On Fri, Oct 07, 2005 at 12:21:38AM -0600, dann frazier wrote:
> In order to hopefully help kickstart the security update process, I've
> drafted some DSA text for our sarge/2.6.8 kernels (attached). Thanks to
> Micah, we have CAN IDs assigned for a number of things we just had
> marked as security. I tried to map all of the patches to CANs, but
> these are the ones remaining. Does anyone know if there is a CAN ID for
> any of the following?
>
> arch-ia64-ptrace-getregs-putregs.dpatch
> arch-x86_64-kernel-smp-boot-race.dpatch
> fs-exec-posix-timers-leak-1.dpatch
> fs-exec-posix-timers-leak-2.dpatch
> net-bridge-forwarding-poison-1.dpatch
> net-bridge-forwarding-poison-2.dpatch
> net-bridge-mangle-oops-1.dpatch
> net-bridge-mangle-oops-2.dpatch
> net-bridge-netfilter-etables-smp-race.dpatch
CAN-2005-3110 ? That is the only one I have added in 2.6.8-16sarge2 (svn)
as a changelog annotation for 2.6.8-16sarge1 that you don't already have
below.

> net-ipv4-ipvs-conn_tab-race.dpatch
> net-netlink-autobind-return.dpatch
> net-rose-ndigis-verify.dpatch
> netfilter-NAT-memory-corruption.dpatch
> netfilter-ip_conntrack_untracked-refcount.dpatch
> ppc32-time_offset-misuse.dpatch
> sound-usb-usbaudio-unplug-oops.dpatch
> sys_get_thread_area-leak.dpatch
>
> --
> dann frazier <[EMAIL PROTECTED]>
>
> Packages        : kernel-source-2.6.8
>                   kernel-image-2.6.8-alpha
>                   kernel-image-2.6.8-amd64
>                   kernel-image-2.6.8-hppa
>                   kernel-image-2.6.8-i386
>                   kernel-image-2.6.8-ia64
>                   kernel-image-2.6.8-m68k
>                   kernel-image-2.6.8-s390
>                   kernel-image-2.6.8-sparc
>                   kernel-patch-2.6.8-powerpc
> Vulnerability   : multiple
> Problem type    : remote, local, DoS
> Debian-specific : no
> CVE Id(s)       : CAN-2005-3105 CAN-2005-1763 CAN-2005-1762 CAN-2005-0756
>                   CAN-2005-3108 CAN-2005-3106 CAN-2005-3107 CAN-2005-3109
>                   CAN-2005-1265 CAN-2005-0757 CAN-2005-1765 CAN-2005-1761
>                   CAN-2005-2548 CAN-2004-2302 CAN-2005-1767 CAN-2005-2458
>                   CAN-2005-2459 CAN-2005-2456 CAN-2005-2872 CAN-2005-2801
>
> Multiple security vulnerabilities have been identified in the Linux kernel.
> These vulnerabilities could allow an attacker to execute arbitrary code or
> initiate a denial of service (DoS) attack.
>
>
> CAN-2005-3105
>
> The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
> processors does not properly maintain cache coherency as required by
> the architecture, which allows local users to cause a denial of service
> and possibly corrupt data by modifying PTE protections.
>
> CAN-2005-1763
>
> Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures
> allows local users to write bytes into kernel memory.
>
> CAN-2005-1762
>
> The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
> platform allows local users to cause a denial of service (kernel crash)
> via a "non-canonical" address.
>
> CAN-2005-0756
>
> ptrace 2.6.8.1 does not properly verify addresses on the amd64
> platform, which allows local users to cause a denial of service (kernel
> crash).
>
> CAN-2005-3108
>
> mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
> cause a denial of service or an information leak via an ioremap on a
> certain memory map that causes the iounmap to perform a lookup of a
> page that does not exist.
>
> CAN-2005-3106
>
> Race condition in Linux 2.6, when threads are sharing memory mapping
> via CLONE_VM (such as linuxthreads and vfork), might allow local users
> to cause a denial of service (deadlock) by triggering a core dump while
> waiting for a thread that has just performed an exec.
>
> CAN-2005-3107
>
> fs/exec.c in Linux 2.6, when one thread is tracing another thread that
> shares the same memory map, might allow local users to cause a denial
> of service (deadlock) by forcing a core dump when the traced thread is
> in the TASK_TRACED state.
>
> CAN-2005-3109
>
> The HFS and HFS+ (hfsplus) modules in Linux 2.6 allow attackers to
> cause a denial of service (oops) by using hfsplus to mount a filesystem
> that is not hfsplus.
>
> CAN-2005-1265
>
> The mmap function in the Linux Kernel 2.6.10 can be used to create
> memory maps with a start address beyond the end address, which allows
> local users to cause a denial of service (kernel crash).
>
> CAN-2005-0757
>
> The xattr file system code, as backported in Red Hat Enterprise Linux 3
> on 64-bit systems, does not properly handle certain offsets, which
> allows local users to cause a denial of service (system crash) via
> certain actions on an ext3 file system with extended attributes
> enabled.
>
> CAN-2005-1765
>
> syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform,
> when running in 32-bit compatibility mode, allows local users to cause
> a denial of service (kernel hang) via crafted arguments.
>
> CAN-2005-1761
>
> Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users to
> cause a denial of service (kernel crash) via ptrace and the
> restore_sigcontext function.
>
> CAN-2005-2548
>
> vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
> denial of service (kernel oops from null dereference) via certain UDP
> packets that lead to a function call with the wrong argument, as
> demonstrated using snmpwalk on snmpd.
>
> CAN-2004-2302
>
> Race condition in the sysfs_read_file and sysfs_write_file functions in
> Linux kernel before 2.6.10 allows local users to read kernel memory and
> cause a denial of service (crash) via large offsets in sysfs files.
>
> CAN-2005-1767
>
> traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment
> faults on an exception stack, which allows local users to cause a
> denial of service (oops and stack fault exception).
>
> CAN-2005-2458
>
> inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
> allows remote attackers to cause a denial of service (kernel crash) via
> a compressed file with "improper tables".
>
> CAN-2005-2459
>
> The huft_build function in inflate.c in the zlib routines in the Linux
> kernel before 2.6.12.5 returns the wrong value, which allows remote
> attackers to cause a denial of service (kernel crash) via a certain
> compressed file that leads to a null pointer dereference, a different
> vulnerability than CAN-2005-2458.
>
> CAN-2005-2456
>
> Array index overflow in the xfrm_sk_policy_insert function in
> xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of
> service (oops or deadlock) and possibly execute arbitrary code via a
> p->dir value that is larger than XFRM_POLICY_OUT, which is used as an
> index in the sock->sk_policy array.
>
> CAN-2005-2872
>
> The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
> 2.6.12, when running on 64-bit processors such as AMD64, allows remote
> attackers to cause a denial of service (kernel panic) via certain
> attacks such as SSH brute force, which leads to memset calls using a
> length based on the u_int32_t type, acting on an array of unsigned long
> elements, a different vulnerability than CAN-2005-2873.
>
> CAN-2005-2801
>
> xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does
> not properly compare the name_index fields when sharing xattr blocks,
> which could prevent default ACLs from being applied.

-- 
Horms