kernel-packages team mailing list archive

[Bug 1438504] Re: CVE-2015-2666

 

This bug was fixed in the package linux-lts-trusty -
3.13.0-51.84~precise1

---------------
linux-lts-trusty (3.13.0-51.84~precise1) precise; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1444698
  * Merged back Ubuntu-3.13.0-49.83 security release

linux (3.13.0-50.82) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1442285

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEFAULT_MMAP_MIN_ADDR needs to match on armhf and arm64
    - LP: #1418140

  [ Chris J Arges ]

  * [Config] CONFIG_PCIEASPM_DEBUG=y
    - LP: #1398544

  [ Upstream Kernel Changes ]

  * KEYS: request_key() should reget expired keys rather than give
    EKEYEXPIRED
    - LP: #1124250
  * audit: correctly record file names with different path name types
    - LP: #1439441
  * KVM: x86: Check for nested events if there is an injectable interrupt
    - LP: #1413540
  * be2iscsi: fix memory leak in error path
    - LP: #1440156
  * block: remove old blk_iopoll_enabled variable
    - LP: #1440156
  * be2iscsi: Fix handling timed out MBX completion from FW
    - LP: #1440156
  * be2iscsi: Fix doorbell format for EQ/CQ/RQ s per SLI spec.
    - LP: #1440156
  * be2iscsi: Fix the session cleanup when reboot/shutdown happens
    - LP: #1440156
  * be2iscsi: Fix scsi_cmnd leakage in driver.
    - LP: #1440156
  * be2iscsi : Fix DMA Out of SW-IOMMU space error
    - LP: #1440156
  * be2iscsi: Fix retrieving MCCQ_WRB in non-embedded Mbox path
    - LP: #1440156
  * be2iscsi: Fix exposing Host in sysfs after adapter initialization is
    complete
    - LP: #1440156
  * be2iscsi: Fix interrupt Coalescing mechanism.
    - LP: #1440156
  * be2iscsi: Fix TCP parameters while connection offloading.
    - LP: #1440156
  * be2iscsi: Fix memory corruption in MBX path
    - LP: #1440156
  * be2iscsi: Fix destroy MCC-CQ before MCC-EQ is destroyed
    - LP: #1440156
  * be2iscsi: add an missing goto in error path
    - LP: #1440156
  * be2iscsi: remove potential junk pointer free
    - LP: #1440156
  * be2iscsi: Fix memory leak in mgmt_set_ip()
    - LP: #1440156
  * be2iscsi: Fix the sparse warning introduced in previous submission
    - LP: #1440156
  * be2iscsi: Fix updating the boot enteries in sysfs
    - LP: #1440156
  * be2iscsi: Fix processing CQE before connection resources are freed
    - LP: #1440156
  * be2iscsi : Fix kernel panic during reboot/shutdown
    - LP: #1440156
  * fixed invalid assignment of 64bit mask to host dma_boundary for scatter
    gather segment boundary limit.
    - LP: #1440156
  * quota: Store maximum space limit in bytes
    - LP: #1441284
  * ip: zero sockaddr returned on error queue
    - LP: #1441284
  * net: rps: fix cpu unplug
    - LP: #1441284
  * ipv6: stop sending PTB packets for MTU < 1280
    - LP: #1441284
  * netxen: fix netxen_nic_poll() logic
    - LP: #1441284
  * udp_diag: Fix socket skipping within chain
    - LP: #1441284
  * ping: Fix race in free in receive path
    - LP: #1441284
  * bnx2x: fix napi poll return value for repoll
    - LP: #1441284
  * net: don't OOPS on socket aio
    - LP: #1441284
  * bridge: dont send notification when skb->len == 0 in rtnl_bridge_notify
    - LP: #1441284
  * ipv4: tcp: get rid of ugly unicast_sock
    - LP: #1441284
  * ppp: deflate: never return len larger than output buffer
    - LP: #1441284
  * net: sctp: fix passing wrong parameter header to param_type2af in
    sctp_process_param
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to corgi board file
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to poodle board file
    - LP: #1441284
  * ARM: pxa: add regulator_has_full_constraints to spitz board file
    - LP: #1441284
  * hx4700: regulator: declare full constraints
    - LP: #1441284
  * HID: input: fix confusion on conflicting mappings
    - LP: #1441284
  * HID: fixup the conflicting keyboard mappings quirk
    - LP: #1441284
  * megaraid_sas: disable interrupt_mask before enabling hardware
    interrupts
    - LP: #1441284
  * PCI: Generate uppercase hex for modalias var in uevent
    - LP: #1441284
  * usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN
    - LP: #1441284
  * tty/serial: at91: enable peripheral clock before accessing I/O
    registers
    - LP: #1441284
  * tty/serial: at91: fix error handling in atmel_serial_probe()
    - LP: #1441284
  * axonram: Fix bug in direct_access
    - LP: #1441284
  * ksoftirqd: Enable IRQs and call cond_resched() before poking RCU
    - LP: #1441284
  * TPM: Add new TPMs to the tail of the list to prevent inadvertent change
    of dev
    - LP: #1441284
  * char: tpm: Add missing error check for devm_kzalloc
    - LP: #1441284
  * tpm_tis: verify interrupt during init
    - LP: #1441284
  * tpm: Fix NULL return in tpm_ibmvtpm_get_desired_dma
    - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Fix potential bug in tpm_stm_i2c_send
    - LP: #1441284
  * tpm/tpm_i2c_stm_st33: Add status check when reading data on the FIFO
    - LP: #1441284
  * mmc: sdhci-pxav3: fix unbalanced clock issues during probe
    - LP: #1441284
  * iwlwifi: mvm: validate tid and sta_id in ba_notif
    - LP: #1441284
  * power: bq24190: Fix ignored supplicants
    - LP: #1441284
  * ARM: DRA7: hwmod: Fix boot crash with DEBUG_LL enabled on UART3
    - LP: #1441284
  * Bluetooth: ath3k: Add support of AR3012 bluetooth 13d3:3423 device
    - LP: #1411193, #1441284
  * cfq-iosched: fix incorrect filing of rt async cfqq
    - LP: #1441284
  * smack: fix possible use after frees in task_security() callers
    - LP: #1441284
  * xfs: ensure buffer types are set correctly
    - LP: #1441284
  * xfs: inode unlink does not set AGI buffer type
    - LP: #1441284
  * xfs: set buf types when converting extent formats
    - LP: #1441284
  * xfs: set superblock buffer type correctly
    - LP: #1441284
  * btrfs: set proper message level for skinny metadata
    - LP: #1441284
  * KVM: s390: base hrtimer on a monotonic clock
    - LP: #1441284
  * PCI: Fix infinite loop with ROM image of size 0
    - LP: #1441284
  * USB: cp210x: add ID for RUGGEDCOM USB Serial Console
    - LP: #1441284
  * clk: zynq: Force CPU_2X clock to be ungated
    - LP: #1441284
  * mmc: sdhci-pxav3: Remove checks for mandatory host clock
    - LP: #1441284
  * mmc: sdhci-pxav3: fix race between runtime pm and irq
    - LP: #1441284
  * power_supply: 88pm860x: Fix leaked power supply on probe fail
    - LP: #1441284
  * staging: comedi: comedi_compat32.c: fix COMEDI_CMD copy back
    - LP: #1441284
  * mmc: sdhci-pxav3: fix setting of pdata->clk_delay_cycles
    - LP: #1441284
  * ARM: 8284/1: sa1100: clear RCSR_SMR on resume
    - LP: #1441284
  * usb: musb: omap2plus bus glue needs USB host support
    - LP: #1441284
  * USB: add flag for HCDs that can't receive wakeup requests (isp1760-hcd)
    - LP: #1441284
  * USB: fix use-after-free bug in usb_hcd_unlink_urb()
    - LP: #1441284
  * iwlwifi: mvm: always use mac color zero
    - LP: #1441284
  * iwlwifi: pcie: disable the SCD_BASE_ADDR when we resume from WoWLAN
    - LP: #1441284
  * vt: provide notifications on selection changes
    - LP: #1441284
  * tty: Prevent untrappable signals from malicious program
    - LP: #1441284
  * cpufreq: Set cpufreq_cpu_data to NULL before putting kobject
    - LP: #1441284
  * lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in
    interrupt urb
    - LP: #1441284
  * mei: mask interrupt set bit on clean reset bit
    - LP: #1441284
  * mei: me: release hw from reset only during the reset flow
    - LP: #1441284
  * MIPS: KVM: Deliver guest interrupts after local_irq_disable()
    - LP: #1441284
  * KVM: MIPS: Don't leak FPU/DSP to guest
    - LP: #1441284
  * ALSA: hda - Add the pin fixup for HP Envy TS bass speaker
    - LP: #1441284
  * ALSA: hda - Set up GPIO for Toshiba Satellite S50D
    - LP: #1441284
  * xen/manage: Fix USB interaction issues when resuming
    - LP: #1441284
  * drm/i915: Correct the IOSF Dev_FN field for IOSF transfers
    - LP: #1441284
  * cfq-iosched: handle failure of cfq group allocation
    - LP: #1441284
  * tracing: Fix unmapping loop in tracing_mark_write
    - LP: #1441284
  * fsnotify: fix handling of renames in audit
    - LP: #1441284
  * drm/radeon: workaround for CP HW bug on CIK
    - LP: #1441284
  * drm/radeon: only enable kv/kb dpm interrupts once v3
    - LP: #1441284
  * NFSv4.1: Fix a kfree() of uninitialised pointers in
    decode_cb_sequence_args
    - LP: #1441284
  * cpufreq: speedstep-smi: enable interrupts when waiting
    - LP: #1441284
  * mm/hugetlb: pmd_huge() returns true for non-present hugepage
    - LP: #1441284
  * mm: cleanup follow_page_mask()
    - LP: #1441284
  * mm/hugetlb: take page table lock in follow_huge_pmd()
    - LP: #1441284
  * mm/hugetlb: fix getting refcount 0 page in hugetlb_fault()
    - LP: #1441284
  * mm/hugetlb: add migration/hwpoisoned entry check in
    hugetlb_change_protection
    - LP: #1441284
  * mm/hugetlb: add migration entry check in __unmap_hugepage_range
    - LP: #1441284
  * mm: softdirty: unmapped addresses between VMAs are clean
    - LP: #1441284
  * proc/pagemap: walk page tables under pte lock
    - LP: #1441284
  * mm: when stealing freepages, also take pages created by splitting buddy
    page
    - LP: #1441284
  * mm/mmap.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1441284
  * mm/nommu.c: fix arithmetic overflow in __vm_enough_memory()
    - LP: #1441284
  * iscsi-target: Drop problematic active_ts_list usage
    - LP: #1441284
  * target: Fix PR_APTPL_BUF_LEN buffer size limitation
    - LP: #1441284
  * mm/compaction: fix wrong order check in compact_finished()
    - LP: #1441284
  * mm/memory.c: actually remap enough memory
    - LP: #1441284
  * mm: hwpoison: drop lru_add_drain_all() in __soft_offline_page()
    - LP: #1441284
  * ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE
    - LP: #1441284
  * drm/radeon/dp: Set EDP_CONFIGURATION_SET for bridge chips if necessary
    - LP: #1441284
  * drm/radeon: fix voltage setup on hawaii
    - LP: #1441284
  * ALSA: hdspm - Constrain periods to 2 on older cards
    - LP: #1441284
  * jffs2: fix handling of corrupted summary length
    - LP: #1441284
  * dm mirror: do not degrade the mirror on discard error
    - LP: #1441284
  * dm io: reject unsupported DISCARD requests with EOPNOTSUPP
    - LP: #1441284
  * target: Add missing WRITE_SAME end-of-device sanity check
    - LP: #1441284
  * target: Check for LBA + sectors wrap-around in sbc_parse_cdb
    - LP: #1441284
  * Btrfs: fix fsync data loss after adding hard link to inode
    - LP: #1441284
  * Added Little Endian support to vtpm module
    - LP: #1441284
  * sg: fix read() error reporting
    - LP: #1441284
  * IB/qib: Do not write EEPROM
    - LP: #1441284
  * md/raid5: Fix livelock when array is both resyncing and degraded.
    - LP: #1441284
  * dm: fix a race condition in dm_get_md
    - LP: #1441284
  * dm snapshot: fix a possible invalid memory access on unload
    - LP: #1441284
  * cpufreq: s3c: remove incorrect __init annotations
    - LP: #1441284
  * libceph: assert both regular and lingering lists in __remove_osd()
    - LP: #1441284
  * libceph: change from BUG to WARN for __remove_osd() asserts
    - LP: #1441284
  * libceph: fix double __remove_osd() problem
    - LP: #1441284
  * MIPS: Export FP functions used by lose_fpu(1) for KVM
    - LP: #1441284
  * kdb: fix incorrect counts in KDB summary command output
    - LP: #1441284
  * blk-throttle: check stats_cpu before reading it from sysfs
    - LP: #1441284
  * procfs: fix race between symlink removals and traversals
    - LP: #1441284
  * autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for
    allocation
    - LP: #1441284
  * pktgen: fix UDP checksum computation
    - LP: #1441284
  * ipv6: fix ipv6_cow_metrics for non DST_HOST case
    - LP: #1441284
  * clk-gate: fix bit # check in clk_register_gate()
    - LP: #1441284
  * ALSA: off by one bug in snd_riptide_joystick_probe()
    - LP: #1441284
  * ath5k: fix spontaneus AR5312 freezes
    - LP: #1441284
  * pinctrl: pinctrl-imx: don't use invalid value of conf_reg
    - LP: #1441284
  * ALSA: hda - Add one more node in the EAPD supporting candidate list
    - LP: #1436745, #1441284
  * ALSA: hda - Add pin configs for ASUS mobo with IDT 92HD73XX codec
    - LP: #1441284
  * drm/i915/bdw: PCI IDs ending in 0xb are ULT.
    - LP: #1441284
  * xfs: Fix quota type in quota structures when reusing quota file
    - LP: #1441284
  * gpiolib: of: allow of_gpiochip_find_and_xlate to find more than one
    chip per node
    - LP: #1441284
  * gpio: tps65912: fix wrong container_of arguments
    - LP: #1441284
  * ALSA: pcm: Don't leave PREPARED state after draining
    - LP: #1441284
  * metag: Fix KSTK_EIP() and KSTK_ESP() macros
    - LP: #1441284
  * md/raid1: fix read balance when a drive is write-mostly.
    - LP: #1441284
  * drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
    - LP: #1441284
  * drm/radeon: fix 1 RB harvest config setup for TN/RL
    - LP: #1441284
  * arm64: compat Fix siginfo_t -> compat_siginfo_t conversion on big
    endian
    - LP: #1441284
  * nilfs2: fix potential memory overrun on inode
    - LP: #1441284
  * HID: i2c-hid: Limit reads to wMaxInputLength bytes for input events
    - LP: #1441284
  * Linux 3.13.11-ckt18
    - LP: #1441284
  * ipv6: Don't reduce hop limit for an interface
    - LP: #1441103
    - CVE-2015-2922
  * x86/microcode/intel: Guard against stack overflow in the loader
    - LP: #1438504
    - CVE-2015-2666

linux (3.13.0-49.83) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * powerpc/perf: Cap 64bit userspace backtraces to PERF_MAX_STACK_DEPTH
    - LP: #1442180
 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>   Wed, 15 Apr 2015 22:16:16 +0100

** Changed in: linux-lts-trusty (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1438504

Title:
  CVE-2015-2666

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-ec2 package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  Invalid
Status in linux-fsl-imx51 package in Ubuntu:
  Invalid
Status in linux-goldfish package in Ubuntu:
  Invalid
Status in linux-lts-backport-maverick package in Ubuntu:
  New
Status in linux-lts-backport-natty package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  Invalid
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-mvl-dove package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Lucid:
  Invalid
Status in linux-armadaxp source package in Lucid:
  Invalid
Status in linux-ec2 source package in Lucid:
  Invalid
Status in linux-flo source package in Lucid:
  Invalid
Status in linux-fsl-imx51 source package in Lucid:
  Invalid
Status in linux-goldfish source package in Lucid:
  Invalid
Status in linux-lts-backport-maverick source package in Lucid:
  New
Status in linux-lts-backport-natty source package in Lucid:
  New
Status in linux-lts-quantal source package in Lucid:
  Invalid
Status in linux-lts-raring source package in Lucid:
  Invalid
Status in linux-lts-saucy source package in Lucid:
  Invalid
Status in linux-lts-trusty source package in Lucid:
  Invalid
Status in linux-lts-utopic source package in Lucid:
  Invalid
Status in linux-mako source package in Lucid:
  Invalid
Status in linux-manta source package in Lucid:
  Invalid
Status in linux-mvl-dove source package in Lucid:
  Invalid
Status in linux-ti-omap4 source package in Lucid:
  Invalid
Status in linux source package in Precise:
  Invalid
Status in linux-armadaxp source package in Precise:
  Invalid
Status in linux-ec2 source package in Precise:
  Invalid
Status in linux-flo source package in Precise:
  Invalid
Status in linux-fsl-imx51 source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-backport-maverick source package in Precise:
  New
Status in linux-lts-backport-natty source package in Precise:
  New
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-mvl-dove source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-ec2 source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-fsl-imx51 source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-backport-maverick source package in Trusty:
  New
Status in linux-lts-backport-natty source package in Trusty:
  New
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-mvl-dove source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Utopic:
  Fix Released
Status in linux-armadaxp source package in Utopic:
  Invalid
Status in linux-ec2 source package in Utopic:
  Invalid
Status in linux-flo source package in Utopic:
  Invalid
Status in linux-fsl-imx51 source package in Utopic:
  Invalid
Status in linux-goldfish source package in Utopic:
  Invalid
Status in linux-lts-backport-maverick source package in Utopic:
  New
Status in linux-lts-backport-natty source package in Utopic:
  New
Status in linux-lts-quantal source package in Utopic:
  Invalid
Status in linux-lts-raring source package in Utopic:
  Invalid
Status in linux-lts-saucy source package in Utopic:
  Invalid
Status in linux-lts-trusty source package in Utopic:
  Invalid
Status in linux-lts-utopic source package in Utopic:
  Invalid
Status in linux-mako source package in Utopic:
  Invalid
Status in linux-manta source package in Utopic:
  Invalid
Status in linux-mvl-dove source package in Utopic:
  Invalid
Status in linux-ti-omap4 source package in Utopic:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-ec2 source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  Invalid
Status in linux-fsl-imx51 source package in Vivid:
  Invalid
Status in linux-goldfish source package in Vivid:
  Invalid
Status in linux-lts-backport-maverick source package in Vivid:
  New
Status in linux-lts-backport-natty source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  Invalid
Status in linux-lts-raring source package in Vivid:
  Invalid
Status in linux-lts-saucy source package in Vivid:
  Invalid
Status in linux-lts-trusty source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-mako source package in Vivid:
  Invalid
Status in linux-manta source package in Vivid:
  Invalid
Status in linux-mvl-dove source package in Vivid:
  Invalid
Status in linux-ti-omap4 source package in Vivid:
  Invalid

Bug description:
  [execution in the early microcode loader x86/intel] Guard against
  stack overflow in the loader

  mc_saved_tmp is a static array allocated on the stack, we need to make
  sure mc_saved_count stays within its bounds, otherwise we're
  overflowing the stack in _save_mc(). A specially crafted microcode
  header could lead to a kernel crash or potentially kernel execution.

  Break-Fix: ec400ddeff200b068ddc6c70f7321f49ecf32ed5
  f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1438504/+subscriptions
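
The bound described in the bug description, as an added example (not the kernel's code and not the patch itself): a simplified collector that walks concatenated blobs and saves a pointer to each one in a fixed-size array on the stack. The header layout, `SLOTS`, `collect_blobs()` and `make_blobs()` are assumptions made for illustration, and the input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified blob header: only the field this example needs. */
struct blob_hdr { uint32_t total_size; };   /* bytes, header included */

#define SLOTS 8                             /* table capacity (illustrative) */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Walk `len` bytes of concatenated blobs, save a pointer to each in a
 * fixed-size table on the stack, then copy the table to `out`.
 * Returns the number saved; *truncated is set when input was left over
 * because the table was full.
 */
size_t collect_blobs(const uint8_t *data, size_t len,
                     const uint8_t *out[SLOTS], int *truncated)
{
    const uint8_t *saved_tmp[SLOTS];        /* must never be indexed past SLOTS-1 */
    size_t saved_count = 0;

    *truncated = 0;
    /* The guard: the count is bounded by the table capacity in the loop
     * condition, so input that holds more blobs than slots cannot push
     * the store below past the end of the array. */
    while (len >= sizeof(struct blob_hdr) &&
           saved_count < ARRAY_SIZE(saved_tmp)) {
        struct blob_hdr h;

        memcpy(&h, data, sizeof(h));        /* input may be unaligned */
        if (h.total_size < sizeof(h) || h.total_size > len)
            break;                          /* size field is not plausible */
        saved_tmp[saved_count++] = data;
        data += h.total_size;
        len -= h.total_size;
    }
    if (saved_count == ARRAY_SIZE(saved_tmp) && len >= sizeof(struct blob_hdr))
        *truncated = 1;

    memcpy(out, saved_tmp, saved_count * sizeof(saved_tmp[0]));
    return saved_count;
}

/* Build n constructed 8-byte blobs (4-byte header + 4 payload bytes). */
size_t make_blobs(uint8_t *buf, size_t cap, size_t n)
{
    struct blob_hdr h = { 8 };
    size_t off = 0;

    for (size_t i = 0; i < n && off + 8 <= cap; i++, off += 8) {
        memcpy(buf + off, &h, sizeof(h));
        memset(buf + off + sizeof(h), 0xAA, 4);
    }
    return off;
}

int main(void)
{
    uint8_t buf[256];
    const uint8_t *out[SLOTS];
    int truncated;
    size_t len = make_blobs(buf, sizeof(buf), 20);   /* more blobs than slots */
    size_t n = collect_blobs(buf, len, out, &truncated);

    printf("saved=%zu truncated=%d\n", n, truncated);
    return 0;
}
```

Without the `saved_count < ARRAY_SIZE(saved_tmp)` term, the 20-blob input would write twelve pointers beyond the table.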

