kernel-packages team mailing list archive

[Bug 1414651] Re: CVE-2015-0239

 

This bug was fixed in the package linux-lts-trusty -
3.13.0-46.75~precise1

---------------
linux-lts-trusty (3.13.0-46.75~precise1) precise; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1420661

  [ Andy Whitcroft ]

  * [Debian] arm64 -- build ubuntu drivers
    - LP: #1411284
  * hyper-v -- fix comment handing in /etc/network/interfaces
    - LP: #1413020

  [ Kamal Mostafa ]

  * [Packaging] force "dpkg-source -I -i" behavior

  [ Upstream Kernel Changes ]

  * Revert "[SCSI] mpt2sas: Remove phys on topology change."
    - LP: #1419838
  * Revert "[SCSI] mpt3sas: Remove phys on topology change"
    - LP: #1419838
  * Btrfs: fix transaction abortion when remounting btrfs from RW to RO
    - LP: #1411320
  * Btrfs: fix a crash of clone with inline extents's split
    - LP: #1413129
  * net/mlx4_en: Add VXLAN ndo calls to the PF net device ops too
    - LP: #1407760
  * KVM: x86: SYSENTER emulation is broken
    - LP: #1414651
    - CVE-2015-0239
  * powerpc/xmon: Fix another endiannes issue in RTAS call from xmon
    - LP: #1415919
  * ipv6: fix swapped ipv4/ipv6 mtu_reduced callbacks
    - LP: #1404558, #1419837
  * usb: gadget: at91_udc: move prepare clk into process context
    - LP: #1419837
  * KVM: x86: Fix far-jump to non-canonical check
    - LP: #1419837
  * x86/tls: Validate TLS entries to protect espfix
    - LP: #1419837
  * userns: Check euid no fsuid when establishing an unprivileged uid
    mapping
    - LP: #1419837
  * userns: Document what the invariant required for safe unprivileged
    mappings.
    - LP: #1419837
  * userns: Only allow the creator of the userns unprivileged mappings
    - LP: #1419837
  * x86_64, switch_to(): Load TLS descriptors before switching DS and ES
    - LP: #1419837
  * isofs: Fix infinite looping over CE entries
    - LP: #1419837
  * batman-adv: Calculate extra tail size based on queued fragments
    - LP: #1419837
  * KEYS: close race between key lookup and freeing
    - LP: #1419837
  * isofs: Fix unchecked printing of ER records
    - LP: #1419837
  * x86_64, vdso: Fix the vdso address randomization algorithm
    - LP: #1419837
  * groups: Consolidate the setgroups permission checks
    - LP: #1419837
  * userns: Don't allow setgroups until a gid mapping has been setablished
    - LP: #1419837
  * userns: Don't allow unprivileged creation of gid mappings
    - LP: #1419837
  * move d_rcu from overlapping d_child to overlapping d_alias
    - LP: #1419837
  * deal with deadlock in d_walk()
    - LP: #1419837
  * Linux 3.13.11-ckt14
    - LP: #1419837
  * gre: fix the inner mac header in nbma tunnel xmit path
    - LP: #1419838
  * netlink: Always copy on mmap TX.
    - LP: #1419838
  * netlink: Don't reorder loads/stores before marking mmap netlink frame
    as available
    - LP: #1419838
  * in6: fix conflict with glibc
    - LP: #1419838
  * tg3: tg3_disable_ints using uninitialized mailbox value to disable
    interrupts
    - LP: #1419838
  * batman-adv: Unify fragment size calculation
    - LP: #1419838
  * batman-adv: avoid NULL dereferences and fix if check
    - LP: #1419838
  * net: Fix stacked vlan offload features computation
    - LP: #1419838
  * net: Reset secmark when scrubbing packet
    - LP: #1419838
  * tcp: Do not apply TSO segment limit to non-TSO packets
    - LP: #1419838
  * alx: fix alx_poll()
    - LP: #1419838
  * team: avoid possible underflow of count_pending value for notify_peers
    and mcast_rejoin
    - LP: #1419838
  * enic: fix rx skb checksum
    - LP: #1419838
  * net/core: Handle csum for CHECKSUM_COMPLETE VXLAN forwarding
    - LP: #1419838
  * macvlan: unregister net device when netdev_upper_dev_link() fails
    - LP: #1419838
  * netfilter: conntrack: disable generic tracking for known protocols
    - LP: #1419838
  * xen-netfront: Fix handling packets on compound pages with skb_linearize
    - LP: #1317811, #1419838
  * xen-netfront: use correct linear area after linearizing an skb
    - LP: #1317811, #1419838
  * eCryptfs: Force RO mount when encrypted view is enabled
    - LP: #1419838
  * smiapp: Take mutex during PLL update in sensor initialisation
    - LP: #1419838
  * smiapp-pll: Correct clock debug prints
    - LP: #1419838
  * sound: simplify au0828 quirk table
    - LP: #1419838
  * sound: Update au0828 quirks table
    - LP: #1419838
  * af9005: fix kernel panic on init if compiled without IR
    - LP: #1419838
  * writeback: fix a subtle race condition in I_DIRTY clearing
    - LP: #1419838
  * usb: renesas_usbhs: gadget: fix NULL pointer dereference in
    ep_disable()
    - LP: #1419838
  * KVM: s390: flush CPU on load control
    - LP: #1419838
  * UBI: Fix double free after do_sync_erase()
    - LP: #1419838
  * UBI: Fix invalid vfree()
    - LP: #1419838
  * Drivers: hv: vmbus: Fix a race condition when unregistering a device
    - LP: #1419838
  * driver core: Fix unbalanced device reference in drivers_probe
    - LP: #1419838
  * PCI: Restore detection of read-only BARs
    - LP: #1419838
  * scsi: correct return values for .eh_abort_handler implementations
    - LP: #1419838
  * drm/radeon: fix typo in CI dpm disable
    - LP: #1419838
  * ARM: tegra: Re-add removed SoC id macro to tegra_resume()
    - LP: #1419838
  * arm64: Add COMPAT_HWCAP_LPAE
    - LP: #1419838
  * genhd: check for int overflow in disk_expand_part_tbl()
    - LP: #1419838
  * ftrace/x86: Add frames pointers to trampoline as necessary
    - LP: #1419838
  * drm/ttm: Avoid memory allocation from shrinker functions.
    - LP: #1419838
  * ASoC: sigmadsp: Refuse to load firmware files with a non-supported
    version
    - LP: #1419838
  * drm/radeon: work around a hw bug in MGCG on CIK
    - LP: #1419838
  * Btrfs: make sure we wait on logged extents when fsycning two subvols
    - LP: #1419838
  * Btrfs: do not move em to modified list when unpinning
    - LP: #1419838
  * megaraid_sas: corrected return of wait_event from abort frame path
    - LP: #1419838
  * ASoC: max98090: Fix ill-defined sidetone route
    - LP: #1419838
  * blk-mq: use 'nr_cpu_ids' as highest CPU ID count for hwq <-> cpu map
    - LP: #1419838
  * nfs41: fix nfs4_proc_layoutget error handling
    - LP: #1419838
  * cdc-acm: memory leak in error case
    - LP: #1419838
  * USB: cdc-acm: check for valid interfaces
    - LP: #1419838
  * x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and
    sync_regs
    - LP: #1419838
  * uvcvideo: Fix destruction order in uvc_delete()
    - LP: #1419838
  * HID: i2c-hid: fix race condition reading reports
    - LP: #1419838
  * mfd: tc6393xb: Fail ohci suspend if full state restore is required
    - LP: #1419838
  * serial: samsung: wait for transfer completion before clock disable
    - LP: #1419838
  * mmc: dw_mmc: avoid write to CDTHRCTL on older versions
    - LP: #1419838
  * Bluetooth: ath3k: Add support of MCI 13d3:3408 bt device
    - LP: #1419838
  * eCryptfs: Remove buggy and unnecessary write in file name decode
    routine
    - LP: #1419838
  * n_tty: Fix read_buf race condition, increment read_head after pushing
    data
    - LP: #1419838
  * dm cache: only use overwrite optimisation for promotion when in
    writeback mode
    - LP: #1419838
  * dm cache: dirty flag was mistakenly being cleared when promoting via
    overwrite
    - LP: #1419838
  * dm bufio: fix memleak when using a dm_buffer's inline bio
    - LP: #1419838
  * ath9k_hw: fix hardware queue allocation
    - LP: #1419838
  * ath9k: fix BE/BK queue order
    - LP: #1419838
  * ath5k: fix hardware queue index assignment
    - LP: #1419838
  * tcm_loop: Fix wrong I_T nexus association
    - LP: #1419838
  * iwlwifi: dvm: fix flush support for old firmware
    - LP: #1419838
  * iommu/vt-d: Fix an off-by-one bug in __domain_mapping()
    - LP: #1419838
  * dm crypt: use memzero_explicit for on-stack buffer
    - LP: #1419838
  * mnt: Implicitly add MNT_NODEV on remount when it was implicitly added
    by mount
    - LP: #1419838
  * mnt: Update unprivileged remount test
    - LP: #1419838
  * umount: Disallow unprivileged mount force
    - LP: #1419838
  * md/raid56: Don't perform reads to support writes until stripe is ready.
    - LP: #1419838
  * md/raid5: avoid livelock caused by non-aligned writes.
    - LP: #1419838
  * md/raid5: fetch_block must fetch all the blocks handle_stripe_dirtying
    wants.
    - LP: #1419838
  * drm/i915: Disallow pin ioctl completely for kms drivers
    - LP: #1419838
  * drm/vmwgfx: Don't use memory accounting for kernel-side fence objects
    - LP: #1419838
  * drm/vmwgfx: Fix fence event code
    - LP: #1419838
  * hp_accel: Add support for HP ZBook 15
    - LP: #1419838
  * drm/radeon: check the right ring in radeon_evict_flags()
    - LP: #1419838
  * swiotlb-xen: pass dev_addr to xen_dma_unmap_page and
    xen_dma_sync_single_for_cpu
    - LP: #1419838
  * swiotlb-xen: call xen_dma_sync_single_for_device when appropriate
    - LP: #1419838
  * clocksource: arch_timer: Fix code to use physical timers when requested
    - LP: #1419838
  * ALSA: hda - Fix built-in mic at resume on Lenovo Ideapad S210
    - LP: #1419838
  * can: peak_usb: fix memset() usage
    - LP: #1419838
  * can: peak_usb: fix cleanup sequence order in case of error during init
    - LP: #1419838
  * ALSA: usb-audio: Don't resubmit pending URBs at MIDI error recovery
    - LP: #1419838
  * KEYS: Fix stale key registration at error path
    - LP: #1419838
  * thermal: Fix error path in thermal_init()
    - LP: #1419838
  * blk-mq: Fix a use-after-free
    - LP: #1419838
  * fs: nfsd: Fix signedness bug in compare_blob
    - LP: #1419838
  * nfsd4: fix xdr4 inclusion of escaped char
    - LP: #1419838
  * userns: Rename id_map_mutex to userns_state_mutex
    - LP: #1419838
  * drm/i915: Don't complain about stolen conflicts on gen3
    - LP: #1419838
  * ALSA: hda - Add EAPD fixup for ASUS Z99He laptop
    - LP: #1419838
  * Btrfs: fix fs corruption on transaction abort if device supports
    discard
    - LP: #1419838
  * ncpfs: return proper error from NCP_IOC_SETROOT ioctl
    - LP: #1419838
  * drivers/rtc/rtc-sirfsoc.c: move hardware initilization earlier in probe
    - LP: #1419838
  * rtc: omap: fix missing wakealarm attribute
    - LP: #1419838
  * exit: pidns: alloc_pid() leaks pid_namespace if child_reaper is exiting
    - LP: #1419838
  * perf/x86/intel/uncore: Make sure only uncore events are collected
    - LP: #1419838
  * perf: Fix events installation during moving group
    - LP: #1419838
  * KVM: nVMX: Disable unrestricted mode if ept=0
    - LP: #1419838
  * drm/i915: save/restore GMBUS freq across suspend/resume on gen4
    - LP: #1419838
  * pstore-ram: Fix hangs by using write-combine mappings
    - LP: #1419838
  * pstore-ram: Allow optional mapping with pgprot_noncached
    - LP: #1419838
  * userns: Add a knob to disable setgroups on a per user namespace basis
    - LP: #1419838
  * userns: Allow setting gid_maps without privilege when setgroups is
    disabled
    - LP: #1419838
  * userns: Unbreak the unprivileged remount tests
    - LP: #1419838
  * HID: i2c-hid: prevent buffer overflow in early IRQ
    - LP: #1419838
  * mac80211: fix multicast LED blinking and counter
    - LP: #1419838
  * cfg80211: avoid mem leak on driver hint set
    - LP: #1419838
  * mtd: tests: abort torturetest on erase errors
    - LP: #1419838
  * tracing/sched: Check preempt_count() for current when reading
    task->state
    - LP: #1419838
  * iscsi,iser-target: Initiate termination only once
    - LP: #1419838
  * iser-target: Fix flush + disconnect completion handling
    - LP: #1419838
  * iser-target: Parallelize CM connection establishment
    - LP: #1419838
  * iser-target: Fix connected_handler + teardown flow race
    - LP: #1419838
  * iser-target: Handle ADDR_CHANGE event for listener cm_id
    - LP: #1419838
  * iser-target: Fix implicit termination of connections
    - LP: #1419838
  * genirq: Prevent proc race against freeing of irq descriptors
    - LP: #1419838
  * x86/tls: Disallow unusual TLS segments
    - LP: #1419838
  * powerpc/powernv: Switch off MMU before entering nap/sleep/rvwinkle mode
    - LP: #1419838
  * ARC: [nsimosci] move peripherals to match model to FPGA
    - LP: #1419838
  * scsi: blacklist RSOC for Microsoft iSCSI target devices
    - LP: #1419838
  * rtlwifi: rtl8192ce: Set fw_ready flag
    - LP: #1419838
  * iscsi-target: Fail connection on short sendmsg writes
    - LP: #1419838
  * mac80211: free management frame keys when removing station
    - LP: #1419838
  * ceph: do_sync is never initialized
    - LP: #1419838
  * x86/tls: Don't validate lm in set_thread_area() after all
    - LP: #1419838
  * ALSA: usb-audio: extend KEF X300A FU 10 tweak to Arcam rPAC
    - LP: #1419838
  * mnt: Fix a memory stomp in umount
    - LP: #1419838
  * ocfs2: fix journal commit deadlock
    - LP: #1419838
  * tick/powerclamp: Remove tick_nohz_idle abuse
    - LP: #1419838
  * Linux 3.13.11-ckt15
    - LP: #1419838

  [ Xiong Zhang ]

  * SAUCE: ubuntu/i915: power on sink if dpcd read fail
    - LP: #1416451
 -- Seth Forshee <seth.forshee@xxxxxxxxxxxxx>   Wed, 11 Feb 2015 08:52:25 -0600

** Changed in: linux-armadaxp (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1414651

Title:
  CVE-2015-0239

Status in linux package in Ubuntu:
  Invalid
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-ec2 package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-fsl-imx51 package in Ubuntu:
  Invalid
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-backport-maverick package in Ubuntu:
  New
Status in linux-lts-backport-natty package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-mvl-dove package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  New
Status in linux-armadaxp source package in Lucid:
  Invalid
Status in linux-ec2 source package in Lucid:
  New
Status in linux-flo source package in Lucid:
  Invalid
Status in linux-fsl-imx51 source package in Lucid:
  Invalid
Status in linux-goldfish source package in Lucid:
  Invalid
Status in linux-lts-backport-maverick source package in Lucid:
  New
Status in linux-lts-backport-natty source package in Lucid:
  New
Status in linux-lts-quantal source package in Lucid:
  Invalid
Status in linux-lts-raring source package in Lucid:
  Invalid
Status in linux-lts-saucy source package in Lucid:
  Invalid
Status in linux-lts-trusty source package in Lucid:
  Invalid
Status in linux-lts-utopic source package in Lucid:
  Invalid
Status in linux-mako source package in Lucid:
  Invalid
Status in linux-manta source package in Lucid:
  Invalid
Status in linux-mvl-dove source package in Lucid:
  Invalid
Status in linux-ti-omap4 source package in Lucid:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-ec2 source package in Precise:
  Invalid
Status in linux-flo source package in Precise:
  Invalid
Status in linux-fsl-imx51 source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-backport-maverick source package in Precise:
  New
Status in linux-lts-backport-natty source package in Precise:
  New
Status in linux-lts-quantal source package in Precise:
  Fix Committed
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-mvl-dove source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-ec2 source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-fsl-imx51 source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-backport-maverick source package in Trusty:
  New
Status in linux-lts-backport-natty source package in Trusty:
  New
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-mvl-dove source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Utopic:
  Fix Committed
Status in linux-armadaxp source package in Utopic:
  Invalid
Status in linux-ec2 source package in Utopic:
  Invalid
Status in linux-flo source package in Utopic:
  New
Status in linux-fsl-imx51 source package in Utopic:
  Invalid
Status in linux-goldfish source package in Utopic:
  New
Status in linux-lts-backport-maverick source package in Utopic:
  New
Status in linux-lts-backport-natty source package in Utopic:
  New
Status in linux-lts-quantal source package in Utopic:
  Invalid
Status in linux-lts-raring source package in Utopic:
  Invalid
Status in linux-lts-saucy source package in Utopic:
  Invalid
Status in linux-lts-trusty source package in Utopic:
  Invalid
Status in linux-lts-utopic source package in Utopic:
  Invalid
Status in linux-mako source package in Utopic:
  New
Status in linux-manta source package in Utopic:
  New
Status in linux-mvl-dove source package in Utopic:
  Invalid
Status in linux-ti-omap4 source package in Utopic:
  Invalid
Status in linux source package in Vivid:
  Invalid
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-ec2 source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-fsl-imx51 source package in Vivid:
  Invalid
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-backport-maverick source package in Vivid:
  New
Status in linux-lts-backport-natty source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  Invalid
Status in linux-lts-raring source package in Vivid:
  Invalid
Status in linux-lts-saucy source package in Vivid:
  Invalid
Status in linux-lts-trusty source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-mvl-dove source package in Vivid:
  Invalid
Status in linux-ti-omap4 source package in Vivid:
  Invalid

Bug description:
  Linux 2.6.32 - 3.18 that runs KVM may enable a malicious guest process
  to crash the guest OS or launch a privilege escalation attack on the
  guest. The attack can be launched by tricking the hypervisor to
  emulate a SYSENTER instruction in 16-bit mode, if the guest OS does
  not initialize the SYSENTER MSRs. KVM does not check under these
  conditions that the selector IA32_SYSENTER_CS is not zero, and does
  not generate a #GP exception as real hardware does. Instead, it sets
  the guest instruction pointer to zero and changes the code privilege
  level (CPL) to zero (privileged). Note that the attack can only be
  issued under very certain conditions (see the details below). Windows
  and distro Linux guest OSes should be safe. The bug existed since the
  introduction of SYSENTER emulation (em_sysenter function on recent
  Linux releases), in commit 8c60435261deaefeb53ce3222d04d7d5bea81296,
  which is present in Linux 2.6.32 - 3.18.

  Break-Fix: - f3747379accba8e95d70cec0eae0582c8c182050

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1414651/+subscriptions
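
The check described in the bug description, as an added example that is not part of the original notification and is not the kernel's code: a simplified C model of SYSENTER emulation with the null-selector check skipped in 16-bit mode, next to the same logic with the check applied in every mode. All type and function names are hypothetical, the starting guest state is constructed, and the model assumes the pre-fix emulator skipped the check only in 16-bit mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of SYSENTER emulation; all names here are hypothetical. */
enum cpu_mode { MODE_PROT16, MODE_PROT32 };
enum emul_result { EMUL_OK, EMUL_GP };

struct outcome {
    enum emul_result result;
    uint64_t rip;   /* guest instruction pointer after emulation */
    unsigned cpl;   /* guest privilege level after emulation */
};

/* Null selector: index and table-indicator bits all zero (RPL bits ignored). */
static bool selector_is_null(uint64_t cs)
{
    return (cs & 0xfffc) == 0;
}

/*
 * Emulate SYSENTER issued from CPL 3 at a constructed address.
 * fixed == false: null-selector check skipped in 16-bit mode (assumed model
 *                 of the behaviour in the bug description).
 * fixed == true:  check applied in every mode, #GP raised as on hardware.
 */
struct outcome simulate(bool fixed, enum cpu_mode mode,
                        uint64_t sysenter_cs, uint64_t sysenter_eip)
{
    struct outcome o = { EMUL_OK, 0x1000 /* constructed user RIP */, 3 };
    bool check = fixed || mode != MODE_PROT16;

    if (check && selector_is_null(sysenter_cs)) {
        o.result = EMUL_GP;     /* guest state left untouched */
        return o;
    }
    o.rip = sysenter_eip;       /* 0 when the MSR was never written */
    o.cpl = 0;                  /* guest code now runs privileged */
    return o;
}

int main(void)
{
    /* Guest that never initialised the SYSENTER MSRs: both read as zero. */
    struct outcome before = simulate(false, MODE_PROT16, 0, 0);
    struct outcome after  = simulate(true,  MODE_PROT16, 0, 0);

    printf("before fix: result=%s rip=%#llx cpl=%u\n",
           before.result == EMUL_GP ? "#GP" : "ok",
           (unsigned long long)before.rip, before.cpl);
    printf("after fix:  result=%s rip=%#llx cpl=%u\n",
           after.result == EMUL_GP ? "#GP" : "ok",
           (unsigned long long)after.rip, after.cpl);
    return 0;
}
```

A guest that programs the SYSENTER MSRs never reaches the unchecked path, which matches the description's note that Windows and distro Linux guests should be safe.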
