From e58c55fce0b45d07070b6bf06bd56e914842758c Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 19 Dec 2007 01:39:51 +0000 Subject: Ubuntu kernel updates git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@1066 e094ebfe-e918-0410-adfb-c712417f3574 --- active/CVE-2006-6058 | 10 +++++++--- active/CVE-2007-4133 | 10 +++++++++- active/CVE-2007-4567 | 7 ++++++- active/CVE-2007-4849 | 6 ++++-- active/CVE-2007-4997 | 10 +++++++--- active/CVE-2007-5093 | 8 ++++++-- active/CVE-2007-5500 | 10 +++++++--- active/CVE-2007-5501 | 6 +++++- scripts/ubuntu-usn-desc | 2 ++ 9 files changed, 53 insertions(+), 16 deletions(-) diff --git a/active/CVE-2006-6058 b/active/CVE-2006-6058 index d848cd28..7582e472 100644 --- a/active/CVE-2006-6058 +++ b/active/CVE-2006-6058 @@ -13,6 +13,10 @@ Description: function. NOTE: this issue might be due to an integer overflow or signedness error. Ubuntu-Description: + The minix filesystem did not properly validate certain filesystem values. + If a local attacker could trick the system into attempting to mount a + corrupted minix filesystem, the kernel could be made to hang for long + periods of time, resulting in a denial of service. Notes: dannf> ignored for sarge for now - only applies under very rare circumstances and don't know if there's an upstream fix @@ -28,6 +32,6 @@ linux-2.6: released (2.6.23-1) [bugfix/2.6.23.7.patch] 2.6.8-sarge-security: ignored 2.4.27-sarge-security: ignored 2.6.15-dapper-security: pending (2.6.15-29.61) -2.6.17-edgy-security: pending (2.6.17.1-12.42) -2.6.20-feisty-security: pending (2.6.20-16.33) -2.6.22-gutsy-security: pending (2.6.22-14.47) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/active/CVE-2007-4133 b/active/CVE-2007-4133 index c56cb80c..68f19ae4 100644 --- a/active/CVE-2007-4133 +++ b/active/CVE-2007-4133 
@@ -3,7 +3,15 @@ References: http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=856fc29505556cf263f3dcda2533cf3766c14ab6 https://bugzilla.redhat.com/show_bug.cgi?id=253926 Description: + The (1) hugetlb_vmtruncate_list and (2) hugetlb_vmtruncate functions + in fs/hugetlbfs/inode.c in the Linux kernel before 2.6.19-rc4 perform + certain prio_tree calculations using HPAGE_SIZE instead of PAGE_SIZE + units, which allows local users to cause a denial of service (panic) + via unspecified vectors. Ubuntu-Description: + Certain calculations in the hugetlb code were not correct. A local + attacker could exploit this to cause a kernel panic, leading to a denial + of service. Notes: jmm> 2.4 doesn't contain hugetlbfs Bugs: @@ -13,6 +21,6 @@ linux-2.6: released (2.6.20-1) 2.6.8-sarge-security: 2.4.27-sarge-security: N/A 2.6.15-dapper-security: pending (2.6.15-29.61) -2.6.17-edgy-security: pending (2.6.17.1-12.42) +2.6.17-edgy-security: released (2.6.17.1-12.42) 2.6.20-feisty-security: N/A 2.6.22-gutsy-security: N/A diff --git a/active/CVE-2007-4567 b/active/CVE-2007-4567 index c5bca8dc..986a9078 100644 --- a/active/CVE-2007-4567 +++ b/active/CVE-2007-4567 @@ -4,6 +4,11 @@ References: http://bugzilla.kernel.org/show_bug.cgi?id=8450 Description: Ubuntu-Description: + Eric Sesterhenn and Victor Julien discovered that the hop-by-hop IPv6 + extended header was not correctly validated. If a system was configured + for IPv6, a remote attacker could send a specially crafted IPv6 packet + and cause the kernel to panic, leading to a denial of service. This + was only vulnerable in Ubuntu 7.04. Notes: kees> introduced in 2.6.20, fixed in 2.6.22 Bugs: @@ -14,5 +19,5 @@ linux-2.6: 2.4.27-sarge-security: N/A 2.6.15-dapper-security: N/A 2.6.17-edgy-security: N/A -2.6.20-feisty-security: pending (2.6.20-2.6.20-16.33) +2.6.20-feisty-security: released (2.6.20-2.6.20-16.33) 2.6.22-gutsy-security: N/A 
diff --git a/active/CVE-2007-4849 b/active/CVE-2007-4849 index 98935417..8844c754 100644 --- a/active/CVE-2007-4849 +++ b/active/CVE-2007-4849 @@ -11,6 +11,8 @@ Description: restricted files or directories after a remount of a filesystem, related to "legacy modes" and an inconsistency between dentry permissions and inode permissions. Ubuntu-Description: + Permissions were not correctly stored on JFFS2 ACLs. For systems using + ACLs on JFFS2, a local attacker may gain access to private files. Notes: jmm> ACL support was introduced in 2.6.17 with commit aa98d7cf59b5b0764d3502662053489585faf2fe, marking jmm> earlier Debian releases as N/A @@ -22,5 +24,5 @@ linux-2.6: needed 2.4.27-sarge-security: N/A 2.6.15-dapper-security: N/A 2.6.17-edgy-security: N/A -2.6.20-feisty-security: pending (2.6.20-16.33) -2.6.22-gutsy-security: pending (2.6.22-14.47) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/active/CVE-2007-4997 b/active/CVE-2007-4997 index ae43997c..01f1780e 100644 --- a/active/CVE-2007-4997 +++ b/active/CVE-2007-4997 @@ -4,6 +4,10 @@ References: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.23.y.git;a=commitdiff;h=04045f98e0457aba7d4e6736f37eed189c48a5f7 Description: Ubuntu-Description: + Chris Evans discovered that the 802.11 network stack did not correctly + handle certain QOS frames. A remote attacker on the local wireless network + could send specially crafted packets that would panic the kernel, resulting + in a denial of service. Notes: > The summary is that an evil 80211 frame can crash out a victim's > machine. It only applies to drivers using the 80211 wireless code, and 
@@ -19,6 +23,6 @@ linux-2.6: needed 2.6.8-sarge-security: N/A 2.4.27-sarge-security: N/A 2.6.15-dapper-security: pending (2.6.15-29.61) -2.6.17-edgy-security: pending (2.6.17.1-12.42) -2.6.20-feisty-security: pending (2.6.20-16.33) -2.6.22-gutsy-security: pending (2.6.22-14.47) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/active/CVE-2007-5093 b/active/CVE-2007-5093 index d10018e7..0fac893d 100644 --- a/active/CVE-2007-5093 +++ b/active/CVE-2007-5093 @@ -17,6 +17,10 @@ Description: the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. Ubuntu-Description: + The Philips USB Webcam driver did not correctly handle disconnects. + If a local attacker tricked another user into disconnecting a webcam + unsafely, the kernel could hang or consume CPU resources, leading to + a denial of service. Notes: kees> debug regression was fixed in http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.22.y.git;a=commitdiff;h=a3a066bffd7754e6d40c48972e698352f6cd6c4e Bugs: @@ -26,6 +30,6 @@ linux-2.6: 2.6.8-sarge-security: 2.4.27-sarge-security: 2.6.15-dapper-security: pending (2.6.15-29.61) -2.6.17-edgy-security: pending (2.6.17.1-12.42) -2.6.20-feisty-security: pending (2.6.20-16.33) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) 2.6.22-gutsy-security: N/A diff --git a/active/CVE-2007-5500 b/active/CVE-2007-5500 index 6ca73739..6faf71ea 100644 --- a/active/CVE-2007-5500 +++ b/active/CVE-2007-5500 
@@ -4,6 +4,10 @@ References: Description: wait_task_stopped: Check p->exit_state instead of TASK_TRACED Ubuntu-Description: + Scott James Remnant discovered that the waitid function could be made + to hang the system. A local attacker could execute a specially crafted + program which would leave the system unresponsive, resulting in a denial + of service. Notes: kees> 2.6.15 does not actually lock up -- it just spins in userspace jmm> This was introduced with commit 14bf01bb0599c89fc7f426d20353b76e12555308 @@ -15,6 +19,6 @@ linux-2.6: released (2.6.23-1) 2.6.8-sarge-security: N/A 2.4.27-sarge-security: N/A 2.6.15-dapper-security: pending (2.6.15-29.61) -2.6.17-edgy-security: pending (2.6.17.1-12.42) -2.6.20-feisty-security: pending (2.6.20-16.33) -2.6.22-gutsy-security: pending (2.6.22-14.47) +2.6.17-edgy-security: released (2.6.17.1-12.42) +2.6.20-feisty-security: released (2.6.20-16.33) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/active/CVE-2007-5501 b/active/CVE-2007-5501 index ff8414dc..8da4bfac 100644 --- a/active/CVE-2007-5501 +++ b/active/CVE-2007-5501 @@ -3,6 +3,10 @@ References: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=96a2d41a3e495734b63bff4e5dd0112741b93b38 Description: Ubuntu-Description: + Ilpo Järvinen discovered that it might be possible for the TCP stack + to panic the kernel when receiving a crafted ACK response. Only Ubuntu + 7.10 contained the vulnerable code, and it is believed not to have + been exploitable. Notes: dannf> Jan Lieskovsky pointed out that tcp_write_queue_head() was introduced dannf> in 2.6.21-git1 @@ -15,4 +19,4 @@ linux-2.6: released (2.6.23-1) 2.6.15-dapper-security: N/A 2.6.17-edgy-security: N/A 2.6.20-feisty-security: N/A -2.6.22-gutsy-security: pending (2.6.22-14.47) +2.6.22-gutsy-security: released (2.6.22-14.47) diff --git a/scripts/ubuntu-usn-desc b/scripts/ubuntu-usn-desc index 9894a9e8..c1b07d2c 100755 --- a/scripts/ubuntu-usn-desc +++ b/scripts/ubuntu-usn-desc 
@@ -18,6 +18,8 @@ def wrap(text, width): ) for cve in sys.argv[1:]: + if cve == "--cve": + continue desc = deb822.deb822(file(cve))['Ubuntu-Description'].strip() if len(sys.argv[1:])!=1: desc += " (%s)"%cve -- cgit v1.2.3
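Review bot: in the `active/CVE-2007-4567` hunk, the feisty status line keeps the malformed version `2.6.20-2.6.20-16.33`, while every other file in this commit records the same feisty upload as `2.6.20-16.33`; the duplicated `2.6.20-` prefix was already in the `-` line and this change only flips `pending` to `released` around it. Suggest `2.6.20-feisty-security: released (2.6.20-16.33)` so the tracker entry matches the other files and any script that parses the version string.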
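Review bot: in the `active/CVE-2007-5500` hunk, the new Ubuntu-Description says the system "would leave the system unresponsive", but the Notes directly below it (`kees> 2.6.15 does not actually lock up -- it just spins in userspace`) and the still-pending `2.6.15-dapper-security` line mean the same text will be emitted for the dapper advisory where that impact does not hold. Suggest qualifying the description (for example noting that on Ubuntu 6.06 the affected process only spins) or adding a Notes line saying the USN text is intentionally shared across releases.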
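Review bot: in the `scripts/ubuntu-usn-desc` hunk, skipping `--cve` inside the loop leaves it counted by `len(sys.argv[1:])!=1`, so an invocation like `ubuntu-usn-desc --cve CVE-2007-5501` has two arguments, and the single description gets the ` (CVE-2007-5501)` suffix that is meant only for multi-CVE output. Suggest filtering once before the loop, e.g. `cves = [a for a in sys.argv[1:] if a != "--cve"]`, then `for cve in cves:` and `if len(cves)!=1:`; it would also help to note in a comment what `--cve` is for, since the hunk accepts it without giving it any effect.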