CVE-2004-1190

Name: CVE-2004-1190
Description: SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not properly check commands sent to CD devices that have been opened read-only, which could allow local users to conduct unauthorized write activities to modify the firmware of associated SCSI devices.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| kernel-source-2.6.8 | source | sarge | 2.6.8-14 | | | |
| linux-2.6 | source | (unstable) | (not affected) | | | |

Notes

Response from SUSE people reveals that http://linux.bkbits.net:8080/linux-2.6/hist/drivers/block/scsi_ioctl.c has a misleading entry titled "Fix exploitable hole".
http://www.securityfocus.com/advisories/7579
http://xforce.iss.net/xforce/xfdb/18370
Response from Marcus Meissner <meissner@suse.de> saying the patch was integrated in upstream 2.6.8.
On further clarification he said that further fixes to this patch were made after 2.6.8, so only 2.6.10 is actually fixed, but 2.6.8 is not.
- linux-2.6 <not-affected> (Fixed before upload into archive; 2.6.10)
