Bug#481195: marked as done (linux-2.6: CVE-2008-2148 local denial of service)

To: maximilian attems <max@stro.at>
Subject: Bug#481195: marked as done (linux-2.6: CVE-2008-2148 local denial of service)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 14 May 2008 15:21:10 +0000
Message-id: <[🔎] handler.481195.D481195.12107784234532.ackdone@bugs.debian.org>
References: <20080514152017.GF13196@stro.at> <[🔎] 20080514133718.GA16547@ngolde.de>

Your message dated Wed, 14 May 2008 17:20:17 +0200
with message-id <20080514152017.GF13196@stro.at>
and subject line Re: Bug#481195: linux-2.6: CVE-2008-2148 local denial of service
has caused the Debian Bug report #481195,
regarding linux-2.6: CVE-2008-2148 local denial of service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
481195: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481195
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: linux-2.6: CVE-2008-2148 local denial of service
From: Nico Golde <nion@debian.org>
Date: Wed, 14 May 2008 15:37:18 +0200
Message-id: <[🔎] 20080514133718.GA16547@ngolde.de>

Package: linux-2.6
Version: 2.6.22-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.


CVE-2008-2148[0]:
| The utimensat system call in Linux kernel 2.6.22 and other versions
| before 2.6.25.3 does not check file permissions when certain UTIME_NOW
| and UTIME_OMIT combinations are used, which allows local users to
| modify file times of arbitrary files, possibly leading to a denial of
| service.

Upstream patch:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f9dfda1ad0637a89a64d001cf81478bd8d9b6306

Stable is not affected by this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2148
    http://security-tracker.debian.net/tracker/CVE-2008-2148

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpm02f5SlfL8.pgp
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: 481195-done@bugs.debian.org
Subject: Re: Bug#481195: linux-2.6: CVE-2008-2148 local denial of service
From: maximilian attems <max@stro.at>
Date: Wed, 14 May 2008 17:20:17 +0200
Message-id: <20080514152017.GF13196@stro.at>
In-reply-to: <[🔎] 20080514133718.GA16547@ngolde.de>
References: <[🔎] 20080514133718.GA16547@ngolde.de>

Version: 2.6.25-3

On Wed, 14 May 2008, Nico Golde wrote:

> the following CVE (Common Vulnerabilities & Exposures) id was
> published for linux-2.6.
> 
> 
> CVE-2008-2148[0]:
> | The utimensat system call in Linux kernel 2.6.22 and other versions
> | before 2.6.25.3 does not check file permissions when certain UTIME_NOW
> | and UTIME_OMIT combinations are used, which allows local users to
> | modify file times of arbitrary files, possibly leading to a denial of
> | service.
> 
> Upstream patch:
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f9dfda1ad0637a89a64d001cf81478bd8d9b6306
> 
> Stable is not affected by this.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

hmm, post happened after upload ;)

closing with appropriate versioning info + pasting changelog.

---
 linux-2.6 (2.6.25-3) unstable; urgency=low
 .
   [ Bastian Blank ]
   * Add stable release 2.6.25.3:
     - sit: Add missing kfree_skb() on pskb_may_pull() failure.
     - sparc: Fix mmap VA span checking.
     - CRYPTO: eseqiv: Fix off-by-one encryption
     - CRYPTO: authenc: Fix async crypto crash in crypto_authenc_genicv()
     - CRYPTO: cryptd: Correct kzalloc error test
     - CRYPTO: api: Fix scatterwalk_sg_chain
     - x86 PCI: call dmi_check_pciprobe()
     - b43: Fix some TX/RX locking issues
     - kprobes/arm: fix decoding of arithmetic immediate instructions
     - kprobes/arm: fix cache flush address for instruction stub
     - POWERPC: mpc5200: Fix unterminated of_device_id table
     - reiserfs: Unpack tails on quota files
     - sched: fix hrtick_start_fair and CPU-Hotplug
     - vfs: fix permission checking in sys_utimensat
     - md: fix use after free when removing rdev via sysfs
     - mm: fix usemap initialization
     - 2.6.25 regression: powertop says 120K wakeups/sec
 .
   [ maximilian attems ]
   * Redisable old dup prism54 driver.
   * Reenable accidentaly disabled SIS190. (closes: #478773)
   * Add lmkl patch to unbreak HZ userspace aka perl5.10 build fix.
     (closes: #480130)
 .
   [ Martin Michlmayr ]
   * [armel] Disable some SCSI drives (that are disabled on arm) so the
     ramdisk will fit in flash on NSLU2 (closes: #480310).

 
-- 
maks

--- End Message ---

Reply to:

References:
- Bug#481195: linux-2.6: CVE-2008-2148 local denial of service
  - From: Nico Golde <nion@debian.org>

Prev by Date: Bug#480763: marked as done (linux-2.6: disable CONFIG_PRISM54)
Next by Date: Processed: your mail
Previous by thread: Bug#481195: linux-2.6: CVE-2008-2148 local denial of service
Next by thread: Bug#481196: initramfs-tools: please document the behavior of 'break' when 'panic' is passed along with
Index(es):
- Date
- Thread