kernel-packages team mailing list archive

[Bug 1581866] Re: CVE-2016-4578

 

This bug was fixed in the package linux - 4.2.0-41.48

---------------
linux (4.2.0-41.48) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595914

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some
    architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux (4.2.0-40.47) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595725

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux (4.2.0-39.46) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591301

  [ J. R. Okajima ]

  * SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap:
    bugfix, mainly for linux-4.5-rc5, remap_file_pages(2) emulation
    - LP: #1558120

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Tim Gardner ]

  * Revert "SAUCE: mm/mmap: fix oopsing on remap_file_pages"
    - LP: #1558120
  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864
  * hpsa: move lockup_detected attribute to host attr
    - LP: #1581169
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
    - LP: #1580379
    - CVE-2016-4569
  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - LP: #1581866
    - CVE-2016-4578
  * ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
    - LP: #1581866
    - CVE-2016-4578
  * net: fix a kernel infoleak in x25 module
    - LP: #1585366
    - CVE-2016-4580
  * get_rock_ridge_filename(): handle malformed NM entries
    - LP: #1583962
    - CVE-2016-4913
  * tipc: check nl sock before parsing nested attributes
    - LP: #1585365
    - CVE-2016-4951
  * netfilter: Set /proc/net entries owner to root in namespace
    - LP: #1584953
  * USB: usbfs: fix potential infoleak in devio
    - LP: #1578493
    - CVE-2016-4482
  * USB: leave LPM alone if possible when binding/unbinding interface
    drivers
    - LP: #1577024
  * [4.2-stable only] fix backport "IB/security: restrict use of the
    write() interface"
    - LP: #1586447
  * regulator: s2mps11: Fix invalid selector mask and voltages for buck9
    - LP: #1586447
  * regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
    - LP: #1586447
  * ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
    - LP: #1586447
  * atomic_open(): fix the handling of create_error
    - LP: #1586447
  * drm/i915/bdw: Add missing delay during L3 SQC credit programming
    - LP: #1586447
  * crypto: hash - Fix page length clamping in hash walk
    - LP: #1586447
  * drm/radeon: fix DP link training issue with second 4K monitor
    - LP: #1586447
  * drm/radeon: fix PLL sharing on DCE6.1 (v2)
    - LP: #1586447
  * ALSA: hda - Fix white noise on Asus UX501VW headset
    - LP: #1586447
  * Input: max8997-haptic - fix NULL pointer dereference
    - LP: #1586447
  * drm/i915: Bail out of pipe config compute loop on LPT
    - LP: #1586447
  * ALSA: hda - Fix broken reconfig
    - LP: #1586447
  * ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
    - LP: #1586447
  * vfs: add vfs_select_inode() helper
    - LP: #1586447
  * vfs: rename: check backing inode being equal
    - LP: #1586447
  * ALSA: usb-audio: Yet another Phoneix Audio device quirk
    - LP: #1586447
  * perf/x86: Fix undefined shift on 32-bit kernels
    - LP: #1586447
  * perf/x86/intel/pt: Generate PMI in the STOP region as well
    - LP: #1586447
  * perf/core: Disable the event on a truncated AUX record
    - LP: #1586447
  * tools lib traceevent: Do not reassign parg after collapse_tree()
    - LP: #1586447
  * workqueue: fix rebind bound workers warning
    - LP: #1586447
  * ocfs2: fix posix_acl_create deadlock
    - LP: #1586447
  * nf_conntrack: avoid kernel pointer value leak in slab name
    - LP: #1586447
  * macvtap: segmented packet is consumed
    - LP: #1586447
  * regulator: axp20x: Fix axp22x ldo_io voltage ranges
    - LP: #1586447
  * arm64: bpf: jit JMP_JSET_{X,K}
    - LP: #1586447
  * bridge: fix igmp / mld query parsing
    - LP: #1586447
  * net/mlx4_en: Fix endianness bug in IPV6 csum calculation
    - LP: #1586447
  * net: fec: only clear a queue's work bit if the queue was emptied
    - LP: #1586447
  * tcp: refresh skb timestamp at retransmit time
    - LP: #1586447
  * net/route: enforce hoplimit max value
    - LP: #1586447
  * decnet: Do not build routes to devices without decnet private data.
    - LP: #1586447
  * route: do not cache fib route info on local routes with oif
    - LP: #1586447
  * net: use skb_postpush_rcsum instead of own implementations
    - LP: #1586447
  * vlan: pull on __vlan_insert_tag error path and fix csum correction
    - LP: #1586447
  * ipv4/fib: don't warn when primary address is missing if in_dev is dead
    - LP: #1586447
  * bpf: fix double-fdput in replace_map_fd_with_map_ptr()
    - LP: #1586447
  * net_sched: introduce qdisc_replace() helper
    - LP: #1586447
  * net_sched: update hierarchical backlog too
    - LP: #1586447
  * sch_htb: update backlog as well
    - LP: #1586447
  * sch_dsmark: update backlog as well
    - LP: #1586447
  * netem: Segment GSO packets on enqueue
    - LP: #1586447
  * VSOCK: do not disconnect socket when peer has shutdown SEND only
    - LP: #1586447
  * net: bridge: fix old ioctl unlocked net device walk
    - LP: #1586447
  * cdc_mbim: apply "NDP to end" quirk to all Huawei devices
    - LP: #1586447
  * soreuseport: fix ordering for mixed v4/v6 sockets
    - LP: #1586447
  * uapi glibc compat: fix compile errors when glibc net/if.h included
    before linux/if.h
    - LP: #1586447
  * Linux 4.2.8-ckt11
    - LP: #1586447
  * usb: core: hub: hub_port_init lock controller instead of bus
    - LP: #1437492

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 24 Jun 2016 11:46:57 +0100

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3134

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4580

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4913

** Changed in: linux-raspi2 (Ubuntu Wily)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1581866

Title:
  CVE-2016-4578

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  Invalid
Status in linux-raspi2 package in Ubuntu:
  Fix Released
Status in linux-snapdragon package in Ubuntu:
  Fix Released
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Committed
Status in linux-armadaxp source package in Precise:
  New
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  New
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-snapdragon source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  New
Status in linux source package in Trusty:
  Fix Committed
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Committed
Status in linux-lts-vivid source package in Trusty:
  New
Status in linux-lts-wily source package in Trusty:
  New
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-snapdragon source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  New
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  New
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-snapdragon source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  Fix Released
Status in linux-snapdragon source package in Wily:
  Invalid
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  Invalid
Status in linux-raspi2 source package in Xenial:
  Fix Released
Status in linux-snapdragon source package in Xenial:
  Fix Released
Status in linux-ti-omap4 source package in Xenial:
  Invalid
Status in linux source package in Yakkety:
  Fix Released
Status in linux-armadaxp source package in Yakkety:
  Invalid
Status in linux-flo source package in Yakkety:
  New
Status in linux-goldfish source package in Yakkety:
  New
Status in linux-lts-quantal source package in Yakkety:
  Invalid
Status in linux-lts-raring source package in Yakkety:
  Invalid
Status in linux-lts-saucy source package in Yakkety:
  Invalid
Status in linux-lts-trusty source package in Yakkety:
  Invalid
Status in linux-lts-utopic source package in Yakkety:
  Invalid
Status in linux-lts-vivid source package in Yakkety:
  Invalid
Status in linux-lts-wily source package in Yakkety:
  Invalid
Status in linux-lts-xenial source package in Yakkety:
  Invalid
Status in linux-mako source package in Yakkety:
  New
Status in linux-manta source package in Yakkety:
  Invalid
Status in linux-raspi2 source package in Yakkety:
  Fix Released
Status in linux-snapdragon source package in Yakkety:
  Fix Released
Status in linux-ti-omap4 source package in Yakkety:
  Invalid

Bug description:
  sound/core/timer.c in the Linux kernel through 4.6 does not initialize
  certain r1 data structures, which allows local users to obtain
  sensitive information from kernel stack memory via crafted use of the
  ALSA timer interface, related to the (1) snd_timer_user_ccallback and
  (2) snd_timer_user_tinterrupt functions.

  Break-Fix: - 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6
  Break-Fix: - e4ec8cc8039a7063e24204299b462bd1383184a5

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1581866/+subscriptions
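
The class of bug named in the description above (a stack structure that is filled field by field and then copied out whole), as an added user-space example that is not code from the kernel or from this notification. The struct `event_rec`, its fields and the 0xAA marker are assumptions made for illustration; the zero-first variant shows the usual hardening for this pattern.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record handed to a reader. The layout is an assumption for
 * illustration: on common 64-bit ABIs the compiler inserts padding after
 * `event` and after `val`. */
struct event_rec {
    int event;
    long long tstamp_sec;
    long long tstamp_nsec;
    unsigned int val;
};

#define STALE 0xAA /* constructed marker standing in for old stack contents */

/* Write only the named fields, as field-by-field assignment does. */
static void fill_fields(unsigned char *slot)
{
    int event = 1;
    long long sec = 1, nsec = 2;
    unsigned int val = 7;

    memcpy(slot + offsetof(struct event_rec, event), &event, sizeof event);
    memcpy(slot + offsetof(struct event_rec, tstamp_sec), &sec, sizeof sec);
    memcpy(slot + offsetof(struct event_rec, tstamp_nsec), &nsec, sizeof nsec);
    memcpy(slot + offsetof(struct event_rec, val), &val, sizeof val);
}

/* Number of bytes in the record that still hold stale data at the point it
 * would be copied out whole. zero_first models clearing the record first. */
static size_t stale_bytes(int zero_first)
{
    unsigned char slot[sizeof(struct event_rec)];
    size_t i, n = 0;

    memset(slot, STALE, sizeof slot);   /* whatever was on the stack before */
    if (zero_first)
        memset(slot, 0, sizeof slot);   /* hardened: clear before filling */
    fill_fields(slot);
    for (i = 0; i < sizeof slot; i++)
        n += (slot[i] == STALE);
    return n;
}

int main(void)
{
    printf("stale bytes copied out, field-only fill: %zu\n", stale_bytes(0));
    printf("stale bytes copied out, zeroed first:    %zu\n", stale_bytes(1));
    return 0;
}
```

When reviewing code for this pattern, compare the size passed to the copy-out call with the sum of the fields actually assigned; any difference is padding that must be cleared explicitly.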

