From 05e144f5efb3f82e93da6f2fa0283cf10f5662c5 Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso Date: Tue, 6 Jun 2017 09:43:25 +0000 Subject: Retire several CVEs git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5347 e094ebfe-e918-0410-adfb-c712417f3574 --- active/CVE-2016-2188 | 23 ----------------------- active/CVE-2016-9604 | 15 --------------- active/CVE-2017-2671 | 14 -------------- active/CVE-2017-7184 | 15 --------------- active/CVE-2017-7261 | 19 ------------------- active/CVE-2017-7294 | 13 ------------- active/CVE-2017-7308 | 20 -------------------- active/CVE-2017-7472 | 16 ---------------- active/CVE-2017-7616 | 16 ---------------- active/CVE-2017-7618 | 17 ----------------- retired/CVE-2016-2188 | 23 +++++++++++++++++++++++ retired/CVE-2016-9604 | 15 +++++++++++++++ retired/CVE-2017-2671 | 14 ++++++++++++++ retired/CVE-2017-7184 | 15 +++++++++++++++ retired/CVE-2017-7261 | 19 +++++++++++++++++++ retired/CVE-2017-7294 | 13 +++++++++++++ retired/CVE-2017-7308 | 20 ++++++++++++++++++++ retired/CVE-2017-7472 | 16 ++++++++++++++++ retired/CVE-2017-7616 | 16 ++++++++++++++++ retired/CVE-2017-7618 | 17 +++++++++++++++++ 20 files changed, 168 insertions(+), 168 deletions(-) delete mode 100644 active/CVE-2016-2188 delete mode 100644 active/CVE-2016-9604 delete mode 100644 active/CVE-2017-2671 delete mode 100644 active/CVE-2017-7184 delete mode 100644 active/CVE-2017-7261 delete mode 100644 active/CVE-2017-7294 delete mode 100644 active/CVE-2017-7308 delete mode 100644 active/CVE-2017-7472 delete mode 100644 active/CVE-2017-7616 delete mode 100644 active/CVE-2017-7618 create mode 100644 retired/CVE-2016-2188 create mode 100644 retired/CVE-2016-9604 create mode 100644 retired/CVE-2017-2671 create mode 100644 retired/CVE-2017-7184 create mode 100644 retired/CVE-2017-7261 create mode 100644 retired/CVE-2017-7294 create mode 100644 retired/CVE-2017-7308 create mode 100644 retired/CVE-2017-7472 create mode 100644 retired/CVE-2017-7616 create mode 100644 retired/CVE-2017-7618 
diff --git a/active/CVE-2016-2188 b/active/CVE-2016-2188 deleted file mode 100644 index 56e71357c..000000000 --- a/active/CVE-2016-2188 +++ /dev/null @@ -1,23 +0,0 @@ -Description: Kernel panic on invalid USB device descriptor (iowarrior driver) -References: - https://bugzilla.redhat.com/show_bug.cgi?id=1317018 - https://bugzilla.redhat.com/show_bug.cgi?id=1283390 - http://seclists.org/bugtraq/2016/Mar/87 - http://marc.info/?l=linux-usb&m=145796659429788&w=2 - https://git.kernel.org/linus/4ec0ef3a82125efc36173062a50624550a900ae0 - https://marc.info/?l=linux-usb&m=148890022313747 -Notes: - bwh> Upstream fix (commit listed above) handles the case where there - bwh> are zero endpoints, but not the case where there are some - bwh> endpoints but none of the expected type. So this is not really - bwh> fixed anywhere yet. - bwh> A second proposed fix was posted in March 2017 (second linux-usb - bwh> message linked above). -Bugs: -upstream: released (4.11-rc2) [b7321e81fc369abe353cf094d4f0dc2fe11ab95f] -4.9-upstream-stable: released (4.9.16) [653418adaf1026a10e0c2e4e29b7319610117b33] -3.16-upstream-stable: released (3.16.44) [d2d603cf8fd51f0da5e4bc809d17824faa7630f7] -3.2-upstream-stable: released (3.2.89) [6598f3d653a85dccfb4a472504ec6fd12cec8e42] -sid: released (4.9.16-1) -3.16-jessie-security: released (3.16.43-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch] diff --git a/active/CVE-2016-9604 b/active/CVE-2016-9604 deleted file mode 100644 index 0eb675958..000000000 --- a/active/CVE-2016-9604 +++ /dev/null 
@@ -1,15 +0,0 @@ -Description: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings -References: -Notes: - bwh> A similar issue was fixed in 3.17 by commit a4e3b8d79a5c - bwh> "KEYS: special dot prefixed keyring name bug fix" (which wrongly - bwh> removed another check - fixed by commit 54e2c2c1a9d6 - bwh> "KEYS: Reinstate EPERM for a key type name beginning with a '.'") -Bugs: -upstream: released (4.11-rc8) [ee8f844e3c5a73b999edf733df1c529d6503ec2f] -4.9-upstream-stable: released (4.9.25) [a5c6e0a76817a3751f58d761aaff7c0b0c4001ff] -3.16-upstream-stable: released (3.16.44) [41bd08bfce7c33e0d383e7678e6d6c7e8e041524] -3.2-upstream-stable: released (3.2.89) [7488aaea277dc17eb12bda22c91332c804c62965] -sid: released (4.9.25-1) -3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch] diff --git a/active/CVE-2017-2671 b/active/CVE-2017-2671 deleted file mode 100644 index 5965d09de..000000000 --- a/active/CVE-2017-2671 +++ /dev/null 
@@ -1,14 +0,0 @@ -Description: Linux kernel ping socket / AF_LLC connect() sin_family race -References: - http://www.openwall.com/lists/oss-security/2017/03/24/6 - https://github.com/danieljiang0415/android_kernel_crash_poc - https://twitter.com/danieljiang0415/status/845116665184497664 -Notes: -Bugs: -upstream: released (4.11-rc6) [43a6684519ab0a6c52024b5e25322476cabad893] -4.9-upstream-stable: released (4.9.26) [e88a8e0a23c23e09858a4f5caeb106da972e7934] -3.16-upstream-stable: released (3.16.44) [c3f18d2a809b563ef078130ab3758899625e4cfb] -3.2-upstream-stable: released (3.2.89) [352651a0a07649e4ee03e294da069b5c3e42aae4] -sid: released (4.9.25-1) [bugfix/all/ping-implement-proper-locking.patch] -3.16-jessie-security: released (3.16.43-1) [bugfix/all/ping-implement-proper-locking.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/ping-implement-proper-locking.patch] diff --git a/active/CVE-2017-7184 b/active/CVE-2017-7184 deleted file mode 100644 index 8e29f4747..000000000 --- a/active/CVE-2017-7184 +++ /dev/null 
@@ -1,15 +0,0 @@ -Description: Missing range checks in xfrm_user allow heap buffer overflow and privilege escalation -References: - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184 -Notes: - bwh> xfrm_user is only accessible with CAP_NET_ADMIN capability (in any - bwh> user namespace). So this is not exploitable by unprivileged users - bwh> in a default Debian configuration. -Bugs: -upstream: released (4.11-rc5) [677e806da4d916052585301785d847c3b3e6186a, f843ee6dd019bcece3e74e76ad9df0155655d0df] -4.9-upstream-stable: released (4.9.20) [64a5465799ee40e3d54d9da3037934cd4b7b502f, 79191ea36dc9be10a9c9b03d6b341ed2d2f76045] -3.16-upstream-stable: released (3.16.44) [811f5600db1a0a9c4f1abad5017e09f43d7088f3, fda265baa45b630675359db3699bb68350c4b907] -3.2-upstream-stable: released (3.2.89) [04dba730e9d4798184b4769f74ef14c20f8c6f9a, 4d09fd3505c59374e599a29918ca40059be3d554] -sid: released (4.9.18-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] -3.16-jessie-security: released (3.16.43-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] diff --git a/active/CVE-2017-7261 b/active/CVE-2017-7261 deleted file mode 100644 index e02f0dd11..000000000 --- a/active/CVE-2017-7261 +++ /dev/null 
@@ -1,19 +0,0 @@ -Description: drm/vmwgfx: check that number of mip levels is above zero -References: - https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html - https://bugzilla.redhat.com/show_bug.cgi?id=1435719 - https://marc.info/?t=149037004200005&r=1&w=2 - https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812 -Notes: - bwh> This seems to have been discovered independently by Murray - bwh> McAllister, Vladis Dronov and Li Qiang, resulting in three - bwh> slightly different fixes. Murray McAllister's version was - bwh> applied upstream. -Bugs: -upstream: released (4.11-rc6) [36274ab8c596f1240c606bb514da329add2a1bcd] -4.9-upstream-stable: released (4.9.22) [73ab72517b61ce4b27ceddec47dd5d6edafb556a] -3.16-upstream-stable: released (3.16.44) [61cabe967321767052498032178d56a1ea03a7bc] -3.2-upstream-stable: released (3.2.89) [20996e6d81c907b10a5ab57c4172be97cb1a7de1] -sid: released (4.9.18-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] -3.16-jessie-security: released (3.16.43-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] diff --git a/active/CVE-2017-7294 b/active/CVE-2017-7294 deleted file mode 100644 index 7d420f6ea..000000000 --- a/active/CVE-2017-7294 +++ /dev/null 
@@ -1,13 +0,0 @@ -Description: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl() -References: - https://bugzilla.redhat.com/show_bug.cgi?id=1436798 - https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html -Notes: -Bugs: -upstream: released (4.11-rc6) [e7e11f99564222d82f0ce84bd521e57d78a6b678] -4.9-upstream-stable: released (4.9.22) [4ddd24d54fedff301e8f020d7b9f70116383af31] -3.16-upstream-stable: released (3.16.44) [629655f798b92fd309fdde494a3cfb8a37f807ad] -3.2-upstream-stable: released (3.2.89) [c2e7959f2ea446a417bf2cdb79792575852d17bb] -sid: released (4.9.18-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] -3.16-jessie-security: released (3.16.43-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] diff --git a/active/CVE-2017-7308 b/active/CVE-2017-7308 deleted file mode 100644 index 03c2a8a57..000000000 --- a/active/CVE-2017-7308 +++ /dev/null 
@@ -1,20 +0,0 @@ -Description: AF_PACKET missing/incorrect range checks allow heap buffer overflow -References: - https://patchwork.ozlabs.org/patch/744811/ - https://patchwork.ozlabs.org/patch/744812/ - https://patchwork.ozlabs.org/patch/744813/ - https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html -Notes: - bwh> 3.2 is also missing an earlier related fix, commit dc808110bb62 - bwh> "packet: handle too big packets for PACKET_V3" - nsl> only saw one of the commits in the 4.9 release - carnil> which was 16fc98c2479f5477f2df220acd9cb53686e33f4c (in 4.9.23) - carnil> the other two commits are in 4.9.26 -Bugs: -upstream: released (4.11-rc6) [2b6867c2ce76c596676bec7d2d525af525fdc6e2, 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b, bcc5364bdcfe131e6379363f089e7b4108d35b70] -4.9-upstream-stable: released (4.9.26) [16fc98c2479f5477f2df220acd9cb53686e33f4c, 10452124bac39411e92fc8910dd418648bbb78ac, 1f49c8cd2c9a53ea04bd86bce01247415d12aa26] -3.16-upstream-stable: released (3.16.44) [a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c, a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7, 7bb3f26487e578c2cb0567196ce93c008967a269] -3.2-upstream-stable: released (3.2.89) [091a6de006536c50f8a30db60d994a5b083b1c7b, 1634172286550a62d8a0a98cf8bec5cd975fa09c, 96053b293c69c636d8d34fc569ac81fbf1118658] -sid: released (4.9.18-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] -3.16-jessie-security: released (3.16.43-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, 
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] diff --git a/active/CVE-2017-7472 b/active/CVE-2017-7472 deleted file mode 100644 index d19ba7e15..000000000 --- a/active/CVE-2017-7472 +++ /dev/null @@ -1,16 +0,0 @@ -Description: keyctl_set_reqkey_keyring() leaks thread keyrings -References: - https://lkml.org/lkml/2017/4/1/235 - https://lkml.org/lkml/2017/4/3/724 -Notes: - carnil> 'Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")' - carnil> which is first in 2.6.29-rc1 -Bugs: - https://bugzilla.redhat.com/show_bug.cgi?id=1442086 -upstream: released (4.11-rc8) [c9f838d104fed6f2f61d68164712e3204bf5271b] -4.9-upstream-stable: released (4.9.25) [174a74dbca2ddc7269c265598399c000e5b9b870] -3.16-upstream-stable: released (3.16.44) [f7ce1014bc5e4bb42d6b9f5afb308f59534067ea] -3.2-upstream-stable: released (3.2.89) [0ebd7208190d2f7b16fee3cea05665e212cebaab] -sid: released (4.9.25-1) -3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch] diff --git a/active/CVE-2017-7616 b/active/CVE-2017-7616 deleted file mode 100644 index 3993e51da..000000000 --- a/active/CVE-2017-7616 +++ /dev/null 
@@ -1,16 +0,0 @@ -Description: mm/mempolicy.c: fix error handling in set_mempolicy and mbind -References: - https://grsecurity.net/the_infoleak_that_mostly_wasnt.php -Notes: - bwh> As Brad Spengler notes, this doesn't affect amd64. The compat - bwh> wrappers are only used for swapping bitmap words on 64-bit - bwh> architectures that are (or can be) big-endian. Fixing this on - bwh> wheezy was a (small) waste of time. -Bugs: -upstream: released (4.11-rc6) [cf01fb9985e8deb25ccf0ea54d916b8871ae0e62] -4.9-upstream-stable: released (4.9.22) [cddab768d13469d1e254fb8c0e1629f93c8dfaca] -3.16-upstream-stable: released (3.16.44) [4474624a1a496e4dc93a2cd49ea915d9c90d80e9] -3.2-upstream-stable: released (3.2.89) [3f3b4a9db31af279e793229177b63ea201e24629] -sid: released (4.9.25-1) -3.16-jessie-security: released (3.16.43-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch] diff --git a/active/CVE-2017-7618 b/active/CVE-2017-7618 deleted file mode 100644 index 0e96cf94b..000000000 --- a/active/CVE-2017-7618 +++ /dev/null 
@@ -1,17 +0,0 @@ -Description: crypto: ahash - Fix EINPROGRESS notification callback -References: - http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2 - https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=ef0579b64e93188710d48667cb5e014926af9f1b -Notes: - bwh> This depends on several earlier fixes to crypto/ahash.c, applied - bwh> between 3.2 and 3.16. It also breaks algif_aead, fixed by commit - bwh> e6534aebb26e ("crypto: algif_aead - Fix bogus request dereference in - bwh> completion function"). -Bugs: -upstream: released (4.11-rc8) [ef0579b64e93188710d48667cb5e014926af9f1b] -4.9-upstream-stable: released (4.9.24) [c10479591869177ae7ac0570b54ace6fbdeb57c2] -3.16-upstream-stable: released (3.16.44) [13af702256f8b7d9bb51b86c982fe08e96c589c8] -3.2-upstream-stable: released (3.2.89) [82ef3e7b16e777db114a0c3699b91134417fe8c9] -sid: released (4.9.25-1) -3.16-jessie-security: released (3.16.43-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch] -3.2-wheezy-security: released (3.2.88-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch] diff --git a/retired/CVE-2016-2188 b/retired/CVE-2016-2188 new file mode 100644 index 000000000..56e71357c --- /dev/null +++ b/retired/CVE-2016-2188 
@@ -0,0 +1,23 @@ +Description: Kernel panic on invalid USB device descriptor (iowarrior driver) +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1317018 + https://bugzilla.redhat.com/show_bug.cgi?id=1283390 + http://seclists.org/bugtraq/2016/Mar/87 + http://marc.info/?l=linux-usb&m=145796659429788&w=2 + https://git.kernel.org/linus/4ec0ef3a82125efc36173062a50624550a900ae0 + https://marc.info/?l=linux-usb&m=148890022313747 +Notes: + bwh> Upstream fix (commit listed above) handles the case where there + bwh> are zero endpoints, but not the case where there are some + bwh> endpoints but none of the expected type. So this is not really + bwh> fixed anywhere yet. + bwh> A second proposed fix was posted in March 2017 (second linux-usb + bwh> message linked above). +Bugs: +upstream: released (4.11-rc2) [b7321e81fc369abe353cf094d4f0dc2fe11ab95f] +4.9-upstream-stable: released (4.9.16) [653418adaf1026a10e0c2e4e29b7319610117b33] +3.16-upstream-stable: released (3.16.44) [d2d603cf8fd51f0da5e4bc809d17824faa7630f7] +3.2-upstream-stable: released (3.2.89) [6598f3d653a85dccfb4a472504ec6fd12cec8e42] +sid: released (4.9.16-1) +3.16-jessie-security: released (3.16.43-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch] diff --git a/retired/CVE-2016-9604 b/retired/CVE-2016-9604 new file mode 100644 index 000000000..0eb675958 --- /dev/null +++ b/retired/CVE-2016-9604 
@@ -0,0 +1,15 @@ +Description: KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings +References: +Notes: + bwh> A similar issue was fixed in 3.17 by commit a4e3b8d79a5c + bwh> "KEYS: special dot prefixed keyring name bug fix" (which wrongly + bwh> removed another check - fixed by commit 54e2c2c1a9d6 + bwh> "KEYS: Reinstate EPERM for a key type name beginning with a '.'") +Bugs: +upstream: released (4.11-rc8) [ee8f844e3c5a73b999edf733df1c529d6503ec2f] +4.9-upstream-stable: released (4.9.25) [a5c6e0a76817a3751f58d761aaff7c0b0c4001ff] +3.16-upstream-stable: released (3.16.44) [41bd08bfce7c33e0d383e7678e6d6c7e8e041524] +3.2-upstream-stable: released (3.2.89) [7488aaea277dc17eb12bda22c91332c804c62965] +sid: released (4.9.25-1) +3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch] diff --git a/retired/CVE-2017-2671 b/retired/CVE-2017-2671 new file mode 100644 index 000000000..5965d09de --- /dev/null +++ b/retired/CVE-2017-2671 
@@ -0,0 +1,14 @@ +Description: Linux kernel ping socket / AF_LLC connect() sin_family race +References: + http://www.openwall.com/lists/oss-security/2017/03/24/6 + https://github.com/danieljiang0415/android_kernel_crash_poc + https://twitter.com/danieljiang0415/status/845116665184497664 +Notes: +Bugs: +upstream: released (4.11-rc6) [43a6684519ab0a6c52024b5e25322476cabad893] +4.9-upstream-stable: released (4.9.26) [e88a8e0a23c23e09858a4f5caeb106da972e7934] +3.16-upstream-stable: released (3.16.44) [c3f18d2a809b563ef078130ab3758899625e4cfb] +3.2-upstream-stable: released (3.2.89) [352651a0a07649e4ee03e294da069b5c3e42aae4] +sid: released (4.9.25-1) [bugfix/all/ping-implement-proper-locking.patch] +3.16-jessie-security: released (3.16.43-1) [bugfix/all/ping-implement-proper-locking.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/ping-implement-proper-locking.patch] diff --git a/retired/CVE-2017-7184 b/retired/CVE-2017-7184 new file mode 100644 index 000000000..8e29f4747 --- /dev/null +++ b/retired/CVE-2017-7184 
@@ -0,0 +1,15 @@ +Description: Missing range checks in xfrm_user allow heap buffer overflow and privilege escalation +References: + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184 +Notes: + bwh> xfrm_user is only accessible with CAP_NET_ADMIN capability (in any + bwh> user namespace). So this is not exploitable by unprivileged users + bwh> in a default Debian configuration. +Bugs: +upstream: released (4.11-rc5) [677e806da4d916052585301785d847c3b3e6186a, f843ee6dd019bcece3e74e76ad9df0155655d0df] +4.9-upstream-stable: released (4.9.20) [64a5465799ee40e3d54d9da3037934cd4b7b502f, 79191ea36dc9be10a9c9b03d6b341ed2d2f76045] +3.16-upstream-stable: released (3.16.44) [811f5600db1a0a9c4f1abad5017e09f43d7088f3, fda265baa45b630675359db3699bb68350c4b907] +3.2-upstream-stable: released (3.2.89) [04dba730e9d4798184b4769f74ef14c20f8c6f9a, 4d09fd3505c59374e599a29918ca40059be3d554] +sid: released (4.9.18-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] +3.16-jessie-security: released (3.16.43-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch, bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch] diff --git a/retired/CVE-2017-7261 b/retired/CVE-2017-7261 new file mode 100644 index 000000000..e02f0dd11 --- /dev/null +++ b/retired/CVE-2017-7261 
@@ -0,0 +1,19 @@ +Description: drm/vmwgfx: check that number of mip levels is above zero +References: + https://lists.freedesktop.org/archives/dri-devel/2017-March/136814.html + https://bugzilla.redhat.com/show_bug.cgi?id=1435719 + https://marc.info/?t=149037004200005&r=1&w=2 + https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812 +Notes: + bwh> This seems to have been discovered independently by Murray + bwh> McAllister, Vladis Dronov and Li Qiang, resulting in three + bwh> slightly different fixes. Murray McAllister's version was + bwh> applied upstream. +Bugs: +upstream: released (4.11-rc6) [36274ab8c596f1240c606bb514da329add2a1bcd] +4.9-upstream-stable: released (4.9.22) [73ab72517b61ce4b27ceddec47dd5d6edafb556a] +3.16-upstream-stable: released (3.16.44) [61cabe967321767052498032178d56a1ea03a7bc] +3.2-upstream-stable: released (3.2.89) [20996e6d81c907b10a5ab57c4172be97cb1a7de1] +sid: released (4.9.18-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] +3.16-jessie-security: released (3.16.43-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch] diff --git a/retired/CVE-2017-7294 b/retired/CVE-2017-7294 new file mode 100644 index 000000000..7d420f6ea --- /dev/null +++ b/retired/CVE-2017-7294 
@@ -0,0 +1,13 @@ +Description: drm/vmwgfx: limit mip levels in vmw_surface_define_ioctl() +References: + https://bugzilla.redhat.com/show_bug.cgi?id=1436798 + https://lists.freedesktop.org/archives/dri-devel/2017-March/137094.html +Notes: +Bugs: +upstream: released (4.11-rc6) [e7e11f99564222d82f0ce84bd521e57d78a6b678] +4.9-upstream-stable: released (4.9.22) [4ddd24d54fedff301e8f020d7b9f70116383af31] +3.16-upstream-stable: released (3.16.44) [629655f798b92fd309fdde494a3cfb8a37f807ad] +3.2-upstream-stable: released (3.2.89) [c2e7959f2ea446a417bf2cdb79792575852d17bb] +sid: released (4.9.18-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] +3.16-jessie-security: released (3.16.43-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch] diff --git a/retired/CVE-2017-7308 b/retired/CVE-2017-7308 new file mode 100644 index 000000000..03c2a8a57 --- /dev/null +++ b/retired/CVE-2017-7308 
@@ -0,0 +1,20 @@ +Description: AF_PACKET missing/incorrect range checks allow heap buffer overflow +References: + https://patchwork.ozlabs.org/patch/744811/ + https://patchwork.ozlabs.org/patch/744812/ + https://patchwork.ozlabs.org/patch/744813/ + https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html +Notes: + bwh> 3.2 is also missing an earlier related fix, commit dc808110bb62 + bwh> "packet: handle too big packets for PACKET_V3" + nsl> only saw one of the commits in the 4.9 release + carnil> which was 16fc98c2479f5477f2df220acd9cb53686e33f4c (in 4.9.23) + carnil> the other two commits are in 4.9.26 +Bugs: +upstream: released (4.11-rc6) [2b6867c2ce76c596676bec7d2d525af525fdc6e2, 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b, bcc5364bdcfe131e6379363f089e7b4108d35b70] +4.9-upstream-stable: released (4.9.26) [16fc98c2479f5477f2df220acd9cb53686e33f4c, 10452124bac39411e92fc8910dd418648bbb78ac, 1f49c8cd2c9a53ea04bd86bce01247415d12aa26] +3.16-upstream-stable: released (3.16.44) [a481ab4edd87bc2dc6f1fa9029866dd69c86fc5c, a318bc0bcec7f7867f1f1d8cef5ae6f25aa169a7, 7bb3f26487e578c2cb0567196ce93c008967a269] +3.2-upstream-stable: released (3.2.89) [091a6de006536c50f8a30db60d994a5b083b1c7b, 1634172286550a62d8a0a98cf8bec5cd975fa09c, 96053b293c69c636d8d34fc569ac81fbf1118658] +sid: released (4.9.18-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] +3.16-jessie-security: released (3.16.43-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch, bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch, 
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch] diff --git a/retired/CVE-2017-7472 b/retired/CVE-2017-7472 new file mode 100644 index 000000000..d19ba7e15 --- /dev/null +++ b/retired/CVE-2017-7472 @@ -0,0 +1,16 @@ +Description: keyctl_set_reqkey_keyring() leaks thread keyrings +References: + https://lkml.org/lkml/2017/4/1/235 + https://lkml.org/lkml/2017/4/3/724 +Notes: + carnil> 'Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")' + carnil> which is first in 2.6.29-rc1 +Bugs: + https://bugzilla.redhat.com/show_bug.cgi?id=1442086 +upstream: released (4.11-rc8) [c9f838d104fed6f2f61d68164712e3204bf5271b] +4.9-upstream-stable: released (4.9.25) [174a74dbca2ddc7269c265598399c000e5b9b870] +3.16-upstream-stable: released (3.16.44) [f7ce1014bc5e4bb42d6b9f5afb308f59534067ea] +3.2-upstream-stable: released (3.2.89) [0ebd7208190d2f7b16fee3cea05665e212cebaab] +sid: released (4.9.25-1) +3.16-jessie-security: released (3.16.43-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch] diff --git a/retired/CVE-2017-7616 b/retired/CVE-2017-7616 new file mode 100644 index 000000000..3993e51da --- /dev/null +++ b/retired/CVE-2017-7616 
@@ -0,0 +1,16 @@ +Description: mm/mempolicy.c: fix error handling in set_mempolicy and mbind +References: + https://grsecurity.net/the_infoleak_that_mostly_wasnt.php +Notes: + bwh> As Brad Spengler notes, this doesn't affect amd64. The compat + bwh> wrappers are only used for swapping bitmap words on 64-bit + bwh> architectures that are (or can be) big-endian. Fixing this on + bwh> wheezy was a (small) waste of time. +Bugs: +upstream: released (4.11-rc6) [cf01fb9985e8deb25ccf0ea54d916b8871ae0e62] +4.9-upstream-stable: released (4.9.22) [cddab768d13469d1e254fb8c0e1629f93c8dfaca] +3.16-upstream-stable: released (3.16.44) [4474624a1a496e4dc93a2cd49ea915d9c90d80e9] +3.2-upstream-stable: released (3.2.89) [3f3b4a9db31af279e793229177b63ea201e24629] +sid: released (4.9.25-1) +3.16-jessie-security: released (3.16.43-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch] diff --git a/retired/CVE-2017-7618 b/retired/CVE-2017-7618 new file mode 100644 index 000000000..0e96cf94b --- /dev/null +++ b/retired/CVE-2017-7618 
@@ -0,0 +1,17 @@ +Description: crypto: ahash - Fix EINPROGRESS notification callback +References: + http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2 + https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit/?id=ef0579b64e93188710d48667cb5e014926af9f1b +Notes: + bwh> This depends on several earlier fixes to crypto/ahash.c, applied + bwh> between 3.2 and 3.16. It also breaks algif_aead, fixed by commit + bwh> e6534aebb26e ("crypto: algif_aead - Fix bogus request dereference in + bwh> completion function"). +Bugs: +upstream: released (4.11-rc8) [ef0579b64e93188710d48667cb5e014926af9f1b] +4.9-upstream-stable: released (4.9.24) [c10479591869177ae7ac0570b54ace6fbdeb57c2] +3.16-upstream-stable: released (3.16.44) [13af702256f8b7d9bb51b86c982fe08e96c589c8] +3.2-upstream-stable: released (3.2.89) [82ef3e7b16e777db114a0c3699b91134417fe8c9] +sid: released (4.9.25-1) +3.16-jessie-security: released (3.16.43-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch] +3.2-wheezy-security: released (3.2.88-1) [bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch] -- cgit v1.2.3
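Review bot: every deleted active/ file reappears under retired/ with the identical blob id (for example index 56e71357c..000000000 for active/CVE-2016-2188 and 000000000..56e71357c for retired/CVE-2016-2188), and the diffstat is exactly 168 insertions against 168 deletions, so this is a pure move with no content change; generating or viewing the change with rename detection enabled (git show -M) would present each pair as one rename and make the review trivial instead of twenty hunks.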
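Review bot: the Notes block carried into retired/CVE-2016-2188 still says "this is not really fixed anywhere yet" and that "A second proposed fix was posted in March 2017", while the Bugs block of the same file records released fixes everywhere (upstream 4.11-rc2, 4.9.16, 3.16.44, 3.2.89, sid 4.9.16-1, jessie 3.16.43-1, wheezy 3.2.88-1). Update the note before retiring, stating that the second fix is the commit now listed in the upstream line, so a reader of retired/ does not meet a note that contradicts the status lines.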
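Review bot: retired/CVE-2016-9604 has an empty References: section; the other retired entries all carry at least one upstream or tracker link. Add a reference (the upstream commit already named in the Bugs block, ee8f844e3c5a73b999edf733df1c529d6503ec2f, would do) so the retired record stays self-documenting.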
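Review bot: the bwh note in retired/CVE-2017-7308 records that "3.2 is also missing an earlier related fix, commit dc808110bb62", yet the 3.2-upstream-stable and 3.2-wheezy-security lines list only the three CVE-2017-7308 commits and patches, not that one. Before marking the entry retired, either confirm that dc808110bb62 reached 3.2.89 / 3.2.88-1 and say so in the note, or leave the entry active for 3.2, since retiring it as written hides a known gap.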
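Review bot: in retired/CVE-2017-7472 the Red Hat bugzilla URL (show_bug.cgi?id=1442086) sits under Bugs: rather than References:; every other entry in this change keeps Bugs: empty and puts bugzilla links under References: (CVE-2016-2188, CVE-2017-7261, CVE-2017-7294). Move the URL up to References: so the file format stays consistent for anything that parses these entries.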
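Review bot: the note in retired/CVE-2017-7618 says the fix "breaks algif_aead, fixed by commit e6534aebb26e", but none of the released lines (4.9.24, 3.16.44, 3.2.89, sid 4.9.25-1, jessie, wheezy) lists that follow-up commit or a corresponding patch file. Confirm the follow-up is included in each of those releases and record it alongside the main commit, otherwise retiring the entry leaves a documented regression without a recorded fix.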