kernel-packages team mailing list archive

[Bug 1316729] Re: CVE-2014-1737

 

This bug was fixed in the package linux-lts-raring -
3.8.0-41.60~precise1

---------------
linux-lts-raring (3.8.0-41.60~precise1) precise; urgency=low

  [ Kamal Mostafa ]

  * Revert "rtlwifi: Set the link state"
    - LP: #1289429
    - LP: #1319735
  * Release Tracking Bug
    - re-used previous tracking bug

linux-lts-raring (3.8.0-41.59~precise1) precise; urgency=low

  [ Kamal Mostafa ]

  * Merged back Ubuntu-3.8.0-39.58 security release
  * Revert: "n_tty: Fix n_tty_write crash when echoing in raw mode"
    - LP: #1317242
  * Release Tracking Bug
    - LP: #1317246

  [ Upstream Kernel Changes ]

  * Input: ALPS - add support for "Dolphin" devices
    - LP: #1256213
  * n_tty: Fix n_tty_write crash when echoing in raw mode
    - LP: #1317242
    - LP: #1314762
    - CVE-2014-0196
  * floppy: ignore kernel-only members in FDRAWCMD ioctl input
    - LP: #1317242
    - LP: #1316729
    - CVE-2014-1737
  * floppy: don't write kernel-only members to FDRAWCMD ioctl output
    - LP: #1317242
    - LP: #1316735
    - CVE-2014-1738
  * Linux 3.8.13.23
    - LP: #1317242

linux-lts-raring (3.8.0-40.58~precise1) precise; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1314348

  [ Upstream Kernel Changes ]

  * Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines."
    - LP: #1313767
  * rds: prevent dereference of a NULL device in rds_iw_laddr_check
    - LP: #1302222
    - CVE-2014-2678
  * 6lowpan: fix lockdep splats
    - LP: #1307561
  * 9p/trans_virtio.c: Fix broken zero-copy on vmalloc() buffers
    - LP: #1307561
  * ipv4: Fix runtime WARNING in rtmsg_ifa()
    - LP: #1307561
  * net: fix 'ip rule' iif/oif device rename
    - LP: #1307561
  * net: qmi_wwan: add Netgear Aircard 340U
    - LP: #1307561
  * tcp: tsq: fix nonagle handling
    - LP: #1307561
  * tg3: Fix deadlock in tg3_change_mtu()
    - LP: #1307561
  * net: asix: add missing flag to struct driver_info
    - LP: #1307561
  * bonding: 802.3ad: make aggregator_identifier bond-private
    - LP: #1307561
  * ipv4: fix counter in_slow_tot
    - LP: #1307561
  * net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode
    - LP: #1307561
  * net: add and use skb_gso_transport_seglen()
    - LP: #1307561
  * net: core: introduce netif_skb_dev_features
    - LP: #1307561
  * net: ip, ipv6: handle gso skbs in forwarding path
    - LP: #1307561
  * net: use __GFP_NORETRY for high order allocations
    - LP: #1307561
  * net-tcp: fastopen: fix high order allocations
    - LP: #1307561
  * virtio-net: alloc big buffers also when guest can receive UFO
    - LP: #1307561
  * ipv6: reuse ip6_frag_id from ip6_ufo_append_data
    - LP: #1307561
  * sfc: check for NULL efx->ptp_data in efx_ptp_event
    - LP: #1307561
  * ipv6: ipv6_find_hdr restore prev functionality
    - LP: #1307561
  * tg3: Don't check undefined error bits in RXBD
    - LP: #1307561
  * net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    - LP: #1307561
  * mac80211: send control port protocol frames to the VO queue
    - LP: #1307561
  * mac80211: fix AP powersave TX vs. wakeup race
    - LP: #1307561
  * iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails
    - LP: #1307561
  * ath9k: protect tid->sched check
    - LP: #1307561
  * ath9k: Fix ETSI compliance for AR9462 2.0
    - LP: #1307561
  * iwlwifi: fix TX status for aggregated packets
    - LP: #1307561
  * genirq: Remove racy waitqueue_active check
    - LP: #1307561
  * sched: Fix double normalization of vruntime
    - LP: #1307561
  * cpuset: fix a race condition in __cpuset_node_allowed_softwall()
    - LP: #1307561
  * mac80211: fix association to 20/40 MHz VHT networks
    - LP: #1307561
  * firewire: net: fix use after free
    - LP: #1307561
  * mwifiex: do not advertise usb autosuspend support
    - LP: #1307561
  * ACPI / resources: ignore invalid ACPI device resources
    - LP: #1307561
  * NFS: Fix a delegation callback race
    - LP: #1307561
  * ALSA: hda - Added inverted digital-mic handling for Acer TravelMate
    8371
    - LP: #1307561
  * can: flexcan: fix shutdown: first disable chip, then all interrupts
    - LP: #1307561
  * can: flexcan: flexcan_open(): fix error path if flexcan_chip_start()
    fails
    - LP: #1307561
  * can: flexcan: fix transition from and to low power mode in
    chip_{en,dis}able
    - LP: #1307561
  * can: flexcan: flexcan_remove(): add missing netif_napi_del()
    - LP: #1307561
  * tracing: Do not add event files for modules that fail tracepoints
    - LP: #1307561
  * ocfs2: fix quota file corruption
    - LP: #1307561
  * rapidio/tsi721: fix tasklet termination in dma channel release
    - LP: #1307561
  * spi: coldfire-qspi: Fix getting correct address for *mcfqspi
    - LP: #1307561
  * ALSA: usb-audio: Add quirk for Logitech Webcam C500
    - LP: #1307561
  * drm/radeon: TTM must be init with cpu-visible VRAM, v2
    - LP: #1307561
  * drm/radeon/atom: select the proper number of lanes in transmitter setup
    - LP: #1307561
  * powerpc: Align p_dyn, p_rela and p_st symbols
    - LP: #1307561
  * libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus
    SpinPoint M8 (2BA30001)
    - LP: #1307561
  * usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e
    - LP: #1307561
  * usb: Make DELAY_INIT quirk wait 100ms between Get Configuration
    requests
    - LP: #1307561
  * ARM: fix noMMU kallsyms symbol filtering
    - LP: #1307561
  * ARM: 7991/1: sa1100: fix compile problem on Collie
    - LP: #1307561
  * x86: Ignore NMIs that come in during early boot
    - LP: #1307561
  * x86: fix compile error due to X86_TRAP_NMI use in asm files
    - LP: #1307561
  * mac80211: clear sequence/fragment number in QoS-null frames
    - LP: #1307561
  * mwifiex: copy AP's HT capability info correctly
    - LP: #1307561
  * net: unix socket code abuses csum_partial
    - LP: #1307561
  * ibmveth: Fix endian issues with MAC addresses
    - LP: #1307561
  * [SCSI] isci: fix reset timeout handling
    - LP: #1307561
  * [SCSI] isci: correct erroneous for_each_isci_host macro
    - LP: #1307561
  * [SCSI] qla2xxx: Poll during initialization for ISP25xx and ISP83xx
    - LP: #1307561
  * ocfs2 syncs the wrong range...
    - LP: #1307561
  * mm/compaction: break out of loop on !PageBuddy in
    isolate_freepages_block
    - LP: #1307561
  * fs/proc/base.c: fix GPF in /proc/$PID/map_files
    - LP: #1307561
  * vmxnet3: fix netpoll race condition
    - LP: #1307561
  * [SCSI] storvsc: NULL pointer dereference fix
    - LP: #1307561
  * KVM: SVM: fix cr8 intercept window
    - LP: #1307561
  * drm/ttm: don't oops if no invalidate_caches()
    - LP: #1307561
  * vmxnet3: fix building without CONFIG_PCI_MSI
    - LP: #1307561
  * i2c: Remove usage of orphaned symbol OF_I2C
    - LP: #1307561
  * x86/amd/numa: Fix northbridge quirk to assign correct NUMA node
    - LP: #1307561
  * ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation
    - LP: #1307561
  * drm/i915: Disable stolen memory when DMAR is active
    - LP: #1307561
  * ALSA: compress: Pass through return value of open ops callback
    - LP: #1307561
  * i2c: cpm: Fix build by adding of_address.h and of_irq.h
    - LP: #1307561
  * net: mvneta: rename MVNETA_GMAC2_PSC_ENABLE to MVNETA_GMAC2_PCS_ENABLE
    - LP: #1307561
  * Input: synaptics - add manual min/max quirk
    - LP: #1307561
  * Input: synaptics - add manual min/max quirk for ThinkPad X240
    - LP: #1307561
  * x86: fix boot on uniprocessor systems
    - LP: #1307561
  * Input: mousedev - fix race when creating mixed device
    - LP: #1307561
  * staging: speakup: Prefix externally-visible symbols
    - LP: #1307561
  * ext4: atomically set inode->i_flags in ext4_set_inode_flags()
    - LP: #1307561
  * Linux 3.8.13.21
    - LP: #1307561
  * net: ipv4: current group_info should be put after using.
    - CVE-2014-2851
  * netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
    - LP: #1295090
    - CVE-2014-2523
  * net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
    - LP: #1313767
  * bridge: multicast: add sanity check for query source addresses
    - LP: #1313767
  * net: unix: non blocking recvmsg() should not return -EINTR
    - LP: #1313767
  * ipv6: Fix exthdrs offload registration.
    - LP: #1313767
  * ipv6: don't set DST_NOCOUNT for remotely added routes
    - LP: #1313767
  * vlan: Set correct source MAC address with TX VLAN offload enabled
    - LP: #1313767
  * tcp: tcp_release_cb() should release socket ownership
    - LP: #1313767
  * net: socket: error on a negative msg_namelen
    - LP: #1313767
  * ipv6: Avoid unnecessary temporary addresses being generated
    - LP: #1313767
  * ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment
    properly
    - LP: #1313767
  * vxlan: fix potential NULL dereference in arp_reduce()
    - LP: #1313767
  * rtnetlink: fix fdb notification flags
    - LP: #1313767
  * ipmr: fix mfc notification flags
    - LP: #1313767
  * ip6mr: fix mfc notification flags
    - LP: #1313767
  * usbnet: include wait queue head in device structure
    - LP: #1313767
  * vhost: fix total length when packets are too short
    - LP: #1313767
    - CVE-2014-0077
  * vhost: validate vhost_get_vq_desc return value
    - LP: #1313767
    - CVE-2014-0055
  * xen-netback: remove pointless clause from if statement
    - LP: #1313767
  * ipv6: some ipv6 statistic counters failed to disable bh
    - LP: #1313767
  * netlink: don't compare the nul-termination in nla_strcmp
    - LP: #1313767
  * isdnloop: Validate NUL-terminated strings from user.
    - LP: #1313767
  * isdnloop: several buffer overflows
    - LP: #1313767
  * sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on
    Simba-bridges
    - LP: #1313767
  * sparc32: fix build failure for arch_jump_label_transform
    - LP: #1313767
  * sparc64: don't treat 64-bit syscall return codes as 32-bit
    - LP: #1313767
  * drm/i915: quirk invert brightness for Acer Aspire 5336
    - LP: #1313767
  * w1: fix w1_send_slave dropping a slave id
    - LP: #1313767
  * ARM: 7954/1: mm: remove remaining domain support from ARMv6
    - LP: #1313767
  * matroxfb: restore the registers M_ACCESS and M_PITCH
    - LP: #1313767
  * framebuffer: fix cfb_copyarea
    - LP: #1313767
  * mach64: use unaligned access
    - LP: #1313767
  * mach64: fix cursor when character width is not a multiple of 8 pixels
    - LP: #1313767
  * tgafb: fix mode setting with fbset
    - LP: #1313767
  * tgafb: fix data copying
    - LP: #1313767
  * hvc: ensure hvc_init is only ever called once in hvc_console.c
    - LP: #1313767
  * usb: dwc3: fix wrong bit mask in dwc3_event_devt
    - LP: #1313767
  * x86, AVX-512: AVX-512 Feature Detection
    - LP: #1313767
  * media: gspca: sn9c20x: add ID for Genius Look 1320 V2
    - LP: #1313767
  * m88rs2000: add caps FE_CAN_INVERSION_AUTO
    - LP: #1313767
  * m88rs2000: prevent frontend crash on continuous transponder scans
    - LP: #1313767
  * tty: Set correct tty name in 'active' sysfs attribute
    - LP: #1313767
  * Bluetooth: Fix removing Long Term Key
    - LP: #1313767
  * uvcvideo: Do not use usb_set_interface on bulk EP
    - LP: #1313767
  * usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is
    enabled
    - LP: #1313767
  * blktrace: fix accounting of partially completed requests
    - LP: #1313767
  * rtlwifi: rtl8192cu: Fix too long disable of IRQs
    - LP: #1313767
  * rtlwifi: rtl8192se: Fix too long disable of IRQs
    - LP: #1313767
  * rtlwifi: rtl8723ae: Fix too long disable of IRQs
    - LP: #1313767
  * xhci: Prevent runtime pm from autosuspending during initialization
    - LP: #1313767
  * staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to
    integer
    - LP: #1313767
  * Btrfs: skip submitting barrier for missing device
    - LP: #1313767
  * jffs2: remove from wait queue after schedule()
    - LP: #1313767
  * jffs2: avoid soft-lockup in jffs2_reserve_space_gc()
    - LP: #1313767
  * jffs2: Fix segmentation fault found in stress test
    - LP: #1313767
  * jffs2: Fix crash due to truncation of csize
    - LP: #1313767
  * mtd: atmel_nand: Disable subpage NAND write when using Atmel PMECC
    - LP: #1313767
  * iwlwifi: dvm: take mutex when sending SYNC BT config command
    - LP: #1313767
  * virtio_balloon: don't softlockup on huge balloon changes.
    - LP: #1313767
  * arm64: Use Normal NonCacheable memory for writecombine
    - LP: #1313767
  * arm64: Make DMA coherent and strongly ordered mappings not executable
    - LP: #1313767
  * arm64: Do not synchronise I and D caches for special ptes
    - LP: #1313767
  * ARM: OMAP2+: INTC: Acknowledge stuck active interrupts
    - LP: #1313767
  * mtip32xx: Set queue bounce limit
    - LP: #1313767
  * mtip32xx: Unmap the DMA segments before completing the IO request
    - LP: #1313767
  * ath9k: fix ready time of the multicast buffer queue
    - LP: #1313767
  * usb: gadget: tcm_usb_gadget: stop format strings
    - LP: #1313767
  * USB: unbind all interfaces before rebinding any
    - LP: #1313767
  * IB/ipath: Fix potential buffer overrun in sending diag packet routine
    - LP: #1313767
  * IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL
    - LP: #1313767
  * mfd: sec-core: Fix possible NULL pointer dereference when i2c_new_dummy
    error
    - LP: #1313767
  * regulator: arizona-ldo1: Correct default regulator init_data
    - LP: #1313767
  * ASoC: cs42l73: Fix mask bits for SOC_VALUE_ENUM_SINGLE
    - LP: #1313767
  * ASoC: cs42l52: Fix mask bits for SOC_VALUE_ENUM_SINGLE
    - LP: #1313767
  * mfd: Include all drivers in subsystem menu
    - LP: #1313767
  * mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: max77686: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: 88pm860x: Fix I2C device resource leak on regmap init fail
    - LP: #1313767
  * mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: max77693: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1313767
  * mfd: tps65910: Fix possible invalid pointer dereference on
    regmap_add_irq_chip fail
    - LP: #1313767
  * ASoC: cs42l51: Fix SOC_DOUBLE_R_SX_TLV shift values for ADC, PCM, and
    Analog kcontrols
    - LP: #1313767
  * pid: get pid_t ppid of task in init_pid_ns
    - LP: #1313767
  * audit: convert PPIDs to the inital PID namespace.
    - LP: #1313767
  * Btrfs: fix deadlock with nested trans handles
    - LP: #1313767
  * gpio: mxs: Allow for recursive enable_irq_wake() call
    - LP: #1313767
  * x86, hyperv: Bypass the timer_irq_works() check
    - LP: #1313767
  * nfsd4: buffer-length check for SUPPATTR_EXCLCREAT
    - LP: #1313767
  * nfsd4: session needs room for following op to error out
    - LP: #1313767
  * nfsd4: leave reply buffer space for failed setattr
    - LP: #1313767
  * nfsd4: fix test_stateid error reply encoding
    - LP: #1313767
  * nfsd: notify_change needs elevated write count
    - LP: #1313767
  * dm transaction manager: fix corruption due to non-atomic transaction
    commit
    - LP: #1313767
  * dm: take care to copy the space map roots before locking the superblock
    - LP: #1313767
  * NFSD: Traverse unconfirmed client through hash-table
    - LP: #1313767
  * lockd: ensure we tear down any live sockets when socket creation fails
    during lockd_up
    - LP: #1313767
  * drm/i915/tv: fix gen4 composite s-video tv-out
    - LP: #1313767
  * dm thin: fix dangling bio in process_deferred_bios error path
    - LP: #1313767
  * NFSv4: Fix a use-after-free problem in open()
    - LP: #1313767
  * nfsd4: fix setclientid encode size
    - LP: #1313767
  * MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
    - LP: #1313767
  * ALSA: hda - Enable beep for ASUS 1015E
    - LP: #1313767
  * x86: Adjust irq remapping quirk for older revisions of 5500/5520
    chipsets
    - LP: #1313767
  * nfsd: check passed socket's net matches NFSd superblock's one
    - LP: #1313767
  * IB/mthca: Return an error on ib_copy_to_udata() failure
    - LP: #1313767
  * IB/ehca: Returns an error on ib_copy_to_udata() failure
    - LP: #1313767
  * don't bother with {get,put}_write_access() on non-regular files
    - LP: #1313767
  * reiserfs: fix race in readdir
    - LP: #1313767
  * pid_namespace: pidns_get() should check task_active_pid_ns() != NULL
    - LP: #1313767
  * drm/vmwgfx: correct fb_fix_screeninfo.line_length
    - LP: #1313767
  * drm/radeon: call drm_edid_to_eld when we update the edid
    - LP: #1313767
  * sh: fix format string bug in stack tracer
    - LP: #1313767
  * ocfs2: dlm: fix lock migration crash
    - LP: #1313767
  * ocfs2: dlm: fix recovery hung
    - LP: #1313767
  * ocfs2: do not put bh when buffer_uptodate failed
    - LP: #1313767
  * Skip intel_crt_init for Dell XPS 8700
    - LP: #1313767
  * iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug
    - LP: #1313767
  * mm: try_to_unmap_cluster() should lock_page() before mlocking
    - LP: #1313767
  * mm: hugetlb: fix softlockup when a large number of hugepages are freed.
    - LP: #1313767
  * wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race
    - LP: #1313767
  * hung_task: check the value of "sysctl_hung_task_timeout_sec"
    - LP: #1313767
  * ALSA: ice1712: Fix boundary checks in PCM pointer ops
    - LP: #1313767
  * lib/percpu_counter.c: fix bad percpu counter state during suspend
    - LP: #1313767
  * b43: Fix machine check error due to improper access of
    B43_MMIO_PSM_PHY_HDR
    - LP: #1313767
  * x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    - LP: #1313767
  * target/tcm_fc: Fix use-after-free of ft_tpg
    - LP: #1313767
  * ib_srpt: Use correct ib_sg_dma primitives
    - LP: #1313767
  * x86, AVX-512: Enable AVX-512 States Context Switch
    - LP: #1313767
  * Linux 3.8.13.22
    - LP: #1313767
 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>   Thu, 15 May 2014 16:09:52 -0700

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Released
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Released
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux-armadaxp” source package in Precise:
  Fix Released
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
  kernel through 3.14.3 does not properly handle error conditions during
  processing of an FDRAWCMD ioctl call, which allows local users to
  trigger kfree operations and gain privileges by leveraging write
  access to a /dev/fd device.

  First, raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs
  space for a floppy_raw_cmd structure and stores the resulting
  allocation in the "rcmd" pointer argument. It then attempts to
  copy_from_user the structure from userspace. If this fails, an early
  EFAULT return is taken. The problem is that even if the early return
  is taken, the pointer to the non-/partially-initialized floppy_raw_cmd
  structure has already been returned via the "rcmd" pointer.

  Back out in raw_cmd_ioctl, it attempts to raw_cmd_free this pointer.
  raw_cmd_free attempts to free any DMA pages allocated for the raw
  command, kfrees the raw command structure itself, and follows the
  linked list, if any, of further raw commands (a user can specify the
  FD_RAW_MORE flag to signal that there are more raw commands to follow
  in a single FDRAWCMD ioctl).

  So, a malicious user can send an FDRAWCMD ioctl with a raw command
  argument structure that has some bytes inaccessible (i.e. off the end
  of an allocated page). The copy_from_user will fail but raw_cmd_free
  will attempt to process the floppy_raw_cmd as if it had been fully
  initialized by the rest of raw_cmd_copyin. The user can control the
  arguments passed to fd_dma_mem_free and kfree (by making use of the
  linked-list feature and specifying the target address as a
  next-in-list structure).

  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions
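
The ordering problem in the bug description above, as an added userspace model (not kernel code and not taken from the fix commit). The struct layout, the model_* names, the reset_always switch and the marker values are assumptions; the cleanup only counts the caller-supplied pointers it would have released, and the reset-always ordering follows the changelog entry "ignore kernel-only members in FDRAWCMD ioctl input".

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct floppy_raw_cmd (field set is an assumption). */
struct raw_cmd {
    unsigned int flags;
    long length;
    void *kernel_data;     /* kernel-only: DMA buffer */
    struct raw_cmd *next;  /* kernel-only: list built for FD_RAW_MORE */
};

/* Models copy_from_user(): copies the accessible prefix only and returns
 * the number of bytes NOT copied (non-zero means the copy faulted). */
static size_t model_copy_from_user(void *dst, const void *src, size_t n, size_t accessible)
{
    size_t ok = n < accessible ? n : accessible;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Models raw_cmd_copyin(). reset_always == 0 is the ordering the report
 * describes: early EFAULT return after the pointer is already published.
 * calloc keeps the model deterministic; kmalloc would not zero the tail. */
static int model_copyin(const void *user, size_t accessible,
                        struct raw_cmd **rcmd, int reset_always)
{
    struct raw_cmd *ptr = calloc(1, sizeof(*ptr));
    size_t left;
    if (!ptr) return -12;            /* ENOMEM */
    *rcmd = ptr;                     /* caller sees ptr from here on */
    left = model_copy_from_user(ptr, user, sizeof(*ptr), accessible);
    if (left && !reset_always)
        return -14;                  /* EFAULT, caller bytes still in place */
    ptr->kernel_data = NULL;         /* kernel-only members never come */
    ptr->next = NULL;                /* from the caller's buffer       */
    return left ? -14 : 0;
}

/* Models raw_cmd_free(): counts the caller-supplied pointers it would have
 * handed to fd_dma_mem_free/kfree instead of touching them. */
static int model_free(struct raw_cmd *cmd)
{
    int untrusted;
    if (!cmd) return 0;
    untrusted = (cmd->kernel_data != NULL) + (cmd->next != NULL);
    free(cmd);
    return untrusted;
}

/* Models raw_cmd_ioctl(): cleanup runs even when copyin reports an error. */
static int ioctl_model(const void *user, size_t accessible, int reset_always)
{
    struct raw_cmd *cmd = NULL;
    (void)model_copyin(user, accessible, &cmd, reset_always);
    return model_free(cmd);
}

/* Constructed input: marker values in the kernel-only members. */
static struct raw_cmd constructed_user_cmd(void)
{
    struct raw_cmd u = {0};
    u.kernel_data = (void *)(uintptr_t)0x41414141u;
    u.next = (struct raw_cmd *)(uintptr_t)0x42424242u;
    return u;
}

int main(void)
{
    struct raw_cmd u = constructed_user_cmd();
    /* sizeof(u) - 1: the last byte is "off the end of an allocated page" */
    printf("early-return ordering: %d\n", ioctl_model(&u, sizeof(u) - 1, 0));
    printf("reset-always ordering: %d\n", ioctl_model(&u, sizeof(u) - 1, 1));
    return 0;
}
```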

