CVE Request: kernel [Re: Security review of 2.6.32.28]

2011-01-06 Thread dann frazier
On Thu, Jan 06, 2011 at 01:05:47AM +, Ben Hutchings wrote:
> These are the patches that looked security-relevant, from a fairly quick
> review:

Thanks for the review Ben! Steve, can you assign CVEs for the
following issues?

> [03/49] fuse: verify ioctl retries
> Kernel buffer overflow, but only CUSE servers could exploit it and
> /dev/cuse is normally restricted to root.

Upstream fix:
  http://git.kernel.org/linus/7572777eef78ebdee1ecb7c258c0ef94d35bad16
Introduced in 2.6.29.

> [16/49] IB/uverbs: Handle large number of entries in poll CQ
> Fixes integer overflow and information leak which I assume can be triggered
> by unprivileged local users.

Sounds like it - Documentation/infiniband/user_verbs.txt says:

  Since the InfiniBand userspace verbs should be safe for use by
  non-privileged processes, it may be useful to add an appropriate MODE
  or GROUP to the udev rule.

Upstream fix:
  http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93
Introduced in 2.6.15.

> [20/49] orinoco: fix TKIP countermeasure behaviour
> Fixes cryptographic weakness potentially leaking information to remote
> (but physically nearby) users.

Upstream fix:
  http://git.kernel.org/linus/0a54917c3fc295cb61f3fb52373c173fd3b69f48
Introduced in 2.6.28.

> [24/49] tracing: Fix panic when lseek() called on trace opened for writing
> File is normally only writable by root, so not a security issue.

ack

> [33/49] [SCSI] bfa: fix system crash when reading sysfs fc_host statistics
> Local denial-of-service.
> CVE-2010-4343
>
> [36/49] install_special_mapping skips security_file_mmap check.
> May enable privilege escalation through null pointer bugs that would
> otherwise only cause denial-of-service.
> CVE-2010-4346
>
> [42/49] sound: Prevent buffer overflow in OSS load_mixer_volumes
> Not relevant to Debian kernel images since we don't build OSS.
> CVE-2010-4257
>
> [44/49] ima: fix add LSM rule bug
> Allows subversion of IMA.  Not relevant to Debian kernel images since we
> don't build IMA.

Upstream fix:
  http://git.kernel.org/linus/867c20265459d30a01b021a9c1e81fb4c5832aa9
Introduced in 2.6.30.

> [48/49] sctp: Fix a race between ICMP protocol unreachable and connect()
> Remote denial-of-service.
> CVE-2010-4526
>
> Ben.

-- 
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110106161811.ge12...@dannf.org



Re: [oss-security] CVE Request: kernel [Re: Security review of 2.6.32.28]

2011-01-06 Thread Josh Bressers
 
> > [03/49] fuse: verify ioctl retries
> > Kernel buffer overflow, but only CUSE servers could exploit it and
> > /dev/cuse is normally restricted to root.
>
> Upstream fix:
> http://git.kernel.org/linus/7572777eef78ebdee1ecb7c258c0ef94d35bad16
> Introduced in 2.6.29.

Please use CVE-2010-4650


> > [16/49] IB/uverbs: Handle large number of entries in poll CQ
> > Fixes integer overflow and information leak which I assume can be
> > triggered by unprivileged local users.
>
> Sounds like it - Documentation/infiniband/user_verbs.txt says:
>
>   Since the InfiniBand userspace verbs should be safe for use by
>   non-privileged processes, it may be useful to add an appropriate MODE
>   or GROUP to the udev rule.
>
> Upstream fix:
> http://git.kernel.org/linus/7182afea8d1afd432a17c18162cc3fd441d0da93
> Introduced in 2.6.15.

Please use CVE-2010-4649


> > [20/49] orinoco: fix TKIP countermeasure behaviour
> > Fixes cryptographic weakness potentially leaking information to remote
> > (but physically nearby) users.
>
> Upstream fix:
> http://git.kernel.org/linus/0a54917c3fc295cb61f3fb52373c173fd3b69f48
> Introduced in 2.6.28.

Please use CVE-2010-4648.


> > [44/49] ima: fix add LSM rule bug
> > Allows subversion of IMA. Not relevant to Debian kernel images since we
> > don't build IMA.
>
> Upstream fix:
> http://git.kernel.org/linus/867c20265459d30a01b021a9c1e81fb4c5832aa9
> Introduced in 2.6.30.

Please use CVE-2011-0006

Thanks.

-- 
JB

