kernel-packages team mailing list archive

Thread
Date

[Bug 712749] Re: CVE-2010-4083

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Mathew Hodson <mathew.hodson@xxxxxxxxx>
Date: Thu, 12 Feb 2015 07:10:39 -0000
Reply-to: Bug 712749 <712749@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2010-4249

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/712749

Title:
  CVE-2010-4083

Status in linux package in Ubuntu:
  Fix Released
Status in linux-fsl-imx51 package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  Fix Released
Status in linux-fsl-imx51 source package in Lucid:
  Fix Released
Status in linux-ti-omap4 source package in Lucid:
  Invalid
Status in linux source package in Maverick:
  Fix Released
Status in linux-fsl-imx51 source package in Maverick:
  Invalid
Status in linux-ti-omap4 source package in Maverick:
  Fix Released
Status in linux source package in Natty:
  Fix Released
Status in linux-fsl-imx51 source package in Natty:
  Invalid
Status in linux-ti-omap4 source package in Natty:
  Fix Released
Status in linux source package in Dapper:
  Won't Fix
Status in linux-fsl-imx51 source package in Dapper:
  Invalid
Status in linux-ti-omap4 source package in Dapper:
  Invalid
Status in linux source package in Hardy:
  Fix Released
Status in linux-fsl-imx51 source package in Hardy:
  Invalid
Status in linux-ti-omap4 source package in Hardy:
  Invalid
Status in linux source package in Karmic:
  Fix Released
Status in linux-fsl-imx51 source package in Karmic:
  Won't Fix
Status in linux-ti-omap4 source package in Karmic:
  Invalid

Bug description:
  sys_semctl: fix kernel stack leakage

  The semctl syscall has several code paths that lead to the leakage of
  uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
  IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
  version of the semid_ds struct. 

  The copy_semid_to_user() function declares a semid_ds struct on the stack
  and copies it back to the user without initializing or zeroing the
  "sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
  allowing the leakage of 16 bytes of kernel stack memory.
   
  The code is still reachable on 32-bit systems - when calling semctl()
  newer glibc's automatically OR the IPC command with the IPC_64 flag, but
  invoking the syscall directly allows users to use the older versions of
  the struct.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/712749/+subscriptions