|Description||block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.|
|Source||CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)|
|NVD severity||medium (attack range: local)|
|Debian/oldstable||package linux-2.6 is vulnerable; however, the security impact is unimportant.|
|Debian/stable||package linux is vulnerable; however, the security impact is unimportant.|
|Debian/testing||package linux is vulnerable; however, the security impact is unimportant.|
|Debian/unstable||package linux is vulnerable; however, the security impact is unimportant.|
Vulnerable and fixed packages
The table below lists information on source packages.
|linux-2.6 (PTS)||squeeze (security), squeeze||2.6.32-48squeeze6||vulnerable|
The information above is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[squeeze] - linux-2.6 <no-dsa> (Too intrusive to backport)
No upstream fix seems to be planned/treated as non-issue. Marking as unimportant