Your message dated Fri, 8 Dec 2006 23:10:09 +0100
with message-id <[EMAIL PROTECTED]>
and subject line This is not a vulnerability
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: kernel-source-2.6.8
Version: 2.6.8-16sarge5
Severity: critical
Justification: root security hole
Noticed:
Intel LAN Driver Buffer Overflow Local Privilege Escalation
http://support.intel.com/support/network/sb/CS-023726.htm
The Intel blurb says Linux, and specifically Debian, is affected also:
Product Family             OS      Affected Driver Versions  Corrected Driver Versions
Intel PRO 10/100 Adapters  Linux*  3.5.14 or previous        3.5.17 or later
Intel PRO/1000 Adapters    Linux   7.2.7 or previous         7.3.15 or later
and it seems that:
kernel-source-2.6.8/drivers/net/e100.c
    #define DRV_NAME "e100"
    #define DRV_VERSION "3.0.18"
    #define DRV_DESCRIPTION "Intel(R) PRO/100 Network Driver"
    #define DRV_COPYRIGHT "Copyright(c) 1999-2004 Intel Corporation"
kernel-source-2.6.8/drivers/net/e1000/e1000_main.c
    char e1000_driver_name[] = "e1000";
    char e1000_driver_string[] = "Intel(R) PRO/1000 Network Driver";
    char e1000_driver_version[] = "5.2.52-k4";
    char e1000_copyright[] = "Copyright (c) 1999-2004 Intel Corporation.";
are quite old (so seem to be affected).
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.6
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages kernel-source-2.6.8 depends on:
ii binutils 2.15-6 The GNU assembler, linker and bina
ii bzip2 1.0.2-7 high-quality block-sorting file co
ii coreutils [fileutils] 5.2.1-2 The GNU core utilities
ii fileutils 5.2.1-2 The GNU file management utilities
--- End Message ---
--- Begin Message ---
This vulnerability does not affect GNU/Linux. The security information
vendor providing this information refers to git commit
0eb5a34cdf34ad07b6db2df1e523aaf6574601b4
However, the overflow cannot be triggered by unprivileged users, so
the whole issue is bogus. This information is confirmed by Intel people.
Cheers,
Moritz
--- End Message ---