CVE-2010-3876
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Fix Released
|
Low
|
Andy Whitcroft | ||
| Dapper |
Won't Fix
|
Low
|
Andy Whitcroft | ||
| Hardy |
Won't Fix
|
Low
|
Andy Whitcroft | ||
| Karmic |
Won't Fix
|
Low
|
Andy Whitcroft | ||
| Lucid |
Fix Released
|
Low
|
Andy Whitcroft | ||
| Maverick |
Won't Fix
|
Low
|
Andy Whitcroft | ||
| Natty |
Fix Released
|
Low
|
Andy Whitcroft | ||
| linux-fsl-imx51 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
| Dapper |
Invalid
|
Undecided
|
Unassigned | ||
| Hardy |
Invalid
|
Undecided
|
Unassigned | ||
| Karmic |
Won't Fix
|
Undecided
|
Unassigned | ||
| Lucid |
Fix Released
|
Undecided
|
Paolo Pisati | ||
| Maverick |
Invalid
|
Undecided
|
Unassigned | ||
| Natty |
Invalid
|
Undecided
|
Unassigned | ||
| linux-mvl-dove (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
| Dapper |
Invalid
|
Undecided
|
Unassigned | ||
| Hardy |
Invalid
|
Undecided
|
Unassigned | ||
| Karmic |
Invalid
|
Undecided
|
Unassigned | ||
| Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
| Maverick |
Fix Released
|
Undecided
|
Unassigned | ||
| Natty |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
net/packet/
properly initialize certain structure members, which allows local users to
obtain potentially sensitive information from kernel stack memory by
leveraging the CAP_NET_RAW capability to read copies of the applicable
structures.
CVE References
- 2010-0435
- 2010-2942
- 2010-2943
- 2010-2954
- 2010-2955
- 2010-2960
- 2010-2962
- 2010-2963
- 2010-3067
- 2010-3078
- 2010-3080
- 2010-3084
- 2010-3310
- 2010-3432
- 2010-3437
- 2010-3442
- 2010-3477
- 2010-3705
- 2010-3848
- 2010-3849
- 2010-3850
- 2010-3861
- 2010-3865
- 2010-3875
- 2010-3876
- 2010-3877
- 2010-3880
- 2010-3904
- 2010-4072
- 2010-4073
- 2010-4076
- 2010-4077
- 2010-4158
- 2010-4163
- 2010-4164
- 2010-4165
- 2010-4169
- 2010-4175
- 2010-4258
- 2010-4342
- 2010-4346
- 2010-4527
- 2010-4529
- 2010-4565
- 2010-4656
- 2011-0463
- 2011-0521
- 2011-0695
- 2011-0711
- 2011-0712
- 2011-1017
This was fixed by the commit below, this is already upstream and released in v2.6.37, therefore closing off for Natty:
commit 67286640f638f5a
Author: Vasiliy Kulikov <email address hidden>
Date: Wed Nov 10 12:09:10 2010 -0800
net: packet: fix information leak to userland
packet_
sockaddr struct if strlen(dev->name) < 13. This structure is then copied
to userland. It leads to leaking of contents of kernel stack memory.
We have to fully fill sa_data with strncpy() instead of strlcpy().
The same with packet_getname(): it doesn't initialize sll_pkttype field of
sockaddr_ll. Set it to zero.
Signed-off-by: Vasiliy Kulikov <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Not supported.
Not supported in this release.
This bug was fixed in the package linux-mvl-dove - 2.6.32-216.33
---------------
linux-mvl-dove (2.6.32-216.33) lucid-proposed; urgency=low
[ Ubuntu: 2.6.32-31.60 ]
* Release Tracking Bug
- LP: #734950
* SAUCE: Clear new_profile in error path
- LP: #732700
* [Config] CONFIG_
- LP: #733191
* Revert "drm/radeon/bo: add some fallback placements for VRAM only
objects."
- LP: #652934
* drm/radeon: fall back to GTT if bo creation/validation in VRAM fails.
- LP: #652934
* drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.
- LP: #652934
* xfs: always use iget in bulkstat
- LP: #692848
* drm/radeon/kms: make the mac rv630 quirk generic
- LP: #728687
* drm/radeon/kms: add pll debugging output
- LP: #728687
* drm/radeon: remove 0x4243 pci id
- LP: #728687
* drm/radeon/kms: fix s/r issues with bios scratch regs
- LP: #728687
* drm/i915/lvds: Add AOpen i915GMm-HFS to the list of false-positive LVDS
- LP: #728687
* drm/i915: Add dependency on CONFIG_TMPFS
- LP: #728687
* Linux 2.6.32.29+drm33.14
- LP: #728687
* NFSD: memory corruption due to writing beyond the stat array
- LP: #728687
* mptfusion: mptctl_release is required in mptctl.c
- LP: #728687
* mptfusion: Fix Incorrect return value in mptscsih_dev_reset
- LP: #728687
* ocfs2_connectio
- LP: #728687
* x25: decrement netdev reference counts on unload
- LP: #728687
* x86, hpet: Disable per-cpu hpet timer if ARAT is supported
- LP: #728687
* OHCI: work around for nVidia shutdown problem
- LP: #728687
* x86/pvclock: Zero last_value on resume
- LP: #728687
* av7110: check for negative array offset
- LP: #728687
* CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials
- LP: #728687
* bonding/vlan: Avoid mangled NAs on slaves without VLAN tag insertion
- LP: #728687
* CRED: Fix kernel panic upon security_
- LP: #728687
* CRED: Fix BUG() upon security_
- LP: #728687
* CRED: Fix memory and refcount leaks upon security_
failure
- LP: #728687
* sendfile(): check f_op.splice_write() rather than f_op.sendpage()
- LP: #728687
* isdn: hisax: Replace the bogus access to irq stats
- LP: #728687
* ixgbe: add support for 82599 based Express Module X520-P2
- LP: #728687
* ixgbe: prevent speculative processing of descriptors before ready
- LP: #728687
* scsi_dh_alua: add netapp to dev list
- LP: #728687
* scsi_dh_alua: Add IBM Power Virtual SCSI ALUA device to dev list
- LP: #728687
* dm raid1: fail writes if errors are not handled and log fails
- LP: #728687
* GFS2: Fix bmap allocation corner-case bug
- LP: #728687
* dm raid1: fix null pointer dereference in suspend
- LP: #728687
* sunrpc/cache: fix module refcnt leak in a failure path
- LP: #728687
* be2net: Maintain tx and rx counters in driver
- LP: #728687
* tcp: Make TCP_MAXSEG minimum more correct.
- LP: #728687
* nfsd: correctly handle return value from ...
karmic is EOL
This bug was fixed in the package linux-fsl-imx51 - 2.6.31-609.26
---------------
linux-fsl-imx51 (2.6.31-609.26) lucid; urgency=low
[ Paolo Pisati ]
* Tracking bug
- LP: #795219
* [Config] Disable parport_pc on fsl-imx51
- LP: #601226
[ Upstream Kernel Changes ]
* ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
- LP: #712723, #712737
* can-bcm: fix minor heap overflow
- LP: #710680
* drivers/
- LP: #712744
* gdth: integer overflow in ioctl
- LP: #711797
* inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
- LP: #711865
- CVE-2010-3880
* net: fix rds_iovec page count overflow, CVE-2010-3865
- LP: #709153
- CVE-2010-3865
* net: packet: fix information leak to userland, CVE-2010-3876
- LP: #711045
- CVE-2010-3876
* net: tipc: fix information leak to userland, CVE-2010-3877
- LP: #711291
- CVE-2010-3877
* net: Truncate recvfrom and sendto length to INT_MAX.
- LP: #708839
* posix-cpu-timers: workaround to suppress the problems with mt exec
- LP: #712609
* sys_semctl: fix kernel stack leakage
- LP: #712749
* x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
- LP: #709372
* memory corruption in X.25 facilities parsing
- LP: #709372
* net: ax25: fix information leak to userland, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: ax25: fix information leak to userland harder, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* fs/partitions/
- LP: #771382
- CVE-2011-1017
* net: clear heap allocations for privileged ethtool actions
- LP: #771445
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
- LP: #772543
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
- LP: #772543
* exec: make argv/envp memory visible to oom-killer
- LP: #768408
* next_pidmap: fix overflow condition
- LP: #784727
* proc: do proper range check on readdir offset
- LP: #784727
* mpt2sas: prevent heap overflows and unchecked reads
- LP: #787145
* agp: fix arbitrary kernel memory writes
- LP: #788684
* can: add missing socket check in can/raw release
- LP: #788694
* agp: fix OOM and buffer overflow
- LP: #788700
* do_exit(): make sure that we run with get_fs() == USER_DS - CVE-2010-4258
- LP: #723945
- CVE-2010-4258
* x25: Prevent crashing when parsing bad X.25 facilities - CVE-2010-4164
- LP: #731199
- CVE-2010-4164
* install_
- LP: #731971
- CVE-2010-4346
* econet: Fix crash in aun_incoming() - CVE-2010-4342
- LP: #736394
- CVE-2010-4342
* sound: Prevent buffer overflow in OSS load_mixer_volumes - CVE-2010-4527
- LP: #737073
- CVE-2010-4527
* irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
- LP: #737823
- CVE-2010-4529
* CAN: Use inode instead of kernel address for /proc file - CVE-2010-4565
- LP: #765007...
removed: kernel-cve-tracker
This bug was nominated against a series that is no longer supported, ie karmic. The bug task representing the karmic nomination is being closed as Won't Fix.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.
Applied in a -stable update.