From fe06ab796c3efe3aae50124a345d04fafd8dccbd Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 7 Mar 2011 08:59:45 +0000 Subject: retire three issues git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@2212 e094ebfe-e918-0410-adfb-c712417f3574 --- retired/CVE-2010-3437 | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 retired/CVE-2010-3437 (limited to 'retired/CVE-2010-3437') diff --git a/retired/CVE-2010-3437 b/retired/CVE-2010-3437 new file mode 100644 index 00000000..528110de --- /dev/null +++ b/retired/CVE-2010-3437 
@@ -0,0 +1,27 @@ +Candidate: CVE-2010-3437 +Description: + > ----- "Eugene Teo" wrote: + > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS + > device ioctl retrieves a pointer to a pktcdvd_device from the global + > pkt_devs array. The index into this array is provided directly by the + > + > user and is a signed integer, so the comparison to ensure that it falls + > within the bounds of this array will fail when provided with a + > negative index. + > + > This can be used to read arbitrary kernel memory or cause a crash due to + > an invalid pointer dereference. This can be exploited by users with + > permission to open /dev/pktcdvd/control (on many distributions, this is + > readable by group "cdrom"). +References: + https://bugzilla.redhat.com/show_bug.cgi?id=638085 +Notes: + exploit: http://jon.oberheide.org/files/cve-2010-3437.c + only an info disclosure, but seems to be able to dump any/all kernel memory + jmm> Submitted for 2.6.32.x on 2010-01-10. +Bugs: +upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29] +2.6.32-upstream-stable: released (2.6.32.30) +linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch] +2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch] +2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch] -- cgit v1.2.3
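Review bot: The date in the Notes line "jmm> Submitted for 2.6.32.x on 2010-01-10." looks like a year typo. The same file records the upstream fix as released in 2.6.36-rc6 and the identifier is CVE-2010-3437, so a stable submission in January 2010 would predate both. With this commit dated March 2011, 2011-01-10 is probably what was meant, and the year should be corrected before the entry is archived under retired/. Two smaller points in the same hunk: the Notes say "only an info disclosure" while the quoted Description also lists a crash from an invalid pointer dereference, so the note should either mention the denial of service or say why it is discounted. The quoted Description also has an empty "> " line between "provided directly by the" and "user and is a signed integer", which splits a sentence and can be dropped.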