Candidate: CVE-2007-3105
References:
Description:
 Stack-based buffer overflow in the random number generator (RNG)
 implementation in the Linux kernel before 2.6.22 might allow local root
 users to cause a denial of service or gain privileges by setting the
 default wakeup threshold to a value greater than the output pool size,
 which triggers writing random numbers to the stack by the pool transfer
 function involving "bound check ordering". NOTE: this issue might only
 cross privilege boundaries in environments that have granular assignment
 of privileges for root.
Ubuntu-Description:
 A buffer overflow was discovered in the random number generator. In
 environments with granular assignment of root privileges, a local attacker
 could gain additional privileges.
Notes:
 jmm> Vulnerable code not present in 2.4.27
 jmm> 2.6.8 is affected, but since we don't have full SE Linux support in
 jmm> Sarge, I don't believe this is an issue, which needs to be fixed
Bugs:
upstream: released (2.6.21, 2.6.22.3)
linux-2.6: released (2.6.21-1)
2.6.18-etch-security: released (2.6.18.dfsg.1-13etch2) [bugfix/random-bound-check-ordering.patch]
2.6.8-sarge-security: released (2.6.8-17sarge2) [random-bound-check-ordering.dpatch]
2.4.27-sarge-security: N/A
2.6.15-dapper-security: released (2.6.15-29.58)
2.6.17-edgy-security: released (2.6.17.1-12.40) [f22710043b7d89b496f7910e9c87ed62519dff14]
2.6.20-feisty-security: released (2.6.20-16.31) [542a98d0809f0eccc5cf23ed402285e995e0b31e]