drafting a DSA for 2.6.8

To: debian-kernel@lists.debian.org
Cc: micah@debian.org
Subject: drafting a DSA for 2.6.8
From: dann frazier <dannf@dannf.org>
Date: Fri, 07 Oct 2005 00:21:38 -0600
Message-id: <1128666098.20670.9.camel@localhost>

In order to hopefully help kickstart the security update process, I've
drafted some DSA text for our sarge/2.6.8 kernels (attached).  Thanks to
Micah, we have CAN IDs assigned for a number of things we just had
marked as security.  I tried to map all of the patches to CANs, but
these are the ones remaining.  Does anyone know if there is a CAN ID for
any of the following?

arch-ia64-ptrace-getregs-putregs.dpatch
arch-x86_64-kernel-smp-boot-race.dpatch
fs-exec-posix-timers-leak-1.dpatch
fs-exec-posix-timers-leak-2.dpatch
net-bridge-forwarding-poison-1.dpatch
net-bridge-forwarding-poison-2.dpatch
net-bridge-mangle-oops-1.dpatch
net-bridge-mangle-oops-2.dpatch
net-bridge-netfilter-etables-smp-race.dpatch
net-ipv4-ipvs-conn_tab-race.dpatch
net-netlink-autobind-return.dpatch
net-rose-ndigis-verify.dpatch
netfilter-NAT-memory-corruption.dpatch
netfilter-ip_conntrack_untracked-refcount.dpatch
ppc32-time_offset-misuse.dpatch
sound-usb-usbaudio-unplug-oops.dpatch
sys_get_thread_area-leak.dpatch

-- 
dann frazier <dannf@dannf.org>

Packages       : kernel-source-2.6.8
		 kernel-image-2.6.8-alpha
		 kernel-image-2.6.8-amd64
		 kernel-image-2.6.8-hppa
		 kernel-image-2.6.8-i386
		 kernel-image-2.6.8-ia64
		 kernel-image-2.6.8-m68k
		 kernel-image-2.6.8-s390
		 kernel-image-2.6.8-sparc
		 kernel-patch-2.6.8-powerpc
Vulnerability  : multiple
Problem type   : remote, local, DoS
Debian-specific: no
CVE Id(s)      : CAN-2005-3105 CAN-2005-1763 CAN-2005-1762 CAN-2005-0756
		 CAN-2005-3108 CAN-2005-3106 CAN-2005-3107 CAN-2005-3109
		 CAN-2005-1265 CAN-2005-0757 CAN-2005-1765 CAN-2005-1761
		 CAN-2005-2548 CAN-2004-2302 CAN-2005-1767 CAN-2005-2458
		 CAN-2005-2459 CAN-2005-2456 CAN-2005-2872 CAN-2005-2801

Multiple security vulnerabilities have been identified in the Linux kernel.
These vulnerabilities could allow an attacker to execute arbitrary code or
initiate a denial of service (DoS) attack.


CAN-2005-3105

	The mprotect code (mprotect.c) in Linux 2.6 on Itanium IA64 Montecito
	processors does not properly maintain cache coherency as required by
	the architecture, which allows local users to cause a denial of service
	and possibly corrupt data by modifying PTE protections.

CAN-2005-1763

	Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures
	allows local users to write bytes into kernel memory.

CAN-2005-1762

	The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
	platform allows local users to cause a denial of service (kernel crash)
	via a "non-canonical" address.

CAN-2005-0756

	ptrace 2.6.8.1 does not properly verify addresses on the amd64
	platform, which allows local users to cause a denial of service (kernel
	crash)

CAN-2005-3108

	mm/ioremap.c in Linux 2.6 on 64-bit x86 systems allows local users to
	cause a denial of service or an information leak via an iremap on a
	certain memory map that causes the iounmap to perform a lookup of a
	page that does not exist.

CAN-2005-3106

	Race condition in Linux 2.6, when threads are sharing memory mapping
	via CLONE_VM (such as linuxthreads and vfork), might allow local users
	to cause a denial of service (deadlock) by triggering a core dump while
	waiting for a thread that has just performed an exec.

CAN-2005-3107

	fs/exec.c in Linux 2.6, when one thread is tracing another thread that
	shares the same memory map, might allow local users to cause a denial
	of service (deadlock) by forcing a core dump when the traced thread is
	in the TASK_TRACED state.

CAN-2005-3109

	The HFS and HFS+ (hfsplus) modules in Linux 2.6 allows attackers to
	cause a denial of service (oops) by using hfsplus to mount a filesystem
	that is not hfsplus.

CAN-2005-1265

	The mmap function in the Linux Kernel 2.6.10 can be used to create
	memory maps with a start address beyond the end address, which allows
	local users to cause a denial of service (kernel crash).

CAN-2005-0757

	The xattr file system code, as backported in Red Hat Enterprise Linux 3
	on 64-bit systems, does not properly handle certain offsets, which
	allows local users to cause a denial of service (system crash) via
	certain actions on an ext3 file system with extended attributes
	enabled.

CAN-2005-1765

	syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform,
	when running in 32-bit compatibility mode, allows local users to cause
	a denial of service (kernel hang) via crafted arguments.

CAN-2005-1761

	Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users to
	cause a denial of service (kernel crash) via ptrace and the
	restore_sigcontext function.

CAN-2005-2548

	vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a
	denial of service (kernel oops from null dereference) via certain UDP
	packets that lead to a function call with the wrong argument, as
	demonstrated using snmpwalk on snmpd.

CAN-2004-2302

	Race condition in the sysfs_read_file and sysfs_write_file functions in
	Linux kernel before 2.6.10 allows local users to read kernel memory and
	cause a denial of service (crash) via large offsets in sysfs files.

CAN-2005-1767

	traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment
	faults on an exception stack, which allows local users to cause a
	denial of service (oops and stack fault exception).

CAN-2005-2458

	inflate.c in the zlib routines in the Linux kernel before 2.6.12.5
	allows remote attackers to cause a denial of service (kernel crash) via
	a compressed file with "improper tables".

CAN-2005-2459

	The huft_build function in inflate.c in the zlib routines in the Linux
	kernel before 2.6.12.5 returns the wrong value, which allows remote
	attackers to cause a denial of service (kernel crash) via a certain
	compressed file that leads to a null pointer dereference, a different
	vulnerability than CAN-2005-2458.

CAN-2005-2456

	Array index overflow in the xfrm_sk_policy_insert function in
	xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of
	service (oops or deadlock) and possibly execute arbitrary code via a
	p->dir value that is larger than XFRM_POLICY_OUT, which is used as an
	index in the sock->sk_policy array.

CAN-2005-2872

	The ipt_recent kernel module (ipt_recent.c) in Linux kernel before
	2.6.12, when running on 64-bit processors such as AMD64, allows remote
	attackers to cause a denial of service (kernel panic) via certain
	attacks such as SSH brute force, which leads to memset calls using a
	length based on the u_int32_t type, acting on an array of unsigned long
	elements, a different vulnerability than CAN-2005-2873.

CAN-2005-2801

	xattr.c in the ext2 and ext3 file system code for Linux kernel 2.6 does
	not properly compare the name_index fields when sharing xattr blocks,
	which could prevent default ACLs from being applied.

Reply to:

Prev by Date: Bug#330329: linux-2.6: 2.6.12-10 FTBFS on sparc
Next by Date: Bug#333834: linux-2.6: Please enabled "audit" support, selinux is pretty much unuseable otherwise.
Previous by thread: Bug#330329: linux-2.6: 2.6.12-10 FTBFS on sparc
Next by thread: Bug#333834: linux-2.6: Please enabled "audit" support, selinux is pretty much unuseable otherwise.
Index(es):
- Date
- Thread