Candidate: CVE-2009-3547
Description:
 A NULL pointer dereference flaw was found in each of the following functions in the Linux kernel: pipe_read_open(), pipe_write_open(), and pipe_rdwr_open(). When the mutex lock is not held, the i_pipe pointer could be released by other processes before it is used to update the pipe's reader and writer counters. This could lead to a local denial of service or privilege escalation.
References:
 http://www.openwall.com/lists/oss-security/2009/11/03/1
Notes:
 Brad Spengler *claims* to have already developed a working exploit. Since his previous work has been effective, it is probably true. Hence, this should be treated with high urgency.
 - May not be exploitable on Debian due to mmap_min_addr protections?
 jmm> ad3960243e55320d74195fb85c975e0a8cc4466c
Bugs:
upstream: released (2.6.32-rc6) [ad396024]
linux-2.6: released (2.6.31-2)
2.6.18-etch-security: released (2.6.18.dfsg.1-26etch1) [bugfix/all/fs-pipe-null-pointer-dereference.patch]
2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/fs-pipe-null-pointer-dereference.patch]
2.6.26-lenny-security: released (2.6.26-19lenny2) [bugfix/all/fs-pipe-null-pointer-dereference.patch]
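Added illustration (not part of the tracker entry and not the kernel's fs/pipe.c): a user-space model of the defect class described above, where an open path must re-validate the i_pipe pointer under the lock instead of assuming it is still live, beside the hardened shape that fails the open with -ENOENT when the pipe has already been released. The struct names, the spinlock standing in for i_mutex, and the fixture are simplifications chosen for this example.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Simplified stand-ins for the kernel structures, not the real fs/pipe.c. */
struct pipe_inode_info { int readers; int writers; };
struct inode {
    atomic_flag i_mutex;              /* models inode->i_mutex */
    struct pipe_inode_info *i_pipe;   /* NULL once the pipe has been released */
};
static void inode_lock(struct inode *in)   { while (atomic_flag_test_and_set(&in->i_mutex)) ; }
static void inode_unlock(struct inode *in) { atomic_flag_clear(&in->i_mutex); }

/* Vulnerable shape: takes the lock, then dereferences i_pipe without checking it. */
static int pipe_read_open_vuln(struct inode *inode)
{
    inode_lock(inode);
    inode->i_pipe->readers++;     /* NULL deref if the pipe was released first */
    inode_unlock(inode);
    return 0;
}

/* Hardened shape: re-check i_pipe while holding the lock and return -ENOENT
 * if the pipe is gone, so the counters are never touched via a stale pointer. */
static int pipe_read_open_fixed(struct inode *inode)
{
    int ret = -ENOENT;
    inode_lock(inode);
    if (inode->i_pipe) {
        inode->i_pipe->readers++;
        ret = 0;
    }
    inode_unlock(inode);
    return ret;
}

/* Release path: frees the pipe and clears the pointer under the same lock. */
static void free_pipe_info(struct inode *inode)
{
    inode_lock(inode);
    free(inode->i_pipe);
    inode->i_pipe = NULL;
    inode_unlock(inode);
}

/* Constructed fixture: an inode with a fresh pipe and zero counters. */
static struct inode *inode_with_pipe(void)
{
    struct inode *inode = calloc(1, sizeof *inode);
    atomic_flag_clear(&inode->i_mutex);
    inode->i_pipe = calloc(1, sizeof *inode->i_pipe);
    return inode;
}
```

Once free_pipe_info() has run, only pipe_read_open_fixed() can be called safely; the vulnerable variant would dereference NULL, which is the crash the entry describes.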