Debian Bug report logs - #332587
linux-2.6: [CAN-2005-3055] Oops while completing async USB via usbdevio

Package: linux-2.6; Maintainer for linux-2.6 is Debian Kernel Team <debian-kernel@lists.debian.org>;

Reported by: Horms <horms@debian.org>

Date: Fri, 7 Oct 2005 08:18:08 UTC

Severity: important

Tags: security, upstream

Merged with 330287

Fixed in version 2.6.14-1

Done: Filipus Klutiero <ido@vif.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#332587; Package linux-2.6.

Acknowledgement sent to Horms <horms@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Horms <horms@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linux-2.6: [CAN-2005-3055] Oops while completing async USB via usbdevio
Date: Fri, 07 Oct 2005 17:12:45 +0900
Package: linux-2.6
Severity: normal
Tags: upstream security


From CAN-2005-3055:

Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a denial
of service (kernel OOPS) via a userspace process that issues a USB
Request Block (URB) to a USB device and terminates before the URB is
finished, which leads to a stale pointer reference.

References: 
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3055
  [2] http://marc.theaimsgroup.com/?l=linux-kernel&m=112766129313883
  [3] http://lkml.org/lkml/2005/9/30/218

I believe that the 2.6.12 and 2.6.13 kernels have this problem.
2.6.8 and 2.4.27 do not seem to have it as the driver is missing.

Upstream do not seem to have a solution (See [3] above) yet, 
but I expect it will show up in 2.6-stable when they do.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686-smp
Locale: LANG=ja_JP.eucJP, LC_CTYPE=ja_JP.eucJP (charmap=EUC-JP) (ignored: LC_ALL set to ja_JP.eucJP)



Severity set to `important'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Merged 330287 332587. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Reply sent to Filipus Klutiero <ido@vif.com>:
You have taken responsibility.

Notification sent to Horms <horms@debian.org>:
Bug acknowledged by developer.

Message #14 received at 330287-done@bugs.debian.org:

From: Filipus Klutiero <ido@vif.com>
To: 330287-done@bugs.debian.org
Subject: Fixed
Date: Mon, 13 Feb 2006 18:11:02 -0500
Version: 2.6.14-1

The upstream fix for this is mentioned in the changelog as [PATCH] Fix signal sending in usbdevio on async URB completion

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 23:49:50 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:33:04 2014; Machine Name: beach.debian.org