From d98b5dfcad9328b959c258b480dec33c85c7e108 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 25 Apr 2019 16:36:00 +0100 Subject: Fill in status of CVE-2018-20449 and retire it --- retired/CVE-2018-20449 | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 retired/CVE-2018-20449 (limited to 'retired/CVE-2018-20449') diff --git a/retired/CVE-2018-20449 b/retired/CVE-2018-20449 new file mode 100644 index 000000000..9f0f8b532 --- /dev/null +++ b/retired/CVE-2018-20449 @@ -0,0 +1,21 @@ +Description: information leak by reading "callback=" lines in a debugfs file +References: + https://lists.debian.org/debian-security-tracker/2019/01/msg00029.html +Notes: + carnil> Not very convinced about the report as it only was throwed in + carnil> earlier this year on the debian security-tracker mailinglist. + carnil> Was it reported upstream? hidma_dbg.c introduced with + carnil> 570d0176296f0d17c4b5ab206ad4a4bc027b863b in 4.7-rc1. + canril> Issue mitigated with commit + canril> ad67b74d2469d9b82aaa572d76474c95bc484d57 ("printk: hash + canril> addresses printed with %p"). + bwh> I consider hashing pointers to be a complete fix. Additionally + bwh> debugfs is only accessible to root by default. +Bugs: +upstream: released (4.15-rc2) [ad67b74d2469d9b82aaa572d76474c95bc484d57] +4.19-upstream-stable: N/A "Fixed before branch point" +4.9-upstream-stable: ignored "Minor issue" +3.16-upstream-stable: N/A "Vulnerable code introduced later" +sid: released (4.15.4-1) +4.9-stretch-security: ignored "Minor issue" +3.16-jessie-security: N/A "Vulnerable code introduced later" -- cgit v1.2.3
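Review bot: three of the Notes lines are prefixed `canril>` while the two lines before them use `carnil>`; the tracker attributes notes by that prefix, so the lines from `canril> Issue mitigated with commit` through `canril> addresses printed with %p").` should be corrected to `carnil>` before the entry is retired. The Notes also leave carnil's question `Was it reported upstream?` unanswered, `Bugs:` is empty, and the only reference is the debian-security-tracker list thread; a one-line note stating whether an upstream report exists would make the `ignored "Minor issue"` decisions for 4.9-upstream-stable and 4.9-stretch-security self-explanatory to later readers. The version triage itself is consistent with the notes as written: hidma_dbg.c is stated to have arrived in 4.7-rc1 and the hashing change in 4.15-rc2, so `N/A "Vulnerable code introduced later"` for 3.16 and `N/A "Fixed before branch point"` for 4.19 follow from those two commits.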