Candidate: CVE-2006-6106
References:
 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f4777569204cb59f2f04fbe9ef4e9a6918209104
Description: 
 Multiple buffer overflows in the cmtp_recv_interopmsg function in the
 Bluetooth driver (net/bluetooth/cmtp/capi.c) in the Linux kernel
 2.4.22 up to 2.4.33.4 and 2.6.2 before 2.6.18.6, and 2.6.19.x, allow
 remote attackers to cause a denial of service (crash) and possibly
 execute arbitrary code via CAPI messages with a large value for the
 length of the (1) manu (manufacturer) or (2) serial (serial number)
 field.
Ubuntu-Description: 
 Marcel Holtman discovered several buffer overflows in the Bluetooth
 driver. By sending Bluetooth packets with specially crafted CAPI
 messages, a remote attacker could exploit these to crash the kernel.
Notes: 
Bugs: 
upstream: released (2.4.33.5), released (2.6.18.6)
linux-2.6: released (2.6.18.dfsg.1-9) [2.6.18.6]
2.6.18-etch-security: released (2.6.18.dfsg.1-9) [2.6.18.6]
2.6.8-sarge-security: released (2.6.8-16sarge7) [bluetooth-capi-size-checks.dpatch]
2.4.27-sarge-security: released (2.4.27-10sarge6) [241_bluetooth-capi-size-checks.diff]
2.6.12-breezy-security: released (2.6.12-10.43)
2.6.15-dapper-security: released (2.6.15-28.51)
2.6.17-edgy-security: released (2.6.17.1-11.35)