This bug was fixed in the package linux - 3.13.0-27.50

---------------
linux (3.13.0-27.50) trusty; urgency=low

  [ Brad Figg ]

  * Revert "rtlwifi: Set the link state"

linux (3.13.0-27.49) trusty; urgency=low

  [ Brad Figg ]

  * Revert "SAUCE: (no-up) HID: rmi: do not stop the device at the end of probe"
  * Revert "SAUCE: (no-up) HID: rmi: introduce RMI driver for Synaptics touchpads"
  * Revert "[Config] CONFIG_HID_RMI=m"

linux (3.13.0-26.48) trusty; urgency=low

  [ Benjamin Tissoires ]

  * SAUCE: (no-up) HID: rmi: introduce RMI driver for Synaptics touchpads
    - LP: #1305522
  * SAUCE: (no-up) HID: rmi: do not stop the device at the end of probe
    - LP: #1305522

  [ Kamal Mostafa ]

  * Merged back Ubuntu-3.13.0-24.47 security release
  * Revert "n_tty: Fix n_tty_write crash when echoing in raw mode"
    - LP: #1314762
  * Release Tracking Bug
    - LP: #1316835

  [ Tim Gardner ]

  * [Config] CONFIG_HID_RMI=m
    - LP: #1305522
  * [Config] CONFIG_CRYPTO_DEV_NX=n for ppc64el
    - LP: #1314625
  * [Config] CONFIG_ZSWAP=y
    - LP: #1315203
  * Add rpcsec_gss_krb5 to generic inclusion list
    - LP: #769527

  [ Upstream Kernel Changes ]

  * HID: hidraw: make comment more accurate and nicer
    - LP: #1305522
  * HID: remove hid_get_raw_report in struct hid_device
    - LP: #1305522
  * HID: i2c-hid: implement ll_driver transport-layer callbacks
    - LP: #1305522
  * HID: add inliners for ll_driver transport-layer callbacks
    - LP: #1305522
  * HID: Add transport-driver callbacks to the hid_ll_driver struct
    - LP: #1305522
  * drm/nouveau: fail runtime pm properly.
    - LP: #1313986
  * drm/nouveau: don't suspend/resume display on runtime s/r
    - LP: #1313986
  * n_tty: Fix n_tty_write crash when echoing in raw mode
    - LP: #1314762
    - CVE-2014-0196
  * floppy: ignore kernel-only members in FDRAWCMD ioctl input
    - LP: #1316729
    - CVE-2014-1737
  * floppy: don't write kernel-only members to FDRAWCMD ioctl output
    - LP: #1316735
    - CVE-2014-1738

linux (3.13.0-25.47) trusty; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1313868

  [ Adam Lee ]

  * [Config] CONFIG_RTL8723BE=m, CONFIG_RTL8723_COMMON=m
    - LP: #1240940

  [ Alex Hung ]

  * SAUCE: (no-up) dell-led: add mic mute led interface
    - LP: #1308297

  [ Andy Whitcroft ]

  * SAUCE: (no-up) powerpc: Increase COMMAND_LINE_SIZE to 2048 from 512.
    - LP: #1306677

  [ Ben Collins ]

  * [Config] Disable PAMU on Freescale kernels
    - LP: #1311738

  [ Tim Gardner ]

  * Revert "SAUCE: x86, hyperv: bypass the timer_irq_works() check"
    - LP: #1311683
  * SAUCE: (no-up) ALSA: usb-audio: Suppress repetitive debug messages from retire_playback_urb()
    - LP: #1305133
  * SAUCE: (no-up) 'BUG:' message unnecessarily triggers kerneloops
    - LP: #1305480
  * [Config] CONFIG_POWERNV_CPUFREQ=m
    - LP: #1309576
  * [Config] CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y for ppc64el
    - LP: #1309576
  * [Config] CONFIG_TRANSPARENT_HUGEPAGE=n for arm64
    - LP: #1309221
  * [Config] CONFIG_MEMCG_KMEM=y
    - LP: #1309586
  * [Config] CONFIG_CRASH_DUMP=y for ppc64el
    - LP: #1312783

  [ Upstream Kernel Changes ]

  * Revert "rtlwifi: rtl8188ee: enable MSI interrupts mode"
    - LP: #1310512
  * mac80211: add length check in ieee80211_is_robust_mgmt_frame()
    - LP: #1240940
  * rtlwifi: rtl8723ae: rtl8723-common: Create new driver for common code
    - LP: #1240940
  * rtlwifi: rtl8723ae: rtl8723-common: Copy common firmware code
    - LP: #1240940
  * rtlwifi: rtl8723ae: rtl8723-common: Copy common dynamic power management code
    - LP: #1240940
  * rtlwifi: rtl8723be: Add new driver
    - LP: #1240940
  * selinux: correctly label /proc inodes in use before the policy is loaded
    - LP: #1309007
  * net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
    - LP: #1309007
  * bridge: multicast: add sanity check for query source addresses
    - LP: #1309007
  * tipc: allow connection shutdown callback to be invoked in advance
    - LP: #1309007
  * tipc: fix connection refcount leak
    - LP: #1309007
  * tipc: drop subscriber connection id invalidation
    - LP: #1309007
  * tipc: fix memory leak during module removal
    - LP: #1309007
  * tipc: don't log disabled tasklet handler errors
    - LP: #1309007
  * inet: frag: make sure forced eviction removes all frags
    - LP: #1309007
  * net: unix: non blocking recvmsg() should not return -EINTR
    - LP: #1309007
  * ipv6: Fix exthdrs offload registration.
    - LP: #1309007
  * bnx2: Fix shutdown sequence
    - LP: #1309007
  * pkt_sched: fq: do not hold qdisc lock while allocating memory
    - LP: #1309007
  * Xen-netback: Fix issue caused by using gso_type wrongly
    - LP: #1309007
  * vlan: Set correct source MAC address with TX VLAN offload enabled
    - LP: #1309007
  * tcp: tcp_release_cb() should release socket ownership
    - LP: #1309007
  * bridge: multicast: add sanity check for general query destination
    - LP: #1309007
  * bridge: multicast: enable snooping on general queries only
    - LP: #1309007
  * net: socket: error on a negative msg_namelen
    - LP: #1309007
  * bonding: set correct vlan id for alb xmit path
    - LP: #1309007
  * eth: fec: Fix lost promiscuous mode after reconnecting cable
    - LP: #1309007
  * ipv6: Avoid unnecessary temporary addresses being generated
    - LP: #1309007
  * ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly
    - LP: #1309007
  * net: cdc_ncm: fix control message ordering
    - LP: #1309007
  * vxlan: fix potential NULL dereference in arp_reduce()
    - LP: #1309007
  * vxlan: fix nonfunctional neigh_reduce()
    - LP: #1309007
  * tcp: syncookies: do not use getnstimeofday()
    - LP: #1309007
  * rtnetlink: fix fdb notification flags
    - LP: #1309007
  * ipmr: fix mfc notification flags
    - LP: #1309007
  * ip6mr: fix mfc notification flags
    - LP: #1309007
  * net: micrel : ks8851-ml: add vdd-supply support
    - LP: #1309007
  * netpoll: fix the skb check in pkt_is_ns
    - LP: #1309007
  * tipc: fix spinlock recursion bug for failed subscriptions
    - LP: #1309007
  * ip_tunnel: Fix dst ref-count.
    - LP: #1309007
  * tg3: Do not include vlan acceleration features in vlan_features
    - LP: #1309007
  * virtio-net: correct error handling of virtqueue_kick()
    - LP: #1309007
  * usbnet: include wait queue head in device structure
    - LP: #1309007
  * vlan: Set hard_header_len according to available acceleration
    - LP: #1309007
  * vhost: fix total length when packets are too short
    - LP: #1309007
    - CVE-2014-0077
  * tcp: fix get_timewait4_sock() delay computation on 64bit
    - LP: #1309007
  * xen-netback: remove pointless clause from if statement
    - LP: #1309007
  * ipv6: some ipv6 statistic counters failed to disable bh
    - LP: #1309007
  * netlink: don't compare the nul-termination in nla_strcmp
    - LP: #1309007
  * xen-netback: disable rogue vif in kthread context
    - LP: #1309007
  * Call efx_set_channels() before efx->type->dimension_resources()
    - LP: #1309007
  * net: vxlan: fix crash when interface is created with no group
    - LP: #1309007
  * isdnloop: Validate NUL-terminated strings from user.
    - LP: #1309007
  * isdnloop: several buffer overflows
    - LP: #1309007
  * powernow-k6: disable cache when changing frequency
    - LP: #1309007
  * powernow-k6: correctly initialize default parameters
    - LP: #1309007
  * powernow-k6: reorder frequencies
    - LP: #1309007
  * ARC: [nsimosci] Change .dts to use generic 8250 UART
    - LP: #1309007
  * ARC: [nsimosci] Unbork console
    - LP: #1309007
  * futex: Allow architectures to skip futex_atomic_cmpxchg_inatomic() test
    - LP: #1309007
  * m68k: Skip futex_atomic_cmpxchg_inatomic() test
    - LP: #1309007
  * crypto: ghash-clmulni-intel - use C implementation for setkey()
    - LP: #1309007
  * Linux 3.13.10
    - LP: #1309007
  * cpufreq: powernv: cpufreq driver for powernv platform
    - LP: #1309576
  * cpufreq: powernv: Use cpufreq_frequency_table.driver_data to store pstate ids
    - LP: #1309576
  * cpufreq: powernv: Select CPUFreq related Kconfig options for powernv
    - LP: #1309576
  * support Thinkpad X1 Carbon 2nd generation's adaptive keyboard
    - LP: #1309609
  * save and restore adaptive keyboard mode for suspend and,resume
    - LP: #1309609
  * user namespace: fix incorrect memory barriers
    - LP: #1311683
  * Char: ipmi_bt_sm, fix infinite loop
    - LP: #1311683
  * x86, hyperv: Bypass the timer_irq_works() check
    - LP: #1311683
  * x86: Adjust irq remapping quirk for older revisions of 5500/5520 chipsets
    - LP: #1311683
  * PCI: designware: Fix RC BAR to be single 64-bit non-prefetchable memory BAR
    - LP: #1311683
  * PCI: designware: Fix iATU programming for cfg1, io and mem viewport
    - LP: #1311683
  * ACPI / button: Add ACPI Button event via netlink routine
    - LP: #1311683
  * PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled
    - LP: #1311683
  * staging: comedi: 8255_pci: initialize MITE data window
    - LP: #1311683
  * tty: Set correct tty name in 'active' sysfs attribute
    - LP: #1311683
  * tty: Fix low_latency BUG
    - LP: #1311683
  * SCSI: sd: don't fail if the device doesn't recognize SYNCHRONIZE CACHE
    - LP: #1311683
  * pid_namespace: pidns_get() should check task_active_pid_ns() != NULL
    - LP: #1311683
  * Bluetooth: Fix removing Long Term Key
    - LP: #1311683
  * ima: restore the original behavior for sending data with ima template
    - LP: #1311683
  * backing_dev: fix hung task on sync
    - LP: #1311683
  * bdi: avoid oops on device removal
    - LP: #1311683
  * xfs: fix directory hash ordering bug
    - LP: #1311683
  * Btrfs: skip submitting barrier for missing device
    - LP: #1311683
  * Btrfs: fix deadlock with nested trans handles
    - LP: #1311683
  * ext4: fix error return from ext4_ext_handle_uninitialized_extents()
    - LP: #1311683
  * ext4: fix partial cluster handling for bigalloc file systems
    - LP: #1311683
  * ext4: fix premature freeing of partial clusters split across leaf blocks
    - LP: #1311683
  * jffs2: Fix segmentation fault found in stress test
    - LP: #1311683
  * jffs2: Fix crash due to truncation of csize
    - LP: #1311683
  * jffs2: avoid soft-lockup in jffs2_reserve_space_gc()
    - LP: #1311683
  * jffs2: remove from wait queue after schedule()
    - LP: #1311683
  * sparc32: fix build failure for arch_jump_label_transform
    - LP: #1311683
  * sparc64: don't treat 64-bit syscall return codes as 32-bit
    - LP: #1311683
  * sparc64: Make sure %pil interrupts are enabled during hypervisor yield.
    - LP: #1311683
  * wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race
    - LP: #1311683
  * exit: call disassociate_ctty() before exit_task_namespaces()
    - LP: #1311683
  * Linux 3.13.11
    - LP: #1311683
  * powerpc/le: Enable RTAS events support
    - LP: #1312230
  * net: ipv4: current group_info should be put after using.
    - CVE-2014-2851
  * powerpc/relocate fix relocate processing in LE mode
    - LP: #1312783

 -- Brad Figg <brad.f...@canonical.com>  Thu, 15 May 2014 10:21:43 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu: Fix Committed
Status in “linux-armadaxp” package in Ubuntu: Invalid
Status in “linux-ec2” package in Ubuntu: Invalid
Status in “linux-fsl-imx51” package in Ubuntu: Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu: New
Status in “linux-lts-backport-natty” package in Ubuntu: New
Status in “linux-lts-quantal” package in Ubuntu: Invalid
Status in “linux-lts-raring” package in Ubuntu: Invalid
Status in “linux-lts-saucy” package in Ubuntu: Invalid
Status in “linux-mvl-dove” package in Ubuntu: Invalid
Status in “linux-ti-omap4” package in Ubuntu: Invalid
Status in “linux” source package in Lucid: Fix Released
Status in “linux-armadaxp” source package in Lucid: Invalid
Status in “linux-ec2” source package in Lucid: Fix Released
Status in “linux-fsl-imx51” source package in Lucid: Invalid
Status in “linux-lts-backport-maverick” source package in Lucid: New
Status in “linux-lts-backport-natty” source package in Lucid: New
Status in “linux-lts-quantal” source package in Lucid: Invalid
Status in “linux-lts-raring” source package in Lucid: Invalid
Status in “linux-lts-saucy” source package in Lucid: Invalid
Status in “linux-mvl-dove” source package in Lucid: Invalid
Status in “linux-ti-omap4” source package in Lucid: Invalid
Status in “linux” source package in Precise: Fix Released
Status in “linux-armadaxp” source package in Precise: Fix Released
Status in “linux-ec2” source package in Precise: Invalid
Status in “linux-fsl-imx51” source package in Precise: Invalid
Status in “linux-lts-backport-maverick” source package in Precise: New
Status in “linux-lts-backport-natty” source package in Precise: New
Status in “linux-lts-quantal” source package in Precise: Fix Released
Status in “linux-lts-raring” source package in Precise: Fix Released
Status in “linux-lts-saucy” source package in Precise: Fix Released
Status in “linux-mvl-dove” source package in Precise: Invalid
Status in “linux-ti-omap4” source package in Precise: Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal: New
Status in “linux-lts-backport-natty” source package in Quantal: New
Status in “linux” source package in Saucy: Fix Committed
Status in “linux-armadaxp” source package in Saucy: Invalid
Status in “linux-ec2” source package in Saucy: Invalid
Status in “linux-fsl-imx51” source package in Saucy: Invalid
Status in “linux-lts-backport-maverick” source package in Saucy: New
Status in “linux-lts-backport-natty” source package in Saucy: New
Status in “linux-lts-quantal” source package in Saucy: Invalid
Status in “linux-lts-raring” source package in Saucy: Invalid
Status in “linux-lts-saucy” source package in Saucy: Invalid
Status in “linux-mvl-dove” source package in Saucy: Invalid
Status in “linux-ti-omap4” source package in Saucy: Fix Committed
Status in “linux” source package in Trusty: Fix Released
Status in “linux-armadaxp” source package in Trusty: Invalid
Status in “linux-ec2” source package in Trusty: Invalid
Status in “linux-fsl-imx51” source package in Trusty: Invalid
Status in “linux-lts-backport-maverick” source package in Trusty: New
Status in “linux-lts-backport-natty” source package in Trusty: New
Status in “linux-lts-quantal” source package in Trusty: Invalid
Status in “linux-lts-raring” source package in Trusty: Invalid
Status in “linux-lts-saucy” source package in Trusty: Invalid
Status in “linux-mvl-dove” source package in Trusty: Invalid
Status in “linux-ti-omap4” source package in Trusty: Invalid
Status in “linux” source package in Utopic: Fix Committed
Status in “linux-armadaxp” source package in Utopic: Invalid
Status in “linux-ec2” source package in Utopic: Invalid
Status in “linux-fsl-imx51” source package in Utopic: Invalid
Status in “linux-lts-backport-maverick” source package in Utopic: New
Status in “linux-lts-backport-natty” source package in Utopic: New
Status in “linux-lts-quantal” source package in Utopic: Invalid
Status in “linux-lts-raring” source package in Utopic: Invalid
Status in “linux-lts-saucy” source package in Utopic: Invalid
Status in “linux-mvl-dove” source package in Utopic: Invalid
Status in “linux-ti-omap4” source package in Utopic: Invalid

Bug description:
  The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device.

  First, raw_cmd_ioctl calls raw_cmd_copyin. This function kmallocs space for a floppy_raw_cmd structure and stores the resulting allocation in the "rcmd" pointer argument. It then attempts to copy_from_user the structure from userspace. If this fails, an early EFAULT return is taken. The problem is that even if the early return is taken, the pointer to the non- or partially-initialized floppy_raw_cmd structure has already been returned via the "rcmd" pointer.

  Back in raw_cmd_ioctl, it attempts to raw_cmd_free this pointer. raw_cmd_free attempts to free any DMA pages allocated for the raw command, kfrees the raw command structure itself, and follows the linked list, if any, of further raw commands (a user can specify the FD_RAW_MORE flag to signal that there are more raw commands to follow in a single FDRAWCMD ioctl).

  So, a malicious user can send an FDRAWCMD ioctl with a raw command argument structure that has some bytes inaccessible (i.e. off the end of an allocated page). The copy_from_user will fail, but raw_cmd_free will attempt to process the floppy_raw_cmd as if it had been fully initialized by the rest of raw_cmd_copyin. The user can control the arguments passed to fd_dma_mem_free and kfree (by making use of the linked-list feature and specifying the target address as a next-in-list structure).
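The error-path defect the description walks through is a general pattern: an allocation is handed back to the caller before its kernel-only members have been reset, so a failure return leaves the caller's cleanup routine walking stale or user-influenced pointers. The following userspace mock is an added example, not code from the bug report, the Ubuntu package or the Linux kernel; it contrasts an unfixed copy-in routine with one that resets the kernel-only members on every exit path, and checks the invariant a free routine would rely on. The struct layout, the `mock_` helpers (which stand in for kmalloc and copy_from_user), the `probe` helper and the sample input are all constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct floppy_raw_cmd: one user-visible field and
 * three kernel-only members that a free routine consults. The layout and
 * field set are assumptions for this mock, not the kernel's. */
struct mock_raw_cmd {
    unsigned int flags;           /* supplied by the caller of the ioctl */
    char *kernel_data;            /* kernel-only: buffer the kernel allocated */
    int buffer_length;            /* kernel-only: size of kernel_data */
    struct mock_raw_cmd *next;    /* kernel-only: next command in a chain */
};

/* Stand-in for kmalloc(): a fresh object carries stale bytes from its
 * previous use, which is exactly what a free path would walk into. */
static void *mock_kmalloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, 0xAA, n);       /* simulated slab residue */
    return p;
}

/* Stand-in for copy_from_user(): only `readable` bytes of the source are
 * mapped; the copy stops there and the count of uncopied bytes is returned. */
static size_t mock_copy_from_user(void *dst, const void *src, size_t n, size_t readable)
{
    size_t got = readable < n ? readable : n;
    memcpy(dst, src, got);
    return n - got;
}

/* Shape described in the bug: the allocation is published through *rcmd,
 * and the early -EFAULT return skips the lines that reset the kernel-only
 * members, so the caller's free routine sees residue in kernel_data/next. */
static int copyin_unfixed(const void *user, size_t readable, struct mock_raw_cmd **rcmd)
{
    struct mock_raw_cmd *ptr = mock_kmalloc(sizeof(*ptr));
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    if (mock_copy_from_user(ptr, user, sizeof(*ptr), readable))
        return -EFAULT;           /* kernel-only members still hold residue */
    ptr->next = NULL;
    ptr->kernel_data = NULL;
    ptr->buffer_length = 0;
    return 0;
}

/* Hardened shape: reset the kernel-only members on every path out of the
 * function, so whatever the caller does with *rcmd afterwards only touches
 * state the kernel itself established. */
static int copyin_fixed(const void *user, size_t readable, struct mock_raw_cmd **rcmd)
{
    struct mock_raw_cmd *ptr = mock_kmalloc(sizeof(*ptr));
    if (!ptr)
        return -ENOMEM;
    *rcmd = ptr;
    size_t left = mock_copy_from_user(ptr, user, sizeof(*ptr), readable);
    ptr->next = NULL;
    ptr->kernel_data = NULL;
    ptr->buffer_length = 0;
    return left ? -EFAULT : 0;
}

/* Invariant a free routine depends on: after copyin returns, successfully
 * or not, no kernel-only member carries user- or residue-supplied data. */
static int kernel_members_clean(const struct mock_raw_cmd *c)
{
    return c->next == NULL && c->kernel_data == NULL && c->buffer_length == 0;
}

/* Runs one copyin against a constructed input of which only `readable` bytes
 * are mapped and reports whether the returned object satisfies the invariant.
 * The object is released here without following any of its pointers. */
static int probe(int (*copyin)(const void *, size_t, struct mock_raw_cmd **), size_t readable)
{
    struct mock_raw_cmd user_cmd;  /* constructed input, as a caller would pass it */
    memset(&user_cmd, 0, sizeof(user_cmd));
    user_cmd.flags = 1;

    struct mock_raw_cmd *out = NULL;
    copyin(&user_cmd, readable, &out);
    int clean = out != NULL && kernel_members_clean(out);
    free(out);
    return clean;
}

int main(void)
{
    size_t whole = sizeof(struct mock_raw_cmd);
    size_t partial = sizeof(unsigned int);  /* only `flags` is mapped */
    printf("unfixed, full copy:    %s\n", probe(copyin_unfixed, whole) ? "clean" : "RESIDUE");
    printf("unfixed, partial copy: %s\n", probe(copyin_unfixed, partial) ? "clean" : "RESIDUE");
    printf("fixed,   partial copy: %s\n", probe(copyin_fixed, partial) ? "clean" : "RESIDUE");
    return 0;
}
```

The unfixed routine only fails the invariant on the partial-copy path, which is why the defect survives ordinary testing: every successful ioctl clears the members. The fix does not need to touch the free routine at all; it only has to guarantee that the object it publishes is always in a state that routine can safely consume.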
  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c