kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #62668
[Bug 1316729] Re: CVE-2014-1737
This bug was fixed in the package linux - 2.6.32-60.122
---------------
linux (2.6.32-60.122) lucid; urgency=low
[ Andy Whitcroft ]
* Release Tracking Bug
- LP: #1317230
* merge CVE release 2.6.32-58.121
* Revert "n_tty: Fix n_tty_write crash when echoing in raw mode"
- LP: #1314762
[ Upstream Kernel Changes ]
* floppy: ignore kernel-only members in FDRAWCMD ioctl input
- LP: #1316729
- CVE-2014-1737
* floppy: don't write kernel-only members to FDRAWCMD ioctl output
- LP: #1316735
- CVE-2014-1738
* n_tty: Fix n_tty_write crash when echoing in raw mode
- LP: #1314762
- CVE-2014-0196
- switch existing patch for upstream code.
linux (2.6.32-59.121) lucid; urgency=low
[ Joseph Salisbury ]
* Release Tracking Bug
- LP: #1313820
[ Upstream Kernel Changes ]
* rds: prevent dereference of a NULL device in rds_iw_laddr_check
- LP: #1302222
- CVE-2014-2678
* rds: prevent dereference of a NULL device
- LP: #1297738
- CVE-2013-7339
-- Andy Whitcroft <apw@xxxxxxxxxxxxx> Wed, 07 May 2014 19:32:40 +0100
** Changed in: linux (Ubuntu Lucid)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-7339
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-0196
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-1738
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-2678
** Changed in: linux-ec2 (Ubuntu Lucid)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729
Title:
CVE-2014-1737
Status in “linux” package in Ubuntu:
Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
Invalid
Status in “linux-ec2” package in Ubuntu:
Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
New
Status in “linux-lts-backport-natty” package in Ubuntu:
New
Status in “linux-lts-quantal” package in Ubuntu:
Invalid
Status in “linux-lts-raring” package in Ubuntu:
Invalid
Status in “linux-lts-saucy” package in Ubuntu:
Invalid
Status in “linux-mvl-dove” package in Ubuntu:
Invalid
Status in “linux-ti-omap4” package in Ubuntu:
Invalid
Status in “linux” source package in Lucid:
Fix Released
Status in “linux-armadaxp” source package in Lucid:
Invalid
Status in “linux-ec2” source package in Lucid:
Fix Released
Status in “linux-fsl-imx51” source package in Lucid:
Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
New
Status in “linux-lts-backport-natty” source package in Lucid:
New
Status in “linux-lts-quantal” source package in Lucid:
Invalid
Status in “linux-lts-raring” source package in Lucid:
Invalid
Status in “linux-lts-saucy” source package in Lucid:
Invalid
Status in “linux-mvl-dove” source package in Lucid:
Invalid
Status in “linux-ti-omap4” source package in Lucid:
Invalid
Status in “linux” source package in Precise:
Fix Committed
Status in “linux-armadaxp” source package in Precise:
Fix Committed
Status in “linux-ec2” source package in Precise:
Invalid
Status in “linux-fsl-imx51” source package in Precise:
Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
New
Status in “linux-lts-backport-natty” source package in Precise:
New
Status in “linux-lts-quantal” source package in Precise:
Fix Committed
Status in “linux-lts-raring” source package in Precise:
Fix Committed
Status in “linux-lts-saucy” source package in Precise:
Fix Committed
Status in “linux-mvl-dove” source package in Precise:
Invalid
Status in “linux-ti-omap4” source package in Precise:
Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal:
New
Status in “linux-lts-backport-natty” source package in Quantal:
New
Status in “linux” source package in Saucy:
Fix Committed
Status in “linux-armadaxp” source package in Saucy:
Invalid
Status in “linux-ec2” source package in Saucy:
Invalid
Status in “linux-fsl-imx51” source package in Saucy:
Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
New
Status in “linux-lts-backport-natty” source package in Saucy:
New
Status in “linux-lts-quantal” source package in Saucy:
Invalid
Status in “linux-lts-raring” source package in Saucy:
Invalid
Status in “linux-lts-saucy” source package in Saucy:
Invalid
Status in “linux-mvl-dove” source package in Saucy:
Invalid
Status in “linux-ti-omap4” source package in Saucy:
Fix Committed
Status in “linux” source package in Trusty:
Fix Committed
Status in “linux-armadaxp” source package in Trusty:
Invalid
Status in “linux-ec2” source package in Trusty:
Invalid
Status in “linux-fsl-imx51” source package in Trusty:
Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
New
Status in “linux-lts-backport-natty” source package in Trusty:
New
Status in “linux-lts-quantal” source package in Trusty:
Invalid
Status in “linux-lts-raring” source package in Trusty:
Invalid
Status in “linux-lts-saucy” source package in Trusty:
Invalid
Status in “linux-mvl-dove” source package in Trusty:
Invalid
Status in “linux-ti-omap4” source package in Trusty:
Invalid
Status in “linux” source package in Utopic:
Fix Committed
Status in “linux-armadaxp” source package in Utopic:
Invalid
Status in “linux-ec2” source package in Utopic:
Invalid
Status in “linux-fsl-imx51” source package in Utopic:
Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
New
Status in “linux-lts-backport-natty” source package in Utopic:
New
Status in “linux-lts-quantal” source package in Utopic:
Invalid
Status in “linux-lts-raring” source package in Utopic:
Invalid
Status in “linux-lts-saucy” source package in Utopic:
Invalid
Status in “linux-mvl-dove” source package in Utopic:
Invalid
Status in “linux-ti-omap4” source package in Utopic:
Invalid
Bug description:
The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
kernel through 3.14.3 does not properly handle error conditions during
processing of an FDRAWCMD ioctl call, which allows local users to
trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin.
This function kmallocs space for a floppy_raw_cmd structure and stores
the resulting allocation in the "rcmd" pointer argument. It then
attempts to copy_from_user the structure from userspace. If this
fails, an early EFAULT return is taken. The problem is that even if
the early return is taken, the pointer to the non-/partially-
initialized floppy_raw_cmd structure has already been returned via the
"rcmd" pointer. Back out in raw_cmd_ioctl, it attempts to raw_cmd_free
this pointer. raw_cmd_free attempts to free any DMA pages allocated
for the raw command, kfrees the raw command structure itself, and
follows the linked list, if any, of further raw commands (a user can
specify the FD_RAW_MORE flag to signal that there are more raw
commands to follow in a single FDRAWCMD ioctl). So, a malicious user
can send a FDRAWCMD ioctl with a raw command argument structure that
has some bytes inaccessible (ie. off the end of an allocated page).
The copy_from_user will fail but raw_cmd_free will attempt to process
the floppy_raw_cmd as if it had been fully initialized by the rest of
raw_cmd_copyin. The user can control the arguments passed to
fd_dma_mem_free and kfree (by making use of the linked-list feature
and specifying the target address as a next-in-list structure).
Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions
References