← Back to team overview

kernel-packages team mailing list archive

[Bug 1229975] Re: CVE-2013-4343

 

This bug was fixed in the package linux-lts-raring -
3.8.0-33.48~precise1

---------------
linux-lts-raring (3.8.0-33.48~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1243887

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
    - LP: #1240580
  * drm/radeon/atom: workaround vbios bug in transmitter table on rs880
    (v2)
    - LP: #1240580
  * drm/ast: fix the ast open key function
    - LP: #1240580
  * sched/fair: Fix small race where child->se.parent,cfs_rq might point to
    invalid ones
    - LP: #1240580
  * tg3: Expand led off fix to include 5720
    - LP: #1240580
  * HID: provide a helper for validating hid reports
    - LP: #1240580
  * HID: zeroplus: validate output report details
    - LP: #1240580
    - CVE-2013-2889
  * HID: LG: validate HID output report details
    - LP: #1240580
    - CVE-2013-2893
  * HID: lenovo-tpkbd: validate output report details
    - LP: #1240580
    - CVE-2013-2894
  * HID: validate feature and input report details
    - LP: #1240580
    - CVE-2013-2897
  * HID: logitech-dj: validate output report details
    - LP: #1240580
    - CVE-2013-2895
  * HID: multitouch: validate indexes details
    - LP: #1240580
    - CVE-2013-2897
  * HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails
    - LP: #1240580
  * drm/radeon: fix panel scaling with eDP and LVDS bridges
    - LP: #1240580
  * cifs: fix filp leak in cifs_atomic_open()
    - LP: #1240580
  * net: usb: cdc_ether: Use wwan interface for Telit modules
    - LP: #1240580
  * usb: gadget: fix a bug and a WARN_ON in dummy-hcd
    - LP: #1240580
  * drm/i915: do not update cursor in crtc mode set
    - LP: #1240580
  * drm/i915: Don't enable the cursor on a disable pipe
    - LP: #1240580
  * drm/ttm: fix the tt_populated check in ttm_tt_destroy()
    - LP: #1240580
  * PCI / ACPI / PM: Clear pme_poll for devices in D3cold on wakeup
    - LP: #1240580
  * serial: pch_uart: fix tty-kref leak in dma-rx path
    - LP: #1240580
  * x86, efi: Don't map Boot Services on i386
    - LP: #1240580
  * ALSA: compress: Fix compress device unregister.
    - LP: #1240580
  * dm snapshot: workaround for a false positive lockdep warning
    - LP: #1240580
  * dm-snapshot: fix performance degradation due to small hash size
    - LP: #1240580
  * drm/radeon: Make r100_cp_ring_info() and radeon_ring_gfx() safe (v2)
    - LP: #1240580
  * ARM: 7837/3: fix Thumb-2 bug in AES assembler code
    - LP: #1240580
  * x86/reboot: Add quirk to make Dell C6100 use reboot=pci automatically
    - LP: #1240580
  * drm/radeon: disable tests/benchmarks if accel is disabled
    - LP: #1240580
  * xhci: Fix oops happening after address device timeout
    - LP: #1240580
  * xhci: Ensure a command structure points to the correct trb on the
    command ring
    - LP: #1240580
  * drm/i915/dp: increase i2c-over-aux retry interval on AUX DEFER
    - LP: #1240580
  * staging: vt6656: [BUG] main_usb.c oops on device_close move flag
    earlier.
    - LP: #1240580
  * staging: vt6656: [BUG] iwctl_siwencodeext return if device not open
    - LP: #1240580
  * USB: UHCI: accept very late isochronous URBs
    - LP: #1240580
  * USB: OHCI: accept very late isochronous URBs
    - LP: #1240580
  * USB: fix PM config symbol in uhci-hcd, ehci-hcd, and xhci-hcd
    - LP: #1240580
  * usb/core/devio.c: Don't reject control message to endpoint with wrong
    direction bit
    - LP: #1240580
  * hwmon: (applesmc) Check key count before proceeding
    - LP: #1240580
  * fsl/usb: Resolve PHY_CLK_VLD instability issue for ULPI phy
    - LP: #1240580
  * driver core : Fix use after free of dev->parent in device_shutdown
    - LP: #1240580
  * USB: Fix breakage in ffs_fs_mount()
    - LP: #1240580
  * usb: dwc3: pci: add support for BayTrail
    - LP: #1240580
  * usb: dwc3: add support for Merrifield
    - LP: #1240580
  * ASoC: max98095: a couple array underflows
    - LP: #1240580
  * ASoC: ab8500-codec: info leak in anc_status_control_put()
    - LP: #1240580
  * ASoC: 88pm860x: array overflow in snd_soc_put_volsw_2r_st()
    - LP: #1240580
  * Bluetooth: Add a new PID/VID 0cf3/e005 for AR3012.
    - LP: #1240580
  * Bluetooth: Fix security level for peripheral role
    - LP: #1240580
  * Bluetooth: Fix encryption key size for peripheral role
    - LP: #1240580
  * Bluetooth: Add support for BCM20702A0 [0b05, 17cb]
    - LP: #1240580
  * Bluetooth: Introduce a new HCI_RFKILLED flag
    - LP: #1240580
  * rtlwifi: Align private space in rtl_priv struct
    - LP: #1240580
  * p54usb: add USB ID for Corega WLUSB2GTST USB adapter
    - LP: #1240580
  * mwifiex: fix hang issue for USB chipsets
    - LP: #1240580
  * mwifiex: fix NULL pointer dereference in usb suspend handler
    - LP: #1240580
  * fs/binfmt_elf.c: prevent a coredump with a large vm_map_count from
    Oopsing
    - LP: #1240580
  * nilfs2: fix issue with race condition of competition between segments
    for dirty blocks
    - LP: #1240580
  * mm: avoid reinserting isolated balloon pages into LRU lists
    - LP: #1240580
  * USB: serial: option: Ignore card reader interface on Huawei E1750
    - LP: #1240580
  * gpio/omap: maintain GPIO and IRQ usage separately
    - LP: #1240580
  * gpio/omap: auto-setup a GPIO when used as an IRQ
    - LP: #1240580
  * ib_srpt: Destroy cm_id before destroying QP.
    - LP: #1240580
  * powerpc: Fix parameter clobber in csum_partial_copy_generic()
    - LP: #1240580
  * powerpc: Restore registers on error exit from
    csum_partial_copy_generic()
    - LP: #1240580
  * powerpc/sysfs: Disable writing to PURR in guest mode
    - LP: #1240580
  * powerpc/iommu: Use GFP_KERNEL instead of GFP_ATOMIC in
    iommu_init_table()
    - LP: #1240580
  * powerpc/vio: Fix modalias_show return values
    - LP: #1240580
  * ib_srpt: always set response for task management
    - LP: #1240580
  * xen/hvc: allow xenboot console to be used again
    - LP: #1240580
  * net: Update the sysctl permissions handler to test effective uid/gid
    - LP: #1240580
  * Linux 3.8.13.11
    - LP: #1240580
 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>   Mon, 21 Oct 2013 12:04:49 -0700

** Changed in: linux-lts-raring (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2147

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2889

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2893

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2894

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2895

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-2897

** Changed in: linux (Ubuntu Raring)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1229975

Title:
  CVE-2013-4343

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  New
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Invalid
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Invalid
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  New
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-armadaxp” source package in Precise:
  Invalid
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  New
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Invalid
Status in “linux” source package in Quantal:
  Invalid
Status in “linux-armadaxp” source package in Quantal:
  Invalid
Status in “linux-ec2” source package in Quantal:
  Invalid
Status in “linux-fsl-imx51” source package in Quantal:
  Invalid
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux-lts-quantal” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux-lts-saucy” source package in Quantal:
  New
Status in “linux-mvl-dove” source package in Quantal:
  Invalid
Status in “linux-ti-omap4” source package in Quantal:
  Invalid
Status in “linux” source package in Raring:
  Fix Released
Status in “linux-armadaxp” source package in Raring:
  Invalid
Status in “linux-ec2” source package in Raring:
  Invalid
Status in “linux-fsl-imx51” source package in Raring:
  Invalid
Status in “linux-lts-backport-maverick” source package in Raring:
  New
Status in “linux-lts-backport-natty” source package in Raring:
  New
Status in “linux-lts-quantal” source package in Raring:
  Invalid
Status in “linux-lts-raring” source package in Raring:
  Invalid
Status in “linux-lts-saucy” source package in Raring:
  New
Status in “linux-mvl-dove” source package in Raring:
  Invalid
Status in “linux-ti-omap4” source package in Raring:
  Invalid
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  New
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  New
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid

Bug description:
  Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel
  through 3.11.1 allows local users to gain privileges by leveraging the
  CAP_NET_ADMIN capability and providing an invalid tuntap interface
  name in a TUNSETIFF ioctl call.

  Break-Fix: c8d68e6be1c3b242f1c598595830890b65cea64a
  662ca437e714caaab855b12415d6ffd815985bc0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1229975/+subscriptions


References