path: root/retired/CVE-2004-2731
blob: 1de93562edda0880097bc68c5f037d3afc388a27
Candidate: CVE-2004-2731
References: 
 http://www.securityfocus.com/bid/10632
 http://securitytracker.com/id?1010617
 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=996bad4803a2ebfebe7b27a431fbcae591f7d199
 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=a545dd4118eba7242bb390a76b2a1bb3dce0430e
 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=6ab2cfa4f0a04c11932af701b5437879dd14d8bb
 http://git.kernel.org/?p=linux/kernel/git/wtarreau/linux-2.4.git;a=commit;h=090a4d5713b462e039e2896ac8092769c42ea742
Description: 
 Multiple integer overflows in Sbus PROM driver (drivers/sbus/char/openprom.c)
 for the Linux kernel 2.4.x up to 2.4.27, 2.6.x up to 2.6.7, and possibly
 later versions, allow local users to execute arbitrary code by specifying (1)
 a small buffer size to the copyin_string function or (2) a negative buffer
 size to the copyin function.
Ubuntu-Description: 
Notes: 
 dannf> This appears to have been fixed in 2.5, but 2.4 is still
 dannf> vulnerable to the second part. I've sent patches to
 dannf> willy/davem for 2.4 consideration
 dannf>
 dannf> Patches have been accepted, see References section
Bugs: 
upstream: released (2.5.33), released (2.4.35.4)
linux-2.6: N/A
2.6.18-etch-security: N/A
2.6.8-sarge-security: N/A
2.4.27-sarge-security: released (2.4.27-10sarge6) [249_openpromfs-signedness-bug.diff, 250_openpromfs-checks-1.diff, 251_openpromfs-checks-2.diff, 252_openpromfs-checks-3.diff]
2.6.15-dapper-security: N/A
2.6.17-edgy-security: N/A
2.6.20-feisty-security: N/A
2.6.22-gutsy-security: N/A
