From 6d2951db2dccc8cfc72d9a6f815192a43bec1568 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 5 Nov 2017 17:42:22 +0000 Subject: Ignore CVE-2017-1000112 for 3.2, and retire it git-svn-id: svn+ssh://svn.debian.org/svn/kernel-sec@5697 e094ebfe-e918-0410-adfb-c712417f3574 --- retired/CVE-2017-1000112 | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 retired/CVE-2017-1000112 (limited to 'retired/CVE-2017-1000112') diff --git a/retired/CVE-2017-1000112 b/retired/CVE-2017-1000112 new file mode 100644 index 00000000..b926309c --- /dev/null +++ b/retired/CVE-2017-1000112 @@ -0,0 +1,18 @@ +Description: Exploitable memory corruption due to UFO to non-UFO path switch +References: + http://www.openwall.com/lists/oss-security/2017/08/10/5 +Notes: + carnil> Introduced in e89e9cf539a28df7d0eb1d0a545368e9920b34ac + bwh> Exploitation is possible by unprivileged users after commit 40ba330227ad + bwh> "udp: disallow UFO for sockets with SO_NO_CHECK option", or with + bwh> CAP_NET_ADMIN (in any namespace). This is low severity for 3.2 and also + bwh> will be hard to fix there without revisiting CVE-2013-4470. +Bugs: +upstream: released (4.13-rc5) [85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa] +4.9-upstream-stable: released (4.9.43) [33dc6a6a85f1d6ce71e7056d009b8a5fcbf10f70] +3.16-upstream-stable: released (3.16.47) [08676246d893e3a42a541a2ef1291f2ea62c5b06] +3.2-upstream-stable: ignored "Low severity and difficult to backport" +sid: released (4.12.6-1) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch] +4.9-stretch-security: released (4.9.30-2+deb9u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch] +3.16-jessie-security: released (3.16.43-2+deb8u4) [bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch] +3.2-wheezy-security: ignored "Low severity and difficult to backport" -- cgit v1.2.3
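Review bot: In the Notes block of retired/CVE-2017-1000112, the bwh> lines call this "low severity for 3.2" without saying whether the 3.2 branch carries commit 40ba330227ad, which is the condition the same note gives for exploitation by unprivileged users. Please state that explicitly, and say which of the two listed vectors (unprivileged after 40ba330227ad, or CAP_NET_ADMIN in any namespace) actually applies to 3.2, so that the two `ignored "Low severity and difficult to backport"` entries for 3.2-upstream-stable and 3.2-wheezy-security can be checked against the note by someone reading only this file. A smaller point in the same block: 40ba330227ad is cited by abbreviated hash while carnil's "Introduced in" line and the released entries use full commit ids; the full id would be consistent and unambiguous. The "hard to fix there without revisiting CVE-2013-4470" remark would also benefit from one more line saying what the dependency is, since that is the stated reason for not backporting.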