author Joey Hess <joeyh@debian.org> 2005-09-15 16:04:59 +0000
committer Joey Hess <joeyh@debian.org> 2005-09-15 16:04:59 +0000
commit ca6e7cc3358eb027dc4a16db2f6dc2b234c0972f
tree 76178d59e0d4c58e9eadb68c54ce629225db8a1d /data/DTSA/advs
parent 43deb421c75a34d607c84ab397e96e9bb00081a5
Put together an advisory for the linux-2.6 packages. This is not a normal
DTSA since the fix reached testing on its own steam; it seemed worth making
an announcement since users need to take special actions to install the new
linux-2.6 packages and upgrade.

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@2006 e39458fd-73e7-0310-bf30-c45bca0a0e42
Diffstat (limited to 'data/DTSA/advs')
-rw-r--r-- data/DTSA/advs/16-linux-2.6.adv 120
-rw-r--r-- data/DTSA/advs/nn-kernel-source-2.6.8.adv 21
2 files changed, 120 insertions, 21 deletions
diff --git a/data/DTSA/advs/16-linux-2.6.adv b/data/DTSA/advs/16-linux-2.6.adv
new file mode 100644
index 0000000000..1305adbda1
--- /dev/null
+++ b/data/DTSA/advs/16-linux-2.6.adv
@@ -0,0 +1,120 @@
+source: linux-2.6
+date: September 15, 2005
+author: Joey Hess
+vuln-type: several holes
+problem-scope: remote
+debian-specifc: no
+cve: CAN-2005-2098 CAN-2005-2099 CAN-2005-2456 CAN-2005-2617 CAN-2005-1913 CAN-2005-1761 CAN-2005-2457 CAN-2005-2458 CAN-2005-2459 CAN-2005-2548 CAN-2004-2302 CAN-2005-1765 CAN-2005-1762 CAN-2005-1761 CAN-2005-2555
+testing-fix: 2.6.12-6
+sid-fix: 2.6.12-6
+upgrade: apt-get install linux-image-2.6-386; reboot
+
+Several security related problems have been found in version 2.6 of the
+linux kernel. The Common Vulnerabilities and Exposures project identifies
+the following problems:
+
+CAN-2004-2302
+
+ Race condition in the sysfs_read_file and sysfs_write_file functions in
+ Linux kernel before 2.6.10 allows local users to read kernel memory and
+ cause a denial of service (crash) via large offsets in sysfs files.
+
+CAN-2005-1761
+
+ Vulnerability in the Linux kernel allows local users to cause a
+ denial of service (kernel crash) via ptrace.
+
+CAN-2005-1762
+
+ The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64
+ platform allows local users to cause a denial of service (kernel crash) via
+ a "non-canonical" address.
+
+CAN-2005-1765
+
+ syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when
+ running in 32-bit compatibility mode, allows local users to cause a denial
+ of service (kernel hang) via crafted arguments.
+
+CAN-2005-1913
+
+ When a non group-leader thread called exec() to execute a different program
+ while an itimer was pending, the timer expiry would signal the old group
+ leader task, which did not exist any more. This caused a kernel panic.
+
+CAN-2005-2098
+
+ The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before
+ 2.6.12.5 contains an error path that does not properly release the session
+ management semaphore, which allows local users or remote attackers to cause
+ a denial of service (semaphore hang) via a new session keyring (1) with an
+ empty name string, (2) with a long name string, (3) with the key quota
+ reached, or (4) ENOMEM.
+
+CAN-2005-2099
+
+ The Linux kernel before 2.6.12.5 does not properly destroy a keyring that
+ is not instantiated properly, which allows local users or remote attackers
+ to cause a denial of service (kernel oops) via a keyring with a payload
+ that is not empty, which causes the creation to fail, leading to a null
+ dereference in the keyring destructor.
+
+CAN-2005-2456
+
+ Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c
+ in Linux kernel 2.6 allows local users to cause a denial of service (oops
+ or deadlock) and possibly execute arbitrary code via a p->dir value that is
+ larger than XFRM_POLICY_OUT, which is used as an index in the
+ sock->sk_policy array.
+
+CAN-2005-2457
+
+ The driver for compressed ISO file systems (zisofs) in the Linux kernel
+ before 2.6.12.5 allows local users and remote attackers to cause a denial
+ of service (kernel crash) via a crafted compressed ISO file system.
+
+CAN-2005-2458
+
+ inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows
+ remote attackers to cause a denial of service (kernel crash) via a
+ compressed file with "improper tables".
+
+CAN-2005-2459
+
+ The huft_build function in inflate.c in the zlib routines in the Linux
+ kernel before 2.6.12.5 returns the wrong value, which allows remote
+ attackers to cause a denial of service (kernel crash) via a certain
+ compressed file that leads to a null pointer dereference, a different
+ vulnerbility than CAN-2005-2458.
+
+CAN-2005-2548
+
+ vlan_dev.c in Linux kernel 2.6.8 allows remote attackers to cause a denial
+ of service (kernel oops from null dereference) via certain UDP packets that
+ lead to a function call with the wrong argument, as demonstrated using
+ snmpwalk on snmpd.
+
+CAN-2005-2555
+
+ Linux kernel 2.6.x does not properly restrict socket policy access to users
+ with the CAP_NET_ADMIN capability, which could allow local users to conduct
+ unauthorized activities via (1) ipv4/ip_sockglue.c and (2)
+ ipv6/ipv6_sockglue.c.
+
+CAN-2005-2617
+
+ The syscall32_setup_pages function in syscall32.c for Linux kernel 2.6.12
+ and later, on the amd64 architecture, does not check the return value of
+ the insert_vm_struct function, which allows local users to trigger a memory
+ leak via a 32-bit application with crafted ELF headers.
+
+In addition this update fixes some security issues that have not been
+assigned CVE ids:
+
+ - Fix DST leak in icmp_push_reply(). Possible remote DoS?
+
+ - NPTL signal delivery deadlock fix; possible local DoS.
+
+ - fix a memory leak in devices seq_file implementation; local DoS.
+
+ - Fix SKB leak in ip6_input_finish(); local DoS.
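Review bot: the cve: header lists CAN-2005-1761 twice, and the upgrade: field names only linux-image-2.6-386 even though the entries for CAN-2005-1762, CAN-2005-1765 and CAN-2005-2617 are specific to AMD64. Suggest de-duplicating the id list and making the upgrade instruction cover the other image flavours, or saying explicitly that the package name must be adapted. The commit message says users need to take special actions to install the new linux-2.6 packages, but the advisory body never describes those actions, so a short paragraph on them would be worth adding after the CVE list. Minor: "vulnerbility" in the CAN-2005-2459 entry should read "vulnerability".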
diff --git a/data/DTSA/advs/nn-kernel-source-2.6.8.adv b/data/DTSA/advs/nn-kernel-source-2.6.8.adv
deleted file mode 100644
index 29f907e13f..0000000000
--- a/data/DTSA/advs/nn-kernel-source-2.6.8.adv
+++ /dev/null
@@ -1,21 +0,0 @@
-source: kernel-source-2.6.8
-date: September 10, 2005
-author: Micah Anderson
-vuln-type: various
-problem-scope: remote
-debian-specifc: no
-cve: CAN-2005-1763, CAN-2005-1762, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757,
-CAN-2005-1765, CAN-2005-1761, CAN-2005-2456, CAN-2005-2548, CAN-2004-2302,
-CAN-2005-1767, CAN-2005-2458, CAN-2005-2459
-vendor-advisory:
-testing-fix: linux-2.6
-sid-fix: linux-2.6
-upgrade: apt-get install xxx
-
-xxx multiline description here
-
-TODO:
- upgrade instructions
- descriptions
- what about security fixes that don't have CANs?
-
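Review bot: the cve: list in this removed draft contains five ids that do not appear in the new 16-linux-2.6.adv: CAN-2005-1763, CAN-2005-0756, CAN-2005-1265, CAN-2005-0757 and CAN-2005-1767. Neither the commit message nor the new advisory says whether they are fixed in 2.6.12-6 or do not apply, so please record their status before dropping the draft, for example by adding them to the new advisory's list or noting why they were left out. The draft's TODO about fixes without CANs is covered by the closing list in the new file.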
