Lucid update to 2.6.32.62 stable release

Bug #1321293 reported by Luis Henriques
Affects          Status         Importance   Assigned to   Milestone
linux (Ubuntu)   Invalid        Undecided    Unassigned
Lucid            Fix Released   Undecided    Unassigned

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from Linus' tree or in a minimally
       backported form of that patch. The 2.6.32.62 upstream stable
       patch set is now available. It should be included in the Ubuntu
       kernel as well.

       git://git.kernel.org/

    TEST CASE: TBD

       The following patches are in the 2.6.32.62 stable release:

Linux 2.6.32.62
s390: fix kernel crash due to linkage stack instructions
qeth: avoid buffer overflow in snmp ioctl
tcp_cubic: fix the range of delayed_ack
tcp_cubic: limit delayed_ack ratio to prevent divide error
tcp: fix tcp_trim_head() to adjust segment count with skb MSS
powernow-k6: reorder frequencies
powernow-k6: correctly initialize default parameters
powernow-k6: disable cache when changing frequency
powernow-k6: set transition latency value so ondemand governor can be used
gianfar: disable TX vlan based on kernel 2.6.x
x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround
inet: fix possible memory corruption with UDP_CORK and UFO
ipv6: udp packets following an UFO enqueued packet need also be handled by UFO
sctp: unbalanced rcu lock in ip_queue_xmit()
isdnloop: Validate NUL-terminated strings from user.
isdnloop: several buffer overflows
netlink: don't compare the nul-termination in nla_strcmp
net: socket: error on a negative msg_namelen
net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
tg3: Don't check undefined error bits in RXBD
virtio-net: alloc big buffers also when guest can receive UFO
net: sctp: fix sctp_connectx abi for ia32 emulation/compat mode
bonding: 802.3ad: make aggregator_identifier bond-private
tg3: Fix deadlock in tg3_change_mtu()
net: fix 'ip rule' iif/oif device rename
inet_diag: fix inet_diag_dump_icsk() timewait socket state logic
net: llc: fix use after free in llc_ui_recvmsg
drivers/net/hamradio: Integer overflow in hdlcdrv_ioctl()
net: unix: allow bind to fail on mutex lock
net: drop_monitor: fix the value of maxattr
{pktgen, xfrm} Update IPv4 header total len and checksum after tranformation
ipv6: fix possible seqlock deadlock in ip6_finish_output2
inet: fix possible seqlock deadlocks
bridge: flush br's address entry in fdb when remove the bridge dev
net: core: Always propagate flag changes to interfaces
atm: idt77252: fix dev refcnt leak
ipv6: fix leaking uninitialized port number of offender sockaddr
net: clamp ->msg_namelen instead of returning an error
net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct sockaddr_storage)
ipv4: fix possible seqlock deadlock
isdnloop: use strlcpy() instead of strcpy()
bonding: fix two race conditions in bond_store_updelay/downdelay
random32: fix off-by-one in seeding requirement
ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
net: Fix "ip rule delete table 256"
tipc: fix lockdep warning during bearer initialization
ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
ipv6: Don't depend on per socket memory for neighbour discovery messages
ipv6: drop packets with multiple fragmentation headers
ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match
tcp: cubic: fix bug in bictcp_acked()
net: check net.core.somaxconn sysctl values
htb: fix sign extension bug
net_sched: info leak in atm_tc_dump_class()
af_key: more info leaks in pfkey messages
net_sched: Fix stack info leak in cbq_dump_wrr().
sctp: fully initialize sctp_outq in sctp_outq_init
sysctl net: Keep tcp_syn_retries inside the boundary
arcnet: cleanup sizeof parameter
vlan: fix a race in egress prio management
ifb: fix oops when loading the ifb failed
dummy: fix oops when loading the dummy failed
ifb: fix rcu_sched self-detected stalls
sunvnet: vnet_port_remove must call unregister_netdev
net: Swap ver and type in pppoe_hdr
neighbour: fix a race in neigh_destroy()
packet: packet_getname_spkt: make sure string is always 0-terminated
net: sctp: fix NULL pointer dereference in socket destruction
ip_tunnel: fix kernel panic with icmp_dest_unreach
ipv6: fix possible crashes in ip6_cork_release()
tcp: fix tcp_md5_hash_skb_data()
ll_temac: Reset dma descriptors indexes on ndo_open
bonding: Fix broken promiscuity reference counting issue
dm9601: fix IFF_ALLMULTI handling
ipv4 igmp: use in_dev_put in timer handlers instead of __in_dev_put
ipv6 mcast: use in6_dev_put in timer handlers instead of __in6_dev_put
resubmit bridge: fix message_age_timer calculation
davinci_emac.c: Fix IFF_ALLMULTI setup
sctp: Perform software checksum if packet has to be fragmented.
sctp: Use software crc32 checksum when xfrm transform will happen.
net: dst: provide accessor function to dst->xfrm
connector: use nlmsg_len() to check message length
net: vlan: fix nlmsg size calculation in vlan_get_size()
can: dev: fix nlmsg size calculation in can_get_size()
proc connector: fix info leaks
net: heap overflow in __audit_sockaddr()
net: do not call sock_put() on TIMEWAIT sockets
tcp: must unclone packets before mangling them
ipv6: tcp: fix panic in SYN processing
crypto: api - Fix race condition in larval lookup
HID: check for NULL field when setting values
kernel/kmod.c: check for NULL in call_usermodehelper_exec()
staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice
intel-iommu: Flush unmaps at domain_exit
ipvs: fix CHECKSUM_PARTIAL for TCP, UDP
x86, ptrace: fix build breakage with gcc 4.7 (second try)
Fix lockup related to stop_machine being stuck in __do_softirq.
scsi: fix missing include linux/types.h in scsi_netlink.h

The following patches from 2.6.32.62 stable release were not applied as they were already present in Lucid kernel:

Revert "x86, ptrace: fix build breakage with gcc 4.7"
cciss: fix info leak in cciss_ioctl32_passthru()
cpqarray: fix info leak in ida_locked_ioctl()
drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
sctp: deal with multiple COOKIE_ECHO chunks
sctp: Use correct sideffect command in duplicate cookie handling
ipv6: ip6_sk_dst_check() must not assume ipv6 dst
af_key: fix info leaks in notify messages
af_key: initialize satype in key_notify_policy_flush()
block: do not pass disk names as format strings
b43: stop format string leaking into error msgs
HID: validate HID report id size
HID: zeroplus: validate output report details
HID: pantherlord: validate output report details
HID: LG: validate HID output report details
HID: provide a helper for validating hid reports
farsync: fix info leak in ioctl
wanxl: fix info leak in ioctl
ipv6: remove max_addresses check from ipv6_create_tempaddr
inet: prevent leakage of uninitialized memory to user in recv syscalls
net: rework recvmsg handler msg_name and msg_namelen logic
inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions
hamradio/yam: fix info leak in ioctl
rds: prevent dereference of a NULL device
net: rose: restore old recvmsg behavior
net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
rds: prevent dereference of a NULL device in rds_iw_laddr_check
aacraid: prevent invalid pointer dereference
vm: add vm_iomap_memory() helper function
Fix a few incorrectly checked [io_]remap_pfn_range() calls
libertas: potential oops in debugfs
n_tty: Fix n_tty_write crash when echoing in raw mode
exec/ptrace: fix get_dumpable() incorrect tests
ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data
dm snapshot: fix data corruption
crypto: ansi_cprng - Fix off by one error in non-block size request
uml: check length in exitcode_proc_write()
KVM: Improve create VCPU parameter (CVE-2013-4587)
KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367)
xfs: underflow bug in xfs_attrlist_by_handle()
aacraid: missing capable() check in compat ioctl
SELinux: Fix kernel BUG on empty security contexts.
netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
floppy: don't write kernel-only members to FDRAWCMD ioctl output
floppy: ignore kernel-only members in FDRAWCMD ioctl input

Luis Henriques (henrix)
tags: added: kernel-stable-tracking-bug
Luis Henriques (henrix)
description: updated
Luis Henriques (henrix)
Changed in linux (Ubuntu):
status: New → Fix Committed
Changed in linux (Ubuntu Lucid):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-61.124

---------------
linux (2.6.32-61.124) lucid; urgency=low

  [ Luis Henriques ]

  * Revert "sysctl net: Keep tcp_syn_retries inside the boundary"
    - LP: #1326473
  * Revert "net: check net.core.somaxconn sysctl values"
    - LP: #1326473

  [ Upstream Kernel Changes ]

  * futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
    uaddr2 in futex_requeue(..., requeue_pi=1)
    - LP: #1326367
    - CVE-2014-3153
  * futex: Validate atomic acquisition in futex_lock_pi_atomic()
    - LP: #1326367
    - CVE-2014-3153
  * futex: Always cleanup owner tid in unlock_pi
    - LP: #1326367
    - CVE-2014-3153
  * futex: Make lookup_pi_state more robust
    - LP: #1326367
    - CVE-2014-3153
 -- Brad Figg <email address hidden> Wed, 04 Jun 2014 07:21:55 -0700

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in linux (Ubuntu):
status: Fix Committed → Invalid