From 8401a6ccb4231c063895387616a45318b7405892 Mon Sep 17 00:00:00 2001 
From: Salvatore Bonaccorso Date: Wed, 24 Aug 2016 08:26:40 +0000 Subject: Retire several CVEs git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@4591 e094ebfe-e918-0410-adfb-c712417f3574 --- active/CVE-2014-9904 | 10 ---------- active/CVE-2016-1237 | 11 ----------- active/CVE-2016-1583 | 31 ------------------------------- active/CVE-2016-4482 | 14 -------------- active/CVE-2016-4568 | 13 ------------- active/CVE-2016-4569 | 13 ------------- active/CVE-2016-4578 | 12 ------------ active/CVE-2016-4997 | 10 ---------- active/CVE-2016-4998 | 10 ---------- active/CVE-2016-5243 | 12 ------------ active/CVE-2016-5244 | 11 ----------- active/CVE-2016-5728 | 24 ------------------------ active/CVE-2016-5828 | 12 ------------ active/CVE-2016-6130 | 11 ----------- retired/CVE-2014-9904 | 10 ++++++++++ retired/CVE-2016-1237 | 11 +++++++++++ retired/CVE-2016-1583 | 31 +++++++++++++++++++++++++++++++ retired/CVE-2016-4482 | 14 ++++++++++++++ retired/CVE-2016-4568 | 13 +++++++++++++ retired/CVE-2016-4569 | 13 +++++++++++++ retired/CVE-2016-4578 | 12 ++++++++++++ retired/CVE-2016-4997 | 10 ++++++++++ retired/CVE-2016-4998 | 10 ++++++++++ retired/CVE-2016-5243 | 12 ++++++++++++ retired/CVE-2016-5244 | 11 +++++++++++ retired/CVE-2016-5728 | 24 ++++++++++++++++++++++++ retired/CVE-2016-5828 | 12 ++++++++++++ retired/CVE-2016-6130 | 11 +++++++++++ 28 files changed, 194 insertions(+), 194 deletions(-) delete mode 100644 active/CVE-2014-9904 delete mode 100644 active/CVE-2016-1237 delete mode 100644 active/CVE-2016-1583 delete mode 100644 active/CVE-2016-4482 delete mode 100644 active/CVE-2016-4568 delete mode 100644 active/CVE-2016-4569 delete mode 100644 active/CVE-2016-4578 delete mode 100644 active/CVE-2016-4997 delete mode 100644 active/CVE-2016-4998 delete mode 100644 active/CVE-2016-5243 delete mode 100644 active/CVE-2016-5244 delete mode 100644 active/CVE-2016-5728 delete mode 100644 active/CVE-2016-5828 delete mode 100644 active/CVE-2016-6130 create mode 100644 
retired/CVE-2014-9904 create mode 100644 retired/CVE-2016-1237 create mode 100644 retired/CVE-2016-1583 create mode 100644 retired/CVE-2016-4482 create mode 100644 retired/CVE-2016-4568 create mode 100644 retired/CVE-2016-4569 create mode 100644 retired/CVE-2016-4578 create mode 100644 retired/CVE-2016-4997 create mode 100644 retired/CVE-2016-4998 create mode 100644 retired/CVE-2016-5243 create mode 100644 retired/CVE-2016-5244 create mode 100644 retired/CVE-2016-5728 create mode 100644 retired/CVE-2016-5828 create mode 100644 retired/CVE-2016-6130 diff --git a/active/CVE-2014-9904 b/active/CVE-2014-9904 deleted file mode 100644 index b60b60f4b..000000000 --- a/active/CVE-2014-9904 +++ /dev/null @@ -1,10 +0,0 @@ -Description: -References: -Notes: Introduced in 3.7-rc1 with b35cc8225845112a616e3a2266d2fde5ab13d3ab -Bugs: -upstream: released (3.17-rc1) [6217e5ede23285ddfee10d2e4ba0cc2d4c046205] -3.16-upstream-stable: released (3.16.37) [alsa-compress-fix-an-integer-overflow-check.patch] -3.2-upstream-stable: N/A "Introduced with b35cc8225845112a616e3a2266d2fde5ab13d3ab in 3.7-rc1" -sid: released (4.0.2-1) -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch] -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2016-1237 b/active/CVE-2016-1237 deleted file mode 100644 index aa4b3c50a..000000000 --- a/active/CVE-2016-1237 +++ /dev/null 
@@ -1,11 +0,0 @@ -Description: nfsd: any user can set a file's ACL over NFS and grant access to it -References: -Notes: - Requisite for the fix: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f -Bugs: -upstream: released (4.7-rc5) [999653786df6954a31044528ac3f7a5dadca08f4] -3.16-upstream-stable: released (3.16.37) [nfsd-check-permissions-when-setting-acls.patch] -3.2-upstream-stable: N/A "Introduced in v3.14-rc1 with 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61" -sid: released (4.6.2-2) [bugfix/all/nfsd-check-permissions-when-setting-acls.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch] -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2016-1583 b/active/CVE-2016-1583 deleted file mode 100644 index 0dd2e903f..000000000 --- a/active/CVE-2016-1583 +++ /dev/null 
@@ -1,31 +0,0 @@ -Description: eCryptfs layered over procfs can trigger stack overflow -References: - http://www.openwall.com/lists/oss-security/2016/06/10/8 -Notes: - carnil> backport to kernels pre 4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6) - carnil> as well. - bwh> The issue here is: - bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check - bwh> that it was implemented. - bwh> 2. procfs includes files that map to (part of) a process's VM. - bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any - bwh> directory owned by the caller. - bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs - bwh> file that maps to another mmapped region, and then to chain mappings - bwh> to an arbitrary depth. This could result in calling page fault - bwh> handlers recursively, again to an arbitrary depth. Either the procfs - bwh> change *or* the ecryptfs change should be sufficient to fix this. - bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI - bwh> breaker. - bwh> The ecryptfs fix depends on the commit carnil mentioned. - bwh> The first ecryptfs fix prevents reading directories on many underlying - bwh> filesystems. It was reverted upstream and replaced with commit - bwh> f0fe970df383. But with this version it's important to have the procfs - bwh> fix as well. 
-Bugs: -upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df] -3.16-upstream-stable: released (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch] -3.2-upstream-stable: released (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch] -sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch] diff --git a/active/CVE-2016-4482 b/active/CVE-2016-4482 deleted file mode 100644 index f0deefdae..000000000 --- a/active/CVE-2016-4482 +++ /dev/null 
@@ -1,14 +0,0 @@ -Description: information leak in devio -References: - http://www.spinics.net/lists/linux-usb/msg140243.html -Notes: - bwh> There may or may not be an information leak here in practice, - bwh> depending on how the compiler optimises the structure - bwh> initialisation. -Bugs: -upstream: released (4.7-rc1) [681fef8380eb818c0b845fca5d2ab1dcbab114ee] -3.16-upstream-stable: released (3.16.37) [usb-usbfs-fix-potential-infoleak-in-devio.patch] -3.2-upstream-stable: released (3.2.82) [usb-usbfs-fix-potential-infoleak-in-devio.patch] -sid: released (4.5.5-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] diff --git a/active/CVE-2016-4568 b/active/CVE-2016-4568 deleted file mode 100644 index 114309497..000000000 --- a/active/CVE-2016-4568 +++ /dev/null @@ -1,13 +0,0 @@ -Description: Kernel memory overwrite in media/videobuf2 -References: -Notes: - bwh> This was supposed to be fixed upstream in 4.6-rc6 by commit - bwh> 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab. However that caused a - bwh> regression and was reverted. -Bugs: -upstream: released (4.8-rc1) [e7e0c3e26587749b62d17b9dd0532874186c77f7, 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab, 126f40298446a82116e1f92a1aaf72b8c8228fae] -3.16-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1" -3.2-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1" -sid: released (4.5.3-1) -3.16-jessie-security: N/A "Vulnerable code not present" -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2016-4569 b/active/CVE-2016-4569 deleted file mode 100644 index 28be0537f..000000000 --- a/active/CVE-2016-4569 +++ /dev/null 
@@ -1,13 +0,0 @@ -Description: information leak in ALSA timers -References: - http://comments.gmane.org/gmane.linux.kernel/2214250 -Notes: - bwh> This only affects 64-bit architectures as no padding is needed in - bwh> struct snd_timer_tread on 32-bit architectures. -Bugs: -upstream: released (4.7-rc1) [cec8f96e49d9be372fdb0c3836dcf31ec71e457e] -3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] -3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] -sid: released (4.4.5-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] diff --git a/active/CVE-2016-4578 b/active/CVE-2016-4578 deleted file mode 100644 index 1351a03d2..000000000 --- a/active/CVE-2016-4578 +++ /dev/null 
@@ -1,12 +0,0 @@ -Description: information leaks in ALSA timers -References: -Notes: - bwh> This only affects 64-bit architectures as no padding is needed in - bwh> struct snd_timer_tread on 32-bit architectures. -Bugs: -upstream: released (4.7-rc1) [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5] -3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch] -3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch] -sid: released (4.5.5-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] diff --git a/active/CVE-2016-4997 b/active/CVE-2016-4997 deleted file mode 100644 index 5445279ac..000000000 --- a/active/CVE-2016-4997 +++ /dev/null 
@@ -1,10 +0,0 @@ -Description: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt -References: -Notes: -Bugs: -upstream: released (4.7-rc1) [fc1221b3a163d1386d1052184202d5dc50d302d1, ce683e5f9d045e5d67d1312a42b359cb2ab2a13c] -3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-compat-version-of-xt_check_entry_offsets.patch, netfilter-x_tables-check-for-bogus-target-offset.patch] -3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users" -sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch] -3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users" diff --git a/active/CVE-2016-4998 b/active/CVE-2016-4998 deleted file mode 100644 index 92d0114c9..000000000 --- a/active/CVE-2016-4998 +++ /dev/null 
@@ -1,10 +0,0 @@ -Description: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt -References: -Notes: -Bugs: -upstream: released (4.7-rc1) [7d35812c3214afa5b37a675113555259cfd67b98, a08e4e190b866579896c09af59b3bdca821da2cd, 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226] -3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-and-use-xt_check_entry_offsets.patch, netfilter-x_tables-assert-minimum-target-size.patch, netfilter-x_tables-check-standard-target-size-too.patch, netfilter-x_tables-validate-all-offsets-and-sizes-in-a-rule.patch, netfilter-x_tables-don-t-reject-valid-target-size-on-some.patch] -3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users" -sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch] -3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users" diff --git a/active/CVE-2016-5243 b/active/CVE-2016-5243 deleted file mode 100644 index 7f873f9e6..000000000 --- a/active/CVE-2016-5243 +++ /dev/null 
@@ -1,12 +0,0 @@ -Description: tipc: an infoleak in tipc_nl_compat_link_dump -References: - https://patchwork.ozlabs.org/patch/629100/ -Notes: - bwh> In kernel versions older than 4.0 the bug is in tipc_node_get_links() -Bugs: -upstream: released (4.7-rc3) [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2] -3.16-upstream-stable: released (3.16.37) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] -3.2-upstream-stable: released (3.2.82) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] -sid: released (4.6.2-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] diff --git a/active/CVE-2016-5244 b/active/CVE-2016-5244 deleted file mode 100644 index 6e4b38698..000000000 --- a/active/CVE-2016-5244 +++ /dev/null @@ -1,11 +0,0 @@ -Description: rds: fix an infoleak in rds_inc_info_copy -References: - https://patchwork.ozlabs.org/patch/629110/ -Notes: -Bugs: -upstream: released (4.7-rc3) [4116def2337991b39919f3b448326e21c40e0dbb] -3.16-upstream-stable: released (3.16.37) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch] -3.2-upstream-stable: released (3.2.82) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch] -sid: released (4.6.2-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] -3.2-wheezy-security: released (3.2.81-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] diff --git a/active/CVE-2016-5728 b/active/CVE-2016-5728 deleted file mode 100644 index 235407c55..000000000 --- a/active/CVE-2016-5728 +++ /dev/null 
@@ -1,24 +0,0 @@ -Description: Race condition vulnerability in VOP driver -References: -Notes: - From Red Hat Bugzilla: The VOP driver is "new" in the 4.6 kernel only - in that the functionality was moved out of the host MIC driver into a - new driver entirely with commit - 61e9c905df78c253752971e200f0ac6d8667dda6. Prior to that, the - functionality was in the drivers/misc/mic/host/mic_virtio.c host driver, - which was introduced with commit f69bcbf3b4c4 (v3.13). - . - If you look at versions of the kernel prior to 4.6, you will see the - code sequence that is fixed by the mentioned upstream patch is still in - the host driver in the mic_copy_dp_entry function. That needs to be - patched with a similar fix. - . - Introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5 -Bugs: - https://bugzilla.kernel.org/show_bug.cgi?id=116651 -upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6] -3.16-upstream-stable: released (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch] -3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5" -sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch] -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2016-5828 b/active/CVE-2016-5828 deleted file mode 100644 index 3f4eae105..000000000 --- a/active/CVE-2016-5828 +++ /dev/null 
@@ -1,12 +0,0 @@ -Description: powerpc/tm: Always reclaim in start_thread() for exec() class syscalls -References: -Notes: - Fix: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?id=8e96a87c5431c256feb65bcfc5 - not yet merged in Linus' tree. -Bugs: -upstream: released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6] -3.16-upstream-stable: released (3.16.37) [powerpc-tm-always-reclaim-in-start_thread-for-exec-class.patch] -3.2-upstream-stable: N/A "Introduced in 3.10-rc1 with bc2a9408fa65195288b41751016c36fd00a75a85" -sid: released (4.6.3-1) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch] -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch] -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/active/CVE-2016-6130 b/active/CVE-2016-6130 deleted file mode 100644 index 7e933f97f..000000000 --- a/active/CVE-2016-6130 +++ /dev/null @@ -1,11 +0,0 @@ -Description: Information leak in s390 sclp driver -References: -Notes: -Bugs: - https://bugzilla.kernel.org/show_bug.cgi?id=116741 -upstream: released (4.6-rc6) [532c34b5fbf1687df63b3fcd5b2846312ac943c6] -3.16-upstream-stable: released (3.16.37) [s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch] -3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11 with d475f942b1dd6a897dac3ad4ed98d6994b275378" -sid: released (4.6.1-1) -3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch] -3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2014-9904 b/retired/CVE-2014-9904 new file mode 100644 index 000000000..b60b60f4b --- /dev/null +++ b/retired/CVE-2014-9904 
@@ -0,0 +1,10 @@ +Description: +References: +Notes: Introduced in 3.7-rc1 with b35cc8225845112a616e3a2266d2fde5ab13d3ab +Bugs: +upstream: released (3.17-rc1) [6217e5ede23285ddfee10d2e4ba0cc2d4c046205] +3.16-upstream-stable: released (3.16.37) [alsa-compress-fix-an-integer-overflow-check.patch] +3.2-upstream-stable: N/A "Introduced with b35cc8225845112a616e3a2266d2fde5ab13d3ab in 3.7-rc1" +sid: released (4.0.2-1) +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-1237 b/retired/CVE-2016-1237 new file mode 100644 index 000000000..aa4b3c50a --- /dev/null +++ b/retired/CVE-2016-1237 @@ -0,0 +1,11 @@ +Description: nfsd: any user can set a file's ACL over NFS and grant access to it +References: +Notes: + Requisite for the fix: 485e71e8fb6356c08c7fc6bcce4bf02c9a9a663f +Bugs: +upstream: released (4.7-rc5) [999653786df6954a31044528ac3f7a5dadca08f4] +3.16-upstream-stable: released (3.16.37) [nfsd-check-permissions-when-setting-acls.patch] +3.2-upstream-stable: N/A "Introduced in v3.14-rc1 with 4ac7249ea5a0ceef9f8269f63f33cc873c3fac61" +sid: released (4.6.2-2) [bugfix/all/nfsd-check-permissions-when-setting-acls.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/nfsd-check-permissions-when-setting-ACLs.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-1583 b/retired/CVE-2016-1583 new file mode 100644 index 000000000..0dd2e903f --- /dev/null +++ b/retired/CVE-2016-1583 
@@ -0,0 +1,31 @@ +Description: eCryptfs layered over procfs can trigger stack overflow +References: + http://www.openwall.com/lists/oss-security/2016/06/10/8 +Notes: + carnil> backport to kernels pre 4.6 need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1 (4.6) + carnil> as well. + bwh> The issue here is: + bwh> 1. ecryptfs never uses mmap() on the lower file, so did not check + bwh> that it was implemented. + bwh> 2. procfs includes files that map to (part of) a process's VM. + bwh> 3. mount.ecryptfs_private is setuid-root and allows layering over any + bwh> directory owned by the caller. + bwh> So it was possible to mmap part of an ecryptfs file layered on a procfs + bwh> file that maps to another mmapped region, and then to chain mappings + bwh> to an arbitrary depth. This could result in calling page fault + bwh> handlers recursively, again to an arbitrary depth. Either the procfs + bwh> change *or* the ecryptfs change should be sufficient to fix this. + bwh> The procfs fix depends on commit 69c433ed2ecd (3.18) which is an ABI + bwh> breaker. + bwh> The ecryptfs fix depends on the commit carnil mentioned. + bwh> The first ecryptfs fix prevents reading directories on many underlying + bwh> filesystems. It was reverted upstream and replaced with commit + bwh> f0fe970df383. But with this version it's important to have the procfs + bwh> fix as well. 
+Bugs: +upstream: released (4.7-rc3) [e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9, 2f36db71009304b3f0b95afacd8eba1f9f046b87, 29d6455178a09e1dc340380c582b13356227e8df] +3.16-upstream-stable: released (3.16.37) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch] +3.2-upstream-stable: released (3.2.82) [fs-limit-filesystem-stacking-depth.patch, proc-prevent-stacking-filesystems-on-top.patch, ecryptfs-don-t-allow-mmap-when-the-lower-fs-doesn-t-support-it.patch] +sid: released (4.6.2-1) [bugfix/all/proc-prevent-stacking-filesystems-on-top.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch, bugfix/all/sched-panic-on-corrupted-stack-end.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch, bugfix/all/ecryptfs-forbid-opening-files-without-mmap-handler.patch] diff --git a/retired/CVE-2016-4482 b/retired/CVE-2016-4482 new file mode 100644 index 000000000..f0deefdae --- /dev/null +++ b/retired/CVE-2016-4482 
@@ -0,0 +1,14 @@ +Description: information leak in devio +References: + http://www.spinics.net/lists/linux-usb/msg140243.html +Notes: + bwh> There may or may not be an information leak here in practice, + bwh> depending on how the compiler optimises the structure + bwh> initialisation. +Bugs: +upstream: released (4.7-rc1) [681fef8380eb818c0b845fca5d2ab1dcbab114ee] +3.16-upstream-stable: released (3.16.37) [usb-usbfs-fix-potential-infoleak-in-devio.patch] +3.2-upstream-stable: released (3.2.82) [usb-usbfs-fix-potential-infoleak-in-devio.patch] +sid: released (4.5.5-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch] diff --git a/retired/CVE-2016-4568 b/retired/CVE-2016-4568 new file mode 100644 index 000000000..114309497 --- /dev/null +++ b/retired/CVE-2016-4568 @@ -0,0 +1,13 @@ +Description: Kernel memory overwrite in media/videobuf2 +References: +Notes: + bwh> This was supposed to be fixed upstream in 4.6-rc6 by commit + bwh> 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab. However that caused a + bwh> regression and was reverted. +Bugs: +upstream: released (4.8-rc1) [e7e0c3e26587749b62d17b9dd0532874186c77f7, 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab, 126f40298446a82116e1f92a1aaf72b8c8228fae] +3.16-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1" +3.2-upstream-stable: N/A "Introduced by b0e0e1f83de31aa0428c38b692c590cc0ecd3f03 in 4.4-rc1" +sid: released (4.5.3-1) +3.16-jessie-security: N/A "Vulnerable code not present" +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-4569 b/retired/CVE-2016-4569 new file mode 100644 index 000000000..28be0537f --- /dev/null +++ b/retired/CVE-2016-4569 
@@ -0,0 +1,13 @@ +Description: information leak in ALSA timers +References: + http://comments.gmane.org/gmane.linux.kernel/2214250 +Notes: + bwh> This only affects 64-bit architectures as no padding is needed in + bwh> struct snd_timer_tread on 32-bit architectures. +Bugs: +upstream: released (4.7-rc1) [cec8f96e49d9be372fdb0c3836dcf31ec71e457e] +3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] +3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] +sid: released (4.4.5-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch] diff --git a/retired/CVE-2016-4578 b/retired/CVE-2016-4578 new file mode 100644 index 000000000..1351a03d2 --- /dev/null +++ b/retired/CVE-2016-4578 
@@ -0,0 +1,12 @@ +Description: information leaks in ALSA timers +References: +Notes: + bwh> This only affects 64-bit architectures as no padding is needed in + bwh> struct snd_timer_tread on 32-bit architectures. +Bugs: +upstream: released (4.7-rc1) [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5] +3.16-upstream-stable: released (3.16.37) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch] +3.2-upstream-stable: released (3.2.82) [alsa-timer-fix-leak-in-events-via-snd_timer_user_ccallback.patch, alsa-timer-fix-leak-in-events-via-snd_timer_user_tinterrupt.patch] +sid: released (4.5.5-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch, bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch] diff --git a/retired/CVE-2016-4997 b/retired/CVE-2016-4997 new file mode 100644 index 000000000..5445279ac --- /dev/null +++ b/retired/CVE-2016-4997 
@@ -0,0 +1,10 @@ +Description: Corrupted offset allows for arbitrary decrements in compat IPT_SO_SET_REPLACE setsockopt +References: +Notes: +Bugs: +upstream: released (4.7-rc1) [fc1221b3a163d1386d1052184202d5dc50d302d1, ce683e5f9d045e5d67d1312a42b359cb2ab2a13c] +3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-compat-version-of-xt_check_entry_offsets.patch, netfilter-x_tables-check-for-bogus-target-offset.patch] +3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users" +sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-compat-version-of-xt_check_en.patch, bugfix/all/netfilter-x_tables-check-for-bogus-target-offset.patch] +3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users" diff --git a/retired/CVE-2016-4998 b/retired/CVE-2016-4998 new file mode 100644 index 000000000..92d0114c9 --- /dev/null +++ b/retired/CVE-2016-4998 
@@ -0,0 +1,10 @@ +Description: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt +References: +Notes: +Bugs: +upstream: released (4.7-rc1) [7d35812c3214afa5b37a675113555259cfd67b98, a08e4e190b866579896c09af59b3bdca821da2cd, 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226] +3.16-upstream-stable: released (3.16.37) [netfilter-x_tables-add-and-use-xt_check_entry_offsets.patch, netfilter-x_tables-assert-minimum-target-size.patch, netfilter-x_tables-check-standard-target-size-too.patch, netfilter-x_tables-validate-all-offsets-and-sizes-in-a-rule.patch, netfilter-x_tables-don-t-reject-valid-target-size-on-some.patch] +3.2-upstream-stable: ignored "too many changes required, and netfilter is not exposed to unprivileged users" +sid: released (4.6.2-2) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/netfilter-x_tables-add-and-use-xt_check_entry_offset.patch, bugfix/all/netfilter-x_tables-assert-minimum-target-size.patch, bugfix/all/netfilter-x_tables-check-standard-target-size-too.patch, bugfix/all/netfilter-x_tables-validate-all-offsets-and-sizes-in.patch, bugfix/all/netfilter-x_tables-don-t-reject-valid-target-size-on.patch] +3.2-wheezy-security: ignored "too many changes required, and netfilter is not exposed to unprivileged users" diff --git a/retired/CVE-2016-5243 b/retired/CVE-2016-5243 new file mode 100644 index 000000000..7f873f9e6 --- /dev/null +++ b/retired/CVE-2016-5243 
@@ -0,0 +1,12 @@ +Description: tipc: an infoleak in tipc_nl_compat_link_dump +References: + https://patchwork.ozlabs.org/patch/629100/ +Notes: + bwh> In kernel versions older than 4.0 the bug is in tipc_node_get_links() +Bugs: +upstream: released (4.7-rc3) [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2] +3.16-upstream-stable: released (3.16.37) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] +3.2-upstream-stable: released (3.2.82) [tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] +sid: released (4.6.2-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/tipc-fix-an-infoleak-in-tipc_nl_compat_link_dump.patch] diff --git a/retired/CVE-2016-5244 b/retired/CVE-2016-5244 new file mode 100644 index 000000000..6e4b38698 --- /dev/null +++ b/retired/CVE-2016-5244 @@ -0,0 +1,11 @@ +Description: rds: fix an infoleak in rds_inc_info_copy +References: + https://patchwork.ozlabs.org/patch/629110/ +Notes: +Bugs: +upstream: released (4.7-rc3) [4116def2337991b39919f3b448326e21c40e0dbb] +3.16-upstream-stable: released (3.16.37) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch] +3.2-upstream-stable: released (3.2.82) [rds-fix-an-infoleak-in-rds_inc_info_copy.patch] +sid: released (4.6.2-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] +3.2-wheezy-security: released (3.2.81-1) [bugfix/all/rds-fix-an-infoleak-in-rds_inc_info_copy.patch] diff --git a/retired/CVE-2016-5728 b/retired/CVE-2016-5728 new file mode 100644 index 000000000..235407c55 --- /dev/null +++ b/retired/CVE-2016-5728 
@@ -0,0 +1,24 @@ +Description: Race condition vulnerability in VOP driver +References: +Notes: + From Red Hat Bugzilla: The VOP driver is "new" in the 4.6 kernel only + in that the functionality was moved out of the host MIC driver into a + new driver entirely with commit + 61e9c905df78c253752971e200f0ac6d8667dda6. Prior to that, the + functionality was in the drivers/misc/mic/host/mic_virtio.c host driver, + which was introduced with commit f69bcbf3b4c4 (v3.13). + . + If you look at versions of the kernel prior to 4.6, you will see the + code sequence that is fixed by the mentioned upstream patch is still in + the host driver in the mic_copy_dp_entry function. That needs to be + patched with a similar fix. + . + Introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5 +Bugs: + https://bugzilla.kernel.org/show_bug.cgi?id=116651 +upstream: released (v4.7-rc1) [9bf292bfca94694a721449e3fd752493856710f6] +3.16-upstream-stable: released (3.16.37) [misc-mic-fix-for-double-fetch-security-bug-in-vop-driver.patch] +3.2-upstream-stable: N/A "Vulnerable code introduced in 3.13-rc1 with f69bcbf3b4c4b333dcd7a48eaf868bf0c88edab5" +sid: released (4.6.1-1) [2a9369456a384d84c521c8ebb48d247e8738f84f] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-5828 b/retired/CVE-2016-5828 new file mode 100644 index 000000000..3f4eae105 --- /dev/null +++ b/retired/CVE-2016-5828 
@@ -0,0 +1,12 @@ +Description: powerpc/tm: Always reclaim in start_thread() for exec() class syscalls +References: +Notes: + Fix: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?id=8e96a87c5431c256feb65bcfc5 + not yet merged in Linus' tree. +Bugs: +upstream: released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6] +3.16-upstream-stable: released (3.16.37) [powerpc-tm-always-reclaim-in-start_thread-for-exec-class.patch] +3.2-upstream-stable: N/A "Introduced in 3.10-rc1 with bc2a9408fa65195288b41751016c36fd00a75a85" +sid: released (4.6.3-1) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch] +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" diff --git a/retired/CVE-2016-6130 b/retired/CVE-2016-6130 new file mode 100644 index 000000000..7e933f97f --- /dev/null +++ b/retired/CVE-2016-6130 @@ -0,0 +1,11 @@ +Description: Information leak in s390 sclp driver +References: +Notes: +Bugs: + https://bugzilla.kernel.org/show_bug.cgi?id=116741 +upstream: released (4.6-rc6) [532c34b5fbf1687df63b3fcd5b2846312ac943c6] +3.16-upstream-stable: released (3.16.37) [s390-sclp_ctl-fix-potential-information-leak-with-dev-sclp.patch] +3.2-upstream-stable: N/A "Vulnerable code introduced in 3.11 with d475f942b1dd6a897dac3ad4ed98d6994b275378" +sid: released (4.6.1-1) +3.16-jessie-security: released (3.16.7-ckt25-2+deb8u3) [bugfix/s390/s390-sclp_ctl-fix-potential-information-leak-with-de.patch] +3.2-wheezy-security: N/A "Vulnerable code not present" -- cgit v1.2.3
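Review bot: in the IPT_SO_SET_REPLACE hunk (the file immediately before retired/CVE-2016-5243), the last upstream commit id in the `upstream:` bracket list, `b7eba0f3515fca3296b8881d583f7c1042f5226`, is 39 hex characters while the other four are full 40-character SHA-1s, so one character has been dropped; please restore the full id before the entry is retired, since the tracker cross-references these against git.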
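Review bot: in the retired/CVE-2016-5728 hunk the `upstream:` line reads `released (v4.7-rc1)` with a `v` prefix, whereas every other entry in this patch writes the version bare (`4.7-rc3`, `4.7-rc6`, `4.6-rc6`); drop the `v` so the field parses consistently. The same hunk's `sid:` line lists a bare commit id (`2a9369456a384d84c521c8ebb48d247e8738f84f`) where the other files list `bugfix/...` patch names, which is worth a consistent convention or a note on what the id refers to.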
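Review bot: in the retired/CVE-2016-5828 hunk the Notes field still says the fix is "not yet merged in Linus' tree", but the `upstream:` line on the same file records `released (4.7-rc6) [8e96a87c5431c256feb65bcfc5aec92d9f7839b6]`; the note is stale and contradicts the status that justifies retiring the entry, so remove it or reword it to "merged in 4.7-rc6". Also, the retired/CVE-2016-6130 hunk's `sid: released (4.6.1-1)` carries no patch reference in brackets, unlike the other `sid:` lines here, which makes it harder to confirm which change closed it.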
