Dan Rosenberg

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6.37 **Description** The issue is related to an integer signedness error in the `btrfs ioctl space info` function, which allows local users to cause a denial of service, specifically a heap-based buffer overflow, or possibly have other unspecified impacts. This can be achieved by using a crafted `slot` value. **Recommendations** For Linux kernel version 2.6.37, consider applying a patch to fix the integer signedness error in the `btrfs ioctl space info` function as a permanent solution. As a temporary workaround, restrict access to the `btrfs ioctl space info` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ax25-tools versions prior to 0.0.8-13 **Description** The issue is related to the AX.25 daemon (ax25d) not checking the return value of a setuid call, which is responsible for dropping privileges. If the setuid call fails, the daemon continues to run with root privileges, potentially allowing privilege escalation. **Recommendations** For versions prior to 0.0.8-13, update to version 0.0.8-13 or later to resolve the issue. As a temporary workaround, consider restricting access to the ax25d daemon to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ettercap versions prior to 0.7.5 **Description** The issue arises from an unchecked sscanf() call, which allows an insecure temporary settings file to overflow a static-sized buffer on the stack. **Recommendations** For versions prior to 0.7.5, update to version 0.7.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** gnustep-base versions prior to 1.24.6 **Description** The issue is related to the improper handling of the file descriptor for the logger in the gdomap component of GNUstep Base. This can be exploited remotely, potentially leading to a denial of service. The exploitation may cause the service to abort when an invalid request is received. **Recommendations** For versions prior to 1.24.6, update to version 1.24.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the gdomap service to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux Kernel versions prior to 3.8.9 **Description** The issue allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls. This is due to an integer overflow in the fb mmap function in drivers/video/fbmem.c. The Motochopper pwn program demonstrates this exploit. **Recommendations** For Linux Kernel versions prior to 3.8.9, update to version 3.8.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the /dev/graphics/fb0 device file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TrustZone kernel on Motorola devices with Android 4.1.2 **Description** The issue allows local users to unlock the bootloader by using kernel mode to perform crafted `0x9` and `0x2` SMC operations, due to the lack of verification of the association between a certain physical-address argument and a memory region. **Recommendations** For the affected Motorola devices with Android 4.1.2, consider restricting access to kernel mode operations until a patch is available. As a temporary workaround, avoid using the crafted SMC operations `0x9` and `0x2` to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 6 **Description** The issue allows local users to gain privileges via a crafted program that makes packet-filter ioctl calls, due to the kernel dereferencing invalid pointers during the handling of packet-filter data structures. **Recommendations** For versions prior to 6, update to a version 6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 6 **Description** The issue concerns the Berkeley Packet Filter (BPF) interpreter implementation in the kernel, which accesses uninitialized memory locations. This allows local users to obtain sensitive information about the layout of kernel memory via a crafted program that uses a BPF interface. **Recommendations** For versions prior to 6, update to iOS version 6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.4.5 **Description** The issue is related to multiple stack-based buffer overflows in the Near Field Communication Controller Interface (NCI) in the Linux kernel. This can be exploited by remote attackers who send incoming frames with crafted length fields, potentially leading to a denial of service (crash) and possibly allowing the execution of arbitrary code. **Recommendations** For Linux kernel versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to multiple array index errors in the sound/oss/opl3.c file of the Linux kernel. This can be exploited by local users to cause a denial of service, resulting in heap memory corruption, or potentially gain privileges. The exploitation requires write access to /dev/sequencer. **Recommendations** For Linux kernel versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to the ROSE protocol implementation in the Linux kernel, where it fails to verify the consistency of certain data-length values with the amount of data sent. This could potentially allow remote attackers to obtain sensitive information from kernel memory or cause a denial of service through an out-of-bounds read by sending crafted data to a ROSE socket. **Recommendations** For Linux kernel versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to an array index error in the `rose parse national` function, which can be exploited by remote attackers to cause a denial of service or potentially have other unspecified impacts. This is achieved by composing FAC NATIONAL DIGIS data with a large number of digipeaters and sending it to a ROSE socket. **Recommendations** For Linux kernel versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to the `rose parse ccitt` function in the Linux kernel, which does not validate certain fields. This allows remote attackers to cause a denial of service or conduct stack-based buffer overflow attacks via specially crafted data sent to a ROSE socket. **Recommendations** For Linux kernel versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to an integer underflow in the Open Sound System (OSS) subsystem of the Linux kernel. This allows local users with write access to /dev/sequencer to cause a denial of service, resulting in memory corruption. The problem is specifically noted on non-x86 platforms. **Recommendations** For Linux kernel versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39.4 **Description** The issue allows local users to gain privileges by writing a certain integer value to kernel memory due to the osf wait4 function in arch/alpha/kernel/osf sys.c using an incorrect pointer on the Alpha platform. **Recommendations** For versions prior to 2.6.39.4, update to version 2.6.39.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to an integer overflow in the sys oabi semtimedop function, which can be exploited by local users to gain privileges or cause a denial of service, resulting in heap memory corruption. This can be achieved by providing a crafted argument and leveraging a race condition when CONFIG OABI COMPAT is enabled on the ARM platform. **Recommendations** For versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39.4 **Description** The issue is related to an integer signedness error in the osf sysinfo function, which can allow local users to obtain sensitive information from kernel memory. This error is present in the Linux kernel on the Alpha platform. **Recommendations** For versions prior to 2.6.39.4, update to version 2.6.39.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39.4 **Description** The issue is related to the `osf getsysinfo` function in the Linux kernel, which does not properly restrict the data size for GSI GET HWRPB operations. This allows local users to obtain sensitive information from kernel memory via a crafted call. **Recommendations** For Linux kernel versions prior to 2.6.39.4, update to version 2.6.39.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39.4 **Description** The issue is related to an integer signedness error in the osf getdomainname function, which can allow local users to obtain sensitive information from kernel memory. This error is present in the Linux kernel on the Alpha platform. **Recommendations** For versions prior to 2.6.39.4, update to version 2.6.39.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.1 **Description** The issue allows local users to obtain sensitive information from kernel memory locations. This is due to the ptrace setxregs function in arch/xtensa/kernel/ptrace.c not validating user-space pointers, enabling users to craft a PTRACE SETXTREGS request to access sensitive information. **Recommendations** For Linux kernel versions prior to 3.1, update to version 3.1 or later to resolve the issue.