kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #104313
[Bug 769182] Re: CVE-2010-4249
linux (2.6.32-28.55) lucid-proposed; urgency=low
* Another version bump because of abi check failure
* Tracking Bug
- LP: #699885
linux (2.6.32-28.54) lucid-proposed; urgency=low
* Another version bump because of upload failure
linux (2.6.32-28.53) lucid-proposed; urgency=low
* Another version bump because of upload failure
linux (2.6.32-28.52) lucid-proposed; urgency=low
[ Steve Conklin ]
* (removed old tracking bug link)
linux (2.6.32-28.51) lucid-proposed; urgency=low
[ Steve Conklin ]
* bumped version due to build fail
linux (2.6.32-28.50) lucid-proposed; urgency=low
[ Tim Gardner ]
* SAUCE: Change nodelayacct boot parameter polarity.
- LP: #493156
* [Config] CONFIG_TASK_DELAY_ACCT=y
- LP: #493156
[ Upstream Kernel Changes ]
* ipc: initialize structure memory to zero for compat functions
* tcp: Increase TCP_MAXSEG socket option minimum.
- CVE-2010-4165
* perf_events: Fix perf_counter_mmap() hook in mprotect()
- CVE-2010-4169
* af_unix: limit unix_tot_inflight
- CVE-2010-4249
* AppArmor: fix the upper bound check for the next/check table
- LP: #581525
* NFS: Fix panic after nfs_umount()
- LP: #683938
* block: Ensure physical block size is unsigned int
- LP: #688669
* block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
- LP: #688669
* block: take care not to overflow when calculating total iov length
- LP: #688669
* block: check for proper length of iov entries in blk_rq_map_user_iov()
- LP: #688669
* jme: Fix PHY power-off error
- LP: #688669
* irda: Fix parameter extraction stack overflow
- LP: #688669
* irda: Fix heap memory corruption in iriap.c
- LP: #688669
* i2c-pca-platform: Change device name of request_irq
- LP: #688669
* microblaze: Fix build with make 3.82
- LP: #688669
* Staging: asus_oled: fix up some sysfs attribute permissions
- LP: #688669
* Staging: asus_oled: fix up my fixup for some sysfs attribute
permissions
- LP: #688669
* Staging: line6: fix up some sysfs attribute permissions
- LP: #688669
* hpet: fix unwanted interrupt due to stale irq status bit
- LP: #688669
* hpet: unmap unused I/O space
- LP: #688669
* olpc_battery: Fix endian neutral breakage for s16 values
- LP: #688669
* percpu: fix list_head init bug in __percpu_counter_init()
- LP: #688669
* um: remove PAGE_SIZE alignment in linker script causing kernel
segfault.
- LP: #688669
* um: fix global timer issue when using CONFIG_NO_HZ
- LP: #688669
* numa: fix slab_node(MPOL_BIND)
- LP: #688669
* hwmon: (lm85) Fix ADT7468 frequency table
- LP: #688669
* mm: fix return value of scan_lru_pages in memory unplug
- LP: #688669
* mm: fix is_mem_section_removable() page_order BUG_ON check
- LP: #688669
* ssb: b43-pci-bridge: Add new vendor for BCM4318
- LP: #688669
* sgi-xpc: XPC fails to discover partitions with all nasids above 128
- LP: #688669
* xen: ensure that all event channels start off bound to VCPU 0
- LP: #688669
* xen: don't bother to stop other cpus on shutdown/reboot
- LP: #688669
* sys_semctl: fix kernel stack leakage
- LP: #688669
* net: NETIF_F_HW_CSUM does not imply FCoE CRC offload
- LP: #688669
* drivers/char/vt_ioctl.c: fix VT_OPENQRY error value
- LP: #688669
* viafb: use proper register for colour when doing fill ops
- LP: #688669
* eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
- LP: #688669
* md/raid1: really fix recovery looping when single good device fails.
- LP: #688669
* md: fix return value of rdev_size_change()
- LP: #688669
* x86: AMD Northbridge: Verify NB's node is online
- LP: #688669
* tty: prevent DOS in the flush_to_ldisc
- LP: #688669
* TTY: restore tty_ldisc_wait_idle
- LP: #688669
* tty_ldisc: Fix BUG() on hangup
- LP: #688669
* TTY: ldisc, fix open flag handling
- LP: #688669
* KVM: VMX: fix vmx null pointer dereference on debug register access
- LP: #688669
- CVE-2010-0435
* KVM: x86: fix information leak to userland
- LP: #688669
* firewire: cdev: fix information leak
- LP: #688669
* firewire: core: fix an information leak
- LP: #688669
* firewire: ohci: fix buffer overflow in AR split packet handling
- LP: #688669
* firewire: ohci: fix race in AR split packet handling
- LP: #688669
* ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and
Headphone controls
- LP: #669279, #688669
* ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
- LP: #688669
* ALSA: hda: Use "alienware" model quirk for another SSID
- LP: #683695, #688669
* netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem
pages
- LP: #688669
* latencytop: fix per task accumulator
- LP: #688669
* mm/vfs: revalidate page->mapping in do_generic_file_read()
- LP: #688669
* bio: take care not overflow page count when mapping/copying user data
- LP: #688669
* libata-scsi passthru: fix bug which truncated LBA48 return values
- LP: #688669
* libata: fix NULL sdev dereference race in atapi_qc_complete()
- LP: #688669
* PCI: fix size checks for mmap() on /proc/bus/pci files
- LP: #688669
* PCI: fix offset check for sysfs mmapped files
- LP: #688669
* efifb: check that the base address is plausible on pci systems
- LP: #688669
* USB: gadget: AT91: fix typo in atmel_usba_udc driver
- LP: #688669
* USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
- LP: #688669
* USB: option: fix when the driver is loaded incorrectly for some Huawei
devices.
- LP: #688669
* usb: misc: sisusbvga: fix information leak to userland
- LP: #688669
* usb: misc: iowarrior: fix information leak to userland
- LP: #688669
* usb: core: fix information leak to userland
- LP: #688669
* USB: EHCI: fix obscure race in ehci_endpoint_disable
- LP: #688669
* USB: storage: sierra_ms: fix sysfs file attribute
- LP: #688669
* USB: atm: ueagle-atm: fix up some permissions on the sysfs files
- LP: #688669
* USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
- LP: #688669
* USB: misc: usbled: fix up some sysfs attribute permissions
- LP: #688669
* USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes"
- LP: #688669
* USB: misc: trancevibrator: fix up a sysfs attribute permission
- LP: #688669
* USB: misc: usbsevseg: fix up some sysfs attribute permissions
- LP: #688669
* USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable
- LP: #688669
* USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added
- LP: #688669
* acpi-cpufreq: fix a memleak when unloading driver
- LP: #688669
* ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite
L355
- LP: #688669
* fuse: fix attributes after open(O_TRUNC)
- LP: #688669
* do_exit(): make sure that we run with get_fs() == USER_DS
- LP: #688669
* uml: disable winch irq before freeing handler data
- LP: #688669
* backlight: grab ops_lock before testing bd->ops
- LP: #688669
* nommu: yield CPU while disposing VM
- LP: #688669
* DECnet: don't leak uninitialized stack byte
- LP: #688669
* ARM: 6489/1: thumb2: fix incorrect optimisation in usracc
- LP: #688669
* ARM: 6482/2: Fix find_next_zero_bit and related assembly
- LP: #688669
* Staging: frontier: fix up some sysfs attribute permissions
- LP: #688669
* staging: rtl8187se: Change panic to warn when RF switch turned off
- LP: #688669
* HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
- LP: #688669
* HID: hidraw, fix a NULL pointer dereference in hidraw_write
- LP: #688669
* gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New:
linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)
- LP: #688669
* Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer
overflows.
- LP: #688669
* sparc64: Fix race in signal instruction flushing.
- LP: #688669
* sparc: Don't mask signal when we can't setup signal frame.
- LP: #688669
* sparc: Prevent no-handler signal syscall restart recursion.
- LP: #688669
* x86, UV: Delete unneeded boot messages
- LP: #688669
* x86, UV: Fix initialization of max_pnode
- LP: #688669
* drivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook
Pro 5,1
- LP: #688669
* efifb: support the EFI framebuffer on more Apple hardware
- LP: #688669
* V4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming
interface descriptors
- LP: #688669
* Input: i8042 - add Sony VAIO VPCZ122GX to nomux list
- LP: #688669
* x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
- LP: #688669
* memory corruption in X.25 facilities parsing
- LP: #688669
* can-bcm: fix minor heap overflow
- LP: #688669
* V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
- LP: #688669
* x25: Prevent crashing when parsing bad X.25 facilities
- LP: #688669
* crypto: padlock - Fix AES-CBC handling on odd-block-sized input
- LP: #688669
* x86-32: Separate 1:1 pagetables from swapper_pg_dir
- LP: #688669
* x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
- LP: #688669
* x86-32: Fix dummy trampoline-related inline stubs
- LP: #688669
* rds: Integer overflow in RDS cmsg handling
- LP: #688669
* net: Truncate recvfrom and sendto length to INT_MAX.
- LP: #688669
* net: Limit socket I/O iovec total length to INT_MAX.
- LP: #688669
* nmi: fix clock comparator revalidation
- LP: #688669
* UV - XPC: pass nasid instead of nid to gru_create_message_queue
- LP: #688669
* x86: uv: XPC receive message reuse triggers invalid BUG_ON()
- LP: #688669
* X86: uv: xpc_make_first_contact hang due to not accepting ACTIVE state
- LP: #688669
* x86: uv: xpc NULL deref when mesq becomes empty
- LP: #688669
* Linux 2.6.32.27
- LP: #688669
-- Steve Conklin <sconklin@xxxxxxxxxxxxx> Mon, 10 Jan 2011 14:51:10 -0600
** Changed in: linux (Ubuntu Lucid)
Status: Incomplete => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-backport-maverick in Ubuntu.
https://bugs.launchpad.net/bugs/769182
Title:
CVE-2010-4249
Status in linux package in Ubuntu:
Fix Released
Status in linux-fsl-imx51 package in Ubuntu:
Invalid
Status in linux-lts-backport-maverick package in Ubuntu:
Invalid
Status in linux-mvl-dove package in Ubuntu:
Invalid
Status in linux-ti-omap4 package in Ubuntu:
Invalid
Status in linux source package in Lucid:
Fix Released
Status in linux-fsl-imx51 source package in Lucid:
Fix Released
Status in linux-lts-backport-maverick source package in Lucid:
Won't Fix
Status in linux-mvl-dove source package in Lucid:
Fix Released
Status in linux-ti-omap4 source package in Lucid:
Invalid
Status in linux source package in Maverick:
Fix Released
Status in linux-fsl-imx51 source package in Maverick:
Invalid
Status in linux-lts-backport-maverick source package in Maverick:
Won't Fix
Status in linux-mvl-dove source package in Maverick:
Fix Released
Status in linux-ti-omap4 source package in Maverick:
Fix Released
Status in linux source package in Natty:
Invalid
Status in linux-fsl-imx51 source package in Natty:
Invalid
Status in linux-lts-backport-maverick source package in Natty:
Invalid
Status in linux-mvl-dove source package in Natty:
Invalid
Status in linux-ti-omap4 source package in Natty:
Invalid
Status in linux source package in Dapper:
Won't Fix
Status in linux-fsl-imx51 source package in Dapper:
Invalid
Status in linux-lts-backport-maverick source package in Dapper:
Won't Fix
Status in linux-mvl-dove source package in Dapper:
Invalid
Status in linux-ti-omap4 source package in Dapper:
Invalid
Status in linux source package in Hardy:
Fix Released
Status in linux-fsl-imx51 source package in Hardy:
Invalid
Status in linux-lts-backport-maverick source package in Hardy:
Won't Fix
Status in linux-mvl-dove source package in Hardy:
Invalid
Status in linux-ti-omap4 source package in Hardy:
Invalid
Status in linux source package in Karmic:
Won't Fix
Status in linux-fsl-imx51 source package in Karmic:
Won't Fix
Status in linux-lts-backport-maverick source package in Karmic:
Won't Fix
Status in linux-mvl-dove source package in Karmic:
Invalid
Status in linux-ti-omap4 source package in Karmic:
Invalid
Bug description:
CVE-2010-4249
Vegard Nossum found a unix socket OOM was possible, posting an exploit
program.
My analysis is we can eat all LOWMEM memory before unix_gc() being
called from unix_release_sock(). Moreover, the thread blocked in
unix_gc() can consume huge amount of time to perform cleanup because of
huge working set.
One way to handle this is to have a sensible limit on unix_tot_inflight,
tested from wait_for_unix_gc() and to force a call to unix_gc() if this
limit is hit.
This solves the OOM and also reduce overall latencies, and should not
slowdown normal workloads.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/769182/+subscriptions