005-014 + URL:http://www.securityfocus.com/advisories/7805 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2005:043 + URL:http://www.redhat.com/support/errata/RHSA-2005-043.html + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + TRUSTIX:2005-0001 + URL:http://www.trustix.org/errata/2005/0001/ + CONFIRM:http://www.securityfocus.com/advisories/7804 + BID:12190 + URL:http://www.securityfocus.com/bid/12190 + XF:linux-uselib-gain-privileges(18800) + URL:http://xforce.iss.net/xforce/xfdb/18800 +Description: + Race condition in the (1) load_elf_library and (2) binfmt_aout function calls + for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows + local users to execute arbitrary code by manipulating the VMA descriptor. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-12) [028-do_brk_security_fixes.dpatch] +2.4.27-sarge-security: released (2.4.27-8) [122_sec_brk-locked.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1237 b/retired/CVE-2004-1237 new file mode 100644 index 00000000..099e2cf7 
--- /dev/null +++ b/retired/CVE-2004-1237 @@ -0,0 +1,28 @@ +Candidate: CVE-2004-1237 +References: + http://www.redhat.com/support/errata/RHSA-2005-043.html + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=132245 + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141996 + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142091 + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142442 + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=143886 + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144048 +Description: + Unknown vulnerability in the system call filtering code in the audit + subsystem for Red Hat Enterprise Linux 3 allows local users to cause + a denial of service (system crash) via unknown vectors. +Notes: + jmm> What a remarkably concrete description :-) + jmm> I found the Bugzilla entries above and this seems RHEL specific. + jmm> I'm marking it at such, but please double-check someone +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2004-1333 b/retired/CVE-2004-1333 new file mode 100644 index 00000000..9f40c436 --- /dev/null +++ b/retired/CVE-2004-1333 
@@ -0,0 +1,32 @@ +Candidate: CVE-2004-1333 +References: + FULLDISC:20041215 fun with linux kernel + URL:http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + UBUNTU:USN-47-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-47-1 + BID:11956 + URL:http://www.securityfocus.com/bid/11956 + XF:linux-vcresize-dos(18523) + URL:http://xforce.iss.net/xforce/xfdb/18523 +Description: + Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 + before 2.6.10 allows local users to cause a denial of service (kernel crash) + via a short new screen value, which leads to a buffer overflow. +Notes: +Bugs: +upstream: released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [vt-of-death.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [136_vc_resizing_overflow.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1334 b/retired/CVE-2004-1334 new file mode 100644 index 00000000..6ac0f8dd --- /dev/null +++ b/retired/CVE-2004-1334 
@@ -0,0 +1,25 @@ +Candidate: CVE-2004-1334 +References: + http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html + http://marc.theaimsgroup.com/?l=bugtraq&m=110383108211524&w=2 + http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html + http://www.securityfocus.com/bid/11956 + http://xforce.iss.net/xforce/xfdb/18522 +Description: + Integer overflow in the ip_options_get function in the Linux kernel before + 2.6.10 allows local users to cause a denial of service (kernel crash) via a + cmsg_len that contains a -1, which leads to a buffer overflow. +Notes: + dannf> This is a duplicate of CAN-2004-1016 +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [scm_send-dos-fix.dpatch, scm_send-dos-fix2.dpatch] +2.4.27-sarge-security: released (2.4.27-7) [116-cmsg-validation-checks.patch, 118-cmsg-validation-checks-compat.patch] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1335 b/retired/CVE-2004-1335 new file mode 100644 index 00000000..70b11309 --- /dev/null +++ b/retired/CVE-2004-1335 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-1335 +References: + FULLDISC:20041215 fun with linux kernel + URL:http://www.securitytrap.com/mail/full-disclosure/2004/Dec/0323.html + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html + BUGTRAQ:20041215 [USN-47-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110383108211524&w=2 + BID:11956 + URL:http://www.securityfocus.com/bid/11956 + XF:linux-ipoptionsget-memory-leak(18524) + URL:http://xforce.iss.net/xforce/xfdb/18524 +Description: + Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 + allows local users to cause a denial of service (memory consumption) by + repeatedly calling the ip_cmsg_send function. +Notes: +Bugs: +upstream: released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [fix-ip-options-leak.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [135_fix_ip_options_leak.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2004-1337 b/retired/CVE-2004-1337 new file mode 100644 index 00000000..53542701 --- /dev/null +++ b/retired/CVE-2004-1337 
@@ -0,0 +1,28 @@ +Candidate: +References: + BUGTRAQ:20041223 Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110384535113035&w=2 + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + BID:12093 + URL:http://www.securityfocus.com/bid/12093 + XF:linux-security-module-gain-privileges(18673) + URL:http://xforce.iss.net/xforce/xfdb/18673 +Description: + The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not + properly handle the credentials of a process that is launched before the + module is loaded, which allows local users to gain privileges. +Notes: + dannf> This code isn't in <= 2.4.27 +Bugs: +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [025-track_dummy_capability.dpatch, 027-track_dummy_capability.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-2013 b/retired/CVE-2004-2013 new file mode 100644 index 00000000..d965a45b --- /dev/null +++ b/retired/CVE-2004-2013 
@@ -0,0 +1,27 @@ +Candidate: CVE-2004-2013 +References: + http://archives.neohapsis.com/archives/bugtraq/2004-05/0091.html + http://lists.netsys.com/pipermail/full-disclosure/2004-May/021223.html + http://marc.theaimsgroup.com/?l=bugtraq&m=108456230815842&w=2 + http://www.securityfocus.com/bid/10326 + http://xforce.iss.net/xforce/xfdb/16117 +Description: + Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c + in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary + code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of + memory. +Notes: + jmm> http://archives.neohapsis.com/archives/bugtraq/2004-05/0091.html + jmm> The vulnerable socket option was removed entirely in 2.4.26 and 2.6.*, + jmm> Woody could be affected, though +Bugs: +upstream: released (2.4.26) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2004-2302 b/retired/CVE-2004-2302 new file mode 100644 index 00000000..f39ee81f --- /dev/null +++ b/retired/CVE-2004-2302 
@@ -0,0 +1,25 @@ +Candidate: CVE-2004-2302 +References: + http://linux.bkbits.net:8080/linux-2.6/cset%404186a4deVoR88JjTwMa3ZnIp-_YJsA + http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.10-rc1/2.6.10-rc1-mm1/broken-out/fix-race-in-sysfs_read_file-and-sysfs_write_file.patch + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:218 + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219 + http://www.novell.com/linux/security/advisories/2005_44_kernel.html +Description: + Race condition in the sysfs_read_file and sysfs_write_file functions in Linux + kernel before 2.6.10 allows local users to read kernel memory and cause a + denial of service (crash) via large offsets in sysfs files. +Notes: + dannf> sysfs is only in 2.6, so marking 2.4 N/A +Bugs: 322339 +upstream: released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-sysfs-read-write-race.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-2536 b/retired/CVE-2004-2536 new file mode 100644 index 00000000..5ae37d27 --- /dev/null +++ b/retired/CVE-2004-2536 
@@ -0,0 +1,28 @@ +Candidate: CVE-2004-2536 +References: + http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1242.html + http://www.ussg.iu.edu/hypermail/linux/kernel/0405.0/1265.html + http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.6 +Description: + The exit_thread function (process.c) in Linux kernel 2.6 through + 2.6.5 does not invalidate the per-TSS io_bitmap pointers if a + process obtains IO access permissions from the ioperm function but + does not drop those permissions when it exits, which allows other + processes to access the per-TSS pointers, access restricted memory + locations, and possibly gain privileges. +Notes: + Horms> Tested against kernel-image-2.4.27-2-686 2.4.27-11 which does not + seem to exhibit the problem, although the code suggests it might. I guess + its just a 2.6 problem. I marked 2.4.27 and the woody kernels N/A +Bugs: +upstream: released (2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2004-2607 b/retired/CVE-2004-2607 new file mode 100644 index 00000000..ec1da937 --- /dev/null +++ b/retired/CVE-2004-2607 
@@ -0,0 +1,30 @@ +Candidate: CVE-2004-2607 +References: + http://www.uwsg.iu.edu/hypermail/linux/kernel/0404.2/0313.html + http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2 +Description: + A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to + 2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of + kernel memory via a large len argument, which is received as an int but + cast to a short, which prevents a read loop from filling a buffer. +Notes: + jmm> The referenced patch was applied by Jeff Garzik on 2004-04-16, + jmm> 2.6.6 was released on 2004-05-09, so Sarge seems not affected, should + jmm> be double-checked against the source though, but my bandwidth is currently + jmm> too slim to download 2.6.8 + jmm> + jmm> The fix below is for a completely different issue, I've split it out + horms> Fix was included in 2.6.6. Checked source and 2.6.8 is not vulnerable + horms> 2.4.27 is vulnerable, added fix to SVN. Woody is likely vulnerable +Bugs: +upstream: released (2.4.33-pre2), released (2.6.6) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-10sarge2) [200_net_sdla_xfer_leak.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0001 b/retired/CVE-2005-0001 new file mode 100644 index 00000000..97943e59 --- /dev/null +++ b/retired/CVE-2005-0001 
@@ -0,0 +1,42 @@ +Candidate: CVE-2005-0001 +References: + BUGTRAQ:20050112 Linux kernel i386 SMP page fault handler privilege escalation + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110554694522719&w=2 + FULLDISC:20050112 Linux kernel i386 SMP page fault handler privilege escalation + URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030826.html + MISC:http://isec.pl/vulnerabilities/isec-0022-pagefault.txt + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + FEDORA:FLSA:2336 + URL:https://bugzilla.fedora.us/show_bug.cgi?id=2336 + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2005:043 + URL:http://www.redhat.com/support/errata/RHSA-2005-043.html + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + TRUSTIX:2005-0001 + URL:http://www.trustix.org/errata/2005/0001/ + BUGTRAQ:20050114 [USN-60-0] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110581146702951&w=2 + XF:linux-fault-handler-gain-privileges(18849) + URL:http://xforce.iss.net/xforce/xfdb/18849 +Description: + Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to + 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor + machines, allows local users to execute arbitrary code via concurrent threads + that share the same virtual memory space and simultaneously request stack + expansion. 
+Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-13) [034-stack_resize_exploit.dpatch] +2.4.27-sarge-security: released (2.4.27-8) [131_expand_stack_race.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2005-0003 b/retired/CVE-2005-0003 new file mode 100644 index 00000000..77071990 --- /dev/null +++ b/retired/CVE-2005-0003 
@@ -0,0 +1,34 @@ +Candidate: CVE-2005-0003 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3tw + MANDRAKE:MDKSA-2005:022 + URL:http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:022 + REDHAT:RHSA-2005:043 + URL:http://www.redhat.com/support/errata/RHSA-2005-043.html + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + TRUSTIX:2005-0001 + URL:http://www.trustix.org/errata/2005/0001/ + MISC:http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg + BID:12261 + URL:http://www.securityfocus.com/bid/12261 + XF:linux-vma-gain-privileges(18886) + URL:http://xforce.iss.net/xforce/xfdb/18886 +Description: + The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit + architectures, does not properly check for overlapping VMA (virtual memory + address) allocations, which allows local users to cause a denial of service + (system crash) or execute arbitrary code via a crafted ELF or a.out file. +Notes: +Bugs: +upstream: released (2.6.10) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-11) [binfmt-huge-vma-dos2.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [145_insert_vm_struct-no-BUG.patch] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2005-0090 b/retired/CVE-2005-0090 new file mode 100644 index 00000000..3a6ff8b0 --- /dev/null +++ b/retired/CVE-2005-0090 
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-0090 +References: + A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split + patch omits an "access check," which allows local users to cause a denial + of service (crash). +Description: + http://www.redhat.com/support/errata/RHSA-2005-092.html + http://www.securityfocus.com/bid/12599 + http://xforce.iss.net/xforce/xfdb/20618 +Notes: + Red Hat specific vulnerability +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0091 b/retired/CVE-2005-0091 new file mode 100644 index 00000000..589abd45 --- /dev/null +++ b/retired/CVE-2005-0091 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-0091 +References: + http://www.redhat.com/support/errata/RHSA-2005-092.html + http://www.securityfocus.com/bid/12599 + http://xforce.iss.net/xforce/xfdb/20619 +Description: + Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split + patch, when using the hugemem kernel, allows local users to read and write to + arbitrary kernel memory and gain privileges via certain syscalls. +Notes: + Red Hat specific. +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0092 b/retired/CVE-2005-0092 new file mode 100644 index 00000000..426e1b21 --- /dev/null +++ b/retired/CVE-2005-0092 
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-0092 +References: + http://www.redhat.com/support/errata/RHSA-2005-092.html + http://www.securityfocus.com/bid/12599 + http://xforce.iss.net/xforce/xfdb/20620 +Description: + Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split + patch, when running on x86 with the hugemem kernel, allows local users to + cause a denial of service (crash). +Notes: + Red Hat specific. +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0135 b/retired/CVE-2005-0135 new file mode 100644 index 00000000..372db1a5 --- /dev/null +++ b/retired/CVE-2005-0135 
@@ -0,0 +1,28 @@ +Candidate: CVE-2005-0135 +References: + REDHAT:RHSA-2005:284 + URL:http://www.redhat.com/support/errata/RHSA-2005-284.html + REDHAT:RHSA-2005:366 + URL:http://www.redhat.com/support/errata/RHSA-2005-366.html + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg + SECUNIA:15019 + URL:http://secunia.com/advisories/15019 +Description: + The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in + Linux kernel 2.6 allows local users to cause a denial of service (system + crash). +Notes: + dannf> This is fixed in kernel-patch-2.4.27-ia64 +Bugs: +upstream: released (linux-2.4.29-ia64-050312.diff, 2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [ia64-unwind-fix.dpatch] +2.4.27-sarge-security: released (2.4.27-10) +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2005-0136 b/retired/CVE-2005-0136 new file mode 100644 index 00000000..b17e5920 --- /dev/null +++ b/retired/CVE-2005-0136 @@ -0,0 +1,18 @@ +Candidate: CVE-2005-0136 +References: + ** RESERVED ** +Description: +Notes: + dannf> This is fixed in kernel-patch-2.4.27-ia64 +Bugs: +upstream: released (linux-2.4.29-ia64-050312.diff, 2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [ia64-ptrace-fixes.dpatch, ia64-ptrace-speedup.dpatch] +2.4.27-sarge-security: released (2.4.27-10) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: 
diff --git a/retired/CVE-2005-0137 b/retired/CVE-2005-0137 new file mode 100644 index 00000000..d20391d8 --- /dev/null +++ b/retired/CVE-2005-0137 @@ -0,0 +1,23 @@ +Candidate: CVE-2005-0137 +References: + REDHAT:RHSA-2005:284 + URL:http://www.redhat.com/support/errata/RHSA-2005-284.html + REDHAT:RHSA-2005:293 + URL:http://www.redhat.com/support/errata/RHSA-2005-293.html +Description: + Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a + denial of service via a "missing Itanium syscall table entry." +Notes: + dannf> This is actually 2.4 specific - the mitre description is incorrect. +Bugs: +upstream: released (2.4.30-rc2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-10) [165_arch-ia64-kernel-missing-sysctl.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0176 b/retired/CVE-2005-0176 new file mode 100644 index 00000000..87dd16a6 --- /dev/null +++ b/retired/CVE-2005-0176 
@@ -0,0 +1,27 @@ +Candidate: CVE-2005-0176 +References: + http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2 + http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + http://www.redhat.com/support/errata/RHSA-2005-092.html + http://oval.mitre.org/oval/definitions/data/oval1225.html + http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=2637792e3d9ae50079238615fd16384a0d393b30 +Description: + The shmctl function in Linux 2.6.9 and earlier allows local users to unlock + the memory of other processes, which could cause sensitive memory to be swapped + to disk, which could allow it to be read by other users once it has been released. +Notes: + It appears that 2.6.8 and earlier are not vulnerable as prior to the + following patch, local users could not effect lock or unlock + http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=16698c49bbb42567c0bbc528d3820d18885e4642 + That is, only 2.6.10 is effected. +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0177 b/retired/CVE-2005-0177 new file mode 100644 index 00000000..c87b5954 --- /dev/null +++ b/retired/CVE-2005-0177 
@@ -0,0 +1,26 @@ +Candidate: CVE-2005-0177 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQ + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + BUGTRAQ:20050215 [USN-82-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2 +Description: + nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows + attackers to cause a denial of service (kernel crash) via a buffer overflow. +Notes: + dannf> nls_ascii.c isn't in <= 2.4.27 +Bugs: +upstream: released (2.6.8.1, 2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [nls-table-overflow.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0178 b/retired/CVE-2005-0178 new file mode 100644 index 00000000..eb3a56dd --- /dev/null +++ b/retired/CVE-2005-0178 
@@ -0,0 +1,30 @@ +Candidate: CVE-2005-0178 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8A + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html + BUGTRAQ:20050215 [USN-82-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846102231365&w=2 +Description: + Race condition in the setsid function in Linux before 2.6.8.1 allows local + users to cause a denial of service (crash) and possibly access portions of + kernel memory, related to TTY changes, locking, and semaphores. +Notes: + dannf> Alan Cox suggested that this is not a 2.4 issue: + Alan> Is it actually needed for 2.4. In the 2.4 case your controlling tty is + Alan> private not thread group so a setsid() can't race because you can't + Alan> setsid in the same thread as is opening current->tty. +Bugs: +upstream: released (2.6.8.1, 2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [setsid-race.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0180 b/retired/CVE-2005-0180 new file mode 100644 index 00000000..01275bf5 --- /dev/null +++ b/retired/CVE-2005-0180 
@@ -0,0 +1,28 @@ +Candidate: CVE-2005-0180 +References: + http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030660.html + http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:218 + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219 + http://www.redhat.com/support/errata/RHSA-2005-092.html +Description: + Multiple integer signedness errors in the sg_scsi_ioctl function in + scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel + memory via negative integers in arguments to the scsi ioctl, which + bypass a maximum length check before calling the copy_from_user and + copy_to_user functions. +Notes: + jmm> The 2.4.27 version, scsi_ioctl_send_command(), is not affected, as + jmm> intlen and outlen are unsigned ints +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-12) [031-sg_scsi_ioctl_int_overflows.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0204 b/retired/CVE-2005-0204 new file mode 100644 index 00000000..d663b2ed --- /dev/null +++ b/retired/CVE-2005-0204 
@@ -0,0 +1,23 @@ +Candidate: CVE-2005-0204 +References: + REDHAT:RHSA-2005:092 + URL:http://www.redhat.com/support/errata/RHSA-2005-092.html +Description: + Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T + architectures, allows local users to write to privileged IO ports via the OUTS + instruction. +Notes: + jmm> 190_outs-2.diff had regressions +Bugs: 296700 +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [outs.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [143_outs.diff] +2.4.27-sid: released (2.4.27-12) [190_outs-2.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0207 b/retired/CVE-2005-0207 new file mode 100644 index 00000000..effeab57 --- /dev/null +++ b/retired/CVE-2005-0207 @@ -0,0 +1,27 @@ +Candidate: CVE-2005-0207 +References: + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000930 + SUSE:SUSE-SA:2005:003 + URL:http://www.securityfocus.com/advisories/7880 + BID:12330 + URL:http://www.securityfocus.com/bid/12330 + http://www.acm.cs.rpi.edu/~dilinger/patches/2.6.10/as2/linux-2.6.10-as2/026-nfs_o_direct_error.patch + http://linux.bkbits.net:8080/linux-2.6/cset@41db2d65wbgJvuXTv4x9_quExW0vEA +Description: + Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS + clients to cause a denial of service via O_DIRECT. +Notes: + dannf> The vulnerable code doesn't exist in <= 2.4.27 +Bugs: +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [nfs-O_DIRECT-fix.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A 
diff --git a/retired/CVE-2005-0209 b/retired/CVE-2005-0209 new file mode 100644 index 00000000..7c5941a6 --- /dev/null +++ b/retired/CVE-2005-0209 @@ -0,0 +1,25 @@ +Candidate: CVE-2005-0209 +References: + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 + CONECTIVA:CLA-2005:945 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945 + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + http://oss.sgi.com/archives/netdev/2005-01/msg01072.html +Description: + Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of + service (kernel crash) via crafted IP packet fragments. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-14) [skb-reset-ip_summed.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [134_skb_reset_ip_summed.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0210 b/retired/CVE-2005-0210 new file mode 100644 index 00000000..804e62c1 --- /dev/null +++ b/retired/CVE-2005-0210 
@@ -0,0 +1,25 @@ +Candidate: CVE-2005-0210 +References: + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 + CONECTIVA:CLA-2005:945 + URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945 + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html +Description: + Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of + service (memory consumption) via certain packet fragments that are reassembled + twice, which causes a data structure to be allocated twice. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-15) [ip_copy_metadata_leak.dpatch, ip6_copy_metadata_leak.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [146_ip6_copy_metadata_leak.diff, 147_ip_copy_metadata_leak.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0384 b/retired/CVE-2005-0384 new file mode 100644 index 00000000..133e2209 --- /dev/null +++ b/retired/CVE-2005-0384 
@@ -0,0 +1,31 @@ +Candidate: CVE-2005-0384 +References: + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + REDHAT:RHSA-2005:283 + URL:http://www.redhat.com/support/errata/RHSA-2005-283.html + REDHAT:RHSA-2005:284 + URL:http://www.redhat.com/support/errata/RHSA-2005-284.html + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + TRUSTIX:2005-0009 + URL:http://www.trustix.org/errata/2005/0009/ + UBUNTU:USN-95-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-95-1 +Description: + Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows + remote attackers to cause a denial of service (kernel crash) via a pppd + client. +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-15) [drivers-net-ppp_async-fix-dos.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [153_ppp_async_dos.diff] +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) +2.4.18-woody-security-hppa: released (62.4) diff --git a/retired/CVE-2005-0400 b/retired/CVE-2005-0400 new file mode 100644 index 00000000..84063342 --- /dev/null +++ b/retired/CVE-2005-0400 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-0400 +References: + BUGTRAQ:20050401 Information leak in the Linux kernel ext2 implementation + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238764720696&w=2 + MISC:http://arkoon.net/advisories/ext2-make-empty-leak.txt + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + UBUNTU:USN-103-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-103-1 + XF:kernel-ext2-information-disclosure(19866) + URL:http://xforce.iss.net/xforce/xfdb/19866 + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 + SECUNIA:14713 + URL:http://secunia.com/advisories/14713/ +Description: + The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not + properly initialize memory when creating a block for a new directory entry, + which allows local users to obtain potentially sensitive information by + reading the block. +Notes: +Bugs: 301799 303294 +upstream: released (2.6.11.6) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [fs-ext2-info-leak.dpatch] +2.4.27-sarge-security: released (2.4.27-10) [156_fs-ext2-info-leak.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0449 b/retired/CVE-2005-0449 new file mode 100644 index 00000000..62875ef2 --- /dev/null +++ b/retired/CVE-2005-0449 
@@ -0,0 +1,20 @@ +Candidate: CVE-2005-0449 +References: + http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0449 + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1e01441051dda3bb01c455b6e20bce6d00563\d82 + http://oss.sgi.com/archives/netdev/2005-01/msg01107.html +Description: + The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to + cause a denial of service (kernel crash) or bypass firewall rules via crafted + packets, which are not properly handled by the skb_checksum_help function. +Notes: + ** CHANGES ABI ** + ipv4-fragment-queues-[1,2,2.1].dpatch are in sarge's 2.6.8. + ipv4-fragment-queues-[3,4].dpatch are awaiting an ABI event + . + 150_private_fragment_queues-[1,2].diff are awaiting a 2.4.27 ABI event +Bugs: +upstream: released (2.6.8.1) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge2) [ipv4-fragment-queues-1.dpatch, ipv4-fragment-queues-2.dpatch, ipv4-fragment-queues-3.dpatch, ipv4-fragment-queues-4.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [150_private_fragment_queues-1.diff, 150_private_fragment_queues-2.diff] diff --git a/retired/CVE-2005-0528 b/retired/CVE-2005-0528 new file mode 100644 index 00000000..d896c0f6 --- /dev/null +++ b/retired/CVE-2005-0528 
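Review bot: the second reference in CVE-2005-0449 contains a stray backslash inside the commit hash (`h=1e01441051dda3bb01c455b6e20bce6d00563\d82`), which breaks the link; please drop the backslash so the commit URL resolves. The Notes block is also stale relative to the status rows: it says `ipv4-fragment-queues-[3,4].dpatch are awaiting an ABI event` and `150_private_fragment_queues-[1,2].diff are awaiting a 2.4.27 ABI event`, but the rows below record both sets as released in 2.6.8-16sarge2 and 2.4.27-10sarge2. Suggest rewording the note to say the ABI event has happened (or deleting it) so the retired file is self-consistent.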
@@ -0,0 +1,28 @@ +Candidate: CVE-2005-0528 +References: +Description: +Notes: + From Joey's 2.4.18-14.4 changelog: + * Applied patch by Andrea Arcangeli from 2.4.24 to fix privilege + escalation in the mremap() syscall [mm/mremap.c, CAN-2004-nnnn] + jmm> Isn't this CVE-2004-0077? + dannf> Looks like this is a different issue. Joey's patch is here: + http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap + dannf> But it doesn't look like mitre has released the details yet: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0528 + jmm> The patch is merged as of 2.4.27, but I'm not sure at which exact version + dannf> It looks like this would apply to 2.6, but isn't necessary because + dannf> its already fixed in a different way. 2.6 checks for a 0 new_len + dannf> earlier and errors out + jmm> This turned out to be a dupe of CVE-2003-0985 +Bugs: +upstream: N/A +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: released (2.4.19-4.woody3) +2.4.18-woody-security: released (2.4.18-14.4) +2.4.17-woody-security: released (2.4.17-1woody4) +2.4.16-woody-security: released (2.4.16-1woody3) +2.4.17-woody-security-hppa: released (32.5) +2.4.17-woody-security-ia64: released (011226.18) diff --git a/retired/CVE-2005-0529 b/retired/CVE-2005-0529 new file mode 100644 index 00000000..c941380b --- /dev/null +++ b/retired/CVE-2005-0529 
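Review bot: CVE-2005-0528 has empty `References:` and `Description:` sections even though the discussion resolves it (`jmm> This turned out to be a dupe of CVE-2003-0985`) and cites two URLs in the Notes. Suggest moving the klecker.debian.org patch URL and the mitre URL into References, adding a one-line Description such as "Duplicate of CVE-2003-0985 (mremap)", and adding the `2.4.18-woody-security-hppa:` row that every other file in this commit carries.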
@@ -0,0 +1,31 @@ +Candidate: CVE-2005-0529 +References: + FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2 + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQ + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 +Description: + Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset + arguments to the proc_file_read and locks_read_proc functions, which leads to + a heap-based buffer overflow when a signed comparison causes negative integers + to be used in a positive context. +Notes: + dannf> 2.4 doesn't do the signed cast, so it shouldn't be vulnerable +Bugs: +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [115-proc_file_read_nbytes_signedness_fix.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0530 b/retired/CVE-2005-0530 new file mode 100644 index 00000000..042124ce --- /dev/null +++ b/retired/CVE-2005-0530 
@@ -0,0 +1,38 @@ +Candidate: CVE-2005-0530 +References: + FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2 + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 +Description: + Signedness error in the copy_from_read_buf function in n_tty.c for Linux + kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a + negative argument. +Notes: + dannf> This doesn't affect 2.4: + marcello> v2.4 does not suffer from the issue mentioned by Guninski because + marcello> the first argument of the arithmetic comparison is not casted + marcello> to a "signed" value: + . + marcello> n = min((ssize_t)*nr, n); + . + marcello> That was the problem in v2.6, where an unsigned value bigger than + marcello> 2^31 would be treated as a negative signed. +Bugs: +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [116-n_tty_copy_from_read_buf_signedness_fixes.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0531 b/retired/CVE-2005-0531 new file mode 100644 index 00000000..5a095abd --- /dev/null +++ b/retired/CVE-2005-0531 
@@ -0,0 +1,20 @@ +Candidate: CVE-2005-0531 +References: + FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2 + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3A + CONECTIVA:CLA-2005:930 + URL:http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000930 + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 +Description: + The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before + 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative + arguments. +Notes: +Bugs: +upstream: released (2.6.11-rc4) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [123-atm_get_addr_signedness_fix.dpatch] +2.4.27-sarge-security: released (2.4.27-9) [151_atm_get_addr_signedness_fix.diff] diff --git a/retired/CVE-2005-0532 b/retired/CVE-2005-0532 new file mode 100644 index 00000000..ec7873f6 --- /dev/null +++ b/retired/CVE-2005-0532 
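Review bot: CVE-2005-0531 stops at `2.4.27-sarge-security:` and has no woody rows at all, whereas the neighbouring files list all seven woody branches. Since the Description covers only 2.6.10 and 2.6.11 yet a 2.4.27 patch (`151_atm_get_addr_signedness_fix.diff`) was released, the woody status is not obvious; suggest adding the woody rows with "N/A" plus a note, or the released version, so the entry matches the template.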
@@ -0,0 +1,29 @@ +Candidate: CVE-2005-0532 +References: + FULLDISC:20050215 linux kernel 2.6 fun. windoze is a joke + URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2 + MISC:http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQ + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html + BUGTRAQ:20050315 [USN-95-1] Linux kernel vulnerabilities + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111091402626556&w=2 +Description: + The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for + Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit + architectures, may allow local users to trigger a buffer overflow as a result + of casting discrepancies between size_t and int data types. +Notes: + dannf> Vulnerable code didn't exist in 2.4 +Bugs: +upstream: released (2.6.11-rc3) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-14) [117-reiserfs_file_64bit_size_t_fixes.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0736 b/retired/CVE-2005-0736 new file mode 100644 index 00000000..d6d730db --- /dev/null +++ b/retired/CVE-2005-0736 
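Review bot: the fix version in CVE-2005-0532 disagrees with its own Description: the text says "2.6.11 before 2.6.11-rc4" while the row reads `upstream: released (2.6.11-rc3)`. One of the two is wrong; suggest checking the bkbits changeset referenced and aligning the row and the description on the same release candidate.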
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-0736 +References: + http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032314.html + http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d + http://www.novell.com/linux/security/advisories/2005_18_kernel.html + http://www.ubuntulinux.org/support/documentation/usn/usn-95-1 + http://www.securityfocus.com/bid/12763 +Description: + Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 + allows local users to overwrite kernel memory via a large number of events. +Notes: 2.4.* doesn't have epoll() +Bugs: +upstream: released (2.6.11.2) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0749 b/retired/CVE-2005-0749 new file mode 100644 index 00000000..44137f1c --- /dev/null +++ b/retired/CVE-2005-0749 
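Review bot: CVE-2005-0736 marks `2.6.8-sarge-security: N/A` without justification while the Description says "Linux kernel 2.6 to 2.6.11", a range that includes 2.6.8; the only note (`Notes: 2.4.* doesn't have epoll()`) explains the 2.4 rows, not the 2.6.8 one. Suggest adding a `dannf>`/`horms>` style line stating why the sarge 2.6.8 kernel is not affected (or changing the row), putting the existing note on its own indented line like the other files, and adding the missing `2.4.18-woody-security-hppa:` row.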
@@ -0,0 +1,28 @@ +Candidate: CVE-2005-0749 +References: + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + UBUNTU:USN-103-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-103-1 + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 + SECUNIA:14713 + URL:http://secunia.com/advisories/14713/ + XF:kernel-loadelflibrary-dos(19867) + URL:http://xforce.iss.net/xforce/xfdb/19867 +Description: + The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to + cause a denial of service (kernel crash) via a crafted ELF library or + executable, which causes a free of an invalid pointer. +Notes: +Bugs: 301799, 303498 +upstream: released (2.6.11.6) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [fs-binfmt_elf-dos.dpatch] +2.4.27-sarge-security: released (2.4.27-10) [158_fs-binfmt_elf-dos.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0750 b/retired/CVE-2005-0750 new file mode 100644 index 00000000..7b2ad779 --- /dev/null +++ b/retired/CVE-2005-0750 
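Review bot: style point in CVE-2005-0749: `Bugs: 301799, 303498` uses a comma separator, while CVE-2005-0400 in the same commit writes `Bugs: 301799 303294` with a space. Anything that parses the Bugs field will see "301799," as one token; suggest settling on space-separated bug numbers across the tree.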
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-0750 +References: + BUGTRAQ:20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5 + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111204562102633&w=2 + FULLDISC:20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5 + URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032913.html + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + REDHAT:RHSA-2005:283 + URL:http://www.redhat.com/support/errata/RHSA-2005-283.html + REDHAT:RHSA-2005:284 + URL:http://www.redhat.com/support/errata/RHSA-2005-284.html + XF:kernel-bluezsockcreate-integer-underflow(19844) + URL:http://xforce.iss.net/xforce/xfdb/19844 +Description: + The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 + through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain + privileges via (1) socket or (2) socketpair call with a negative protocol + value. +Notes: +Bugs: 301799 +upstream: released (2.6.11.5) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [net-bluetooth-signdness-fix.dpatch] +2.4.27-sarge-security: released (2.4.27-10) [155_net-bluetooth-signdness-fix.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0756 b/retired/CVE-2005-0756 new file mode 100644 index 00000000..de676ae1 --- /dev/null +++ b/retired/CVE-2005-0756 
@@ -0,0 +1,19 @@ +Candidate: CVE-2005-0756 +References: + http://www.ubuntulinux.org/support/documentation/usn/usn-137-1 +Description: + ptrace 2.6.8.1 does not properly verify addresses on the amd64 platform, + which allows local users to cause a denial of service (kernel crash). +Notes: +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0757 b/retired/CVE-2005-0757 new file mode 100644 index 00000000..49061609 --- /dev/null +++ b/retired/CVE-2005-0757 @@ -0,0 +1,21 @@ +Candidate: CVE-2005-0757 +References: +Description: + source: Trawled out of Red Hat's kernel-2.4.21-32.0.1.EL.src.rpm by Horms + inclusion: upstream code has been reworked and doesn't appear vulnerable + descrition: on 64 bit architectures incorrect handling of xattr offsets + may cause a local DoS + revision date: Fri, 29 Jul 2005 12:04:57 +0900 +Notes: +Bugs: +upstream: +2.4.27-sarge-security: released (2.4.27-10sarge1) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-ext3-64bit-offset.dpatch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0767 b/retired/CVE-2005-0767 new file mode 100644 index 00000000..48d7e737 --- /dev/null +++ b/retired/CVE-2005-0767 
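Review bot: in CVE-2005-0757 the free-form Description has a typo (`descrition: on 64 bit architectures ...`), the status rows are in a different order from every other file (`2.4.27-sarge-security:` precedes `linux-2.6:`), and `upstream:` is blank even though the text states `inclusion: upstream code has been reworked and doesn't appear vulnerable`, which would normally be recorded as `upstream: N/A` with that sentence in Notes. `References:` is also empty although the source (`Red Hat's kernel-2.4.21-32.0.1.EL.src.rpm by Horms`) is named; suggest moving it there. In the preceding CVE-2005-0756 entry `upstream:` and `linux-2.6:` are likewise empty while a sarge fix was released.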
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-0767 +References: + http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000945 + http://www.ubuntulinux.org/support/documentation/usn/usn-95-1 +Description: + Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows + local users with DRI privileges to execute arbitrary code as root. +Notes: + horms> For the record: + horms> The patch seems to already be present in 2.6.11. + horms> And the bug does not seem to be present in 2.4.27. +Bugs: 297203 +upstream: released (2.6.11-rc4) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-15) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-0815 b/retired/CVE-2005-0815 new file mode 100644 index 00000000..19302776 --- /dev/null +++ b/retired/CVE-2005-0815 
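Review bot: `2.6.8-sarge-security: released (2.6.8-15)` in CVE-2005-0767 omits the bracketed patch name that the other released rows in this commit carry (e.g. `[drivers-net-ppp_async-fix-dos.dpatch]` in CVE-2005-0384), so the fix cannot be traced back to a dpatch from this file; suggest adding it. The `2.4.18-woody-security-hppa:` row is also missing.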
@@ -0,0 +1,28 @@ +Candidate: CVE-2005-0815 +References: + BUGTRAQ:20050317 Linux ISO9660 handling flaws + URL:http://www.securityfocus.com/archive/1/393590 + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc1 + FEDORA:FLSA:152532 + URL:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152532 + BID:12837 + URL:http://www.securityfocus.com/bid/12837 + XF:kernel-iso9660-filesystem(19741) + URL:http://xforce.iss.net/xforce/xfdb/19741 +Description: + Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux + 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt + memory via a crafted filesystem. +Notes: +Bugs: 301799 +upstream: released (2.6.12-rc1) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [fs-isofs-range-check-1.dpatch, fs-isofs-range-check-2.dpatch, fs-isofs-range-check-3.dpatch] +2.4.27-sarge-security: released (2.4.27-10) [157_fs-isofs-range-check-1.diff, 157_fs-isofs-range-check-2.diff, 157_fs-isofs-range-check-3.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-0839 b/retired/CVE-2005-0839 new file mode 100644 index 00000000..5a933031 --- /dev/null +++ b/retired/CVE-2005-0839 
@@ -0,0 +1,23 @@ +Candidate: CVE-2005-0839 +References: + MLIST:[linux-kernel] 20050301 Re: Breakage from patch: Only root should be able to set the N_MOUSE line discipline. + URL:http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg64704.html + MISC:http://linux.bkbits.net:8080/linux-2.6/cset@41fa6464E1UuGu6zmketEYxm73KSyQ +Description: + Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line + discipline for a TTY, which allows local users to gain privileges by injecting + mouse or keyboard events into other user sessions. +Notes: + dannf> This file isn't in <= 2.4.27 +Bugs: 301372 +upstream: released (2.6.11) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) [drivers-input-serio-nmouse.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-0867 b/retired/CVE-2005-0867 new file mode 100644 index 00000000..116d7497 --- /dev/null +++ b/retired/CVE-2005-0867 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-0867 +References: + http://www.novell.com/linux/security/advisories/2005_18_kernel.html +Description: + Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel + memory by writing to a sysfs file. +Notes: + horms> The Debian Packages for 2.6.8 and 2.6.11 do not appear to + horms> have this bug. 2.4.27 does not include sysfs, and thus + horma> also does not have this bug. + jmm> The patch for the vulnerability in question can be found in the BTS +Bugs: 306137 +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A 
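Review bot: in CVE-2005-0867 the third attribution prefix is misspelled (`horma> also does not have this bug.` should be `horms>`), which matters because these prefixes are how the tracker attributes statements. The `upstream:` row is left blank although `jmm> The patch for the vulnerability in question can be found in the BTS` and the SUSE advisory is referenced; suggest recording the upstream status, and adding the `2.4.18-woody-security-hppa:` row present in the other files.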
diff --git a/retired/CVE-2005-0916 b/retired/CVE-2005-0916 new file mode 100644 index 00000000..9ed5249f --- /dev/null +++ b/retired/CVE-2005-0916 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-0916 +References: + http://groups-beta.google.com/group/linux.kernel/browse_thread/thread/13b43bd5783842f6/7ce3c5a514a497ab + http://linux.bkbits.net:8080/linux-2.6/cset%404248c8c0es30_4YVdwa6vteKi7h_nw + http://www.novell.com/linux/security/advisories/2005_50_kernel.html +Description: + AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with + CONFIG_HUGETLB_PAGE enabled allows local panic) via a process that executes + the io_queue_init function but exits without running io_queue_release, which + to fail. +Notes: +Bugs: +upstream: released (2.6.12) +linux-2.6: released (2.6.12-1) +2.6.8-sarge-security: released (2.6.8-16) [arch-ppc64-hugepage-aio-panic.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2005-1041 b/retired/CVE-2005-1041 new file mode 100644 index 00000000..c27caac5 --- /dev/null +++ b/retired/CVE-2005-1041 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-1041 +References: + http://marc.theaimsgroup.com/?l=bk-commits-head&m=111186506706769&w=2 +Description: + The fib_seq_start function in fib_hash.c in Linux kernel allows local + users to cause a denial of service (system crash) via /proc/net/route. +Notes: + horms> 2.4.27 is not effected by 304548 as the buggy code is a complete + horms> rework for 2.6. I looked over the way that proc/route is handled + horms> for 2.4.27, and it seems fine. +Bugs: 304548 +upstream: released (2.6.11.5) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: 
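Review bot: the Description of CVE-2005-0916 is truncated and does not parse: `CONFIG_HUGETLB_PAGE enabled allows local panic) via a process that executes` and `the io_queue_init function but exits without running io_queue_release, which` / `to fail.` have lost the words between "local" and "panic)" and between "which" and "to fail". Please paste the complete CVE text rather than leaving the mangled fragment in the retired file. In the CVE-2005-1041 entry on the same line, `horms> 2.4.27 is not effected by 304548` should read "affected".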
diff --git a/retired/CVE-2005-1263 b/retired/CVE-2005-1263 new file mode 100644 index 00000000..4c749bfd --- /dev/null +++ b/retired/CVE-2005-1263 @@ -0,0 +1,28 @@ +Candidate: CVE-2005-1263 +References: + BUGTRAQ:20050511 Linux kernel ELF core dump privilege elevation + URL:http://www.securityfocus.com/archive/1/397966 + MISC:http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt + FRSIRT:ADV-2005-0524 + URL:http://www.frsirt.com/english/advisories/2005/0524 + OVAL:OVAL1122 + URL:http://oval.mitre.org/oval/definitions/data/oval1122.html +Description: + The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to + 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users + to execute arbitrary code via an ELF binary that, in certain conditions + involving the create_elf_tables function, causes a negative length argument + to pass a signed integer comparison, leading to a buffer overflow. +Notes: +Bugs: +upstream: released (2.2.27-rc2, 2.4.31-pre1, 2.6.12-rc4) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) +2.4.27-sarge-security: released (2.4.27-10) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-1368 b/retired/CVE-2005-1368 new file mode 100644 index 00000000..03933ce2 --- /dev/null +++ b/retired/CVE-2005-1368 
@@ -0,0 +1,23 @@ +Candidate: CVE-2005-1368 +References: + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8 + http://linux.bkbits.net:8080/linux-2.6/cset%40423078fafVa6mAyny23YZ87hDipmTw +Description: + The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow + attackers to cause a denial of service (oops) via SMP. +Notes: + horms> The fix for CAN-2005-1368 is in SVN for 2.6.11. + horms> The code that this bug manifests in is not present + horms> in 2.6.8 or 2.4.27. + jmm> The code in question isn't present in Woody either +Bugs: +upstream: released (2.6.11.8) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-1369 b/retired/CVE-2005-1369 new file mode 100644 index 00000000..10d7dd87 --- /dev/null +++ b/retired/CVE-2005-1369 @@ -0,0 +1,24 @@ +Candidate: CVE-2005-1369 +References: + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8 + http://lkml.org/lkml/2005/4/20/159 +Description: + The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, + and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write + permissions, which allows local users to cause a denial of service (CPU + consumption) by attempting to write to the file, which does not have an + associated store function. +Notes: + jmm> These drivers are not present in 2.4 +Bugs: 307552 +upstream: released (2.6.11.8) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A 
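Review bot: CVE-2005-1368 contradicts itself: the note says `horms> The fix for CAN-2005-1368 is in SVN for 2.6.11.` but the row reads `linux-2.6: N/A`; if the fix was committed to the 2.6.11 packaging it should be recorded as released with the package version. The Description ("2.6.10 to 2.6.11.8") also overlaps `upstream: released (2.6.11.8)`, so one of them should say "before 2.6.11.8". The `2.4.18-woody-security-hppa:` row is missing from this entry but present in CVE-2005-1369 just below.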
diff --git a/retired/CVE-2005-1589 b/retired/CVE-2005-1589 new file mode 100644 index 00000000..da505ae3 --- /dev/null +++ b/retired/CVE-2005-1589 @@ -0,0 +1,36 @@ +Candidate: CVE-2005-1589 +References: + http://marc.theaimsgroup.com/?l=linux-kernel&m=111630531515901&w=2 + http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0045.html + http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0046.html + http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0047.html + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10 + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219 + http://www.frsirt.com/english/advisories/2005/0557 +Description: + The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) + in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before + passing an ioctl to the block device, which crosses security boundaries by + making kernel address space accessible from user space and allows local users + to cause a denial of service and possibly execute arbitrary code, a similar + vulnerability to CVE-2005-1264. +Notes: + horms> (discussing this and a similar problem): + horms> 2.6.8 is only vulnerable to the raw ioctl problem, + horms> which I believe is CAN-2005-1264. + horms> (unstable/testing-proposed-updates) and sarge-security + horms> (testing-security) branches and it should appear in 2.6.8-16 and + horms> 2.6.8-15sarge1 respectively. + horms> 2.4.27 does not appear to be vulnerable to either of these problems. +Bugs: 309429 +upstream: released (2.6.11.10), released (2.6.12-rc5) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-1761 b/retired/CVE-2005-1761 new file mode 100644 index 00000000..13f91713 
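Review bot: the Notes of CVE-2005-1589 contain a sentence whose beginning is missing: `horms> (unstable/testing-proposed-updates) and sarge-security` / `horms> (testing-security) branches and it should appear in 2.6.8-16 and` starts mid-sentence, so the reader cannot tell what was committed where. Please restore the dropped line or trim the fragment. Also `upstream: released (2.6.11.10), released (2.6.12-rc5)` uses a different format from `upstream: released (2.2.27-rc2, 2.4.31-pre1, 2.6.12-rc4)` in CVE-2005-1263; suggest the single-parenthesis form for consistency.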
--- /dev/null +++ b/retired/CVE-2005-1761 @@ -0,0 +1,25 @@ +Candidate: CVE-2005-1761 +References: + http://www.novell.com/linux/security/advisories/2005_44_kernel.html + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4ea78729b8dbfc400fe165a57b90a394a7275a54 +Description: + Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users + to cause a denial of service (kernel crash) via ptrace and the + restore_sigcontext function. +Notes: + jmm> This uses arch-ia64-ptrace-restore_sigcontext.dpatch, correct? + dannf> 2.4 patch for ia64 from SuSE in: CVE-2005-1761-linux24.patch + dannf> Unfortunately, its against an older 2.4, so this doesn't apply + dannf> trivially +Bugs: +upstream: released (2.6.12.1) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-private-tss.dpatch, arch-x86_64-nmi.dpatch, arch-ia64-ptrace-getregs-putregs.dpatch, arch-ia64-ptrace-restore_sigcontext.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [204_arch-ia64-ptrace-getregs-putregs.diff, 205_arch-ia64-ptrace-restore_sigcontext.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-1762 b/retired/CVE-2005-1762 new file mode 100644 index 00000000..cdf20f53 --- /dev/null +++ b/retired/CVE-2005-1762 
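Review bot: the `2.6.8-sarge-security` row of CVE-2005-1761 lists four patches, two of which (`arch-x86_64-private-tss.dpatch`, `arch-x86_64-nmi.dpatch`) are x86_64 patches while the Description concerns ptrace and restore_sigcontext on IA64; `arch-x86_64-nmi.dpatch` is also claimed by CVE-2005-1767 in this commit. Suggest keeping only the ia64 patches on this row so each dpatch maps to the CVE it actually fixes. The question `jmm> This uses arch-ia64-ptrace-restore_sigcontext.dpatch, correct?` is still unanswered in the Notes; a one-line confirmation would close it.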
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-1762 +References: + http://www.novell.com/linux/security/advisories/2005_29_kernel.html + http://www.ubuntulinux.org/support/documentation/usn/usn-143-1 + http://secunia.com/advisories/15786 +Description: + The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 + platform allows local users to cause a denial of service (kernel + crash) via a "non-canonical" address. +Notes: +Bugs: +upstream: released (2.6.12-rc5) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) [169_arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-1764 b/retired/CVE-2005-1764 new file mode 100644 index 00000000..26a1a60b --- /dev/null +++ b/retired/CVE-2005-1764 
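Review bot: the 2.4.27 patch name in CVE-2005-1762, `[169_arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch]`, uses the `.dpatch` suffix, whereas every other 2.4.27 row in this commit references a numbered `.diff` (e.g. `[151_atm_get_addr_signedness_fix.diff]`). Please check the actual filename in the 2.4.27 package and correct the suffix if it is `.diff`.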
@@ -0,0 +1,30 @@ +Candidate: CVE-2005-1764 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1764 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050531 + Category: SF + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=637716a3825e186555361574aa1fa3c0ebf8018b + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=637716a3825e186555361574aa1fa3c0ebf8018bReference: SUSE:SUSE-SA:2005:029 + URL:http://freshmeat.net/articles/view/1678/ +Description: + Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard + page for the 47-bit address page to protect against an AMD K8 bug, + which allows local users to cause a denial of service. +Notes: + horms> I believe that only 2.6.11 is vulnerable to this +upstream: released (2.6.11.11) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-1765 b/retired/CVE-2005-1765 new file mode 100644 index 00000000..f17d7dbc --- /dev/null +++ b/retired/CVE-2005-1765 
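Review bot: in CVE-2005-1764 a reference line has been run together with the next one: `...h=637716a3825e186555361574aa1fa3c0ebf8018bReference: SUSE:SUSE-SA:2005:029` needs a line break before `Reference:` (and the neighbouring files write that as `SUSE:SUSE-SA:2005:029` without the `Reference:` prefix). The empty CVE template fields (`Final-Decision:`, `Interim-Decision:`, `Modified:`, `Proposed:`) carry no information and can be dropped, and the file has no `Bugs:` line unlike the rest of the tree.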
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-1765 +References: + http://www.novell.com/linux/security/advisories/2005_29_kernel.html + http://www.ubuntulinux.org/support/documentation/usn/usn-143-1 +Description: + syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, + when running in 32-bit compatibility mode, allows local users to cause + a denial of service (kernel hang) via crafted arguments. +Notes: + jmm> I've extracted the patch from the Ubuntu update (CVE-2005-1765.patch) + dannf> This code was very different in 2.4, and we don't ship 2.4/amd64, so + I'll mark 2.4 N/A +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-mm-mmap.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-1767 b/retired/CVE-2005-1767 new file mode 100644 index 00000000..e1cbe995 --- /dev/null +++ b/retired/CVE-2005-1767 
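Review bot: the continuation line `I'll mark 2.4 N/A` in CVE-2005-1765 lacks the `dannf>` prefix that the preceding two lines carry, so it reads as unattributed. The `upstream:` and `linux-2.6:` rows are blank although the Description names the affected versions (2.6.8.1 and 2.6.10) and a fix was shipped in 2.6.8-16sarge1; suggest recording the upstream fix version or N/A before retiring.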
@@ -0,0 +1,23 @@ +Candidate: CVE-2005-1767 +References: + CONFIRM:http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=51e31546a2fc46cb978da2ee0330a6a68f07541e + http://www.novell.com/linux/security/advisories/2005_44_kernel.html + http://www.ubuntu.com/usn/usn-187-1 +Description: + traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment faults on an exception + stack, which allows local users to cause a denial of service (oops and stack fault exception). +Notes: + This is already fixed in 2.6 and added for completeness. + Horms> This is amd64 specific, and thus should not affect 2.4 +Bugs: +upstream: released (2.6.12, 2.4.32) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-kernel-stack-faults.dpatch, arch-x86_64-nmi.dpatch, arch-x86_64-kernel-stack-faults.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) [181_arch-x86_64-kernel-stack-faults.diff] +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-1768 b/retired/CVE-2005-1768 new file mode 100644 index 00000000..00eb2833 --- /dev/null +++ b/retired/CVE-2005-1768 
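Review bot: `arch-x86_64-kernel-stack-faults.dpatch` appears twice in the `2.6.8-sarge-security` row of CVE-2005-1767; drop the duplicate. The entry also contradicts itself: `Horms> This is amd64 specific, and thus should not affect 2.4` sits above `2.4.27-sarge-security: released (2.4.27-10sarge1) [181_arch-x86_64-kernel-stack-faults.diff]` and `upstream: released (2.6.12, 2.4.32)`, so either the note or the rows need correcting. The attribution prefix should be lower-case `horms>` to match the other files.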
@@ -0,0 +1,34 @@ +Candidate: CVE-2005-1768 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1768 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050531 + Category: SF + BUGTRAQ:20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64) + URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112110120216116&w=2 + MISC:http://www.suresec.org/advisories/adv4.pdf +Description: + Race condition in the ia32 compatibility code for the execve system + call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows + local users to cause a denial of service (kernel panic) and possibly + execute arbitrary code via a concurrent thread that increments a + pointer count after the nargs function has counted the pointers, but + before the count is copied from user space to kernel space, which + leads to a buffer overflow. +Notes: + 167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64) +upstream: released (2.4.31, 2.6.6) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: released (2.4.27-11) +2.4.27-sarge-security: released (2.4.27-10sarge1) +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-1913 b/retired/CVE-2005-1913 new file mode 100644 index 00000000..e3ccfe9f --- /dev/null +++ b/retired/CVE-2005-1913 
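Review bot: in CVE-2005-1768 the patch name is given only as a free-form note (`167_arch-ia64-x86_64_execve.diff (note 2.4 is not supported for amd64)`) while the `2.4.27-sarge-security: released (2.4.27-10sarge1)` row has no bracketed patch name; suggest moving the filename into the brackets on that row, as the other entries do. The file also lacks a `Bugs:` line and carries the empty CVE template fields (`Final-Decision:`, `Interim-Decision:`, `Modified:`, `Proposed:`), which can be removed.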
@@ -0,0 +1,37 @@ +Candidate: CVE-2005-1913 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1913 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050608 + Category: SF + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1 + UBUNTU:USN-178-1 + URL:http://www.ubuntu.com/usn/usn-178-1 + BID:14054 + URL:http://www.securityfocus.com/bid/14054 + SECUNIA:15786 + URL:http://secunia.com/advisories/15786/ + XF:kernel-subthread-dos(21138) + URL:http://xforce.iss.net/xforce/xfdb/21138 +Description: + The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a + denial of service (kernel panic) via a non group-leader thread + executing a different program than was pending in itimer, which causes + the signal to be delivered to the old group-leader task, which does + not exist. +Notes: +upstream: released (2.6.12.1) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: released (2.6.12-1) [linux-2.6.12.1.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2098 b/retired/CVE-2005-2098 new file mode 100644 index 00000000..20aaf4f5 --- /dev/null +++ b/retired/CVE-2005-2098 
@@ -0,0 +1,33 @@ +Candidate: CVE-2005-2098 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2098 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050630 + Category: SF + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 + UBUNTU:USN-169-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + SECUNIA:16355 + URL:http://secunia.com/advisories/16355/ +Description: + The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before + 2.6.12.5 contains an error path that does not properly release the + session management semaphore, which allows local users or remote + attackers to cause a denial of service (semaphore hang) via a new + session keyring (1) with an empty name string, (2) with a long name + string, (3) with the key quota reached, or (4) ENOMEM. +upstream: released (2.6.12.5) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2099 b/retired/CVE-2005-2099 new file mode 100644 index 00000000..15e33c8a --- /dev/null +++ b/retired/CVE-2005-2099 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-2099 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2099 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050630 + Category: SF + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 + UBUNTU:USN-169-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + SECUNIA:16355 + URL:http://secunia.com/advisories/16355/ +Description: + The Linux kernel before 2.6.12.5 does not properly destroy a keyring + that is not instantiated properly, which allows local users or remote + attackers to cause a denial of service (kernel oops) via a keyring + with a payload that is not empty, which causes the creation to fail, + leading toa null dereference in the keyring destructor. +upstream: released (2.6.12.5) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2100 b/retired/CVE-2005-2100 new file mode 100644 index 00000000..343d09d6 --- /dev/null +++ b/retired/CVE-2005-2100 
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-2100 +References: + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165547 + REDHAT:RHSA-2005:514 + URL:http://www.redhat.com/support/errata/RHSA-2005-514.html +Description: + The rw_vm function in usercopy.c in the 4GB split patch for the Linux kernel in + Red Hat Enterprise Linux 4 does not perform proper bounds checking, which allows + local users to cause a denial of service (crash). +Notes: + horms> This is a bug in the Red Hat 4G/4G patch, and doesn't appear + in Upstream or Debian Kernels. +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2456 b/retired/CVE-2005-2456 new file mode 100644 index 00000000..90b2a29a --- /dev/null +++ b/retired/CVE-2005-2456 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-2456 +References: + http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a4f1bac62564049ea4718c4624b0fadc9f597c84 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8da3e25b2c4c1f305fd85428d3a9eb62b543bfba;hp=ecade4893a139cc35d4fe345ce70242ede5358c4;hb=a4f1bac62564049ea4718c4624b0fadc9f597c84;f=net/xfrm/xfrm_user.c + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:219 + http://frontal2.mandriva.com/security/advisories?name=MDKSA-2005:220 + http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + http://www.novell.com/linux/security/advisories/2005_50_kernel.html + http://www.securityfocus.com/bid/14477 + http://secunia.com/advisories/16298 + http://secunia.com/advisories/16500 + http://xforce.iss.net/xforce/xfdb/21710 +Description: + Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c + in Linux kernel 2.6 allows local users to cause a denial of service (oops + or deadlock) and possibly execute arbitrary code via a p->dir value that is + larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy + array. +Notes: +Bugs: 321401 +upstream: +linux-2.6: released (2.6.12-2) +2.6.8-sarge-security: released (2.6.8-16sarge1) +2.4.27-sarge-security: released (2.4.27-10sarge1) [176_ipsec-array-overflow.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2457 b/retired/CVE-2005-2457 new file mode 100644 index 00000000..06715f7f --- /dev/null +++ b/retired/CVE-2005-2457 
@@ -0,0 +1,27 @@ +Candidate: CVE-2005-2457 +References: + URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2457 + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 + UBUNTU:USN-169-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + BID:14614 + URL:http://www.securityfocus.com/bid/14614 + SECUNIA:16355 + URL:http://secunia.com/advisories/16355/ +Description: + The driver for compressed ISO file systems (zisofs) in the Linux + kernel before 2.6.12.5 allows local users and remote attackers to + cause a denial of service (kernel crash) via a crafted compressed ISO + file system. +upstream: released (2.6.12.5) +2.6.8-sarge-security: released (2.6.8-16sarge2) [zisofs.diff] +2.4.27-sid/sarge: pending [187_zisofs-2.diff] +2.4.27-sarge-security: released (2.4.27-10sarge2) [187_zisofs-2.diff] +linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2458 b/retired/CVE-2005-2458 new file mode 100644 index 00000000..6d7b55a2 --- /dev/null +++ b/retired/CVE-2005-2458 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-2458 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2458 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050805 + Category: SF + MLIST:[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file + URL:http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 + UBUNTU:USN-169-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + SECUNIA:16355 + URL:http://secunia.com/advisories/16355/ +Description: + inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 + allows remote attackers to cause a denial of service (kernel crash) + via a compressed file with "improper tables". +upstream: released (2.6.12.5) +linux-2.6: released (2.6.12-3) [linux-2.6.12.5.patch] +2.6.8-sarge-security: released (2.6.8-16sarge1) [linux-zlib-fixes.dpatch] +2.4.27-sid/sarge: released (2.4.27-11) [182_linux-zlib-fixes.diff] +2.4.27-sarge-security: released (2.4.27-10sarge1) [182_linux-zlib-fixes.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2459 b/retired/CVE-2005-2459 new file mode 100644 index 00000000..2bdc6f42 --- /dev/null +++ b/retired/CVE-2005-2459 
@@ -0,0 +1,31 @@ +Candidate: CVE-2005-2459 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2459 + MISC:http://bugs.gentoo.org/show_bug.cgi?id=94584 + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 + UBUNTU:USN-169-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-169-1 + SECUNIA:16355 + URL:http://secunia.com/advisories/16355/ +Description: + The huft_build function in inflate.c in the zlib routines in the Linux + kernel before 2.6.12.5 returns the wrong value, which allows remote + attackers to cause a denial of service (kernel crash) via a certain + compressed file that leads to a null pointer dereference, a different + vulnerability than CVE-2005-2458. +Notes: + This is a bogus fix that was applied in 2.6.12.5 and reverted in 2.6.12.6 + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.6 + We included the broken fix in the sarge1 releases, so this backs it out. +upstream: released (2.6.12.5) +linux-2.6: released (2.6.12.3) +2.6.8-sarge-security: released (2.6.8-16sarge1) [linux-zlib-fixes.dpatch] +2.4.27-sid/sarge: released (2.4.27-11) [182_linux-zlib-fixes.diff] +2.4.27-sarge-security: released (2.4.27-10sarge1) [182_linux-zlib-fixes.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2490 b/retired/CVE-2005-2490 new file mode 100644 index 00000000..d06ca172 --- /dev/null +++ b/retired/CVE-2005-2490 
@@ -0,0 +1,36 @@ +Candidate: CVE-2005-2490 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2490 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050808 + Category: SF + MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248 + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1 + UBUNTU:USN-178-1 + URL:http://www.ubuntu.com/usn/usn-178-1 + BID:14785 + URL:http://www.securityfocus.com/bid/14785 + SECUNIA:16747 + URL:http://secunia.com/advisories/16747/ + XF:kernel-sendmsg-bo(22217) + URL:http://xforce.iss.net/xforce/xfdb/22217 +Description: + Stack-based buffer overflow in the sendmsg function call in the Linux + kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code + by calling sendmsg and modifying the message contents in another + thread. +upstream: released (2.6.13.1), released (2.4.33-pre1) +linux-2.6: released (2.6.12-7, 2.6.13-1) [sendmsg-stackoverflow.patch, linux-2.6.13.1.patch] +2.6.8-sarge-security: released (2.6.8-16sarge2) [sendmsg-stackoverflow.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2492 b/retired/CVE-2005-2492 new file mode 100644 index 00000000..efc21d41 --- /dev/null +++ b/retired/CVE-2005-2492 
@@ -0,0 +1,35 @@ +Candidate: CVE-2005-2492 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2492 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050808 + Category: SF + MISC:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830 + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1 + UBUNTU:USN-178-1 + URL:http://www.ubuntu.com/usn/usn-178-1 + BID:14787 + URL:http://www.securityfocus.com/bid/14787 + SECUNIA:16747 + URL:http://secunia.com/advisories/16747/ + XF:kernel-rawsendmsg-obtain-information(22218) + URL:http://xforce.iss.net/xforce/xfdb/22218 +Description: + The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 + allows local users to cause a denial of service (change hardware + state) or read from arbitrary memory via crafted input. +upstream: released (2.6.13.1) +linux-2.6: released (2.6.12-7, 2.6.13-1) [sendmsg-DoS.patch, linux-2.6.13.1.patch] +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2548 b/retired/CVE-2005-2548 new file mode 100644 index 00000000..7aa9f590 --- /dev/null +++ b/retired/CVE-2005-2548 
@@ -0,0 +1,27 @@ +Candidate: CVE-2005-2548 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2548 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050812 + Category: SF + CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308 +Description: + vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a + denial of service (kernel oops from null dereference) via certain UDP + packets that lead to a function call with the wrong argument, as + demonstrated using snmpwalk on snmpd. +upstream: released (2.4.29) +2.6.8-sarge-security: released (2.6.8-16sarge1) [vlan-mii-ioctl.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2553 b/retired/CVE-2005-2553 new file mode 100644 index 00000000..444d853c --- /dev/null +++ b/retired/CVE-2005-2553 
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-2553 +References: + URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2553 + CONFIRM:http://lkml.org/lkml/2005/1/5/245 + CONFIRM:http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA +Description: + The find_target function in ptrace32.c in the Linux kernel 2.4.x + before 2.4.29 does not properly handle a NULL return value from + another function, which allows local users to cause a denial of + service (kernel crash/oops) by running a 32-bit ltrace program with + the -i option on a 64-bit executable program. +Bugs: +upstream: released (2.4.29) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: pending [184_arch-x86_64-ia32-ptrace32-oops.diff] +2.4.27-sarge-security: released (2.4.27-10sarge1) [184_arch-x86_64-ia32-ptrace32-oops.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2555 b/retired/CVE-2005-2555 new file mode 100644 index 00000000..4c466519 --- /dev/null +++ b/retired/CVE-2005-2555 @@ -0,0 +1,21 @@ +Candidate: CVE-2005-2555 +References: + URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2555 +Description: + Linux kernel 2.6.x does not properly restrict socket policy access to users + with the CAP_NET_ADMIN capability, which could allow local users to conduct + unauthorized activities via (1) ipv4/ip_sockglue.c and + (2) ipv6/ipv6_sockglue.c. +Notes: +Bugs: +upstream: released (2.6.13) +linux-2.6: released (2.6.13-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: released (2.4.27-10sarge2) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2708 b/retired/CVE-2005-2708 new file mode 100644 index 00000000..8c10fd12 
--- /dev/null +++ b/retired/CVE-2005-2708 @@ -0,0 +1,24 @@ +Candidate: CVE-2005-2708 +References: + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161925 +Description: + The search_binary_handler function in exec.c in Linux kernel on 64-bit x86 + architectures does not check a return code for a particular function call when + virtual memory is low, which allows local users to cause a denial of service + (panic), as demonstrated by running a process using the bash ulimit -v + command. +Notes: + This bug only affects 2.4 and AMD64, a combination that does not exist in + Debian +Bugs: +upstream: released (2.4.33-pre1) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2709 b/retired/CVE-2005-2709 new file mode 100644 index 00000000..12eb1c7e --- /dev/null +++ b/retired/CVE-2005-2709 @@ -0,0 +1,30 @@ +Candidate: CVE-2005-2709 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/stable-queue.git;a=blob_plain;h=5dbbdc13a7bdbc132de44bc00e13079afaf033d0;f=2.6.14.1/cve-2005-2709-sysctl-unregistration-oops.patch +Description: + 
From: Al Viro <viro@zeniv.linux.org.uk> + . + You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then + wait for interface to go away, try to grab as much memory as possible in + hope to hit the (kfreed) ctl_table. Then fill it with pointers to your + function. Then do read from file you've opened and if you are lucky, + you'll get it called as ->proc_handler() in kernel mode. +Notes: + CVE is reserved, so we can't take the description from there yet + . + dannf> arch/s390/appldata/appldata_base.c doesn't exist in 2.4, so I dropped + dannf> that hunk in my backport + . + **THIS IS AN ABI CHANGE** +Bug: +upstream: released (2.6.14.1), released (2.4.33-pre1) +linux-2.6: released (2.6.14-3) +2.6.8-sarge-security: released (2.6.8-16sarge2) [sysctl-unregistration-oops.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [196_sysctl-unregistration-oops.patch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2800 b/retired/CVE-2005-2800 new file mode 100644 index 00000000..6174e495 --- /dev/null +++ b/retired/CVE-2005-2800 
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-2800 +References: + URL:http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-2800 +Description: + Memory leak in the seq_file implemenetation in the SCSI procfs interface + (sg.c) in Linux kernel 2.6.13 and earlier allows local users to cause a + denial of service (memory consumption) via certain repeated reads from the + /proc/scsi/sg/devices file, which is not properly handled when the next() + iterator returns NULL or an error. +Notes: + dannf> seq_file is a 2.6ism, so marking 2.4 as N/A + dannf> There's a trivial test case - can it be reproduce this on 2.4? +Bugs: +upstream: released (2.6.12.6) +linux-2.6: released (2.6.12-6) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-2801 b/retired/CVE-2005-2801 new file mode 100644 index 00000000..975e4eec --- /dev/null +++ b/retired/CVE-2005-2801 
@@ -0,0 +1,26 @@ +Candidate: CVE-2005-2801 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2801 + MLIST:[Acl-Devel] 20050205 [FIX] Long-standing xattr sharing bug + URL:http://acl.bestbits.at/pipermail/acl-devel/2005-February/001848.html + MLIST:[debian-kernel] 20050809 Re: ACL patches in Debian 2.4 series kernel. + URL:http://lists.debian.org/debian-kernel/2005/08/msg00238.html + SUSE:SUSE-SA:2005:018 + URL:http://www.novell.com/linux/security/advisories/2005_18_kernel.html +Description: + xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 + does not properly compare the name_index fields when sharing xattr + blocks, which could prevent default ACLs from being applied. +Bugs: 332381 +upstream: released (2.6.11) +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs_ext2_ext3_xattr-sharing.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) [178_fs_ext2_ext3_xattr-sharing.diff] +2.4.27-sid: released (2.4.27-12) [178_fs_ext2_ext3_xattr-sharing.diff] +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2872 b/retired/CVE-2005-2872 new file mode 100644 index 00000000..5fb79ff8 --- /dev/null +++ b/retired/CVE-2005-2872 
@@ -0,0 +1,31 @@ +Candidate: CVE-2005-2872 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2872 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050909 + Category: SF + Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322237 + Reference: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/lsm-2.6.git;a=commit;h=bcfff0b471a60df350338bcd727fc9b8a6aa54b2 +Description: + The ipt_recent kernel module (ipt_recent.c) in Linux kernel before + 2.6.12, when running on 64-bit processors such as AMD64, allows remote + attackers to cause a denial of service (kernel panic) via certain + attacks such as SSH brute force, which leads to memset calls using a + length based on the u_int32_t type, acting on an array of unsigned + long elements, a different vulnerability than CVE-2005-2873. +upstream: released (2.6.12) +2.6.8-sarge-security: released (2.6.8-16sarge1) [net-ipv4-netfilter-ip_recent-last_pkts.dpatch] +2.4.27-sid/sarge: released (2.4.27-12) [179_net-ipv4-netfilter-ip_recent-last_pkts.diff] +2.4.27-sarge-security: released (2.4.27-10sarge1) [179_net-ipv4-netfilter-ip_recent-last_pkts.diff] +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-2973 b/retired/CVE-2005-2973 new file mode 100644 index 00000000..ba46533d --- /dev/null +++ b/retired/CVE-2005-2973 
@@ -0,0 +1,21 @@ +Candidate: CVE-2005-2973 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2973 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4342df67SNhRx_3FGhUrrU-FXLlQIA +Description: + Fix infinite loop in udp_v6_get_port(). +Bugs: +Notes: + submitted for inclusion in 2.4.32-rc2 +upstream: released (2.6.14-rc4) +2.6.8-sarge-security: released (2.6.8-16sarge2) [net-ipv6-udp_v6_get_port-loop.patch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [195_net-ipv6-udp_v6_get_port-loop.diff] +2.4.27-sarge/sid: pending (2.4.27-12) +linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3053 b/retired/CVE-2005-3053 new file mode 100644 index 00000000..27a385f0 --- /dev/null +++ b/retired/CVE-2005-3053 @@ -0,0 +1,28 @@ +Candidate: CVE-2005-3053 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3053 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050926 + Category: SF + Reference: CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@42eef8b09C5r6iI0LuMe5Uy3k05c5g +Description: + The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x + allows local users to cause a denial of service (kernel BUG()) via a + negative first argument. +Notes: + horms> http://lkml.org/lkml/2005/9/30/218 +upstream: released (2.6.12.5) +linux-2.6: released (2.6.12-3) +2.6.8-sarge-security: released (2.6.8-16sarge2) [mempolicy-check-mode.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3055 b/retired/CVE-2005-3055 new file mode 100644 index 00000000..c4da2529 
--- /dev/null +++ b/retired/CVE-2005-3055 @@ -0,0 +1,33 @@ +Candidate: CVE-2005-3055 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3055 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050926 + Category: SF + MLIST:[linux-kernel] 20050925 [BUG/PATCH/RFC] Oops while completing async USB via usbdevio + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883 +Description: + Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial + of service (kernel OOPS) via a userspace process that issues a USB + Request Block (URB) to a USB device and terminates before the URB is + finished, which leads to a stale pointer reference. +Notes: + horms> http://lkml.org/lkml/mbox/2005/10/11/90 + horms> http://lkml.org/lkml/2005/10/11/90 + horms> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330287;msg=21 +Bugs: 330287, 332587 +upstream: released (2.6.14-rc4) +linux-2.6: released (2.6.14-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3106 b/retired/CVE-2005-3106 new file mode 100644 index 00000000..7b2b2e99 --- /dev/null +++ b/retired/CVE-2005-3106 
@@ -0,0 +1,33 @@ +Candidate: CVE-2005-3106 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3106 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050930 + Category: SF + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c +Description: + Race condition in Linux 2.6, when threads are sharing memory mapping + via CLONE_VM (such as linuxthreads and vfork), might allow local users + to cause a denial of service (deadlock) by triggering a core dump + while waiting for a thread that has just performed an exec. + . + Extra information from Moritz Muehlenhof: + CVE-2005-3106: + DoS through race condition in processes that share a memory mapping through + CLONE_VM + http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.156?nav=index.html|src/|src/fs|hist/fs/exec.c +upstream: released (2.6.11) +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-ptrace-core-exec-race.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3107 b/retired/CVE-2005-3107 new file mode 100644 index 00000000..5123c7b3 --- /dev/null +++ b/retired/CVE-2005-3107 
@@ -0,0 +1,33 @@ +Candidate: CVE-2005-3107 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3107 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050930 + Category: SF + CONFIRM:http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/fs/exec.c@1.155?nav=index.html|src/|src/fs|hist/fs/exec.c +Description: + fs/exec.c in Linux 2.6, when one thread is tracing another thread that + shares the same memory map, might allow local users to cause a denial + of service (deadlock) by forcing a core dump when the traced thread is + in the TASK_TRACED state. + . + Extra information from Moritz Muehlenhof: + Local DoS through threads tracing each other by forcing a core dump, while the traced + thread is in TASK_TRACED state. + http://www.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.11-rc1/2.6.11-rc1-mm1/broken-out/fix-coredump_wait-deadlock-with-ptracer-tracee-on-shared-mm.patch +upstream: released (2.6.11) +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-ptrace-deadlock.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3108 b/retired/CVE-2005-3108 new file mode 100644 index 00000000..54985b8e --- /dev/null +++ b/retired/CVE-2005-3108 
@@ -0,0 +1,31 @@ +Candidate: CVE-2005-3108 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3108 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050930 + Category: SF + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2 +Description: + mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to + cause a denial of service or an information leak via an iremap on a + certain memory map that causes the iounmap to perform a lookup of a + page that does not exist. +Notes: + Extra information from Moritz Muehlenhof: + DoS and potential information leak in ioremap (seemingly specific to amd64) + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=93ef70a217637ade3f335303a112b22a134a1ec2 +upstream: released (2.6.11.12) +2.6.8-sarge-security: released (2.6.8-16sarge1) [arch-x86_64-mm-ioremap-page-lookup.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3109 b/retired/CVE-2005-3109 new file mode 100644 index 00000000..2d36440f --- /dev/null +++ b/retired/CVE-2005-3109 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-3109 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3109 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050930 + Category: SF + CONFIRM:http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=945b092011c6af71a0107be96e119c8c08776f3f +Description: + The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to + cause a denial of service (oops) by using hfsplus to mount a + filesystem that is not hfsplus. +Notes: + Extra information from Moritz Muehlenhof: + Local DoS through oops by mounting a non-HFS+ filesystem as HFS+. + Asking upstream about 2.4: http://lkml.org/lkml/2005/10/7/3/index.html + dannf> Looks like, from the above thread, that 2.4 is not affected; marking + as such. +upstream: released (2.6.11.12) +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-hfs-oops-and-leak.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-3110 b/retired/CVE-2005-3110 new file mode 100644 index 00000000..7b5f4922 --- /dev/null +++ b/retired/CVE-2005-3110 
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-3110 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3110 + Final-Decision: + Interim-Decision: + Modified: + Proposed: + Assigned: 20050930 + Category: SF + Reference: CONFIRM:http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572 +Description: + Race condition in ebtables netfilter module (ebtables.c) in Linux 2.6, + when running on an SMP system that is operating under a heavy load, + might allow remote attackers to cause a denial of service (crash) via + a series of packets that cause a value to be modified after it has + been read but before it has been locked. +Notes: + Extra information from Moritz Muehlenhof: + DoS on SMP, potentially 2.4 and 2.6 + http://sourceforge.net/mailarchive/forum.php?thread_id=6800453&forum_id=8572 +upstream: released (2.6.11.11) +2.6.8-sarge-security: released (2.6.8-16sarge1) [net-bridge-netfilter-etables-smp-race.dpatch] +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3119 b/retired/CVE-2005-3119 new file mode 100644 index 00000000..85710594 --- /dev/null +++ b/retired/CVE-2005-3119 
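Review bot: in the CVE-2005-3110 hunk, the Notes say "potentially 2.4 and 2.6" yet 2.4.27-sarge-security is marked N/A with no reason recorded and the woody fields are blank. Either record why the 2.4.27 ebtables code is not subject to this read-before-lock race, or leave 2.4.27 open until that has been checked. Also "Reference: CONFIRM:" uses a different key prefix from the neighbouring files, which use a bare "CONFIRM:".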
@@ -0,0 +1,30 @@ +Candidate: CVE-2005-3119 +References: + URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3119 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@43483fddCiQX1WyG_orbko06TrjMVA + REDHAT:RHSA-2005:808 + URL:http://www.redhat.com/support/errata/RHSA-2005-808.html + SECUNIA:17364 + URL:http://secunia.com/advisories/17364 +Description: + Memory leak in the request_key_auth_destroy function in request_key_auth in Linux + kernel 2.6.13 and earlier allows local users to cause a denial of service (memory + consumption) via a large number of authorization token keys. +Notes: + Plug request_key_auth memleak. This can be triggered by unprivileged + users, so is local DoS. + http://www.ussg.iu.edu/hypermail/linux/kernel/0510.0/1860.html + . + dannf> This file doesn't exist in 2.6.8, so sarge isn't vulnerable +upstream: released (2.6.13.4, 2.6.14) +linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3179 b/retired/CVE-2005-3179 new file mode 100644 index 00000000..f2b7e547 --- /dev/null +++ b/retired/CVE-2005-3179 @@ -0,0 +1,27 @@ +Candidate: CVE-2005-3179 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3179 + Reference: CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=d7067d7d1f92cba14963a430cfbd53098cbbc8fd + Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=107893 +Description: + drm.c in Linux kernel 2.6.13 and earlier creates a debug file in sysfs + with world-readable and world-writable permissions, which allows local + users to enable DRM debugging and obtain sensitive information. +Notes: + (from Horms) + 
> > From: Dave Jones <davej@redhat.com> + > > + > > Please consider for next 2.6.13, it is a minor security issue allowing + > > users to turn on drm debugging when they shouldn't... +upstream: released (2.6.13.4) +linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1) +2.6.8-sarge-security: N/A +2.4.27-sid/sarge: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3180 b/retired/CVE-2005-3180 new file mode 100644 index 00000000..70d585c3 --- /dev/null +++ b/retired/CVE-2005-3180 @@ -0,0 +1,31 @@ +Candidate: CVE-2005-3180 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3180 + CONFIRM:http://www.kernel.org/hg/linux-2.6/?cmd=changeset;node=feecb2ffde28639e60ede769c6f817dc536c677b +Description: + The Orinoco driver (orinoco.c) in Linux kernel 2.6.13 and earlier does + not properly clear memory from a previously used packet whose length + is increased, which allows remote attackers to obtain sensitive + information. +Notes: + 
> > From: Pavel Roskin <proski@gnu.org> + > > + > > The orinoco driver can send uninitialized data exposing random pieces of + > > the system memory. This happens because data is not padded with zeroes + > > when its length needs to be increased. + horms> a better fix for this is + horms> http://mirror.local.valinux.co.jp/linux/kernel/v2.6/ChangeLog-2.6.15 + horms> 192_orinoco-info-leak.diff is missing the ALIGN macro which is not + horms> defined elsewhere in 2.4. + horms> is added by 192_orinoco-info-leak-2.diff +upstream: released (2.6.13.4), released (2.4.33-pre2) +linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [orinoco-info-leak.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [192_orinoco-info-leak.diff, 192_orinoco-info-leak-2.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3181 b/retired/CVE-2005-3181 new file mode 100644 index 00000000..614a43ea --- /dev/null +++ b/retired/CVE-2005-3181 
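Review bot: in the CVE-2005-3119 hunk, 2.4.18-woody-security-hppa is the only woody field left blank while the other six are N/A; the Notes give a 2.6-only file as the reason, so it should be N/A as well.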
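Review bot: in the CVE-2005-3179 hunk, 2.6.8-sarge-security is N/A but nothing in Notes says why the 2.6.8 drm code is unaffected, unlike CVE-2005-3119 which records "This file doesn't exist in 2.6.8"; add the reason. The woody fields are blank; 2.4 has no sysfs at all, so N/A is the expected value there.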
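Review bot: in the CVE-2005-3180 hunk, horms records that the 2.6.15 change is "a better fix", but the 2.6.8 line still points at orinoco-info-leak.dpatch in 16sarge2 with no statement of which version of the fix it carries; note whether sarge's 2.6.8 got the original patch or the 2.6.15 one. The sentence "192_orinoco-info-leak.diff is missing the ALIGN macro ... is added by 192_orinoco-info-leak-2.diff" has lost its subject and should say that the macro is added by the second diff. The woody fields are blank although upstream lists a 2.4.33-pre2 fix, so 2.4.16 to 2.4.19 need a status.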
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3181 +References: + URL: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-3181 + CONFIRM: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=829841146878e082613a49581ae252c071057c23 +Description: + Linux kernel before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an + incorrect function to free names_cache memory, which prevents the memory + from being tracked by AUDITSYSCALL code and leads to a memory leak that + allows attackers to cause a denial of service (memory consumption). +Notes: + 2.4 isn't vulnerable because AUDITSYSCALL doesn't exist in 2.4 +Bugs: +upstream: released (2.6.13.4) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: N/A +2.4.27-sarge/sid: N/A +linux-2.6: released (2.6.13+2.6.14-rc4-0experimental.1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3257 b/retired/CVE-2005-3257 new file mode 100644 index 00000000..f2dfa81f --- /dev/null +++ b/retired/CVE-2005-3257 
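Review bot: in the CVE-2005-3181 hunk, the Notes state 2.4 is not vulnerable because AUDITSYSCALL does not exist there, so the seven woody fields should be N/A rather than blank. The key "2.4.27-sarge/sid" is spelled "2.4.27-sid/sarge" in the neighbouring files; pick one form so the fields can be parsed consistently.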
@@ -0,0 +1,25 @@ +Candidate: CVE-2005-3257 +References: + URL: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2005-3257 + CONFIRM: http://article.gmane.org/gmane.linux.debian.devel.bugs.general/8533 +Description: + The VT implementation (vt_ioctl.c) in Linux kernel 2.6.12 allows local + users to use the KDSKBSENT ioctl on terminals of other users and gain + privileges, as demonstrated by modifying key bindings using loadkeys. +Bugs: 334113 +Notes: + The first patch is the bit that adds the capability check; the second + one makes it less anal (only apply to writes). + jmm> The patch targeted to 2.6.14.4 is slightly different, needs to be + jmm> sorted out. +upstream: released (2.4.32-rc3), released (2.6.15-rc1), released (2.6.14.4) +2.6.8-sarge-security: released (2.6.8-16sarge2) [setkeys-needs-root-1.dpatch, setkeys-needs-root-2.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [197_setkeys-needs-root-1.diff, 197_setkeys-needs-root-2.diff] +linux-2.6: released (2.6.14-6) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3271 b/retired/CVE-2005-3271 new file mode 100644 index 00000000..f2300a6c --- /dev/null +++ b/retired/CVE-2005-3271 
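Review bot: in the CVE-2005-3257 hunk, Notes still carry an open item ("The patch targeted to 2.6.14.4 is slightly different, needs to be sorted out") while every track is marked released; before retiring the entry, record whether the 2.6.14.4 variant was adopted or why the two-patch version is equivalent. "makes it less anal" is informal for a tracking file; "restricts the check to writes" says the same thing and is what the parenthesis already states.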
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3271 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3271 + MLIST:[linux-kernel] 20040911 [PATCH] exec: fix posix-timers leak and pending signal loss + URL:http://www.ussg.iu.edu/hypermail/linux/kernel/0409.1/1107.html + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@414b332fsZQvEUsfzKJIo-q2_ZH0hg +Description: + Exec in Linux kernel 2.6 does not properly clear posix-timers in + multi-threaded environments, which results in a resource leak and + could allow a large number of multiple local users to cause a denial + of service by using more posix-timers than specified by the quota for + a single user. +Bugs: +upstream: released (2.6.9) +2.6.8-sarge-security: released (2.6.8-16sarge1) [fs-exec-posix-timers-leak-1.dpatch] +2.4.27-sarge-security: N/A +linux-2.6: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3272 b/retired/CVE-2005-3272 new file mode 100644 index 00000000..62faaf83 --- /dev/null +++ b/retired/CVE-2005-3272 
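Review bot: in the CVE-2005-3271 hunk, there is no Notes section, so the N/A on 2.4.27-sarge-security has no recorded justification and the woody fields are blank; add the reason (if the argument is that POSIX timers and the affected exec path are 2.6-only code, say so) and set the woody fields accordingly. "a large number of multiple local users" in the Description is the MITRE wording, but "a large number of local users" is what is meant.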
@@ -0,0 +1,20 @@ +Candidate: CVE-2005-3272 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3272 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3097.18.19?nav=index.html|src/|src/net|src/net/bridge|related/net/bridge/br_input.c +Description: + Linux kernel before 2.6.12 allows remote attackers to poison the + bridge forwarding table using frames that have already been dropped by + filtering, which can cause the bridge to forward spoofed packets. +Bugs: +upstream: released (2.6.12) +2.6.8-sarge-security: released (2.6.8-16sarge1) [net-bridge-forwarding-poison-1.dpatch, net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch] +2.4.27-sarge-security: N/A +linux-2.6: released (2.6.12-1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3273 b/retired/CVE-2005-3273 new file mode 100644 index 00000000..7226e3d8 --- /dev/null +++ b/retired/CVE-2005-3273 
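Review bot: in the CVE-2005-3272 hunk, the 2.6.8 entry lists three dpatches but two of them (net-bridge-mangle-oops-1 and -2) are named for an oops, not for the forwarding-table poisoning the Description covers; state in Notes whether they are prerequisites for the poison fix or address a separate issue, otherwise the CVE-to-patch mapping is ambiguous. 2.4.27 is N/A without a recorded reason and the woody fields are blank.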
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-3273 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3273 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/diffs/net/rose/rose_route.c@1.16?nav=index.html|src/|src/net|src/net/rose|related/net/rose/rose_route.c|cset@1.2009.1.46 + CONFIRM:http://lkml.org/lkml/2005/5/23/169 +Description: + The rose_rt_ioctl function in rose_route.c for ROSE in Linux 2.6 + kernels prior to 2.6.12 does not properly verify the ndigis argument + for a new route, which allows attackers to trigger array out-of-bounds + errors with a large number of digipeats. +Bugs: +upstream: released (2.6.12) +2.6.8-sarge-security: released (2.6.8-16sarge1) [net-rose-ndigis-verify.dpatch] +2.4.27-sarge-security: N/A +linux-2.6: released (2.6.12-1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3274 b/retired/CVE-2005-3274 new file mode 100644 index 00000000..46e16aab --- /dev/null +++ b/retired/CVE-2005-3274 
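Review bot: in the CVE-2005-3273 hunk, 2.4.27-sarge-security is N/A with no Notes entry, yet net/rose/rose_route.c and rose_rt_ioctl() also exist in the 2.4 tree; record why the 2.4 ndigis handling is considered safe (or fix it) before retiring, and give the blank woody fields a status.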
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3274 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3274 + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=e684f066dff5628bb61ad1912de6e8058b5b4c7d + CONFIRM:http://lkml.org/lkml/2005/6/23/249 + CONFIRM:http://lkml.org/lkml/2005/6/24/173 +Description: + Race condition in ip_vs_conn_flush in Linux 2.6 before 2.6.13 and 2.4 + before 2.4.32-pre2, when running on SMP systems, allows local users to + cause a denial of service (null dereference) by causing a connection + timer to expire while the connection table is being flushed before the + appropriate lock is acquired. +Bugs: +upstream: released (2.6.13, 2.4.32-pre2) +linux-2.6: released (2.6.13-1) +2.6.8-sarge-security: released (2.6.8-16sarge1) [net-ipv4-ipvs-conn_tab-race.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3275 b/retired/CVE-2005-3275 new file mode 100644 index 00000000..9fc10e88 --- /dev/null +++ b/retired/CVE-2005-3275 
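Review bot: in the CVE-2005-3274 hunk, the 2.4.27-sarge-security line says released (2.4.27-10sarge1) without the bracketed patch file that every other released line carries, so the fix cannot be traced in the source package; add it. The Description names 2.4 before 2.4.32-pre2 as affected, so the blank woody fields need a status too.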
@@ -0,0 +1,23 @@ +Candidate: CVE-2005-3275 +References: + URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3275 + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3596.79.34?nav=index.html|src/|src/net|src/net/ipv4|src/net/ipv4/netfilter|related/net/ipv4/netfilter/ip_nat_proto_udp.c +Description: + The NAT code (1) ip_nat_proto_tcp.c and (2) ip_nat_proto_udp.c in + Linux kernel 2.6 before 2.6.13 and 2.4 before 2.4.32-rc1 incorrectly + declares a variable to be static, which allows remote attackers to + cause a denial of service (memory corruption) by causing two packets + for the same protocol to be NATed at the same time, which leads to + memory corruption. +Bugs: +upstream: released (2.6.12.3) +2.6.8-sarge-security: released (2.6.8-16sarge1) [netfilter-NAT-memory-corruption.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge1) [174_net-ipv4-netfilter-nat-mem.diff] +linux-2.6: released (2.6.12-1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3276 b/retired/CVE-2005-3276 new file mode 100644 index 00000000..56a01b84 --- /dev/null +++ b/retired/CVE-2005-3276 
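Review bot: in the CVE-2005-3275 hunk, the upstream field lists only 2.6.12.3, but the Description says 2.4 before 2.4.32-rc1 is affected and a 2.4.27 fix was shipped; add the 2.4 fix release to upstream, as CVE-2005-3274 does with "(2.6.13, 2.4.32-pre2)". The woody fields are blank for a bug that affects 2.4.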
@@ -0,0 +1,21 @@ +Candidate: CVE-2005-3276 +References: + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@1.3700.4.106?nav=index.html|src/|src/arch|src/arch/i386|src/arch/i386/kernel|related/arch/i386/kernel/process.c + CONFIRM: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=71ae18ec690953e9ba7107c7cc44589c2cc0d9f1 + URL:http://lkml.org/lkml/2005/8/3/36 +Description: + The sys_get_thread_area function in Linux 2.6 kernels prior to 2.6.12.4 and + 2.6.13 does not entirely clear a user_desc structure before copying it + to userspace, resulting in a small information leak. +Bugs: +upstream: released (2.6.12.4) +linux-2.6: released (2.6.12-2) +2.6.8-sarge-security: released (2.6.8-16sarge1) [sys_get_thread_area-leak.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3356 b/retired/CVE-2005-3356 new file mode 100644 index 00000000..4da47902 --- /dev/null +++ b/retired/CVE-2005-3356 
@@ -0,0 +1,34 @@ +Candidate: CVE-2005-3356 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=7c7dce9209161eb260cdf9e9172f72c3a02379e6h+p=12dbf3fc4d06d2c0c4c44dc0612df04248b3cfd3 +Description: + [PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open + . + Fixed the refcounting on failure exits in sys_mq_open() and + cleaned the logics up. Rules are actually pretty simple - dentry_open() + expects vfsmount and dentry to be pinned down and it either transfers + them into created struct file or drops them. Old code had been very + confused in that area - if dentry_open() had failed either in do_open() + or do_create(), we ended up dentry and mqueue_mnt dropped twice, once + by dentry_open() cleanup and then by sys_mq_open(). + . + Fix consists of making the rules for do_create() and do_open() + same as for dentry_open() and updating the sys_mq_open() accordingly; + that actually leads to more straightforward code and less work on + normal path. + . + Signed-off-by: Al Viro <aviro@redhat.com> + Signed-off-by: Linus Torvalds <torvalds@osdl.org> +Notes: + jmm> Discovered by Doug Chapman +Bugs: +upstream: released (2.6.15.2) +linux-2.6: released (2.6.15-4) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-3358 b/retired/CVE-2005-3358 new file mode 100644 index 00000000..bcb2ae93 --- /dev/null +++ b/retired/CVE-2005-3358 
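Review bot: in the CVE-2005-3356 hunk, the reference URL is malformed: "...7c7dce9209161eb260cdf9e9172f72c3a02379e6h+p=12dbf3fc..." has a stray "h+" where the ";hp=" separator belongs, so the link will not resolve to the intended commitdiff. The Description is the upstream commit message rather than a description of the vulnerability, and the file is missing the 2.4.18-woody-security-hppa line the other entries carry.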
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-3358 +References: + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175683 +Description: + Linux kernel 2.6.x, possibly before 2.6.11, allows local users to + cause a denial of service (panic) via a set_mempolicy call with a + 0 bitmask, which causes a panic when a page fault occurs. +Notes: + jmm> This was initially believed to be fixed as of 2.6.11, but this + jmm> turned out to be wrong. +Bugs: +upstream: released (2.6.15) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [mempolicy-undefined-nodes.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-3359 b/retired/CVE-2005-3359 new file mode 100644 index 00000000..54534cbd --- /dev/null +++ b/retired/CVE-2005-3359 
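Review bot: in the CVE-2005-3358 hunk, the Description still says "possibly before 2.6.11" while upstream records the fix in 2.6.15 and the Notes say the 2.6.11 belief was wrong; update the affected range to "before 2.6.15" so the Description and the status fields agree.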
@@ -0,0 +1,35 @@ +Candidate: CVE-2005-3359 +References: + http://linux.bkbits.net:8080/linux-2.6/cset@4339c66aLroC1_zunYKhEIbtIWrnwg + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175769 + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a79af59efd20990473d579b1d8d70bb120f0920c + CONFIRM:http://linux.bkbits.net:8080/linux-2.6/cset@4339c66aLroC1_zunYKhEIbtIWrnwg + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175769 + UBUNTU:USN-263-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-263-1 + BID:17078 + URL:http://www.securityfocus.com/bid/17078 + SECUNIA:19220 + URL:http://secunia.com/advisories/19220 +Description: + The atm module in Linux kernel 2.6 before 2.6.14 allows local users to cause a + denial of service (panic) via certain socket calls that produce inconsistent + reference counts for loadable protocol modules. +Notes: + dannf> Easily reproduced on 2.6.8, not reproducible on 2.4.27, so marking + dannf> 2.4 N/A + . + dannf> Note that atm is marked experimental in 2.6.8, and is not built + dannf> as a module on i386, amd64 or ia64 - but of course users could + dannf> build their own kernels, and this isn't atm specific +Bugs: +upstream: released (2.6.14) +linux-2.6: released (2.6.14-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-3623 b/retired/CVE-2005-3623 new file mode 100644 index 00000000..928c8ebd --- /dev/null +++ b/retired/CVE-2005-3623 
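Review bot: in the CVE-2005-3359 hunk, the bkbits changeset and the Red Hat bugzilla URLs are listed twice, once bare and once with a CONFIRM: prefix; drop the bare copies. The file also lacks the 2.4.18-woody-security-hppa line present in the other entries. The Notes' remark that "this isn't atm specific" deserves a sentence more: if other protocol modules share the refcount problem, the 2.6.8 fix should cover them and the Description should not be limited to atm.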
@@ -0,0 +1,21 @@ +Candidate: CVE-2005-3623 +References: + http://permalink.gmane.org/gmane.linux.kernel/360868 +Description: + We must check for MAY_SATTR before setting acls, which includes + checking for read-only exports: the lower-level setxattr operation + that eventually sets the acl cannot check export-level restrictions. +Notes: + jmm> NFS ACLs were only introduced somewhere between 2.6.12-2.6.14, so + jmm> Sarge and Woody are not vulnerable +Bugs: +upstream: released (2.6.14.5), released (2.6.15-pre7) +linux-2.6: released (2.6.14-7) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-3783 b/retired/CVE-2005-3783 new file mode 100644 index 00000000..5edfb1da --- /dev/null +++ b/retired/CVE-2005-3783 
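Review bot: in the CVE-2005-3623 hunk, "released (2.6.15-pre7)" is not a valid 2.6 tag; the 2.6 series uses -rc (2.4 uses -pre), so this is presumably 2.6.15-rc7. The Description is the commit text ("We must check for MAY_SATTR ...") rather than a description of the vulnerability, and the Notes' "somewhere between 2.6.12-2.6.14" should name the release that added NFS ACLs, since that is the whole basis for marking 2.6.8 N/A. The 2.4.18-woody-security-hppa line is missing.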
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-3783 +References: + http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.14.y.git;a=commit;h=082d52c56f642d21b771a13221068d40915a1409 + http://www.kernel.org/git/?p=linux/kernel/git/gregkh/linux-2.6.14.y.git;a=blobdiff;h=fcfc4568b45f3f190ba320b0d5853836921cb8bc;hp=019e04ec065a55d8f28157d3a1f7ba06cafd347f;hb=082d52c56f642d21b771a13221068d40915a1409;f=kernel/ptrace.c +Description: + The ptrace functionality (ptrace.c) in Linux kernel 2.6 before 2.6.14.2, + using CLONE_THREAD, does not use the thread group ID to check whether it + is attaching to itself, which allows local users to cause a denial of + service (crash). +Notes: +Bugs: +upstream: released (2.4.33-pre1, 2.6.14.2) +linux-2.6: released (2.6.14-3) +2.6.8-sarge-security: released (2.6.8-16sarge2) [ptrace-fix_self-attach_rule.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [201_ptrace-fix_self-attach_rule.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3784 b/retired/CVE-2005-3784 new file mode 100644 index 00000000..ecaa8893 --- /dev/null +++ b/retired/CVE-2005-3784 
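Review bot: in the CVE-2005-3783 hunk, upstream records a 2.4.33-pre1 fix and 2.4.27 was patched, so 2.4 is affected; the seven woody fields are nonetheless blank and need a status. Notes is empty; a line on how the 2.4 self-attach rule differs (or a pointer to the 201_ diff) would help whoever looks at the woody kernels.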
@@ -0,0 +1,21 @@ +Candidate: CVE-2005-3784 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7ed0175a462c4c30f6df6fac1cccac058f997739 +Description: + The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes + with ptrace attached,which leads to a dangling ptrace reference and allows local users + to cause a denial of service (crash). +Notes: + jmm,horms> 2.4 code seems very different and not vulnerable +Bugs: +upstream: released (2.6.15) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [kernel-dont-reap-traced.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-3805 b/retired/CVE-2005-3805 new file mode 100644 index 00000000..dee7bc66 --- /dev/null +++ b/retired/CVE-2005-3805 @@ -0,0 +1,22 @@ +Candidate: CVE-2005-3805 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=25f407f0b668f5e4ebd5d13e1fb4306ba6427ead +Description: + A locking problem in POSIX timer cleanup handling on exit in Linux kernel + 2.6.10 to 2.6.14, when running on SMP systems, allows local users to cause + a denial of service (deadlock) involving process CPU timers. +Notes: + The referenced patch was actually added in 2.6.14, so I think the vulnerable + versions listed in the description are wrong. +Bugs: +upstream: released (2.6.14) +linux-2.6: released (2.6.14-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: N/A diff --git a/retired/CVE-2005-3806 b/retired/CVE-2005-3806 new file mode 100644 index 00000000..de1ca218 
--- /dev/null +++ b/retired/CVE-2005-3806 @@ -0,0 +1,23 @@ +Candidate: CVE-2005-3806 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4ea6a8046bb49d43c950898f0cb4e1994ef6c89d + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=bbbe80cdaf72a75a463aff9551e60b31e2f69061;hp=f841bde30c18493a94fd5d522b84724a8eb82a4a;hb=4ea6a8046bb49d43c950898f0cb4e1994ef6c89d;f=net/ipv6/ip6_flowlabel.c +Description: + The IPv6 flowlabel handling code (ip6_flowlabel.c) in Linux kernels + 2.4 up to 2.4.32 and 2.6 before 2.6.14 modifies the wrong variable in + certain circumstances, which allows local users to corrupt kernel memory + or cause a denial of service (crash) by triggering a free of non-allocated + memory. +Notes: +Bugs: +upstream: released (2.6.14) +linux-2.6: released (2.6.14-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [net-ipv6-flowlabel-refcnt.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge2) [net-ipv6-flowlabel-refcnt.dpatch] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3807 b/retired/CVE-2005-3807 new file mode 100644 index 00000000..28c164ba --- /dev/null +++ b/retired/CVE-2005-3807 
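Review bot: in the CVE-2005-3805 hunk above, the Notes say the patch landed in 2.6.14 and that the Description's "2.6.10 to 2.6.14" is therefore wrong, but the Description was left as-is; change it to "2.6.10 up to 2.6.13" (or "before 2.6.14") so the record does not contradict itself. With that range, 2.6.8 N/A is consistent.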
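Review bot: in the CVE-2005-3806 hunk, the 2.4.27-sarge-security line cites net-ipv6-flowlabel-refcnt.dpatch, which is the 2.6.8 dpatch name; the 2.4.27 package uses numbered .diff files (compare 192_... and 201_... in the neighbouring entries), so this looks copied from the 2.6.8 line and should name the actual 2.4 patch. The Description says 2.4 up to 2.4.32 is affected, so the blank woody fields need a status, and upstream should record the 2.4 fix release alongside 2.6.14.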
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3807 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dc15ae14e97ee9d5ed740cbb0b94996076d8b37e +Description: + [PATCH] VFS: Fix memory leak with file leases + . + Memory leak in the VFS file lease handling in locks.c in Linux kernels + 2.6.10 to 2.6.15 allows local users to cause a denial of service + (memory exhaustion) via certain Samba activities that cause an fasync + entry to be re-allocated by the fcntl_setlease function after the + fasync queue has already +Notes: +Bugs: +upstream: released (2.6.14.3) +linux-2.6: released (2.6.14-4) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3808 b/retired/CVE-2005-3808 new file mode 100644 index 00000000..47f74a1d --- /dev/null +++ b/retired/CVE-2005-3808 @@ -0,0 +1,19 @@ +Candidate: CVE-2005-3808 +References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=479ef592f3664dd629417098c8599261c0f689ab +Description: + Fix a 32 bit integer overflow in invalidate_inode_pages2_range. Local DoS +Notes: + horms> I don't see any evidence of this on 2.6.8 or 2.4.27 + I didn't check the woody kernels, but it seems very unlikely it is there +Bugs: +upstream: released (2.6.14.4) +linux-2.6: released (2.6.14-4) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3809 b/retired/CVE-2005-3809 new file mode 100644 index 00000000..93e4f5db --- /dev/null +++ b/retired/CVE-2005-3809 
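Review bot: in the CVE-2005-3807 hunk, the Description is cut off mid-sentence ("after the fasync queue has already"); complete it from the CVE text before retiring. It also gives the affected range as 2.6.10 to 2.6.15 while upstream records the fix in 2.6.14.3, which is inconsistent; once the range is settled, 2.6.8 N/A follows from it starting at 2.6.10, but the woody fields are still blank.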
@@ -0,0 +1,16 @@ +Candidate: CVE-2005-3809 +References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=51df784ed739246a3774b300e5f536e17bec36ed +Description: +Notes: +Bugs: +upstream: released (2.6.15-rc1, 2.6.14.3) +linux-2.6: pending (2.6.14-4) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3810 b/retired/CVE-2005-3810 new file mode 100644 index 00000000..786a9235 --- /dev/null +++ b/retired/CVE-2005-3810 @@ -0,0 +1,20 @@ +Candidate: CVE-2005-3810 +References: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=439a9994bb6ae3c7cab1f0b776bca6bc7aa58a11 +Description: + [NETFILTER] ctnetlink: Fix oops when no ICMP ID info in message + . + This patch fixes an userspace triggered oops. If there is no ICMP_ID + info the reference to attr will be NULL. +Notes: +Bugs: +upstream: released (2.6.15-rc1, 2.6.14.3) +linux-2.6: released (2.6.14-4) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3847 b/retired/CVE-2005-3847 new file mode 100644 index 00000000..84af9587 --- /dev/null +++ b/retired/CVE-2005-3847 
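Review bot: in the CVE-2005-3809 hunk, Description and Notes are empty and linux-2.6 is still "pending (2.6.14-4)", so this file is being moved to retired/ with no record of what the bug is or that the sid upload happened. Fill in the Description from the referenced commit (51df784ed739...) and update linux-2.6 to released, or keep the entry active until that is done.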
@@ -0,0 +1,30 @@ +Candidate: CVE-2005-3847 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd12f48d4e8774415b528d3991ae47c28f26e1ac;hp=ade6648b3b11a5d81f6f28135193ab6d85d621db + MISC:http://groups.google.com/group/linux.kernel/browse_thread/thread/74683bcc8dbf0df3/bf540370894d3de0%23bf540370894d3de0?sa=X&oi=groupsr&start=0&num=3 + MISC:http://svn.debian.org/wsvn/kernel/dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nptl-signal-delivery-deadlock-fix.dpatch?op=file&rev=4458&sc=0 +Description: + Bhavesh P. Davda reported a race condition that exists in Linux 2.6 kernels prior to + 2.6.13 and 2.6.12.6. A deadlock can occur when a SIGKILL signal is sent to a real-time + threaded process that is dumping core, which can be used by a local user to initiate + a denial of service attack. +Notes: + handle_stop_signal() in 2.4 looks significantly different, and since this bug + is associated with NPTL, I don't think we need to worry about in 2.4. + CVE description is actually as follows: + signal.c in Linux kernel before 2.6.13 and 2.6.12.6 and earlier allows + local users to cause a denial of service (deadlock) by sending a + SIGKILL to a real-time threaded process while it is performing a core + dump. +Bug: +upstream: released (2.6.12.6, 2.6.13) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge2) [nptl-signal-delivery-deadlock-fix.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3848 b/retired/CVE-2005-3848 new file mode 100644 index 00000000..13cb1398 --- /dev/null +++ b/retired/CVE-2005-3848 
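Review bot: in the CVE-2005-3847 hunk, the key is "Bug:" where every other file uses "Bugs:"; anything that parses on the field name will miss it. The Description is the advisory wording with the actual CVE text moved into Notes, the reverse of the other files; swap them for consistency. The woody fields are blank even though the Notes argue 2.4 is unaffected, so N/A is the right value.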
@@ -0,0 +1,32 @@ +Candidate: CVE-2005-3848 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cb94c62c252796f42bb83fe40960d12f3ea5a82a + MISC:http://lkml.org/lkml/2005/8/26/173 +Description: + Ollie Wild discovered a leak in the icmp_push_reply() function in Linux 2.6, + in which an ignored error returned by ip_append_data() would result in the + route and net_device not being freed. A malicious remote user could exploit + this in order to initiate a denial of service attack. This issue was fixed + in Linux 2.6.12.6 and 2.6.13. +Notes: + This code looks completely different in 2.4; neither ip_append_data() (the + function that returns an error) nor icmp_push_reply() (the function that fails + to check this error) exist. So, I'm marking 2.4 as unaffected. + Actual CVE description: + Memory leak in the icmp_push_reply function in Linux 2.6 before + 2.6.12.6 and 2.6.13 allows remote attackers to cause a denial of + service (memory consumption) via a large number of crafted packets + that cause the ip_append_data function to fail, aka "DST leak in + icmp_push_reply." +upstream: released (2.6.12.6, 2.6.13) +2.6.8-sarge-security: released (2.6.8-16sarge2) [fix-dst-leak-in-icmp_push_reply.dpatch] +2.4.27-sid/sarge: released (2.4.27-12) [188_fix-dst-leak-in-icmp_push_reply.diff] +2.4.27-sarge-security: released (2.4.27-10sarge2) [188_fix-dst-leak-in-icmp_push_reply.diff] +linux-2.6: +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3857 b/retired/CVE-2005-3857 new file mode 100644 index 00000000..414ec8fb --- /dev/null +++ b/retired/CVE-2005-3857 
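Review bot: in the CVE-2005-3848 hunk, the Notes conclude "I'm marking 2.4 as unaffected", yet both 2.4.27 lines are "released" with 188_fix-dst-leak-in-icmp_push_reply.diff; one of these is stale. Either the Notes need an update saying 2.4 turned out to be affected and was patched, or the 2.4.27 lines are wrong. linux-2.6 is also blank in a retired entry, and 2.4.18-woody-security-hppa is blank while the other woody fields are N/A.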
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3857 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f3a9388e4ebea57583272007311fffa26ebbb305 +Description: + [PATCH] VFS: local denial-of-service with file leases + . + The time_out_leases function in locks.c for Linux kernel before 2.6.15 + allows local users to cause a denial of service (kernel log message + consumption) by causing a large number of broken leases, which is + recorded to the log using the printk function. +Notes: + Sent for inclusion in 2.4.33 +Bugs: +upstream: released (2.6.15-rc2), needed (2.6.33) +linux-2.6: released (2.6.14+2.6.15-rc5-0experimental.1) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: released (2.4.27-10sarge2) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-3858 b/retired/CVE-2005-3858 new file mode 100644 index 00000000..0da7beed --- /dev/null +++ b/retired/CVE-2005-3858 
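Review bot: in the CVE-2005-3857 hunk, "needed (2.6.33)" in the upstream field must be 2.4.33: the Notes say the patch was "Sent for inclusion in 2.4.33", and there was no 2.6.33 at the time. A retired entry should also not carry a "needed" status; either the 2.4.33 merge happened and should be recorded as released, or the entry is not finished. The 2.4.27-sarge-security line lacks the bracketed patch name, and the woody fields are blank although 2.4 is affected.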
@@ -0,0 +1,24 @@ +Candidate: CVE-2005-3858 +References: + CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/chrisw/linux-2.6.12.y.git;a=commit;h=f982542ed2f495cbe94e6d9001878f27ea738b36 + MISC:http://lkml.org/lkml/2005/8/26/175 +Description: + ip6_input_finish() contains a memory leak in Linux kernels prior to + 2.6.12.6 and 2.6.13. This could potentially be used to trigger a remote + denial of service (DoS) attack. +Notes: + dannf> Though the code in 2.4 is quite different, it looks to me like the + dannf> 2.4 code could be vulnerable. +Bugs: +upstream: released (2.6.12.6, 2.6.13) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: released (2.4.27-10sarge2) [189_ipv6-skb-leak.diff] +2.4.27-sid: released (2.4.27-12) [189_ipv6-skb-leak.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: +2.4.18-woody-security-hppa: diff --git a/retired/CVE-2005-4351 b/retired/CVE-2005-4351 new file mode 100644 index 00000000..63dec1f5 --- /dev/null +++ b/retired/CVE-2005-4351 @@ -0,0 +1,23 @@ +Candidate: CVE-2005-4351 +References: + http://www.redteam-pentesting.de/advisories/rt-sa-2005-15.txt +Description: + The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, + DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass + immutable settings for files by mounting another filesystem that masks the + immutable files while the system is running. +Notes: + jmm> This affects the LSM module for BSD secure levels, not included in 2.4 and + jmm> 2.6.8 + jmm> To be removed in 2.6.18 or 2.6.19 +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A 
diff --git a/retired/CVE-2005-4352 b/retired/CVE-2005-4352 new file mode 100644 index 00000000..5ac5c560 --- /dev/null +++ b/retired/CVE-2005-4352 @@ -0,0 +1,24 @@ +Candidate: CVE-2005-4352 +References: + http://www.redteam-pentesting.de/advisories/rt-sa-2005-16.txt +Description: + The securelevels implementation in NetBSD 2.1 and earlier, and Linux 2.6.15 + and earlier, allows local users to bypass time setting restrictions and set + the clock backwards by setting the clock ahead to the maximum unixtime value + (19 Jan 2038), which then wraps around to the minimum value (13 Dec 1901), + which can then be set ahead to the desired time, aka "settimeofday() time wrap." +Notes: + jmm> This affects the LSM module for BSD secure levels, not included in 2.6.8 + jmm> and 2.4.27 + jmm> To be removed in 2.6.18 or 2.6.19 +Bugs: +upstream: +linux-2.6: +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-4605 b/retired/CVE-2005-4605 new file mode 100644 index 00000000..e6f75575 --- /dev/null +++ b/retired/CVE-2005-4605 
@@ -0,0 +1,25 @@ +Candidate: CVE-2005-4605 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8b90db0df7187a01fb7177f1f812123138f562cf + http://marc.theaimsgroup.com/?l=full-disclosure&m=113535380422339&w=2 + http://linux.bkbits.net:8080/linux-2.6/gnupatch@43b562ae6hJGLWZA4TNf2k-RzXnVlQ +Description: + The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions + before 2.6.15 allows attackers to read sensitive kernel memory via + unspecified vectors in which a signed value is added to an unsigned + value. +Notes: + jmm> 2.4 not affected as proc_file_lseek() contains a check for this + jmm> if (offset>=0 && (unsigned long long)offset<=file->f_dentry->d_inode->i_sb->s_maxbytes) { + jmm> Discovered by Karl Janmar +Bugs: +upstream: released (2.6.15), released (2.6.14.6) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [proc-legacy-loff-underflow.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-4618 b/retired/CVE-2005-4618 new file mode 100644 index 00000000..c4e87ac6 --- /dev/null +++ b/retired/CVE-2005-4618 
@@ -0,0 +1,22 @@ +Candidate: CVE-2005-4618 +References: + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8febdd85adaa41fa1fc1cb31286210fc2cd3ed0c +Description: + Buffer overflow in sysctl in the Linux Kernel 2.6 before 2.6.15 allows + local users to cause a denial of service and possibly execute arbitrary + code via a long string, which causes sysctl to write a zero byte outside + the buffer. +Notes: + jmm> Discovered by Yi Ying +Bugs: +upstream: released (2.6.15) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: released (2.4.27-10sarge2) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2005-4635 b/retired/CVE-2005-4635 new file mode 100644 index 00000000..f0696f60 --- /dev/null +++ b/retired/CVE-2005-4635 
@@ -0,0 +1,29 @@ +Candidate: CVE-2005-4635 +References: + MISC:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ea86575eaf99a9262a969309d934318028dbfacb + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15 + BID:16139 + URL:http://www.securityfocus.com/bid/16139 + FRSIRT:ADV-2006-0035 + URL:http://www.frsirt.com/english/advisories/2006/0035 + SECUNIA:18216 + URL:http://secunia.com/advisories/18216 +Description: + The nl_fib_input function in fib_frontend.c in the Linux kernel before 2.6.15 + does not check for valid lengths of the header and payload, which allows + remote attackers to cause a denial of service (invalid memory reference) via + malformed fib_lookup netlink messages. +Notes: + dannf> Well, I don't know how it could be exploited by an unpriveleged user - dannf> but I don't think we need to worry about it. The vulnerable function + dannf> wasn't added until after 2.6.12, and is already fixed in 2.6.15. +Bugs: +upstream: released (2.6.15) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2005-4639 b/retired/CVE-2005-4639 new file mode 100644 index 00000000..1fb9348b --- /dev/null +++ b/retired/CVE-2005-4639 
@@ -0,0 +1,25 @@ +Candidate: CVE-2005-4639 +References: + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15 + URL:http://www.securityfocus.com/bid/16142 + URL:http://www.frsirt.com/english/advisories/2006/0035 + URL:http://secunia.com/advisories/18216 +Description: + Buffer overflow in the CA-driver (dst_ca.c) for TwinHan DST Frontend/ + Card in Linux kernel 2.6.12 and other versions before 2.6.15 allows + local users to cause a denial of service (crash) and possibly execute + arbitrary code by "reading more than 8 bytes into an 8 byte long array". +Notes: + jmm> Discovered by Perceval Anichini + dannf> Driver wasn't added till after 2.6.8 +Bugs: +upstream: released (2.6.15) +linux-2.6: released (2.6.15-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0035 b/retired/CVE-2006-0035 new file mode 100644 index 00000000..fbcdac97 --- /dev/null +++ b/retired/CVE-2006-0035 @@ -0,0 +1,19 @@ +Candidate: CVE-2006-0035 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ad8e4b75c8a7bed475d72ce09bf5267188621961 +Description: + Sanity check nlmsg_len during netlink_rcv_skb. An nlmsg_len == 0 can cause + infinite loop in kernel, effectively DoSing machine. Noted by Matin Murray. +Notes: + dannf> The vulnerable code doesn't exist in <= 2.6.8 +Bugs: +upstream: released (2.6.15.1) +linux-2.6: released (2.6.15-3) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0036 b/retired/CVE-2006-0036 new file mode 100644 index 00000000..0f811535 --- /dev/null +++ b/retired/CVE-2006-0036 
@@ -0,0 +1,21 @@ +Candidate: CVE-2006-0036 +References: + http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15db34702cfafd24acc60295cf14861e4975\02ab +Description: + When an inbound PPTP_IN_CALL_REQUEST packet is received the + PPTP NAT helper uses a NULL pointer in pointer arithmentic to + calculate the offset in the packet which needs to be mangled + and corrupts random memory or crashes. +Notes: + jmm> This is not included in 2.4 and 2.6.8 +Bugs: +upstream: released (2.6.15.1) +linux-2.6: released (2.6.15-3) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0037 b/retired/CVE-2006-0037 new file mode 100644 index 00000000..b9e97843 --- /dev/null +++ b/retired/CVE-2006-0037 @@ -0,0 +1,21 @@ +Candidate: CVE-2006-0037 +References: http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=03b9feca89366952ae5dfe4ad8107b1ece50b710 +Description: + The PPTP NAT helper calculates the offset at which the packet needs + to be mangled as difference between two pointers to the header. With + non-linear skbs however the pointers may point to two seperate buffers + on the stack and the calculation results in a wrong offset beeing + used. +Notes: + jmm> The vulnerable code isn't present in 2.4 and 2.6.8 +Bugs: +upstream: released (2.6.15.1) +linux-2.6: released (2.6.15-3) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0038 b/retired/CVE-2006-0038 new file mode 100644 index 00000000..504f0c1d --- /dev/null +++ b/retired/CVE-2006-0038 
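Review bot: In the retired/CVE-2006-0036 hunk the commit URL under References is corrupted: the hash ends in "4975\02ab", so a backslash and "02" have been spliced into what should be a plain 40-hex-digit commit id. Re-copy the id from the kernel git log before this is used as the canonical reference; the URL in the sibling CVE-2006-0037 entry shows the expected form. As a style point, CVE-2006-0037 puts its URL on the "References:" line itself, whereas the other entries list each reference on its own indented line.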
@@ -0,0 +1,22 @@ +Candidate: CVE-2006-0038 +References: + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186295 + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ee4bb818ae35f68d1f848eae0a7b150a38eb4168 +Description: + Integer overflow in the do_replace function in netfilter for Linux + before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, + allows local users with CAP_NET_ADMIN rights to cause a buffer overflow + in the copy_from_user function. +Notes: + dannf> Submitted to Marcelo for 2.4 +Bugs: +upstream: released (2.6.16-rc3) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) [netfilter-do_replace-overflow.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge3) [221_netfilter-do_replace-overflow.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-0039 b/retired/CVE-2006-0039 new file mode 100644 index 00000000..89597172 --- /dev/null +++ b/retired/CVE-2006-0039 @@ -0,0 +1,13 @@ +Candidate: CVE-2006-0039 +References: + https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191698 +Description: netfilter do_add_counters race +Notes: + jmm> Only exploitable with CAP_NET_ADMIN privilege + jmm> exposure is leakage of sensitive information + dannf> Submitted to Marcelo for 2.4 +Bugs: +upstream: released (2.6.16.17) +linux-2.6: released (2.6.16-14) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) diff --git a/retired/CVE-2006-0095 b/retired/CVE-2006-0095 new file mode 100644 index 00000000..44fc3af1 --- /dev/null +++ b/retired/CVE-2006-0095 
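Review bot: In the retired/CVE-2006-0039 hunk the record stops at "2.4.27-sarge-security" and omits the woody rows that every other entry in this set carries, and its Description is the bare phrase "netfilter do_add_counters race" with a single bugzilla link as reference. Suggest adding the woody rows (N/A if that is the conclusion) and a sentence on impact, which the jmm> notes already supply ("Only exploitable with CAP_NET_ADMIN privilege", "exposure is leakage of sensitive information").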
@@ -0,0 +1,22 @@ +Candidate: CVE-2006-0095 +References: + http://article.gmane.org/gmane.linux.kernel/363528/match=dm+crypt +Description: + dm-crypt does not clear struct crypt_config before freeing it. Thus, + information on the key could leak f.e. to a swsusp image even after the + encrypted device has been removed. The attached patch against 2.6.14 / + 2.6.15 fixes it. +Notes: + jhorms> 2.4 not affected as dm-crypt doesn't seem to exist + jmm> Discovered by Stefan Rompf +Bugs: +upstream: released (2.6.16-rc1) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge2) [dm-crypt-zero-key.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0096 b/retired/CVE-2006-0096 new file mode 100644 index 00000000..d3adfd46 --- /dev/null +++ b/retired/CVE-2006-0096 @@ -0,0 +1,34 @@ +Candidate: CVE-2006-0096 +References: +http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=0f1d4813a4a65296e1131f320a60741732bc068f +http://linux.bkbits.net:8080/linux-2.4/cset@1.1448.91.23?nav=index.html|src/|src/drivers|src/drivers/net|src/drivers/net/wan|related/drivers/net/wan/sdla.c +Description: +Notes: + jmm> This was accidentally released as a fix for CVE-2004-2607 in 2.4.27-8: + jmm> + jmm> diff -Nru a/drivers/net/wan/sdla.c b/drivers/net/wan/sdla.c + jmm> --- a/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00 + jmm> +++ b/drivers/net/wan/sdla.c 2005-01-13 08:41:42 -08:00 + jmm> 
@@ -1300,6 +1300,8 @@ + jmm> + jmm> case SDLA_WRITEMEM: + jmm> case SDLA_READMEM: + jmm> + if(!capable(CAP_SYS_RAWIO)) + jmm> + return -EPERM; + jmm> return(sdla_xfer(dev, (struct sdla_mem *)ifr->ifr_data, cmd == SDLA_READMEM)); + jmm> + jmm> case SDLA_START: + horms> I only see reference to CVE-2004-2607 in patch-tracking, + horms> not in the changelog for 2.4.27-8, so I don't think the first line + horms> of the statement above is correct +Bugs: +upstream: released (2.6.11), fixed (2.4.29) +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge2) [net-sdla-coverty.dpatch] +2.4.27-sarge-security: released (2.4.27-8) [129_net_sdla_coverty.diff] +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-0456 b/retired/CVE-2006-0456 new file mode 100644 index 00000000..b164ee1a --- /dev/null +++ b/retired/CVE-2006-0456 @@ -0,0 +1,20 @@ +Candidate: CVE-2006-0456 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=331c46591414f7f92b1cec048009abe89892ee79 +Description: + strnlen_user() on s390 and s390x does not return a value greater than + maxlen if the string is looking at is longer than maxlen; instead it + returns maxlen. +Notes: + jmm> 2.4 doesn't have an assembly version +Bugs: +upstream: released (2.6.16) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0457 b/retired/CVE-2006-0457 new file mode 100644 index 00000000..e413d34e --- /dev/null +++ b/retired/CVE-2006-0457 
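Review bot: In the retired/CVE-2006-0096 hunk the "Description:" field is empty; the only account of the issue is a jmm> note quoting an sdla.c diff that adds a capable(CAP_SYS_RAWIO) check before the SDLA_WRITEMEM/SDLA_READMEM cases, which horms> then disputes ("I don't think the first line of the statement above is correct"). An entry being retired should carry a one-line description (the missing CAP_SYS_RAWIO check on the SDLA memory ioctls, per the quoted diff) and a resolution of the horms> objection. Two smaller points: the embedded "@@ -1300,6 +1300,8 @@" inside Notes is easily mistaken for a real hunk header by anything that parses these files, and "upstream: released (2.6.11), fixed (2.4.29)" mixes "fixed" with the "released" vocabulary used in every other row.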
@@ -0,0 +1,31 @@ +Candidate: CVE-2006-0457 +References: + http://linux.bkbits.net:8080/linux-2.6/cset@43e385c7rMAIqryXIl7lGGdWgZ1Ivg + MANDRIVA:MDKSA-2006:059 + URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:059 + UBUNTU:USN-263-1 + URL:http://www.ubuntulinux.org/support/documentation/usn/usn-263-1 + BID:17084 + URL:http://www.securityfocus.com/bid/17084 + OSVDB:23894 + URL:http://www.osvdb.org/23894 + SECUNIA:19220 + URL:http://secunia.com/advisories/19220 +Description: + Race condition in the (1) add_key, (2) request_key, and (3) keyctl functions + in Linux kernel 2.6.x allows local users to cause a denial of service (crash) + or read sensitive kernel memory by modifying the length of a string argument + between the time that the kernel calculates the length and when it copies the + data into kernel memory. +Notes: +Bugs: +upstream: released (2.6.10) +linux-2.6: released (2.6.10-1) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0482 b/retired/CVE-2006-0482 new file mode 100644 index 00000000..47100448 --- /dev/null +++ b/retired/CVE-2006-0482 
@@ -0,0 +1,21 @@ +Candidate: CVE-2006-0482 +References: http://lists.debian.org/debian-sparc/2006/01/msg00129.html + http://marc.theaimsgroup.com/?t=113861017400002&r=1&w=2 + http://marc.theaimsgroup.com/?l=linux-sparc&m=113861287813463&w=2 +Description: date -s run as a normal user hangs machine on sparc64 +Notes: + Jurij Smakov> sparc32 would be tricky to test and i don't know about 2.4.27 + dannf> Code isn't present in 2.4, and Jurij couldn't reproduce it there + dannf> I can't reproduce on sparc32, which makes sense because the bug is + dannf> in sparc64 32-bit compat code +Bugs: +upstream: pending (2.6.16-rc2) +linux-2.6: pending (2.6.16-4) [sparc64-clock-settime.patch] +2.6.8-sarge-security: released (2.6.8-16sarge2) [sparc64-clock-settime.dpatch] +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0554 b/retired/CVE-2006-0554 new file mode 100644 index 00000000..d6117ab6 --- /dev/null +++ b/retired/CVE-2006-0554 @@ -0,0 +1,18 @@ +Candidate: CVE-2006-0554 +References: + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 +Description: + Linux kernel 2.6 before 2.6.15.5 allows local users to obtain sensitive + information via a crafted XFS ftruncate call, which may return stale data. +Notes: +Bugs: +upstream: released (2.6.15.5) +linux-2.6: released (2.6.15-8) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0555 b/retired/CVE-2006-0555 new file mode 100644 index 00000000..1d38a731 --- /dev/null +++ b/retired/CVE-2006-0555 
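Review bot: In the retired/CVE-2006-0482 hunk both "upstream: pending (2.6.16-rc2)" and "linux-2.6: pending (2.6.16-4) [sparc64-clock-settime.patch]" are still marked pending even though the file is being moved under retired/; confirm the status and change it to released (or keep the entry active) before retiring it. Also the first URL sits on the "References:" line itself rather than on its own indented line as in the other entries.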
@@ -0,0 +1,19 @@ +Candidate: CVE-2006-0555 +References: + http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.5 +Description: + The Linux Kernel before 2.6.15.5 allows local users to cause a denial of + service (NFS client panic) via unknown attack vectors related to the use of + O_DIRECT (direct I/O). +Notes: UBUNTU:USN-263-1 +Bugs: +upstream: released (2.6.15.5) +linux-2.6: released (2.6.15-8) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0557 b/retired/CVE-2006-0557 new file mode 100644 index 00000000..07b4435a --- /dev/null +++ b/retired/CVE-2006-0557 @@ -0,0 +1,20 @@ +Candidate: CVE-2006-0557 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=636f13c174dd7c84a437d3c3e8fa66f03f7fda63 + http://www.securityfocus.com/bid/16924 +Description: + Local DoS in mempolicy code; certain maxnodes values cause a crash. +Notes: + Fixed in git on Feb 17, dunno about 2.6.15.x + dannf> mempolicy.c doesn't exist in 2.4, marking N/A +Bugs: +upstream: released (2.6.16-rc4) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0741 b/retired/CVE-2006-0741 new file mode 100644 index 00000000..0fcd6859 --- /dev/null +++ b/retired/CVE-2006-0741 
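Review bot: In the retired/CVE-2006-0555 hunk the line "Notes: UBUNTU:USN-263-1" puts an advisory identifier under Notes; it is a reference and belongs under References next to the ChangeLog-2.6.15.5 link, in the "UBUNTU:USN-263-1" form already used in the CVE-2006-0457 entry.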
@@ -0,0 +1,20 @@ +Candidate: CVE-2006-0741 +References: +Description: + Fixes a local DOS on Intel systems that lead to an endless +recursive fault. AMD machines don't seem to be affected. +Notes: + 2.6: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5342fba5412cead88b61ead07168615dbeba1ee3 + . + This is amd64-specific (em64t in particular), so we could ignore it for 2.4 +Bugs: +upstream: released (2.6.15.5) +linux-2.6: released (2.6.15-8) +2.6.8-sarge-security: released (2.6.8-16sarge3) [binfmt-bad-elf-entry-address.dpatch] +2.4.27-sarge-security: released (2.4.27-10sarge3) [222_binfmt-bad-elf-entry-address.diff] +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-0742 b/retired/CVE-2006-0742 new file mode 100644 index 00000000..36546475 --- /dev/null +++ b/retired/CVE-2006-0742 @@ -0,0 +1,21 @@ +Candidate: CVE-2006-0742 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e963701a761aede31c9c1bfc74cf8e0ec671f0f4;hp=eb0911e27e8c6778d6c8ec95b7dd60c002d923c3 +Description: + The die_if_kernel function in arch/ia64/kernel/unaligned.c in Linux kernel + 2.6.x before 2.6.15.6, possibly when compiled with certain versions of gcc, + has the "noreturn" attribute set, which allows local users to cause a denial + of service by causing user faults on Itanium systems. +Notes: + dannf> Forwarded to Bjorn for 2.4-ia64 inclusion +Bugs: +upstream: released (2.6.15.6) +linux-2.6: released (2.6.15-8) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1055 b/retired/CVE-2006-1055 new file mode 100644 index 00000000..3b264a56 
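Review bot: In the retired/CVE-2006-0741 hunk the "References:" field is empty and the 2.6 commit URL is tucked into Notes; move it under References. More importantly, the note "This is amd64-specific (em64t in particular), so we could ignore it for 2.4" is contradicted by "2.4.27-sarge-security: released (2.4.27-10sarge3) [222_binfmt-bad-elf-entry-address.diff]", so the note should say why 2.4 was patched after all. The Description's "AMD machines don't seem to be affected" next to the note's "amd64-specific" also reads as a contradiction; a clarifying word that this means the amd64 architecture on Intel (em64t) parts would remove it.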
--- /dev/null +++ b/retired/CVE-2006-1055 @@ -0,0 +1,26 @@ +Candidate: CVE-2006-1055 +References: +Description: + Quoting Greg KH: + Al just pointed me at an old sysfs patch that went into the tree last + year that has some potential security problems. Turns out that if you + write to a sysfs file exactly PAGE_SIZE worth of data, with no zeros in + it, there's a good chance you could read off the end of the kernel + buffer into who knows where. +Notes: + jmm> This was judged non-exploitable by Al Viro, but it's still a local DoS + jmm> 2.4 N/A, as it doesn't have sysfs + . + troyh> N/A for sarge, it was broken in 2.6.12 - 2.6.17-rc1. 2.6.8 is fine, + and since its's sysfs 2.4 is N/A. +Bugs: +upstream: released (2.6.17-rc1), released (2.6.16.2) +linux-2.6: released (2.6.16-6) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1056 b/retired/CVE-2006-1056 new file mode 100644 index 00000000..af49eed2 --- /dev/null +++ b/retired/CVE-2006-1056 
@@ -0,0 +1,29 @@ +Candidate: CVE-2006-1056 +References: + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187910 + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187911 + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=114548768214478&w=2 + URL:http://www.securityfocus.com/bid/17600 + URL:http://xforce.iss.net/xforce/xfdb/25871 +Description: + The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on + AMD64 and other 7th and 8th generation AuthenticAMD processors, only + save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an + exception is pending, which allows one process to determine portions of the + state of floating point instructions of other processes, which can be + leveraged to obtain sensitive information such as cryptographic keys. NOTE: + this is the documented behavior of AMD64 processors, but it is inconsistent + with Intel processers in a security-relevant fashion that was not addressed + by the kernels. +Notes: +Bugs: +upstream: released (2.4.33-pre3), released (2.6.16.9) +linux-2.6: released (2.6.16-9) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1066 b/retired/CVE-2006-1066 new file mode 100644 index 00000000..7636fdd7 --- /dev/null +++ b/retired/CVE-2006-1066 @@ -0,0 +1,40 @@ +Candidate: CVE-2006-1066 +References: +Description: 2.6.8 ia64 kernel w/ PREEMPT enabled permits local DoS (oops) +Notes: + 
From: dann frazier <dannf@dannf.org> + To: team@security.debian.org + Subject: kernel-image-2.6.8-ia64 - disable preempt + Date: Fri, 25 Mar 2005 18:57:59 -0700 + . + hey security team, + Its likely that kernel-image-2.6.8-ia64 (2.6.8-12) will be the version + that ships in sarge. This kernel has CONFIG_PREEMPT enabled, which has + at least one known issue in ptrace code that lets an unpriveleged + userspace process trigger an oops. This issue went away upstream by + 2.6.9, but its unclear what actually fixed it. SuSE/RedHat disable + PREEMPT for ia64 (or so I'm told), so they are not affected. This same + test case does _not_ fail on x86, which also has PREEMPT enabled for + sarge. + . + This issue has been known for a while, but I waited until after d-i + RC3 to upload it, since it changes the ABI. This fix is in the 2.6.8-13 + build in unstable, but the release team is blocking this kernel from + normal sarge propagation to keep the kernel udebs in sync. + . + . + dannf> This is only a config change, so it requires no changes to + dannf> kernel-source-2.6.8, but I'll use the kernel-source version + dannf> for the pending/released tags to match the others. +Bugs: +upstream: +linux-2.6: N/A +2.6.8-sarge-security: released (2.6.8-16sarge2) +2.4.27-sarge-security: N/A +2.6.8: needed +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1242 b/retired/CVE-2006-1242 new file mode 100644 index 00000000..08a09c4a --- /dev/null +++ b/retired/CVE-2006-1242 
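Review bot: In the retired/CVE-2006-1066 hunk the row "2.6.8: needed" is a key that appears in no other entry and sits between the sarge rows, so anything reading these files by row name will not know what it tracks; the dannf> note explains this is a config-only change to kernel-image-2.6.8-ia64 rather than to kernel-source, so either drop the row or spell out the package it refers to. "upstream:" is also left blank even though the quoted mail says "This issue went away upstream by 2.6.9", which is worth recording in the row.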
@@ -0,0 +1,38 @@ +Candidate: CVE-2006-1242 +References: +http://www.kernel.org/git/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a55d57b107c3e06935763905dc0fb235214569d +Description: + [TCP]: Do not use inet->id of global tcp_socket when sending RST. + . + The problem is in ip_push_pending_frames(), which uses: + . if (!df) { + . __ip_select_ident(iph, &rt->u.dst, 0); + . } else { + . iph->id = htons(inet->id++); + . } + . + instead of ip_select_ident(). + . + Right now I think the code is a nonsense. Most likely, I copied it from + old ip_build_xmit(), where it was really special, we had to decide + whether to generate unique ID when generating the first (well, the last) + fragment. + . + In ip_push_pending_frames() it does not make sense, it should use plain + ip_select_ident() instead. +Notes: + jmm> 2.4 doesn't seem to be affected, but I'd prefer a second look before + jmm> marking it N/A + . + dannf> troyh gave me a patch for 2.4, so I guess it is affected +Bugs: +upstream: released (2.6.16.1) +linux-2.6: released (2.6.16-4) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1342 b/retired/CVE-2006-1342 new file mode 100644 index 00000000..ae41638d --- /dev/null +++ b/retired/CVE-2006-1342 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-1342 +References: + http://marc.theaimsgroup.com/?l=linux-netdev&m=114148078223594&w=2 + http://www.kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=09d3b3dcfa80c9094f1748c1be064b9326c9ef2b +Description: + net/ipv4/af_inet.c in Linux kernel 2.4 does not clear sockaddr_in.sin_zero + before returning IPv4 socket names from the (1) getsockname, (2) getpeername, + and (3) accept functions, which allows local users to obtain portions of + potentially sensitive memory. +Notes: + jmm> getorigdst() requires the fix in 2.6.8, inet_getname() is already fixed + dannf> both CVE-2006-1342 & CVE-2006-1343 were fixed by the same patch; + however we actually coincidentally already fixed 1343 in the + 043_ipsec.diff patch +Bugs: +upstream: released (2.4.33-pre3) +linux-2.6: N/A +2.6.8-sarge-security: N/A +2.4.27-sarge-security: released (2.4.27-1) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1368 b/retired/CVE-2006-1368 new file mode 100644 index 00000000..df2f4997 --- /dev/null +++ b/retired/CVE-2006-1368 
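Review bot: In the retired/CVE-2006-1342 hunk the notes and rows disagree: jmm> writes "getorigdst() requires the fix in 2.6.8", yet the row reads "2.6.8-sarge-security: N/A"; either the 2.6.8 row should record the getorigdst() fix or the note should explain why it is not needed. Likewise "2.4.27-sarge-security: released (2.4.27-1)" cites no patch name, and the dannf> note says the coincidental earlier fix in 043_ipsec.diff was for CVE-2006-1343, not this CVE, so the 2.4.27 row here needs its own patch reference (the upstream fix is the marcelo/linux-2.4.git commit 09d3b3dc... listed under References, released in 2.4.33-pre3).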
@@ -0,0 +1,23 @@ +Candidate: CVE-2006-1368 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8763716bfe4d8a16bef28c9947cf9d799b1796a5 + http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16 +Description: + Buffer overflow in the USB Gadget RNDIS implementation in the Linux kernel before + 2.6.16 allows remote attackers to cause a denial of service (kmalloc'd memory + corruption) via a remote NDIS response to OID_GEN_SUPPORTED_LIST, which causes + memory to be allocated for the reply data but not the reply structure. +Notes: + dannf> Marcelo has posted a patch identical to ours and has asked for + feedback, so it should be upstream soon +Bugs: +upstream: released (2.6.16) +linux-2.6: released (2.6.16-1) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1522 b/retired/CVE-2006-1522 new file mode 100644 index 00000000..0122676f --- /dev/null +++ b/retired/CVE-2006-1522 @@ -0,0 +1,16 @@ +Candidate: CVE-2006-1522 +References: +Description: +Notes: + jmm> Vulnerable code not present in 2.6.8 and 2.4 +Bugs: +upstream: released (2.6.16.3) +linux-2.6: released (2.6.16-7) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1523 b/retired/CVE-2006-1523 new file mode 100644 index 00000000..61d6590a --- /dev/null +++ b/retired/CVE-2006-1523 
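Review bot: In the retired/CVE-2006-1522 hunk both "References:" and "Description:" are empty; the only content is "jmm> Vulnerable code not present in 2.6.8 and 2.4" and "upstream: released (2.6.16.3)". Without at least the CVE description or the 2.6.16.3 ChangeLog link nobody can later verify the N/A verdicts, so add the reference before retiring the entry.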
@@ -0,0 +1,23 @@ +Candidate: CVE-2006-1523 +References: + MLIST:[linux-kernel] 20060411 [PATCH] __group_complete_signal: remove bogus BUG_ON + URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=114476543426600&w=2 + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604 + BID:17640 + URL:http://www.securityfocus.com/bid/17640 +Description: + The __group_complete_signal function in the RCU signal handling (signal.c) in + Linux kernel 2.6.16, and possibly other versions, has unknown impact and + attack vectors related to improper use of BUG_ON. +Notes: +Bugs: +upstream: released (2.6.16.4) +linux-2.6: released (2.6.16-7) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1524 b/retired/CVE-2006-1524 new file mode 100644 index 00000000..5ed3b130 --- /dev/null +++ b/retired/CVE-2006-1524 
@@ -0,0 +1,28 @@ +Candidate: CVE-2006-1524 +References: + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.6 + BID:17587 + URL:http://www.securityfocus.com/bid/17587 + SECUNIA:19664 + URL:http://secunia.com/advisories/19664 + SECUNIA:19657 + URL:http://secunia.com/advisories/19657 +Description: + madvise_remove in Linux kernel 2.6.16 up to 2.6.16.6 does not follow + file and mmap restrictions, which allows local users to bypass IPC + permissions and replace portions of readonly tmpfs files with zeroes, + aka the MADV_REMOVE vulnerability. NOTE: this description was + originally written in a way that combined two separate issues. The + mprotect issue now has a separate name, CVE-2006-2071. +Notes: +Bugs: +upstream: released (2.6.16.7) +linux-2.6: +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1525 b/retired/CVE-2006-1525 new file mode 100644 index 00000000..c7033bf5 --- /dev/null +++ b/retired/CVE-2006-1525 
@@ -0,0 +1,23 @@ +Candidate: CVE-2006-1525 +References: + CONFIRM:http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.8 + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189346 + URL:http://www.securityfocus.com/bid/17593 + URL:http://xforce.iss.net/xforce/xfdb/25872 +Description: + ip_route_input in Linux kernel 2.6 before 2.6.16.8 allows local users to + cause a denial of service (panic) via a request for a route for a multicast + IP address, which triggers a null dereference. +Notes: + dannf> Submitted to Marcelo for 2.4 +Bugs: +upstream: released (2.6.16.8) +linux-2.6: released (2.6.16-9) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-1527 b/retired/CVE-2006-1527 new file mode 100644 index 00000000..7bd36f71 --- /dev/null +++ b/retired/CVE-2006-1527 
@@ -0,0 +1,30 @@ +Candidate: CVE-2006-1527 +References: + CONFIRM:http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13 + TRUSTIX:2006-0024 + URL:http://www.trustix.org/errata/2006/0024 + BID:17806 + URL:http://www.securityfocus.com/bid/17806 + FRSIRT:ADV-2006-1632 + URL:http://www.frsirt.com/english/advisories/2006/1632 + OSVDB:25229 + URL:http://www.osvdb.org/25229 + SECUNIA:19926 + URL:http://secunia.com/advisories/19926 +Description: + The SCTP-netfilter code in Linux kernel before 2.6.16.13 allows remote attackers to trigger a denial of + service (infinite loop) via unknown vectors that cause an invalid SCTP chunk size to be processed by the + for_each_sctp_chunk function. +Notes: + troyh> SCTP-netfilter code didn't exist until after 2.6.8 +Bugs: +upstream: released (2.6.16.13) +linux-2.6: released (2.6.16-12) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1857 b/retired/CVE-2006-1857 new file mode 100644 index 00000000..2fe2e36e --- /dev/null +++ b/retired/CVE-2006-1857 
@@ -0,0 +1,20 @@ +Candidate: CVE-2006-1857 +References: + http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=a601266e4f3c479790f373c2e3122a766d123652;hp=dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512 +Description: + Buffer overflow in SCTP in Linux kernel before 2.6.16.17 allows remote + attackers to cause a denial of service (crash) and possibly execute arbitrary + code via a malformed HB-ACK chunk. +Notes: + dannf> Submitted to Marcelo for 2.4 +Bugs: +upstream: released (2.6.16.17) +linux-2.6: released (2.6.16-14) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1858 b/retired/CVE-2006-1858 new file mode 100644 index 00000000..48b082a8 --- /dev/null +++ b/retired/CVE-2006-1858 @@ -0,0 +1,20 @@ +Candidate: CVE-2006-1858 +References: + http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512;hp=61c9fed41638249f8b6ca5345064eb1beb50179f +Description: + SCTP in Linux kernel before 2.6.16.17 allows remote attackers to cause a + denial of service (crash) and possibly execute arbitrary code via a chunk + length that is inconsistent with the actual length of provided parameters. +Notes: + dannf> Submitted to Marcello for 2.4 +Bugs: +upstream: released (2.6.16.17) +linux-2.6: released (2.6.16-14) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1859 b/retired/CVE-2006-1859 new file mode 100644 index 00000000..d88822dd --- /dev/null +++ b/retired/CVE-2006-1859 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-1859 +References: + http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.16 + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b0418 + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c + http://www.securityfocus.com/bid/17943 + http://www.frsirt.com/english/advisories/2006/1767 + http://secunia.com/advisories/20083 +Description: + lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to + cause a denial of service (fcntl_setlease lockup) via actions that cause + lease_init to free a lock that might not have been allocated on the stack. +Notes: + jmm> The vulnerable NFS4 leases code was only introduced in 2.6.10 +Bugs: +upstream: released (2.6.16.6) +linux-2.6: released (2.6.16-8) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1860 b/retired/CVE-2006-1860 new file mode 100644 index 00000000..8a18aa62 --- /dev/null +++ b/retired/CVE-2006-1860 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-1860 +References: + http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.16 + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=1f0e637c94a9b0418 + http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=blobdiff;h=aa7f66091823dde953e15895dc427615701c39c7;hp=e75ac392a313f3fad823bf2e46a03f29701e3e34;hb=1f0e637c94a9b041833947c79110d6c02fff8618;f=fs/locks.c + http://www.securityfocus.com/bid/17943 + http://www.frsirt.com/english/advisories/2006/1767 + http://secunia.com/advisories/20083 +Description: + lease_init in fs/locks.c in Linux kernel before 2.6.16.16 allows attackers to + cause a denial of service (fcntl_setlease lockup) via actions that cause + lease_init to free a lock that might not have been allocated on the stack. +Notes: + jmm> The vulnerable NFS4 leases code was only introduced in 2.6.10 +Bugs: +upstream: released (2.6.16.6) +linux-2.6: released (2.6.16-8) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-1863 b/retired/CVE-2006-1863 new file mode 100644 index 00000000..e44adcf0 --- /dev/null +++ b/retired/CVE-2006-1863 @@ -0,0 +1,17 @@ +Candidate: CVE-2006-1863 +References: + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253 +Description: cifs chroot escape +Notes: + jmm> 2.4 doesn't have CIFS +Bugs: +upstream: released (2.6.16.11) +linux-2.6: released (2.6.16-10) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: N/A +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A 
diff --git a/retired/CVE-2006-1864 b/retired/CVE-2006-1864 new file mode 100644 index 00000000..70dccdfb --- /dev/null +++ b/retired/CVE-2006-1864 @@ -0,0 +1,21 @@ +Candidate: CVE-2006-1864 +References: + CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189435 + URL:http://www.trustix.org/errata/2006/0026 + URL:http://www.securityfocus.com/bid/17735 +Description: + Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows + local users to escape chroot restrictions for an SMB-mounted filesystem via + "..\\" sequences, a similar vulnerability to CVE-2006-1863. +Notes: +Bugs: +upstream: pending (2.4.33-pre4), released (2.6.16.14) +linux-2.6: released (2.6.16-10) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: +2.4.18-woody-security: +2.4.17-woody-security: +2.4.16-woody-security: +2.4.17-woody-security-hppa: +2.4.17-woody-security-ia64: diff --git a/retired/CVE-2006-2271 b/retired/CVE-2006-2271 new file mode 100644 index 00000000..28d861c5 --- /dev/null +++ b/retired/CVE-2006-2271 
@@ -0,0 +1,27 @@ +Candidate: CVE-2006-2271 +References: + FULLDISC:20060508 [MU-200605-01] Multiple vulnerabilities in Linux SCTP 2.6.16 + URL:http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0227.html + MISC:http://labs.musecurity.com/advisories/MU-200605-01.txt + CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=35d63edb1c807bc5317e49592260e84637bc432e + FRSIRT:ADV-2006-1734 + URL:http://www.frsirt.com/english/advisories/2006/1734 + SECUNIA:19990 + URL:http://secunia.com/advisories/19990 +Description: + The ECNE chunk handling in Linux SCTP (lksctp) before 2.6.17 allows remote + attackers to cause a denial of service (kernel panic) via an unexpected chunk + when the session is in CLOSED state. +Notes: + dannf> Forwarded to Marcelo for 2.4 inclusion +Bugs: +upstream: released (2.6.16.15) +linux-2.6: released (2.6.16-13) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-2272 b/retired/CVE-2006-2272 new file mode 100644 index 00000000..b579d769 --- /dev/null +++ b/retired/CVE-2006-2272 
@@ -0,0 +1,22 @@ +Candidate: CVE-2006-2272 +References: + CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=62b08083ec3dbfd7e533c8d230dd1d8191a6e813 + URL:http://www.securityfocus.com/bid/17910 + URL:http://xforce.iss.net/xforce/xfdb/26431 +Description: + Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial + of service (kernel panic) via incoming IP fragmented (1) COOKIE_ECHO and (2) + HEARTBEAT SCTP control chunks. +Notes: + dannf> Submitted to Marcelo for inclusion in 2.4 +Bugs: +upstream: released (2.6.16.15) +linux-2.6: released (2.6.16-13) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-2274 b/retired/CVE-2006-2274 new file mode 100644 index 00000000..a3dacf6c --- /dev/null +++ b/retired/CVE-2006-2274 
@@ -0,0 +1,25 @@ +Candidate: CVE-2006-2274 +References: + CONFIRM:http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=672e7cca17ed6036a1756ed34cf20dbd72d5e5f6 + URL:http://www.securityfocus.com/bid/17955 + URL:http://secunia.com/advisories/20237 + URL:http://xforce.iss.net/xforce/xfdb/26432 +Description: + Linux SCTP (lksctp) before 2.6.17 allows remote attackers to cause a denial + of service (infinite recursion and crash) via a packet that contains two or + more DATA fragments, which causes an skb pointer to refer back to itself when + the full message is reassembled, leading to infinite recursion in the + sctp_skb_pull function. +Notes: + dannf> Submitted to Marcelo for 2.4 +Bugs: +upstream: released (2.6.16.15) +linux-2.6: released (2.6.16-13) +2.6.8-sarge-security: released (2.6.8-16sarge3) +2.4.27-sarge-security: released (2.4.27-10sarge3) +2.4.19-woody-security: N/A +2.4.18-woody-security: N/A +2.4.17-woody-security: N/A +2.4.16-woody-security: N/A +2.4.17-woody-security-hppa: N/A +2.4.17-woody-security-ia64: N/A diff --git a/retired/CVE-2006-2451 b/retired/CVE-2006-2451 new file mode 100644 index 00000000..369c23e6 --- /dev/null +++ b/retired/CVE-2006-2451 @@ -0,0 +1,15 @@ +Candidate: CVE-2006-2451 +References: +Description: + The suid_dumpable support in Linux kernel 2.6.13 up to versions before + 2.6.17.4, and 2.6.16 before 2.6.16.24, allows a local user to cause a denial + of service (disk consumption) and possibly gain privileges via the + PR_SET_DUMPABLE argument of the prctl function and a program that causes a + core dump file to be created in a directory for which the user does not have + permissions. +Notes: +Bugs: +upstream: released (2.6.16.14), released (2.6.17.4) +linux-2.6: released (2.6.16-17) +2.6.8-sarge-security: N/A +2.4.27-sarge-security: N/A diff --git a/retired/CVE-2006-3626 b/retired/CVE-2006-3626 new file mode 100644 index 00000000..0307c5b2 --- /dev/null +++ b/retired/CVE-2006-3626 
@@ -0,0 +1,14 @@ +Candidate: CVE-2006-3626 +References: + FULLDISC:20060714, http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047907.html + http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=18b0bbd8ca6d3cb90425aa0d77b99a762c6d6de3 +Description: Linux kernel 0day - dynamite inside, don't burn your fingers + Race condition in Linux kernel 2.6.17.4 and earlier allows local users + to gain root privileges by using prctl with PR_SET_DUMPABLE in a way + that causes /proc/self/environ to become setuid root. +Notes: +Bugs: +upstream: released (2.6.16.25, 2.6.17.5) +linux-2.6: released (2.6.16-17, 2.6.17-4) +2.6.8-sarge-security: released (2.6.8-16sarge4) +2.4.27-sarge-security: N/A |
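Review bot: retired/CVE-2006-1368, CVE-2006-1524, CVE-2006-1525 and CVE-2006-1864 leave the 2.4.19-, 2.4.18-, 2.4.17- and 2.4.16-woody-security lines (and the hppa/ia64 variants) blank rather than `N/A` or `released (...)`, and CVE-2006-1524 also leaves `linux-2.6:` blank even though `upstream: released (2.6.16.7)` and `2.6.8-sarge-security: released (2.6.8-16sarge3)` are recorded. Since these files are being moved under retired/, every status field should carry a final value so a blank cannot be read as "still open".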
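Review bot: retired/CVE-2006-1522 has empty References and Description fields; with only the note `jmm> Vulnerable code not present in 2.6.8 and 2.4`, a reader cannot tell what the issue was or check the `N/A` markings against the affected code. Add the CVE description and the upstream fix reference for the `released (2.6.16.3)` line before retiring the entry.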
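Review bot: the dannf note in retired/CVE-2006-1858 spells the 2.4 maintainer "Marcello", while the sibling entries CVE-2006-1857, CVE-2006-1525, CVE-2006-2272 and CVE-2006-2274 use "Marcelo"; a consistent spelling matters when grepping the notes for outstanding 2.4 submissions.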
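Review bot: retired/CVE-2006-1860 is a byte-for-byte copy of retired/CVE-2006-1859 (same six references, same lease_init description, same jmm note and identical status lines), so one of the two files is tracking the wrong issue; CVE-2006-1860 needs its own Description and References before it is retired. In both files the line `upstream: released (2.6.16.6)` also disagrees with the Description's "before 2.6.16.16" and the ChangeLog-2.6.16.16 reference, which looks like a dropped digit; `released (2.6.16.16)` would match the cited sources.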
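Review bot: retired/CVE-2006-1863 carries only the three-word Description `cifs chroot escape`, whereas the sibling entry CVE-2006-1864 has the full CVE text (affected versions, local vs. remote, the mechanism) and explicitly cross-references 1863; give 1863 the same level of description so the pair can be read without following the git link.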
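Review bot: in retired/CVE-2006-2451 the status `upstream: released (2.6.16.14), released (2.6.17.4)` conflicts with the Description, which states that 2.6.16 is affected "before 2.6.16.24"; one of the two should be corrected so the fixed 2.6.16.y version is unambiguous. The entry also has an empty References field and omits the woody status lines that every other file in this commit carries; add them (as `N/A` if nothing else) so the entry has the same field set as its neighbours.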
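Review bot: in retired/CVE-2006-3626 the Description line starts with the Full Disclosure posting title (`Linux kernel 0day - dynamite inside, don't burn your fingers`) before the actual description; that title belongs next to the FULLDISC reference, leaving Description as the race-condition sentence alone. The `FULLDISC:20060714, http://...` line also departs from the `FULLDISC:<date> <subject>` plus separate `URL:` convention used in CVE-2006-2271, and, as in CVE-2006-2451, the woody status lines are missing.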