← Back to team overview

kernel-packages team mailing list archive

[Bug 1563916] Re: CVE-2016-0774

 

This bug was fixed in the package linux - 3.13.0-86.130

---------------
linux (3.13.0-86.130) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1571718

  [ Benjamin Tissoires ]

  * SAUCE: Input: synaptics - handle spurious release of trackstick
    buttons, again
    - LP: #1553811

  [ K. Y. Srinivasan ]

  * SAUCE: (noup): Drivers: hv: vmbus: Fix a bug in
    hv_need_to_signal_on_read()
    - LP: #1556264

  [ Kamal Mostafa ]

  * [debian] BugLink: close LP: bugs only for Launchpad urls
  * [Config] updateconfigs after v3.13.11-ckt38

  [ Tim Gardner ]

  * [Debian] Fix linux-doc dangling symlinks
    - LP: #661306

  [ Upstream Kernel Changes ]

  * Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
    - LP: #1562900
  * [stable-only] AIO: properly check iovec sizes
    - LP: #1562900
  * Input: aiptek - fix crash on detecting device without endpoints
    - LP: #1562900
  * wext: fix message delay/ordering
    - LP: #1562900
  * cfg80211/wext: fix message ordering
    - LP: #1562900
  * mac80211: fix use of uninitialised values in RX aggregation
    - LP: #1562900
  * libata: fix HDIO_GET_32BIT ioctl
    - LP: #1562900
  * mac80211: minstrel_ht: set default tx aggregation timeout to 0
    - LP: #1562900
  * jffs2: Fix page lock / f->sem deadlock
    - LP: #1562900
  * Fix directory hardlinks from deleted directories
    - LP: #1562900
  * iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - LP: #1562900
  * libata: Align ata_device's id on a cacheline
    - LP: #1562900
  * vfio: fix ioctl error handling
    - LP: #1562900
  * ALSA: ctl: Fix ioctls for X32 ABI
    - LP: #1562900
  * ALSA: rawmidi: Fix ioctls X32 ABI
    - LP: #1562900
  * ALSA: timer: Fix broken compat timer user status ioctl
    - LP: #1562900
  * ALSA: timer: Fix ioctls for X32 ABI
    - LP: #1562900
  * cifs: fix out-of-bounds access in lease parsing
    - LP: #1562900
  * CIFS: Fix SMB2+ interim response processing for read requests
    - LP: #1562900
  * ALSA: hdspm: Fix wrong boolean ctl value accesses
    - LP: #1562900
  * ALSA: hdspm: Fix zero-division
    - LP: #1562900
  * ALSA: hdsp: Fix wrong boolean ctl value accesses
    - LP: #1562900
  * USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder
    - LP: #1562900
  * ASoC: wm8958: Fix enum ctl accesses in a wrong type
    - LP: #1562900
  * ASoC: wm8994: Fix enum ctl accesses in a wrong type
    - LP: #1562900
  * ASoC: wm_adsp: Fix enum ctl accesses in a wrong type
    - LP: #1562900
  * USB: serial: option: add support for Telit LE922 PID 0x1045
    - LP: #1562900
  * USB: serial: option: add support for Quectel UC20
    - LP: #1562900
  * ALSA: seq: oss: Don't drain at closing a client
    - LP: #1562900
  * drm/ast: Fix incorrect register check for DRAM width
    - LP: #1562900
  * drm/radeon/pm: update current crtc info after setting the powerstate
    - LP: #1562900
  * PM / sleep / x86: Fix crash on graph trace through x86 suspend
    - LP: #1562900
  * ALSA: hda - Fix mic issues on Acer Aspire E1-472
    - LP: #1562900
  * MIPS: traps: Fix SIGFPE information leak from `do_ov' and
    `do_trap_or_bp'
    - LP: #1562900
  * ubi: Fix out of bounds write in volume update code
    - LP: #1562900
  * KVM: VMX: disable PEBS before a guest entry
    - LP: #1562900
  * ext4: iterate over buffer heads correctly in move_extent_per_page()
    - LP: #1562900
  * net/mlx4_core: Allow resetting VF admin mac to zero
    - LP: #1562900
  * ipv6: re-enable fragment header matching in ipv6_find_hdr
    - LP: #1562900
  * cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
    - LP: #1562900
  * net: moxa: fix an error code
    - LP: #1562900
  * IB/core: Use GRH when the path hop-limit > 0
    - LP: #1562900
  * Linux 3.13.11-ckt37
    - LP: #1562900
  * Drivers: hv_vmbus: Fix signal to host condition
    - LP: #1556264
  * [stable-only] pipe: Fix buffer offset after partially failed read
    - LP: #1563916
  * EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()
    - LP: #1567615
  * tty: Fix GPF in flush_to_ldisc(), part 2
    - LP: #1567615
  * [media] media: v4l2-compat-ioctl32: fix missing length copy in
    put_v4l2_buffer32
    - LP: #1567615
  * [media] pwc: Add USB id for Philips Spc880nc webcam
    - LP: #1567615
  * 8250: use callbacks to access UART_DLL/UART_DLM
    - LP: #1567615
  * net: irda: Fix use-after-free in irtty_open()
    - LP: #1567615
  * usb: retry reset if a device times out
    - LP: #1567615
  * HID: core: do not scan reports if the group is already set
    - LP: #1567615
  * HID: fix hid_ignore_special_drivers module parameter
    - LP: #1567615
  * scripts/coccinelle: modernize &
    - LP: #1567615
  * [media] adv7511: TX_EDID_PRESENT is still 1 after a disconnect
    - LP: #1567615
  * [media] saa7134: Fix bytesperline not being set correctly for planar
    formats
    - LP: #1567615
  * perf tools: Dont stop PMU parsing on alias parse error
    - LP: #1567615
  * Bluetooth: btusb: Add new AR3012 ID 13d3:3395
    - LP: #1542564, #1567615
  * Bluetooth: Add new AR3012 ID 0489:e095
    - LP: #1542944, #1567615
  * aacraid: Fix memory leak in aac_fib_map_free
    - LP: #1567615
  * mtd: onenand: fix deadlock in onenand_block_markbad
    - LP: #1567615
  * PCI: Disable IO/MEM decoding for devices with non-compliant BARs
    - LP: #1567615
  * md/raid5: Compare apples to apples (or sectors to sectors)
    - LP: #1567615
  * Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
    - LP: #1546694, #1567615
  * IB/srpt: Simplify srpt_handle_tsk_mgmt()
    - LP: #1567615
  * [media] bttv: Width must be a multiple of 16 when capturing planar
    formats
    - LP: #1567615
  * watchdog: rc32434_wdt: fix ioctl error handling
    - LP: #1567615
  * xfs: fix two memory leaks in xfs_attr_list.c error paths
    - LP: #1567615
  * quota: Fix possible GPF due to uninitialised pointers
    - LP: #1567615
  * mtip32xx: Print exact time when an internal command is interrupted
    - LP: #1567615
  * KVM: i8254: change PIT discard tick policy
    - LP: #1567615
  * sched/cputime: Fix steal time accounting vs. CPU hotplug
    - LP: #1567615
  * rt2x00: add new rt2800usb device Buffalo WLI-UC-G450
    - LP: #1567615
  * pinctrl-bcm2835: Fix cut-and-paste error in "pull" parsing
    - LP: #1567615
  * perf/core: Fix perf_sched_count derailment
    - LP: #1567615
  * perf/x86/intel: Use PAGE_SIZE for PEBS buffer size on Core2
    - LP: #1567615
  * bcache: fix cache_set_flush() NULL pointer dereference on OOM
    - LP: #1567615
  * x86/PCI: Mark Broadwell-EP Home Agent & PCU as having non-compliant
    BARs
    - LP: #1567615
  * be2iscsi: set the boot_kset pointer to NULL in case of failure
    - LP: #1567615
  * drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards.
    - LP: #1567615
  * sg: fix dxferp in from_to case
    - LP: #1567615
  * jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount
    path
    - LP: #1567615
  * Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
    - LP: #1552925, #1567615
  * iser-target: Separate flows for np listeners and connections cma events
    - LP: #1567615
  * xtensa: ISS: don't hang if stdin EOF is reached
    - LP: #1567615
  * xtensa: clear all DBREAKC registers on start
    - LP: #1567615
  * bus: imx-weim: Take the 'status' property value into account
    - LP: #1567615
  * ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41.
    - LP: #1567615
  * s390/pci: enforce fmb page boundary rule
    - LP: #1567615
  * Input: powermate - fix oops with malicious USB descriptors
    - LP: #1567615
  * net: mvneta: enable change MAC address when interface is up
    - LP: #1567615
  * HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report()
    - LP: #1567615
  * ALSA: hda - Fix unconditional GPIO toggle via automute
    - LP: #1567615
  * ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
    - LP: #1567615
  * ALSA: usb-audio: Add sanity checks for endpoint accesses
    - LP: #1567615
  * nfsd: fix deadlock secinfo+readdir compound
    - LP: #1567615
  * x86/iopl: Fix iopl capability check on Xen PV
    - LP: #1567615
  * Input: ims-pcu - sanity check against missing interfaces
    - LP: #1567615
  * x86/apic: Fix suspicious RCU usage in
    smp_trace_call_function_interrupt()
    - LP: #1567615
  * USB: iowarrior: fix oops with malicious USB descriptors
    - LP: #1567615
  * USB: usb_driver_claim_interface: add sanity checking
    - LP: #1567615
  * USB: cdc-acm: more sanity checking
    - LP: #1567615
  * USB: uas: Reduce can_queue to MAX_CMNDS
    - LP: #1567615
  * tracing: Have preempt(irqs)off trace preempt disabled functions
    - LP: #1567615
  * tracing: Fix crash from reading trace_pipe with sendfile
    - LP: #1567615
  * splice: handle zero nr_pages in splice_to_pipe()
    - LP: #1567615
  * target: Fix target_release_cmd_kref shutdown comp leak
    - LP: #1567615
  * KVM: VMX: avoid guest hang on invalid invept instruction
    - LP: #1567615
  * KVM: fix spin_lock_init order on x86
    - LP: #1567615
  * tracing: Fix trace_printk() to print when not using bprintk()
    - LP: #1567615
  * fs/coredump: prevent fsuid=0 dumps into user-controlled directories
    - LP: #1567615
  * rapidio/rionet: fix deadlock on SMP
    - LP: #1567615
  * Input: ati_remote2 - fix crashes on detecting device with invalid
    descriptor
    - LP: #1567615
  * MAINTAINERS: Update mailing list and web page for hwmon subsystem
    - LP: #1567615
  * ocfs2/dlm: fix race between convert and recovery
    - LP: #1567615
  * ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
    - LP: #1567615
  * clk: xgene: Add missing parenthesis when clearing divider value
    - LP: #1567615
  * ppp: take reference on channels netns
    - LP: #1567615
  * mdio-sun4i: oops in error handling in probe
    - LP: #1567615
  * net: Fix use after free in the recvmmsg exit path
    - LP: #1567615
  * ethernet: micrel: fix some error codes
    - LP: #1567615
  * misc/bmp085: Enable building as a module
    - LP: #1567615
  * net/mlx5: Make command timeout way shorter
    - LP: #1567615
  * ipvs: correct initial offset of Call-ID header search in SIP
    persistence engine
    - LP: #1567615
  * ath9k: fix buffer overrun for ar9287
    - LP: #1567615
  * mtd: map: fix .set_vpp() documentation
    - LP: #1567615
  * ARM: OMAP3: Add cpuidle parameters table for omap3430
    - LP: #1567615
  * rtc: vr41xx: Wire up alarm_irq_enable
    - LP: #1567615
  * sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a
    race
    - LP: #1567615
  * ipv4: fix broadcast packets reception
    - LP: #1567615
  * lpfc: fix misleading indentation
    - LP: #1567615
  * ASoC: s3c24xx: use const snd_soc_component_driver pointer
    - LP: #1567615
  * kbuild/mkspec: fix grub2 installkernel issue
    - LP: #1567615
  * paride: make 'verbose' parameter an 'int' again
    - LP: #1567615
  * ppp: ensure file->private_data can't be overridden
    - LP: #1567615
  * clk: versatile: sp810: support reentrance
    - LP: #1567615
  * drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
    - LP: #1567615
  * perf stat: Document --detailed option
    - LP: #1567615
  * x86/iopl/64: Properly context-switch IOPL on Xen PV
    - LP: #1567615
  * Linux 3.13.11-ckt38
    - LP: #1567615
  * drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
    - LP: #1571041
  * hwmon: (max1111) Return -ENODEV from max1111_read_channel if not
    instantiated
    - LP: #1571041
  * drm/radeon: add another R7 370 quirk
    - LP: #1571041
  * usb: renesas_usbhs: avoid NULL pointer derefernce in
    usbhsf_pkt_handler()
    - LP: #1571041
  * usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
    - LP: #1571041
  * USB: mct_u232: add sanity checking in probe
    - LP: #1571041
    - CVE-2016-3136
  * USB: cypress_m8: add endpoint sanity check
    - LP: #1571041
    - CVE-2016-3137
  * USB: digi_acceleport: do sanity checking for the number of ports
    - LP: #1571041
  * ALSA: timer: Use mod_timer() for rearming the system timer
    - LP: #1571041
  * mm: fix invalid node in alloc_migrate_target()
    - LP: #1571041
  * iio: st_magn: always define ST_MAGN_TRIGGER_SET_STATE
    - LP: #1571041
  * USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
    - LP: #1571041
  * USB: serial: cp210x: Adding GE Healthcare Device ID
    - LP: #1571041
  * USB: option: add "D-Link DWM-221 B1" device id
    - LP: #1571041
  * parisc: Avoid function pointers for kernel exception routines
    - LP: #1571041
  * ip6_tunnel: set rtnl_link_ops before calling register_netdevice
    - LP: #1571041
  * Linux 3.13.11-ckt39
    - LP: #1571041
  * include/linux/poison.h: fix LIST_POISON{1,2} offset
    - LP: #1561389
    - CVE-2016-0821
  * ipv4: Don't do expensive useless work during inetdev destroy.
    - LP: #1558847
    - CVE-2016-3156

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Mon, 18 Apr 2016 09:03:12 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-0821

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3136

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3137

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3156

** Changed in: linux (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1563916

Title:
  CVE-2016-0774

Status in linux package in Ubuntu:
  Invalid
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Invalid
Status in linux-snapdragon package in Ubuntu:
  Invalid
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Invalid
Status in linux-lts-vivid source package in Trusty:
  Invalid
Status in linux-lts-wily source package in Trusty:
  Invalid
Status in linux-lts-xenial source package in Trusty:
  Invalid
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  New
Status in linux-armadaxp source package in Vivid:
  New
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  New
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  New
Status in linux source package in Wily:
  Invalid
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  Invalid
Status in linux-snapdragon source package in Wily:
  Invalid
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Invalid
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  Invalid
Status in linux-raspi2 source package in Xenial:
  Invalid
Status in linux-snapdragon source package in Xenial:
  Invalid
Status in linux-ti-omap4 source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  Invalid
Status in linux-armadaxp source package in Yakkety:
  Invalid
Status in linux-flo source package in Yakkety:
  New
Status in linux-goldfish source package in Yakkety:
  New
Status in linux-lts-quantal source package in Yakkety:
  Invalid
Status in linux-lts-raring source package in Yakkety:
  Invalid
Status in linux-lts-saucy source package in Yakkety:
  Invalid
Status in linux-lts-trusty source package in Yakkety:
  Invalid
Status in linux-lts-utopic source package in Yakkety:
  Invalid
Status in linux-lts-vivid source package in Yakkety:
  Invalid
Status in linux-lts-wily source package in Yakkety:
  Invalid
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux-mako source package in Yakkety:
  New
Status in linux-manta source package in Yakkety:
  Invalid
Status in linux-raspi2 source package in Yakkety:
  Invalid
Status in linux-snapdragon source package in Yakkety:
  Invalid
Status in linux-ti-omap4 source package in Yakkety:
  Invalid

Bug description:
  The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a
  certain Linux kernel backport in the linux package before
  3.2.73-2+deb7u3 on Debian wheezy and the kernel package before
  3.10.0-229.26.2 on Red Hat Enterprise Linux (RHEL) 7.1 do not properly
  consider the side effects of failed __copy_to_user_inatomic and
  __copy_from_user_inatomic calls, which allows local users to cause a
  denial of service (system crash) or possibly gain privileges via a
  crafted application, aka an "I/O vector array overrun." NOTE: this
  vulnerability exists because of an incorrect fix for CVE-2015-1805.

  Break-Fix: local-2016-0774-break local-2016-0774-fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1563916/+subscriptions


References