kernel-packages team mailing list archive
Message #45471
[Bug 1274754] Re: CVE-2014-0038
*** This bug is a duplicate of bug 1274349 ***
https://bugs.launchpad.net/bugs/1274349
This bug was fixed in the package linux-lts-raring - 3.8.0-36.52~precise1
---------------
linux-lts-raring (3.8.0-36.52~precise1) precise; urgency=low
[ John Johansen]
* UBUNTU: [Upstream] x86, x32: Correct invalid use of user timespec in the
kernel
- LP: #1274754
[ Brad Figg ]
* Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"
* Release Tracking Bug
- LP: #1275862
linux-lts-raring (3.8.0-36.51~precise1) precise; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1266582
[ Brad Figg ]
* debian.raring/etc/getabis: get the packages from linux-lts-raring in
the archive
* debian/scripts/misc/getabis: the abi directory should only be made up
of the version-abi-bld
[ Upstream Kernel Changes ]
* Revert "ima: policy for RAMFS"
- LP: #1265572
* ipv6: ip6_dst_check needs to check for expired dst_entries
- LP: #1265572
* ipv6: reset dst.expires value when clearing expire flag
- LP: #1265572
* cxgb3: Fix length calculation in write_ofld_wr() on 32-bit
architectures
- LP: #1265572
* xen-netback: use jiffies_64 value to calculate credit timeout
- LP: #1265572
* virtio-net: correctly handle cpu hotplug notifier during resuming
- LP: #1265572
* net: flow_dissector: fail on evil iph->ihl
- LP: #1265572
* X.509: Remove certificate date checks
- LP: #1265572
* selinux: correct locking in selinux_netlbl_socket_connect)
- LP: #1265572
* NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
- LP: #1265572
* usb: musb: cancel work on removal
- LP: #1265572
* USB: mos7840: fix tiocmget error handling
- LP: #1265572
* pinctrl: dove: unset twsi option3 for gconfig as well
- LP: #1265572
* usb: Disable USB 2.0 Link PM before device reset.
- LP: #1265572
* usb: hub: Clear Port Reset Change during init/resume
- LP: #1265572
* rt2400pci: fix RSSI read
- LP: #1265572
* rt2x00: check if device is still available on rt2x00mac_flush()
- LP: #1265572
* rt2800usb: slow down TX status polling
- LP: #1265572
* cfg80211: fix scheduled scan pointer access
- LP: #1265572
* ARM: OMAP2+: irq, AM33XX add missing register check
- LP: #1265572
* ALSA: hda - Add support of new codec ALC233
- LP: #1265572
* ALSA: hda - Add support of ALC255 codecs
- LP: #1265572
* USB:add new zte 3g-dongle's pid to option.c
- LP: #1265572
* [SCSI] sd: Reduce buffer size for vpd request
- LP: #1265572
* libata: Fix display of sata speed
- LP: #1265572
* ahci: disabled FBS prior to issuing software reset
- LP: #1265572
* drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH
drive
- LP: #1265572
* NFSv4: fix NULL dereference in open recover
- LP: #1265572
* ALSA: 6fire: Fix probe of multiple cards
- LP: #1265572
* ARM: sa11x0/assabet: ensure CS2 is configured appropriately
- LP: #1265572
* usb: wusbcore: set the RPIPE wMaxPacketSize value correctly
- LP: #1265572
* usb: wusbcore: change WA_SEGS_MAX to a legal value
- LP: #1265572
* powerpc/vio: use strcpy in modalias_show
- LP: #1265572
* i2c: mux: gpio: use gpio_set_value_cansleep()
- LP: #1265572
* i2c: mux: gpio: use reg value for i2c_add_mux_adapter
- LP: #1265572
* s390/vtime: correct idle time calculation
- LP: #1265572
* dm: allocate buffer for messages with small number of arguments using
GFP_NOIO
- LP: #1265572
* can: c_can: Fix RX message handling, handle lost message before EOB
- LP: #1265572
* can: kvaser_usb: fix usb endpoints detection
- LP: #1265572
* dm mpath: fix race condition between multipath_dtr and pg_init_done
- LP: #1265572
* ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
- LP: #1265572
* ASoC: ak4642: prevent un-necessary changes to SG_SL1
- LP: #1265572
* drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL
- LP: #1265572
* drm/radeon: don't share PPLLs on DCE4.1
- LP: #1265572
* KVM: x86: fix emulation of "movzbl %bpl, %eax"
- LP: #1265572
* ALSA: hda - Enable SPDIF for Acer TravelMate 6293
- LP: #1265572
* ahci: Add Device IDs for Intel Wildcat Point-LP
- LP: #1265572
* edac, highbank: Fix interrupt setup of mem and l2 controller
- LP: #1265572
* KVM: IOMMU: hva align mapping page size
- LP: #1265572
* audit: printk USER_AVC messages when audit isn't enabled
- LP: #1265572
* audit: fix info leak in AUDIT_GET requests
- LP: #1265572
* audit: use nlmsg_len() to get message payload length
- LP: #1265572
* ALSA: hda - Force buffer alignment for Haswell HDMI controllers
- LP: #1265572
* ftrace/x86: skip over the breakpoint for ftrace caller
- LP: #1265572
* drm: shmobile: Add dependency on BACKLIGHT_CLASS_DEVICE
- LP: #1265572
* powerpc/powernv: Add PE to its own PELTV
- LP: #1265572
* drm/ttm: Handle in-memory region copies
- LP: #1265572
* drm/ttm: Fix ttm_bo_move_memcpy
- LP: #1265572
* drm/ttm: Fix memory type compatibility check
- LP: #1265572
* perf/ftrace: Fix paranoid level for enabling function tracer
- LP: #1265572
* ARM: entry: move IRQ tracing exit into svc_exit
- LP: #1265572
* ARM: entry: move disable_irq_notrace into svc_exit
- LP: #1265572
* ARM: 7876/1: clear Thumb-2 IT state on exception handling
- LP: #1265572
* PM / hibernate: Avoid overflow in hibernate_preallocate_memory()
- LP: #1265572
* ALSA: hda - Add support for CX20952
- LP: #1265572
* ALSA: hda - Add pincfg fixup for ASUS W5A
- LP: #1265572
* mtd: nand: hack ONFI for non-power-of-2 dimensions
- LP: #1265572
* mtd: map: fixed bug in 64-bit systems
- LP: #1265572
* mtd: m25p80: fix allocation size
- LP: #1265572
* qeth: avoid buffer overflow in snmp ioctl
- LP: #1265572
* x86/ioapic/kcrash: Prevent crash_kexec() from deadlocking on
ioapic_lock
- LP: #1265572
* x86/apic: Disable I/O APIC before shutdown of the local APIC
- LP: #1265572
* parisc: sticon - unbreak on 64bit kernel
- LP: #1265572
* block: fix race between request completion and timeout handling
- LP: #1265572
* blk-core: Fix memory corruption if blkcg_init_queue fails
- LP: #1265572
* loop: fix crash if blk_alloc_queue fails
- LP: #1265572
* block: fix a probe argument to blk_register_region
- LP: #1265572
* block: properly stack underlying max_segment_size to DM device
- LP: #1265572
* xen/blkback: fix reference counting
- LP: #1265572
* loop: fix crash when using unassigned loop device
- LP: #1265572
* SUNRPC: Fix a data corruption issue when retransmitting RPC calls
- LP: #1265572
* IB/ipath: Convert ipath_user_sdma_pin_pages() to use
get_user_pages_fast()
- LP: #1265572
* IB/qib: Fix txselect regression
- LP: #1265572
* IB/srp: Remove target from list before freeing Scsi_Host structure
- LP: #1265572
* IB/srp: Avoid offlining operational SCSI devices
- LP: #1265572
* IB/srp: Report receive errors correctly
- LP: #1265572
* rtlwifi: rtl8192se: Fix wrong assignment
- LP: #1265572
* rt2x00: fix HT TX descriptor settings regression
- LP: #1265572
* rtlwifi: Fix endian error in extracting packet type
- LP: #1265572
* rtlwifi: rtl8192cu: Fix incorrect signal strength for unassociated AP
- LP: #1265572
* rtlwifi: rtl8192de: Fix incorrect signal strength for unassociated AP
- LP: #1265572
* mwifiex: correct packet length for packets from SDIO interface
- LP: #1265572
* mwifiex: fix wrong eth_hdr usage for bridged packets in AP mode
- LP: #1265572
* prism54: set netdev type to "wlan"
- LP: #1265572
* ALSA: msnd: Avoid duplicated driver name
- LP: #1265572
* x86/microcode/amd: Tone down printk(), don't treat a missing firmware
file as an error
- LP: #1265572
* SUNRPC: fix races on PipeFS UMOUNT notifications
- LP: #1265572
* SUNRPC: Avoid deep recursion in rpc_release_client
- LP: #1265572
* cris: media platform drivers: fix build
- LP: #1265572
* mm: ensure get_unmapped_area() returns higher address than
mmap_min_addr
- LP: #1265572
* mm: Only flush TLBs if a transhuge PMD is modified for NUMA pte
scanning
- LP: #1265572
* mm: numa: return the number of base pages altered by protection changes
- LP: #1265572
* vsprintf: check real user/group id for %pK
- LP: #1265572
* backlight: atmel-pwm-bl: fix reported brightness
- LP: #1265572
* backlight: atmel-pwm-bl: fix gpio polarity in remove
- LP: #1265572
* coredump: remove redundant defines for dumpable states
- LP: #1265572
* exec/ptrace: fix get_dumpable() incorrect tests
- LP: #1265572
- CVE-2013-2929
* devpts: plug the memory leak in kill_sb
- LP: #1265572
* ipc: clamp with min()
- LP: #1265572
* ipc: separate msg allocation from userspace copy
- LP: #1265572
* ipc: tighten msg copy loops
- LP: #1265572
* ipc: set EFAULT as default error in load_msg()
- LP: #1265572
* ipc, msg: fix message length check for negative values
- LP: #1265572
* drm/vmwgfx: Resource evict fixes
- LP: #1265572
* ALSA: hda - Don't clear the power state at snd_hda_codec_reset()
- LP: #1265572
* ASoC: blackfin: Fix missing break
- LP: #1265572
* target: Fix delayed Task Aborted Status (TAS) handling bug
- LP: #1265572
* md: fix calculation of stacking limits on level change.
- LP: #1265572
* drm/nouveau: when bailing out of a pushbuf ioctl, do not remove
previous fence
- LP: #1265572
* ASoC: fsl: imx-pcm-fiq: omit fiq counter to avoid harm in unbalanced
situations
- LP: #1265572
* ALSA: pcsp: Fix the order of input device unregistration
- LP: #1265572
* ASoC: wm8962: Turn on regcache_cache_only before disabling regulator
- LP: #1265572
* ARM: integrator_cp: Set LCD{0,1} enable lines when turning on CLCD
- LP: #1265572
* hwmon: (lm90) Fix max6696 alarm handling
- LP: #1265572
* ASoC: cs42l52: Correct MIC CTL mask
- LP: #1265572
* ARM: OMAP2+: omap_device: maintain sane runtime pm status around
suspend/resume
- LP: #1265572
* drm/i915: flush cursors harder
- LP: #1265572
* rt2x00: fix a crash bug in the HT descriptor handling fix
- LP: #1265572
* rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
- LP: #1265572
* radeon/i2c: do not count reg index in number of i2c byte we are
writing.
- LP: #1265572
* radeon: workaround pinning failure on low ram gpu
- LP: #1265572
* drm/radeon: add semaphore trace point
- LP: #1265572
* ACPI / EC: Ensure lock is acquired before accessing ec struct members
- LP: #1265572
* setfacl removes part of ACL when setting POSIX ACLs to Samba
- LP: #1265572
* nfsd: split up nfsd_setattr
- LP: #1265572
* nfsd: make sure to balance get/put_write_access
- LP: #1265572
* ASoC: wm5110: Add post SYSCLK register patch for rev D chip
- LP: #1265572
* nfsd4: fix xdr decoding of large non-write compounds
- LP: #1265572
* avr32: setup crt for early panic()
- LP: #1265572
* avr32: fix out-of-range jump in large kernels
- LP: #1265572
* ALSA: hda - Fix unbalanced runtime PM notification at resume
- LP: #1265572
* PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
- LP: #1265572
* powerpc/pseries: Duplicate dtl entries sometimes sent to userspace
- LP: #1265572
* powerpc/signals: Mark VSX not saved with small contexts
- LP: #1265572
* iscsi-target: fix extract_param to handle buffer length corner case
- LP: #1265572
* iscsi-target: chap auth shouldn't match username with trailing garbage
- LP: #1265572
* ALSA: hda - Fix the headphone jack detection on Sony VAIO TX
- LP: #1265572
* configfs: fix race between dentry put and lookup
- LP: #1265572
* ALSA: hda - Provide missing pin configs for VAIO with ALC260
- LP: #1265572
* KVM: Fix iommu map/unmap to handle memory slot moves
- LP: #1265572
* libertas: potential oops in debugfs
- LP: #1265572
* Linux 3.8.13.14
- LP: #1265572
* tmp
-- Brad Figg <brad.figg@xxxxxxxxxxxxx> Mon, 03 Feb 2014 10:07:27 -0800
** Changed in: linux-lts-raring (Ubuntu Precise)
Status: New => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2929
** Changed in: linux-lts-saucy (Ubuntu Precise)
Status: New => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1274754
Title:
CVE-2014-0038
Status in “linux” package in Ubuntu:
New
Status in “linux-armadaxp” package in Ubuntu:
Invalid
Status in “linux-ec2” package in Ubuntu:
Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
New
Status in “linux-lts-backport-natty” package in Ubuntu:
New
Status in “linux-lts-quantal” package in Ubuntu:
Invalid
Status in “linux-lts-raring” package in Ubuntu:
Invalid
Status in “linux-lts-saucy” package in Ubuntu:
Invalid
Status in “linux-mvl-dove” package in Ubuntu:
Invalid
Status in “linux-ti-omap4” package in Ubuntu:
Invalid
Status in “linux” source package in Lucid:
Invalid
Status in “linux-armadaxp” source package in Lucid:
Invalid
Status in “linux-ec2” source package in Lucid:
Invalid
Status in “linux-fsl-imx51” source package in Lucid:
Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
New
Status in “linux-lts-backport-natty” source package in Lucid:
New
Status in “linux-lts-quantal” source package in Lucid:
Invalid
Status in “linux-lts-raring” source package in Lucid:
Invalid
Status in “linux-lts-saucy” source package in Lucid:
Invalid
Status in “linux-mvl-dove” source package in Lucid:
Invalid
Status in “linux-ti-omap4” source package in Lucid:
Invalid
Status in “linux” source package in Precise:
Invalid
Status in “linux-armadaxp” source package in Precise:
Invalid
Status in “linux-ec2” source package in Precise:
Invalid
Status in “linux-fsl-imx51” source package in Precise:
Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
New
Status in “linux-lts-backport-natty” source package in Precise:
New
Status in “linux-lts-quantal” source package in Precise:
New
Status in “linux-lts-raring” source package in Precise:
Fix Released
Status in “linux-lts-saucy” source package in Precise:
Fix Released
Status in “linux-mvl-dove” source package in Precise:
Invalid
Status in “linux-ti-omap4” source package in Precise:
Invalid
Status in “linux” source package in Quantal:
New
Status in “linux-armadaxp” source package in Quantal:
Invalid
Status in “linux-ec2” source package in Quantal:
Invalid
Status in “linux-fsl-imx51” source package in Quantal:
Invalid
Status in “linux-lts-backport-maverick” source package in Quantal:
New
Status in “linux-lts-backport-natty” source package in Quantal:
New
Status in “linux-lts-quantal” source package in Quantal:
Invalid
Status in “linux-lts-raring” source package in Quantal:
Invalid
Status in “linux-lts-saucy” source package in Quantal:
Invalid
Status in “linux-mvl-dove” source package in Quantal:
Invalid
Status in “linux-ti-omap4” source package in Quantal:
Invalid
Status in “linux” source package in Saucy:
Fix Released
Status in “linux-armadaxp” source package in Saucy:
Invalid
Status in “linux-ec2” source package in Saucy:
Invalid
Status in “linux-fsl-imx51” source package in Saucy:
Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
New
Status in “linux-lts-backport-natty” source package in Saucy:
New
Status in “linux-lts-quantal” source package in Saucy:
Invalid
Status in “linux-lts-raring” source package in Saucy:
Invalid
Status in “linux-lts-saucy” source package in Saucy:
Invalid
Status in “linux-mvl-dove” source package in Saucy:
Invalid
Status in “linux-ti-omap4” source package in Saucy:
Invalid
Status in “linux” source package in Trusty:
New
Status in “linux-armadaxp” source package in Trusty:
Invalid
Status in “linux-ec2” source package in Trusty:
Invalid
Status in “linux-fsl-imx51” source package in Trusty:
Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
New
Status in “linux-lts-backport-natty” source package in Trusty:
New
Status in “linux-lts-quantal” source package in Trusty:
Invalid
Status in “linux-lts-raring” source package in Trusty:
Invalid
Status in “linux-lts-saucy” source package in Trusty:
Invalid
Status in “linux-mvl-dove” source package in Trusty:
Invalid
Status in “linux-ti-omap4” source package in Trusty:
Invalid
Bug description:
The timeout pointer parameter is provided by userland (hence the
__user annotation) but for x32 syscalls it's simply cast to a kernel
pointer and is passed to __sys_recvmmsg which will eventually directly
dereference it for both reading and writing. Other callers to
__sys_recvmmsg properly copy from userland to the kernel first. The
impact is a sort of arbitrary kernel write-where-what primitive by
unprivileged users where the to-be-written area must contain valid
timespec data initially (the first 64 bit long field must be positive
and the second one must be < 1G).
Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 lp1274754
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274754/+subscriptions
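
The bug description above contrasts a path that uses the caller's timeout location directly with callers that copy it into the kernel first. The following user-space model of that difference is an added example, not code from the bug report or the kernel. It assumes addresses are offsets into one array split into a "user" and a "kernel" half, and every `model_*`, `arena_*` and `timeout_*` name is hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: offsets below USER_LIMIT stand for
 * user memory, offsets at or above it for kernel memory. */
#define ARENA_SIZE 256
#define USER_LIMIT 128
struct model_timespec { int64_t tv_sec; int64_t tv_nsec; };
static unsigned char arena[ARENA_SIZE];

/* Analogue of access_ok(): the whole range must sit in the user half. */
static int model_access_ok(size_t off, size_t len) {
    return off <= USER_LIMIT && len <= USER_LIMIT - off;
}

/* Stand-in for the inner call: reject an invalid timeout, otherwise write
 * back the remaining time (modelled as zero). */
static int model_inner(struct model_timespec *ts) {
    if (ts->tv_sec < 0 || ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
        return -EINVAL;
    ts->tv_sec = ts->tv_nsec = 0;
    return 0;
}

/* Shared body; `check` selects the corrected (1) or flawed (0) pattern. */
static int model_timeout(size_t off, int check) {
    struct model_timespec ts;
    if (check && !model_access_ok(off, sizeof ts))
        return -EFAULT;                      /* refuse non-user locations */
    memcpy(&ts, arena + off, sizeof ts);     /* copy in */
    int ret = model_inner(&ts);              /* work on the local copy */
    if (ret == 0)
        memcpy(arena + off, &ts, sizeof ts); /* copy out */
    return ret;
}
int timeout_unchecked(size_t off) { return model_timeout(off, 0); }
int timeout_checked(size_t off)   { return model_timeout(off, 1); }

/* Helpers to seed and inspect the model memory. */
void arena_put(size_t off, int64_t sec, int64_t nsec) {
    struct model_timespec ts = { sec, nsec };
    memcpy(arena + off, &ts, sizeof ts);
}
int64_t arena_sec(size_t off) {
    int64_t s;
    memcpy(&s, arena + off, sizeof s);
    return s;
}
```

With the range check in place, a location in the kernel half, or one that straddles the boundary, is refused with `-EFAULT` and the memory there is left unchanged.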