Candidate: CVE-2007-3851
References:
 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=21f16289270447673a7263ccc0b22d562fb01ecb
Description:
 The drm/i915 component in the Linux kernel before 2.6.22.2, when used with i965G and later chipsets, allows local users with access to an X11 session and Direct Rendering Manager (DRM) to write to arbitrary memory locations and gain privileges via a crafted batchbuffer.
Ubuntu-Description:
 The Direct Rendering Manager for the i915 driver could be made to write to arbitrary memory locations. An attacker with access to a running X11 session could send a specially crafted buffer and gain root privileges.
Notes:
 jmm> Code was introduced after 2.6.18, but backported to Etch
Bugs:
upstream: released (2.6.22.2)
linux-2.6: released (2.6.22-4)
2.6.18-etch-security: released (2.6.18.dfsg.1-13etch1) [bugfix/i965-secure-batchbuffer.patch]
2.6.8-sarge-security: N/A
2.4.27-sarge-security: N/A
2.6.15-dapper-security: N/A
2.6.17-edgy-security: released (2.6.17.1-12.40) [cc8e06db0f30d589b1bc6d164fadb28631f638b1]
2.6.20-feisty-security: released (2.6.20-16.31) [d475e30926c7d8337bc3008f42cae01da740ee12]