Ubuntu

CVE-2013-2852

Reported by John Johansen on 2013-06-11
This bug affects 1 person
Affects                               Status                    Importance  Assigned to  Milestone
linux (Ubuntu)                        Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-armadaxp (Ubuntu)               Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-ec2 (Ubuntu)                    Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-fsl-imx51 (Ubuntu)              Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-lts-backport-maverick (Ubuntu)  Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Raring                                                        Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-lts-backport-natty (Ubuntu)     Status tracked in Trusty
  Lucid                                                         Undecided   Unassigned
  Precise                                                       Undecided   Unassigned
  Quantal                                                       Undecided   Unassigned
  Raring                                                        Undecided   Unassigned
  Saucy                                                         Undecided   Unassigned
  Trusty                                                        Undecided   Unassigned
linux-lts-backport-oneiric (Ubuntu)   Status tracked in Trusty
  Lucid                                                         Undecided   Unassigned
  Precise                                                       Undecided   Unassigned
  Quantal                                                       Undecided   Unassigned
  Raring                                                        Undecided   Unassigned
  Saucy                                                         Undecided   Unassigned
  Trusty                                                        Undecided   Unassigned
linux-lts-quantal (Ubuntu)            Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-lts-raring (Ubuntu)             Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-lts-saucy (Ubuntu)              Status tracked in Trusty
  Lucid                                                         Undecided   Unassigned
  Precise                                                       Undecided   Unassigned
  Quantal                                                       Undecided   Unassigned
  Saucy                                                         Undecided   Unassigned
  Trusty                                                        Undecided   Unassigned
linux-mvl-dove (Ubuntu)               Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned
linux-ti-omap4 (Ubuntu)               Status tracked in Trusty
  Lucid                                                         Medium      Unassigned
  Precise                                                       Medium      Unassigned
  Quantal                                                       Medium      Unassigned
  Saucy                                                         Medium      Unassigned
  Trusty                                                        Medium      Unassigned

Bug Description

Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.

Break-Fix: - e0e29b683d6784ef59bbc914eac85a04b650e63c
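
The bug class in the description, modelled in user space as an added example (this is not the kernel's code or the upstream patch): a stored error message that embeds the user-supplied firmware postfix is later handed to a printf-style logger as the format itself. `log_err`, `build_error`, `report_vulnerable`, `report_fixed`, the message text and the buffer size are assumptions for illustration; the constructed input contains only `%%`, which makes the second formatting pass visible without consuming any arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 128

/* Hypothetical stand-in for a printf-style driver logger: formats into
 * `out` instead of the kernel log so the result can be inspected. */
static int log_err(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* First formatting pass: the postfix (modelling the fwpostfix module
 * parameter) is copied verbatim into a stored error message.
 * The message text and file name are constructed for this example. */
static void build_error(char *err, size_t errlen, const char *postfix)
{
    snprintf(err, errlen, "Firmware file \"b43%s/ucode.fw\" not found", postfix);
}

/* BEFORE: the stored message is used as the format string, so any '%'
 * sequence that came from the postfix is interpreted a second time. */
static void report_vulnerable(char *out, size_t outlen, const char *err)
{
    log_err(out, outlen, err);
}

/* AFTER: constant format, stored message passed purely as data. */
static void report_fixed(char *out, size_t outlen, const char *err)
{
    log_err(out, outlen, "%s", err);
}

int main(void)
{
    char err[MSG_LEN], out[MSG_LEN];

    build_error(err, sizeof(err), "-x%%y");   /* constructed sample input */
    report_vulnerable(out, sizeof(out), err);
    printf("vulnerable: %s\n", out);          /* "%%" collapsed to "%" */
    report_fixed(out, sizeof(out), err);
    printf("fixed:      %s\n", out);          /* postfix reproduced verbatim */
    return 0;
}
```

Declaring the logger with `__attribute__((format(printf, 3, 4)))` and building with `-Wformat -Wformat-security` makes GCC and Clang flag the "before" call at compile time.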

John Johansen (jjohansen) wrote :

CVE-2013-2852

tags: added: kernel-cve-tracking-bug
information type: Public → Public Security
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Raring):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Raring):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Saucy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Raring):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Raring):
status: New → Invalid
description: updated
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Raring):
importance: Undecided → Medium
description: updated
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux (Ubuntu Saucy):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-49.111

---------------
linux (2.6.32-49.111) lucid; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1193108

  [ Upstream Kernel Changes ]

  * Revert "pcdp: use early_ioremap/early_iounmap to access pcdp table"
    - LP: #1193044
  * Revert "block: improve queue_should_plug() by looking at IO depths"
    - LP: #1193044
  * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    - LP: #1187732
    - CVE-2013-2141
  * b43: stop format string leaking into error msgs
    - LP: #1189833
    - CVE-2013-2852
  * 2.6.32.y: timekeeping: Fix nohz issue with commit
    61b76840ddee647c0c223365378c3f394355b7d7
    - LP: #1193044
  * clockevents: Don't allow dummy broadcast timers
    - LP: #1193044
  * posix-cpu-timers: Fix nanosleep task_struct leak
    - LP: #1193044
  * timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
    - LP: #1193044
  * tick: Cleanup NOHZ per cpu data on cpu down
    - LP: #1193044
  * kbuild: Fix gcc -x syntax
    - LP: #1193044
  * gen_init_cpio: avoid stack overflow when expanding
    - LP: #1193044
  * coredump: prevent double-free on an error path in core dumper
    - LP: #1193044
  * kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()
    - LP: #1193044
  * ring-buffer: Fix race between integrity check and readers
    - LP: #1193044
  * genalloc: stop crashing the system when destroying a pool
    - LP: #1193044
  * kernel/resource.c: fix stack overflow in __reserve_region_with_split()
    - LP: #1193044
  * Driver core: treat unregistered bus_types as having no devices
    - LP: #1193044
  * cgroup: remove incorrect dget/dput() pair in cgroup_create_dir()
    - LP: #1193044
  * Fix a dead loop in async_synchronize_full()
    - LP: #1193044
  * tracing: Don't call page_to_pfn() if page is NULL
    - LP: #1193044
  * tracing: Fix double free when function profile init failed
    - LP: #1193044
  * mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
    - LP: #1193044
  * mm: bugfix: set current->reclaim_state to NULL while returning from
    kswapd()
    - LP: #1193044
  * mm: fix invalidate_complete_page2() lock ordering
    - LP: #1193044
  * mempolicy: fix a race in shared_policy_replace()
    - LP: #1193044
  * ALSA: hda - More ALC663 fixes and support of compatible chips
    - LP: #1193044
  * ALSA: hda - Add a pin-fix for FSC Amilo Pi1505
    - LP: #1193044
  * ALSA: seq: Fix missing error handling in snd_seq_timer_open()
    - LP: #1193044
  * ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new()
    - LP: #1193044
  * x86, ioapic: initialize nr_ioapic_registers early in
    mp_register_ioapic()
    - LP: #1193044
  * x86: Don't use the EFI reboot method by default
    - LP: #1193044
  * x86, random: make ARCH_RANDOM prompt if EMBEDDED, not EXPERT
    - LP: #1193044
  * x86/mm: Check if PUD is large when validating a kernel address
    - LP: #1193044
  * x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates
    - LP: #1193044
  * xen/bootup: allow read_tscp call for Xen PV guests.
    - LP: #1193044
  * xen/bootup: allow {read|write}_cr8 pvops call.
    - LP: #1193044
  * KVM: x86: relax MSR...

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ec2 - 2.6.32-354.67

---------------
linux-ec2 (2.6.32-354.67) lucid-proposed; urgency=low

  [ Stefan Bader ]

  * Rebased to Ubuntu-2.6.32-49.111
  * SAUCE: ec2: Backport x86/mm: Check if PUD is large when validating a
    kernel address
    - LP: #1193044
  * SAUCE: ec2: Backport x86, ioapic: initialize nr_ioapic_registers early
    in mp_register_ioapic()
    - LP: #1193044
  * Release Tracking Bug
    - LP: #1193202

  [ Ubuntu: 2.6.32-49.111 ]

  * Revert "pcdp: use early_ioremap/early_iounmap to access pcdp table"
    - LP: #1193044
  * Revert "block: improve queue_should_plug() by looking at IO depths"
    - LP: #1193044
  * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
    - LP: #1187732
    - CVE-2013-2141
  * b43: stop format string leaking into error msgs
    - LP: #1189833
    - CVE-2013-2852
  * 2.6.32.y: timekeeping: Fix nohz issue with commit
    61b76840ddee647c0c223365378c3f394355b7d7
    - LP: #1193044
  * clockevents: Don't allow dummy broadcast timers
    - LP: #1193044
  * posix-cpu-timers: Fix nanosleep task_struct leak
    - LP: #1193044
  * timer: Don't reinitialize the cpu base lock during CPU_UP_PREPARE
    - LP: #1193044
  * tick: Cleanup NOHZ per cpu data on cpu down
    - LP: #1193044
  * kbuild: Fix gcc -x syntax
    - LP: #1193044
  * gen_init_cpio: avoid stack overflow when expanding
    - LP: #1193044
  * coredump: prevent double-free on an error path in core dumper
    - LP: #1193044
  * kernel/sys.c: call disable_nonboot_cpus() in kernel_restart()
    - LP: #1193044
  * ring-buffer: Fix race between integrity check and readers
    - LP: #1193044
  * genalloc: stop crashing the system when destroying a pool
    - LP: #1193044
  * kernel/resource.c: fix stack overflow in __reserve_region_with_split()
    - LP: #1193044
  * Driver core: treat unregistered bus_types as having no devices
    - LP: #1193044
  * cgroup: remove incorrect dget/dput() pair in cgroup_create_dir()
    - LP: #1193044
  * Fix a dead loop in async_synchronize_full()
    - LP: #1193044
  * tracing: Don't call page_to_pfn() if page is NULL
    - LP: #1193044
  * tracing: Fix double free when function profile init failed
    - LP: #1193044
  * mm: Fix PageHead when !CONFIG_PAGEFLAGS_EXTENDED
    - LP: #1193044
  * mm: bugfix: set current->reclaim_state to NULL while returning from
    kswapd()
    - LP: #1193044
  * mm: fix invalidate_complete_page2() lock ordering
    - LP: #1193044
  * mempolicy: fix a race in shared_policy_replace()
    - LP: #1193044
  * ALSA: hda - More ALC663 fixes and support of compatible chips
    - LP: #1193044
  * ALSA: hda - Add a pin-fix for FSC Amilo Pi1505
    - LP: #1193044
  * ALSA: seq: Fix missing error handling in snd_seq_timer_open()
    - LP: #1193044
  * ALSA: ac97 - Fix missing NULL check in snd_ac97_cvol_new()
    - LP: #1193044
  * x86, ioapic: initialize nr_ioapic_registers early in
    mp_register_ioapic()
    - LP: #1193044
  * x86: Don't use the EFI reboot method by default
    - LP: #1193044
  * x86, random: make ARCH_RANDOM prompt if EMBEDDED, not EXPERT
    - LP: #1193044
  * x86/mm: Check if PUD is large when validating a kernel...

Changed in linux-ec2 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-backport-oneiric (Ubuntu Saucy):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Fix Committed
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Fix Committed
Changed in linux (Ubuntu Quantal):
status: New → Fix Committed
Changed in linux (Ubuntu Raring):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Raring):
status: New → Fix Committed
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-armadaxp (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux-armadaxp (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in linux-lts-quantal (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Fix Released
Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in linux-lts-raring (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Precise):
status: Fix Committed → Fix Released
no longer affects: linux-armadaxp (Ubuntu Raring)
no longer affects: linux-ec2 (Ubuntu Raring)
no longer affects: linux-lts-saucy (Ubuntu Raring)
no longer affects: linux-lts-quantal (Ubuntu Raring)
no longer affects: linux-mvl-dove (Ubuntu Raring)
no longer affects: linux (Ubuntu Raring)
no longer affects: linux-fsl-imx51 (Ubuntu Raring)
no longer affects: linux-ti-omap4 (Ubuntu Raring)
no longer affects: linux-lts-raring (Ubuntu Raring)
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: Fix Committed → Invalid