[Secure-testing-commits] r36824 - data/CVE

Ben Hutchings benh at moszumanska.debian.org
Fri Sep 25 00:06:59 UTC 2015


Author: benh
Date: 2015-09-25 00:06:59 +0000 (Fri, 25 Sep 2015)
New Revision: 36824

Modified:
   data/CVE/list
Log:
Triage linux/linux-2.6 issues

Various issues are in code we don't ship, or were fixed before the CVE
assignment and without a DSA.


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-09-24 21:10:12 UTC (rev 36823)
+++ data/CVE/list	2015-09-25 00:06:59 UTC (rev 36824)
@@ -2478,8 +2478,10 @@
 	TODO: check
 CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c ...)
 	- linux 4.1.3-1
-	[wheezy] - linux <not-affected> (No ppc64 yet)
-	- linux-2.6 <not-affected> (No ppc64 yet)
+	[wheezy] - linux 3.2.71-1
+	[jessie] - linux 3.16.7-ckt11-1
+	- linux-2.6 <removed>
+	[squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS)
 	NOTE: http://www.openwall.com/lists/oss-security/2015/08/18/4
 	NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a5cbce421a283e6aea3c4007f141735bf9da8c3 (v4.1-rc1)
 	TODO: check which ppc64 kernel support perf
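Review bot: the trailing `TODO: check which ppc64 kernel support perf` at the end of this entry looks stale now that the wheezy and jessie lines record fixed versions (3.2.71-1 and 3.16.7-ckt11-1) instead of `<not-affected> (No ppc64 yet)`. Either drop the TODO in the same change or reword it to say what still needs checking, so the entry does not stay flagged for triage.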
@@ -8421,20 +8423,20 @@
 CVE-2015-4005
 	RESERVED
 CVE-2015-4004 (The OZWPAN driver in the Linux kernel through 4.0.5 relies on an ...)
-	- linux <unfixed> (unimportant)
+	- linux <not-affected> (ozwpan driver not built)
 	[wheezy] - linux <not-affected> (ozwpan driver not present)
 	- linux-2.6 <not-affected> (ozwpan driver not present)
 	NOTE: https://lkml.org/lkml/2015/5/13/739
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
 CVE-2015-4003 (The oz_usb_handle_ep_data function in ...)
-	- linux <unfixed> (unimportant)
+	- linux <not-affected> (ozwpan driver not built)
 	[wheezy] - linux <not-affected> (ozwpan driver not present)
 	- linux-2.6 <not-affected> (ozwpan driver not present)
 	NOTE: https://lkml.org/lkml/2015/5/13/741
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=04bf464a5dfd9ade0dda918e44366c2c61fce80b (v4.1-rc7)
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
 CVE-2015-4002 (drivers/staging/ozwpan/ozusbsvc1.c in the OZWPAN driver in the Linux ...)
-	- linux <unfixed> (unimportant)
+	- linux <not-affected> (ozwpan driver not built)
 	[wheezy] - linux <not-affected> (ozwpan driver not present)
 	- linux-2.6 <not-affected> (ozwpan driver not present)
 	NOTE: https://lkml.org/lkml/2015/5/13/740
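Review bot: on the three changed `- linux` lines (CVE-2015-4004, CVE-2015-4003, CVE-2015-4002), `<not-affected> (ozwpan driver not built)` sits beside wheezy and linux-2.6 lines that say `ozwpan driver not present`, so one status now covers two different situations: source absent, and source shipped but disabled in the build. The old `<unfixed> (unimportant)` kept that difference visible. If `<not-affected>` is the intended status for "shipped but not built", please say so in the log message, because these entries will keep reading as not affected even if the staging driver is enabled later.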
@@ -8443,7 +8445,7 @@
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a59029bc218b48eff8b5d4dde5662fd79d3e1a8 (v4.1-rc7)
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
 CVE-2015-4001 (Integer signedness error in the oz_hcd_get_desc_cnf function in ...)
-	- linux <unfixed> (unimportant)
+	- linux <not-affected> (ozwpan driver not built)
 	[wheezy] - linux <not-affected> (ozwpan driver not present)
 	- linux-2.6 <not-affected> (ozwpan driver not present)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b1bb5b49373b61bf9d2c73a4d30058ba6f069e4c (v4.1-rc7)
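Review bot: the changed `- linux` line for CVE-2015-4001 carries no version although the NOTE directly below it names an upstream fix commit (v4.1-rc7). Consider recording the first Debian version that includes that commit and keeping "not built" as the reason for low urgency, so the entry states both that a fix exists and that the binary packages were never exposed.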
@@ -15568,6 +15570,8 @@
 	NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/02/20/14
 CVE-2015-XXXX [Linux ASLR mmap weakness: Reducing entropy by half]
 	- linux 4.0.2-1
+	[wheezy] - linux <no-dsa> (Minor issue)
+	[jessie] - linux <no-dsa> (Minor issue)
 	- linux-2.6 <removed>
 	[squeeze] - linux-2.6 <not-affected> (powerpc not supported in Squeeze LTS)
 	NOTE: http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html
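Review bot: the two added `<no-dsa> (Minor issue)` lines land next to a squeeze line whose reason is `powerpc not supported in Squeeze LTS`, which does not obviously match an entry titled "Linux ASLR mmap weakness" and is word for word the reason this same commit adds for CVE-2015-6526. Since the entry is being touched anyway, please confirm the squeeze reason is correct for this issue and is not a leftover from another entry. A slightly more specific reason than "Minor issue" on the new lines would also help later readers.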
@@ -46835,6 +46839,7 @@
 	NOTE: https://github.com/mrash/fwsnort/commit/fa977453120cc48e1654f373311f9cac468d3348
 CVE-2014-0038 (The compat_sys_recvmmsg function in net/compat.c in the Linux kernel ...)
 	- linux 3.13.4-1 (unimportant)
+	[wheezy] - linux <not-affected> (Introduced in 3.4+)
 	- linux-2.6 <not-affected> (Introduced in 3.4+)
 	NOTE: introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/compat.c?id=ee4fa23c4bfcc635d077a9633d405610de45bc70
 	NOTE: Debian does not enable CONFIG_X86_X32, see #708070
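Review bot: the unchanged `- linux 3.13.4-1 (unimportant)` line in this entry is handled differently from the other "not enabled" cases in this commit. The NOTE says Debian does not enable CONFIG_X86_X32, which is the same kind of reason used to switch the ozwpan, bcm and wlags49_h2 entries to `<not-affected> (... not built)`, yet here the version plus `(unimportant)` form is kept. Either treatment is defensible, but the commit should apply one of them consistently or explain the difference. The added wheezy line itself is consistent with the linux-2.6 line below it.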
@@ -53094,12 +53099,14 @@
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a8b33654b1e3b0c74d4a1fed041c9aae50b3c427
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
 CVE-2013-4515 (The bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the ...)
-	- linux 3.12-1 (unimportant)
+	- linux <not-affected> (bcm driver not built)
+	[wheezy] - linux <not-affected> (bcm driver not built)
 	- linux-2.6 <not-affected> (Affected code not present yet)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d1e72250c847fa96498ec029891de4dc638a5ba
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
 CVE-2013-4514 (Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in ...)
-	- linux 3.12-1 (unimportant)
+	- linux <not-affected> (wlags49_h2 driver not built)
+	[wheezy] - linux <not-affected> (wlags49_h2 driver not built)
 	- linux-2.6 <not-affected> (Affected code not present yet)
 	NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b5e2f339865fb443107e5b10603e53bbc92dc054
 	NOTE: Not enabled in Debian kernels; staging drivers are not supported
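Review bot: replacing `- linux 3.12-1 (unimportant)` with `<not-affected>` in the CVE-2013-4515 and CVE-2013-4514 entries discards the recorded fixed version 3.12-1, leaving only the upstream commit NOTE to show when the source was corrected. If the version is being dropped on purpose, mention it in the log message. Separately, each added `[wheezy]` line repeats the status and reason of the `- linux` line directly above it; unless the per-release line is needed, it can be omitted.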
@@ -68347,9 +68354,8 @@
 	- lighttpd 1.4.31-2
 	[squeeze] - lighttpd <not-affected> (Introduced in 1.4.31)
 CVE-2012-5532 (The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as ...)
-	- linux 3.8.11-1 (unimportant)
+	- linux-tools <not-affected> (userspace daemon not built until later)
 	- linux-2.6 <not-affected> (userspace daemon not yet present)
-	NOTE: hyperv tools are not build in sid
 CVE-2012-5531 (Multiple cross-site scripting (XSS) vulnerabilities in the GateIn ...)
 	NOT-FOR-US: GateIn Portal
 CVE-2012-5530 (The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot ...)
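Review bot: in the CVE-2012-5532 entry, the new reason `userspace daemon not built until later` does not say which linux-tools version first builds the daemon, and the change drops both the previously recorded version 3.8.11-1 and the NOTE about the tools not being built in sid. Since "until later" implies the daemon is built at some point, the entry should name that version (or a fixed linux-tools version) so a reader can tell that the first built version already contains the fix.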



