Candidate: CVE-2004-2731 References: http://www.securityfocus.com/bid/10632 http://securitytracker.com/id?1010617 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=996bad4803a2ebfebe7b27a431fbcae591f7d199 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=a545dd4118eba7242bb390a76b2a1bb3dce0430e http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=6ab2cfa4f0a04c11932af701b5437879dd14d8bb http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=090a4d5713b462e039e2896ac8092769c42ea742 Description: Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c) for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly later versions, allow local users to execute arbitrary code by specifying (1) a small buffer size to the copyin_string function or (2) a negative buffer size to the copyin function. Ubuntu-Description: Notes: dannf> This appears to have been fixed in 2.5, but 2.4 is still dannf> vulnerable to the second part. I've sent patches to dannf> willy/davem for 2.4 consideration dannf> dannf> Patches have been accepted, see References section Bugs: upstream: released (2.5.33), released (2.4.35.4) linux-2.6: N/A 2.6.18-etch-security: N/A 2.6.8-sarge-security: N/A 2.4.27-sarge-security: released (2.4.27-10sarge6) [249_openpromfs-signedness-bug.diff, 250_openpromfs-checks-1.diff, 251_openpromfs-checks-2.diff, 252_openpromfs-checks-3.diff] 2.6.15-dapper-security: N/A 2.6.17-edgy-security: N/A 2.6.20-feisty-security: N/A 2.6.22-gutsy-security: N/A