blob: ec1da937616f17e4282d5b9aff540224654e65d5 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
Candidate: CVE-2004-2607
References:
http://www.uwsg.iu.edu/hypermail/linux/kernel/0404.2/0313.html
http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=98cd917c1ac348d5cd94beabecc3011dcaa0a0f2
Description:
A numeric casting discrepancy in sdla_xfer in Linux kernel 2.6.x up to
2.6.5 and 2.4 up to 2.4.29-rc1 allows local users to read portions of
kernel memory via a large len argument, which is received as an int but
cast to a short, which prevents a read loop from filling a buffer.
Notes:
jmm> The referenced patch was applied by Jeff Garzik on 2004-04-16,
jmm> 2.6.6 was released on 2004-05-09, so Sarge seems not affected, should
jmm> be double-checked against the source though, but my bandwidth is currently
jmm> too slim to download 2.6.8
jmm>
jmm> The fix below is for a completely different issue, I've split it out
horms> Fix was included in 2.6.6. Checked source and 2.6.8 is not vulnerable
horms> 2.4.27 is vulnerable, added fix to SVN. Woody is likely vulnerable
Bugs:
upstream: released (2.4.33-pre2), released (2.6.6)
linux-2.6: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: released (2.4.27-10sarge2) [200_net_sdla_xfer_leak.diff]
2.4.19-woody-security:
2.4.18-woody-security:
2.4.17-woody-security:
2.4.16-woody-security:
2.4.17-woody-security-hppa:
2.4.17-woody-security-ia64:
2.4.18-woody-security-hppa:
|