Candidate: CVE-2010-3437
Description:
 > ----- "Eugene Teo" wrote:
 > As Dan Rosenberg explained in the patch commit: The PKT_CTRL_CMD_STATUS
 > device ioctl retrieves a pointer to a pktcdvd_device from the global
 > pkt_devs array. The index into this array is provided directly by the
 > user and is a signed integer, so the comparison to ensure that it falls
 > within the bounds of this array will fail when provided with a
 > negative index.
 >
 > This can be used to read arbitrary kernel memory or cause a crash due to
 > an invalid pointer dereference. This can be exploited by users with
 > permission to open /dev/pktcdvd/control (on many distributions, this is
 > readable by group "cdrom").
References:
 https://bugzilla.redhat.com/show_bug.cgi?id=638085
Notes:
 exploit: http://jon.oberheide.org/files/cve-2010-3437.c
 only an info disclosure, but seems to be able to dump any/all kernel memory
 jmm> Submitted for 2.6.32.x on 2010-01-10.
Bugs:
upstream: released (2.6.36-rc6) [252a52aa4fa22a668f019e55b3aac3ff71ec1c29]
2.6.32-upstream-stable: released (2.6.32.30)
linux-2.6: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
2.6.26-lenny-security: released (2.6.26-26lenny1) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
2.6.32-squeeze-security: released (2.6.32-25) [bugfix/all/fix-pktcdvd-ioctl-dev_minor-range-check.patch]
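The signed-index range check described above, modelled in user space as an added example (this is not the pktcdvd driver's code nor the Debian patch); the table size MAX_WRITERS, the stand-in struct and the lookup helper name are constructed assumptions. It shows why a plain `>=` on a signed index admits negative values and how comparing the value as unsigned rejects them:

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_WRITERS 8   /* assumed table size; stands in for the driver's constant */

struct pktcdvd_device { int minor; };          /* constructed stand-in */

static struct pktcdvd_device backing[MAX_WRITERS];
static struct pktcdvd_device *pkt_devs[MAX_WRITERS];

/* Populate the table so valid lookups return a real pointer. */
void init_devs(void)
{
    for (int i = 0; i < MAX_WRITERS; i++) {
        backing[i].minor = i;
        pkt_devs[i] = &backing[i];
    }
}

/* Vulnerable check: signed compare, so any negative dev_minor passes. */
bool vulnerable_index_ok(int dev_minor)
{
    return !(dev_minor >= MAX_WRITERS);
}

/* Fixed check: viewed as unsigned, a negative value is huge and is rejected. */
bool fixed_index_ok(int dev_minor)
{
    return !((unsigned int)dev_minor >= MAX_WRITERS);
}

/* Lookup using the fixed check; never indexes outside pkt_devs. */
struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
{
    if (!fixed_index_ok(dev_minor))
        return NULL;
    return pkt_devs[dev_minor];
}

int main(void)
{
    init_devs();
    int probes[] = { -1, 0, MAX_WRITERS - 1, MAX_WRITERS, INT_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%11d  vulnerable:%d  fixed:%d\n", probes[i],
               vulnerable_index_ok(probes[i]), fixed_index_ok(probes[i]));
    return 0;
}
```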