
kernel-packages team mailing list archive

[Bug 769182] Re: CVE-2010-4249

 

linux (2.6.32-28.55) lucid-proposed; urgency=low

  * Another version bump because of abi check failure
  * Tracking Bug
    - LP: #699885

linux (2.6.32-28.54) lucid-proposed; urgency=low

  * Another version bump because of upload failure

linux (2.6.32-28.53) lucid-proposed; urgency=low

  * Another version bump because of upload failure

linux (2.6.32-28.52) lucid-proposed; urgency=low

  [ Steve Conklin ]

  * (removed old tracking bug link)

linux (2.6.32-28.51) lucid-proposed; urgency=low

  [ Steve Conklin ]

  * bumped version due to build fail

linux (2.6.32-28.50) lucid-proposed; urgency=low

  [ Tim Gardner ]

  * SAUCE: Change nodelayacct boot parameter polarity.
    - LP: #493156
  * [Config] CONFIG_TASK_DELAY_ACCT=y
    - LP: #493156

  [ Upstream Kernel Changes ]

  * ipc: initialize structure memory to zero for compat functions
  * tcp: Increase TCP_MAXSEG socket option minimum.
    - CVE-2010-4165
  * perf_events: Fix perf_counter_mmap() hook in mprotect()
    - CVE-2010-4169
  * af_unix: limit unix_tot_inflight
    - CVE-2010-4249
  * AppArmor: fix the upper bound check for the next/check table
    - LP: #581525
  * NFS: Fix panic after nfs_umount()
    - LP: #683938
  * block: Ensure physical block size is unsigned int
    - LP: #688669
  * block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
    - LP: #688669
  * block: take care not to overflow when calculating total iov length
    - LP: #688669
  * block: check for proper length of iov entries in blk_rq_map_user_iov()
    - LP: #688669
  * jme: Fix PHY power-off error
    - LP: #688669
  * irda: Fix parameter extraction stack overflow
    - LP: #688669
  * irda: Fix heap memory corruption in iriap.c
    - LP: #688669
  * i2c-pca-platform: Change device name of request_irq
    - LP: #688669
  * microblaze: Fix build with make 3.82
    - LP: #688669
  * Staging: asus_oled: fix up some sysfs attribute permissions
    - LP: #688669
  * Staging: asus_oled: fix up my fixup for some sysfs attribute
    permissions
    - LP: #688669
  * Staging: line6: fix up some sysfs attribute permissions
    - LP: #688669
  * hpet: fix unwanted interrupt due to stale irq status bit
    - LP: #688669
  * hpet: unmap unused I/O space
    - LP: #688669
  * olpc_battery: Fix endian neutral breakage for s16 values
    - LP: #688669
  * percpu: fix list_head init bug in __percpu_counter_init()
    - LP: #688669
  * um: remove PAGE_SIZE alignment in linker script causing kernel
    segfault.
    - LP: #688669
  * um: fix global timer issue when using CONFIG_NO_HZ
    - LP: #688669
  * numa: fix slab_node(MPOL_BIND)
    - LP: #688669
  * hwmon: (lm85) Fix ADT7468 frequency table
    - LP: #688669
  * mm: fix return value of scan_lru_pages in memory unplug
    - LP: #688669
  * mm: fix is_mem_section_removable() page_order BUG_ON check
    - LP: #688669
  * ssb: b43-pci-bridge: Add new vendor for BCM4318
    - LP: #688669
  * sgi-xpc: XPC fails to discover partitions with all nasids above 128
    - LP: #688669
  * xen: ensure that all event channels start off bound to VCPU 0
    - LP: #688669
  * xen: don't bother to stop other cpus on shutdown/reboot
    - LP: #688669
  * sys_semctl: fix kernel stack leakage
    - LP: #688669
  * net: NETIF_F_HW_CSUM does not imply FCoE CRC offload
    - LP: #688669
  * drivers/char/vt_ioctl.c: fix VT_OPENQRY error value
    - LP: #688669
  * viafb: use proper register for colour when doing fill ops
    - LP: #688669
  * eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
    - LP: #688669
  * md/raid1: really fix recovery looping when single good device fails.
    - LP: #688669
  * md: fix return value of rdev_size_change()
    - LP: #688669
  * x86: AMD Northbridge: Verify NB's node is online
    - LP: #688669
  * tty: prevent DOS in the flush_to_ldisc
    - LP: #688669
  * TTY: restore tty_ldisc_wait_idle
    - LP: #688669
  * tty_ldisc: Fix BUG() on hangup
    - LP: #688669
  * TTY: ldisc, fix open flag handling
    - LP: #688669
  * KVM: VMX: fix vmx null pointer dereference on debug register access
    - LP: #688669
    - CVE-2010-0435
  * KVM: x86: fix information leak to userland
    - LP: #688669
  * firewire: cdev: fix information leak
    - LP: #688669
  * firewire: core: fix an information leak
    - LP: #688669
  * firewire: ohci: fix buffer overflow in AR split packet handling
    - LP: #688669
  * firewire: ohci: fix race in AR split packet handling
    - LP: #688669
  * ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and
    Headphone controls
    - LP: #669279, #688669
  * ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
    - LP: #688669
  * ALSA: hda: Use "alienware" model quirk for another SSID
    - LP: #683695, #688669
  * netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem
    pages
    - LP: #688669
  * latencytop: fix per task accumulator
    - LP: #688669
  * mm/vfs: revalidate page->mapping in do_generic_file_read()
    - LP: #688669
  * bio: take care not overflow page count when mapping/copying user data
    - LP: #688669
  * libata-scsi passthru: fix bug which truncated LBA48 return values
    - LP: #688669
  * libata: fix NULL sdev dereference race in atapi_qc_complete()
    - LP: #688669
  * PCI: fix size checks for mmap() on /proc/bus/pci files
    - LP: #688669
  * PCI: fix offset check for sysfs mmapped files
    - LP: #688669
  * efifb: check that the base address is plausible on pci systems
    - LP: #688669
  * USB: gadget: AT91: fix typo in atmel_usba_udc driver
    - LP: #688669
  * USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
    - LP: #688669
  * USB: option: fix when the driver is loaded incorrectly for some Huawei
    devices.
    - LP: #688669
  * usb: misc: sisusbvga: fix information leak to userland
    - LP: #688669
  * usb: misc: iowarrior: fix information leak to userland
    - LP: #688669
  * usb: core: fix information leak to userland
    - LP: #688669
  * USB: EHCI: fix obscure race in ehci_endpoint_disable
    - LP: #688669
  * USB: storage: sierra_ms: fix sysfs file attribute
    - LP: #688669
  * USB: atm: ueagle-atm: fix up some permissions on the sysfs files
    - LP: #688669
  * USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
    - LP: #688669
  * USB: misc: usbled: fix up some sysfs attribute permissions
    - LP: #688669
  * USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes"
    - LP: #688669
  * USB: misc: trancevibrator: fix up a sysfs attribute permission
    - LP: #688669
  * USB: misc: usbsevseg: fix up some sysfs attribute permissions
    - LP: #688669
  * USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable
    - LP: #688669
  * USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added
    - LP: #688669
  * acpi-cpufreq: fix a memleak when unloading driver
    - LP: #688669
  * ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite
    L355
    - LP: #688669
  * fuse: fix attributes after open(O_TRUNC)
    - LP: #688669
  * do_exit(): make sure that we run with get_fs() == USER_DS
    - LP: #688669
  * uml: disable winch irq before freeing handler data
    - LP: #688669
  * backlight: grab ops_lock before testing bd->ops
    - LP: #688669
  * nommu: yield CPU while disposing VM
    - LP: #688669
  * DECnet: don't leak uninitialized stack byte
    - LP: #688669
  * ARM: 6489/1: thumb2: fix incorrect optimisation in usracc
    - LP: #688669
  * ARM: 6482/2: Fix find_next_zero_bit and related assembly
    - LP: #688669
  * Staging: frontier: fix up some sysfs attribute permissions
    - LP: #688669
  * staging: rtl8187se: Change panic to warn when RF switch turned off
    - LP: #688669
  * HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
    - LP: #688669
  * HID: hidraw, fix a NULL pointer dereference in hidraw_write
    - LP: #688669
  * gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New:
    linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)
    - LP: #688669
  * Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer
    overflows.
    - LP: #688669
  * sparc64: Fix race in signal instruction flushing.
    - LP: #688669
  * sparc: Don't mask signal when we can't setup signal frame.
    - LP: #688669
  * sparc: Prevent no-handler signal syscall restart recursion.
    - LP: #688669
  * x86, UV: Delete unneeded boot messages
    - LP: #688669
  * x86, UV: Fix initialization of max_pnode
    - LP: #688669
  * drivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook
    Pro 5,1
    - LP: #688669
  * efifb: support the EFI framebuffer on more Apple hardware
    - LP: #688669
  * V4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming
    interface descriptors
    - LP: #688669
  * Input: i8042 - add Sony VAIO VPCZ122GX to nomux list
    - LP: #688669
  * x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
    - LP: #688669
  * memory corruption in X.25 facilities parsing
    - LP: #688669
  * can-bcm: fix minor heap overflow
    - LP: #688669
  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory
    - LP: #688669
  * x25: Prevent crashing when parsing bad X.25 facilities
    - LP: #688669
  * crypto: padlock - Fix AES-CBC handling on odd-block-sized input
    - LP: #688669
  * x86-32: Separate 1:1 pagetables from swapper_pg_dir
    - LP: #688669
  * x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
    - LP: #688669
  * x86-32: Fix dummy trampoline-related inline stubs
    - LP: #688669
  * rds: Integer overflow in RDS cmsg handling
    - LP: #688669
  * net: Truncate recvfrom and sendto length to INT_MAX.
    - LP: #688669
  * net: Limit socket I/O iovec total length to INT_MAX.
    - LP: #688669
  * nmi: fix clock comparator revalidation
    - LP: #688669
  * UV - XPC: pass nasid instead of nid to gru_create_message_queue
    - LP: #688669
  * x86: uv: XPC receive message reuse triggers invalid BUG_ON()
    - LP: #688669
  * X86: uv: xpc_make_first_contact hang due to not accepting ACTIVE state
    - LP: #688669
  * x86: uv: xpc NULL deref when mesq becomes empty
    - LP: #688669
  * Linux 2.6.32.27
    - LP: #688669
 -- Steve Conklin <sconklin@xxxxxxxxxxxxx>   Mon, 10 Jan 2011 14:51:10 -0600

** Changed in: linux (Ubuntu Lucid)
       Status: Incomplete => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-lts-backport-maverick in Ubuntu.
https://bugs.launchpad.net/bugs/769182

Title:
  CVE-2010-4249

Status in linux package in Ubuntu:
  Fix Released
Status in linux-fsl-imx51 package in Ubuntu:
  Invalid
Status in linux-lts-backport-maverick package in Ubuntu:
  Invalid
Status in linux-mvl-dove package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  Fix Released
Status in linux-fsl-imx51 source package in Lucid:
  Fix Released
Status in linux-lts-backport-maverick source package in Lucid:
  Won't Fix
Status in linux-mvl-dove source package in Lucid:
  Fix Released
Status in linux-ti-omap4 source package in Lucid:
  Invalid
Status in linux source package in Maverick:
  Fix Released
Status in linux-fsl-imx51 source package in Maverick:
  Invalid
Status in linux-lts-backport-maverick source package in Maverick:
  Won't Fix
Status in linux-mvl-dove source package in Maverick:
  Fix Released
Status in linux-ti-omap4 source package in Maverick:
  Fix Released
Status in linux source package in Natty:
  Invalid
Status in linux-fsl-imx51 source package in Natty:
  Invalid
Status in linux-lts-backport-maverick source package in Natty:
  Invalid
Status in linux-mvl-dove source package in Natty:
  Invalid
Status in linux-ti-omap4 source package in Natty:
  Invalid
Status in linux source package in Dapper:
  Won't Fix
Status in linux-fsl-imx51 source package in Dapper:
  Invalid
Status in linux-lts-backport-maverick source package in Dapper:
  Won't Fix
Status in linux-mvl-dove source package in Dapper:
  Invalid
Status in linux-ti-omap4 source package in Dapper:
  Invalid
Status in linux source package in Hardy:
  Fix Released
Status in linux-fsl-imx51 source package in Hardy:
  Invalid
Status in linux-lts-backport-maverick source package in Hardy:
  Won't Fix
Status in linux-mvl-dove source package in Hardy:
  Invalid
Status in linux-ti-omap4 source package in Hardy:
  Invalid
Status in linux source package in Karmic:
  Won't Fix
Status in linux-fsl-imx51 source package in Karmic:
  Won't Fix
Status in linux-lts-backport-maverick source package in Karmic:
  Won't Fix
Status in linux-mvl-dove source package in Karmic:
  Invalid
Status in linux-ti-omap4 source package in Karmic:
  Invalid

Bug description:
  CVE-2010-4249

  Vegard Nossum found a unix socket OOM was possible, posting an exploit
  program.

  My analysis is we can eat all LOWMEM memory before unix_gc() is
  called from unix_release_sock(). Moreover, the thread blocked in
  unix_gc() can consume a huge amount of time to perform cleanup because
  of a huge working set.

  One way to handle this is to have a sensible limit on unix_tot_inflight,
  tested from wait_for_unix_gc() and to force a call to unix_gc() if this
  limit is hit.

  This solves the OOM and also reduces overall latencies, and should not
  slow down normal workloads.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/769182/+subscriptions
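
The limit described in the bug description, modelled in user space as an added example (not the kernel patch and not code from this thread). The names unix_tot_inflight, wait_for_unix_gc(), unix_gc() and unix_release_sock() come from the description; struct unix_model, run_workload() and the INFLIGHT_LIMIT value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#define INFLIGHT_LIMIT 1000u /* assumed value for this model, not the kernel's */

struct unix_model {                 /* hypothetical stand-in for kernel state */
    unsigned int unix_tot_inflight; /* sockets queued inside unread messages */
    unsigned int peak_inflight;     /* worst-case amount pinned at once */
    unsigned int largest_gc_scan;   /* biggest working set one gc had to walk */
    unsigned int gc_runs;
    bool limit_enabled;             /* false = behaviour without the limit */
};

/* Collect everything in flight; the cost grows with the working set. */
static void unix_gc(struct unix_model *m) {
    if (m->unix_tot_inflight > m->largest_gc_scan)
        m->largest_gc_scan = m->unix_tot_inflight;
    m->unix_tot_inflight = 0; /* model: every in-flight socket is garbage */
    m->gc_runs++;
}

/* Send-path hook: with the limit enabled, force a gc once it is exceeded. */
static void wait_for_unix_gc(struct unix_model *m) {
    if (m->limit_enabled && m->unix_tot_inflight > INFLIGHT_LIMIT)
        unix_gc(m);
}

/* The description names socket release as the point where unix_gc() runs. */
static void unix_release_sock(struct unix_model *m) {
    if (m->unix_tot_inflight)
        unix_gc(m);
}

/* Queue `sends` sockets with no release in between, then release once. */
struct unix_model run_workload(bool limit_enabled, unsigned int sends) {
    struct unix_model m = { .limit_enabled = limit_enabled };
    for (unsigned int i = 0; i < sends; i++) {
        wait_for_unix_gc(&m);
        if (++m.unix_tot_inflight > m.peak_inflight)
            m.peak_inflight = m.unix_tot_inflight;
    }
    unix_release_sock(&m);
    return m;
}

int main(void) {
    struct unix_model a = run_workload(false, 100000), b = run_workload(true, 100000);
    printf("no limit: peak=%u scan=%u | limit: peak=%u scan=%u gcs=%u\n", a.peak_inflight,
           a.largest_gc_scan, b.peak_inflight, b.largest_gc_scan, b.gc_runs);
    return 0;
}
```

Without the limit, the peak and the single gc's working set both equal the number of sends; with it, both stay at INFLIGHT_LIMIT + 1 however long the sender runs.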