CVE Request: kernel [Re: Security review of 2.6.32.28]

To: Ben Hutchings <ben@decadent.org.uk>, "Steven M. Christey" <coley@linus.mitre.org>
Cc: Debian kernel maintainers <debian-kernel@lists.debian.org>, stable-review@kernel.org, oss-security@lists.openwall.com
Subject: CVE Request: kernel [Re: Security review of 2.6.32.28]
From: dann frazier <dannf@dannf.org>
Date: Thu, 6 Jan 2011 09:18:11 -0700
Message-id: <[🔎] 20110106161811.GE12671@dannf.org>
In-reply-to: <[🔎] 1294275947.3044.12.camel@localhost>
References: <[🔎] 1294275947.3044.12.camel@localhost>

On Thu, Jan 06, 2011 at 01:05:47AM +0000, Ben Hutchings wrote:
> These are the patches that looked security-relevant, from a fairly quick
> review:

Thanks for the review Ben! Steve, can you assign CVEs for the
following issues?

> [03/49] fuse: verify ioctl retries
> Kernel buffer overflow, but only CUSE servers could exploit it and
> /dev/cuse is normally restricted to root.

Upstream fix:
  http://git.kernel.org/linus/7572777eef78ebdee1ecb7c258c0ef94d35bad16
Introduced in 2.6.29.

> [16/49] IB/uverbs: Handle large number of entries in poll CQ
> Fixes integer overflow and information leak which I assume can be triggered
> by unprivileged local users.

Sounds like it - Documentation/infiniband/user_verbs.txt says:

 "Since the InfiniBand userspace verbs should be safe for use by
 non-privileged processes, it may be useful to add an appropriate MODE
 or GROUP to the udev rule."

Upstream fix:
  http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93
Introduced in 2.6.15.

> [20/49] orinoco: fix TKIP countermeasure behaviour
> Fixes cryptographic weakness potentially leaking information to remote
> (but physically nearby) users.

Upstream fix:
  http://git.kernel.org/linus/0a54917c3fc295cb61f3fb52373c173fd3b69f48
Introduced in 2.6.28.

> [24/49] tracing: Fix panic when lseek() called on "trace" opened for writing
> File is normally only writable by root, so not a security issue.

ack

> [33/49] [SCSI] bfa: fix system crash when reading sysfs fc_host statistics
> Local denial-of-service.
> CVE-2010-4343
> 
> [36/49] install_special_mapping skips security_file_mmap check.
> May enable privilege escalation through null pointer bugs that would
> otherwise only cause denial-of-service.
> CVE-2010-4346
> 
> [42/49] sound: Prevent buffer overflow in OSS load_mixer_volumes
> Not relevant to Debian kernel images since we don't build OSS.
> CVE-2010-4257
> 
> [44/49] ima: fix add LSM rule bug
> Allows subversion of IMA.  Not relevant to Debian kernel images since we
> don't build IMA.

Upstream fix:
  http://git.kernel.org/linus/867c20265459d30a01b021a9c1e81fb4c5832aa9
Introoduced in 2.6.30.

> [48/49] sctp: Fix a race between ICMP protocol unreachable and connect()
> Remote denial-of-service.
> CVE-2010-4526
> 
> Ben.
>

Reply to:

Follow-Ups:
- Re: [oss-security] CVE Request: kernel [Re: Security review of 2.6.32.28]
  - From: Josh Bressers <bressers@redhat.com>

References:
- Security review of 2.6.32.28
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: linux-2.6_2.6.37-1~experimental.1_multi.changes ACCEPTED into experimental
Next by Date: Bug#609149: nfs-kernel-server: after some time, the server nfs is not working, and no client can mount share
Previous by thread: Security review of 2.6.32.28
Next by thread: Re: [oss-security] CVE Request: kernel [Re: Security review of 2.6.32.28]
Index(es):
- Date
- Thread