[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#296899: marked as done (CAN-2005-0531: Buffer overflow in atm_get_addr)



Your message dated Thu, 17 Mar 2005 12:02:03 +0100
with message-id <200503171202.04172.sfritsch@ph.tum.de>
and subject line vulnerabilites fixed in kernel-source-2.6.8 (2.6.8-14)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Feb 2005 14:16:59 +0000
>From sf@sfritsch.de Fri Feb 25 06:16:59 2005
Return-path: <sf@sfritsch.de>
Received: from mail-out.m-online.net [212.18.0.9] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D4gH5-0003Oc-00; Fri, 25 Feb 2005 06:16:59 -0800
Received: from mail.m-online.net (svr20.m-online.net [192.168.3.148])
	by mail-out.m-online.net (Postfix) with ESMTP id 2E53C5BA2
	for <submit@bugs.debian.org>; Fri, 25 Feb 2005 15:16:58 +0100 (CET)
Received: from k.local (ppp-82-135-14-157.mnet-online.de [82.135.14.157])
	by mail.m-online.net (Postfix) with ESMTP id 1D8B256E77
	for <submit@bugs.debian.org>; Fri, 25 Feb 2005 15:16:58 +0100 (CET)
Received: from stf by k.local with local (Exim 4.44)
	id 1D4gH4-0005ay-8m
	for submit@bugs.debian.org; Fri, 25 Feb 2005 15:16:58 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-0531: Buffer overflow in atm_get_addr
X-Mailer: reportbug 3.8
Date: Fri, 25 Feb 2005 15:16:58 +0100
Message-Id: <E1D4gH4-0005ay-8m@k.local>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: kernel-source-2.6.8
Version: 2.6.8-13
Severity: critical
Tags: security
Justification: root security hole

Cite:
"The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4
may allow local users to trigger a buffer overflow via negative arguments."

The offending code is also in 2.6.8 and 2.4.27.

Fix:
http://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3A

Advisory:
http://marc.theaimsgroup.com/?l=full-disclosure&m=110846727602817&w=2

Please fix also 2.6.9 and 2.6.10

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

---------------------------------------
Received: (at 296899-done) by bugs.debian.org; 17 Mar 2005 11:02:40 +0000
>From sfritsch@ph.tum.de Thu Mar 17 03:02:40 2005
Return-path: <sfritsch@ph.tum.de>
Received: from neo.t30.physik.tu-muenchen.de [129.187.137.8] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DBslz-00012r-00; Thu, 17 Mar 2005 03:02:39 -0800
Received: from neo.t30.physik.tu-muenchen.de ([129.187.137.8] helo=localhost)
	by neo.t30.physik.tu-muenchen.de with esmtp (Exim 3.35 #1 (Debian))
	id 1DBslR-0004Ww-00; Thu, 17 Mar 2005 12:02:05 +0100
From: Stefan Fritsch <sfritsch@ph.tum.de>
To: Andres Salomon <dilinger@voxel.net>
Subject: vulnerabilites fixed in kernel-source-2.6.8 (2.6.8-14)
Date: Thu, 17 Mar 2005 12:02:03 +0100
User-Agent: KMail/1.7.2
Cc: 299865-done@bugs.debian.org,
 296900-done@bugs.debian.org,
 296901-done@bugs.debian.org,
 296897-done@bugs.debian.org,
 296899-done@bugs.debian.org
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200503171202.04172.sfritsch@ph.tum.de>
Delivered-To: 296899-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.5 required=4.0 tests=BAYES_00,SUSPICIOUS_RECIPS 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Hi!

Some of the fixes in 2.6.8-14 are missing CAN- and bug numbers. Maybe 
you can add the CAN-numbers to the changelog?

Cheers,
Stefan
==============================
  * 2.6.11.2 [SECURITY] epoll: return proper error on overflow 
condition
    (Maximilian Attems)
    
#299865: CAN-2005-0736: Boundary condition error in sys_epoll_wait 



  * [SECURITY] 115-proc_file_read_nbytes_signedness_fix.dpatch
    Heap overflow fix in /proc; WDYBTGT3-1 on
    http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
    No CAN# assigned yet, afaik (Andres Salomon).

#296900: CAN-2005-0529: Buffer overflow in proc_file_read 



  * [SECURITY] 116-n_tty_copy_from_read_buf_signedness_fixes.dpatch
    copy_from_read_buf() fix; WDYBTGT3-2 on
    http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
    No CAN#, yet (Andres Salomon).

#296901: CAN-2005-0530: information disclosure because of signedness 
error in copy_from_read_buf 



  * [SECURITY] 117-reiserfs_file_64bit_size_t_fixes.dpatch
    reiserfs integer fixes; WDYBTGT3-4 on
    http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
    (Andres Salomon).

#296897: CAN-2005-0532: Buffer overflow in reiserfs_copy_from_user... 
on 64bit arches 



  * [SECURITY] 123-atm_get_addr_signedness_fix.dpatch
    Fix atm_get_addr()'s usage of its size arg, by making it
    unsigned.  WDYBTGT3-3 on
    http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html
    (Andres Salomon).

#296899: CAN-2005-0531: Buffer overflow in atm_get_addr 



Reply to: