There is a local root exploit by integer underflow in the Bluetooth handling, triggerable by any user if you have Bluetooth modules installed. (I think using socket(AF_BLUETOOTH, -index, x); ) Marcel has posted the patch below; I am not sure which BK tree it is for, however. CAN-2005-0750, as per Mark J Cox. An actual exploit supposedly exists already.
Created attachment 54428: CAN-2005-0750.patch
Patch posted in BK tree. New kernel release should follow.
Fixed in vanilla 2.6.11.6 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6
mips-sources fixed.
Fixed in gentoo-sources-2.6.11-r6
Another that can probably be closed now. http://kiss.gentoo.org/dev/viewBug.php?BugID=86638
*** Bug 87901 has been marked as a duplicate of this bug. ***
This also affects the 2.4 series. From solar: grsec-sources-2.4.30 is in the tree as ~arch. Note for other bumpers of the 2.4.x series: CAN-2004-1056.patch and linux-2.4.28-random-poolsize.patch have never been applied to mainline.
rsbac-sources affected.
All fixed, closing.