Ubuntu

CVE-2013-4343

Reported by John Johansen on 2013-09-24
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-armadaxp (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-ec2 (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-fsl-imx51 (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-lts-backport-maverick (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned
linux-lts-backport-natty (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned
linux-lts-quantal (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-lts-raring (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-lts-saucy (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-mvl-dove (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned
linux-ti-omap4 (Ubuntu)
Status tracked in Trusty
Lucid
Medium
Unassigned
Precise
Medium
Unassigned
Quantal
Medium
Unassigned
Raring
Medium
Unassigned
Saucy
Medium
Unassigned
Trusty
Medium
Unassigned

Bug Description

Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call.

Break-Fix: c8d68e6be1c3b242f1c598595830890b65cea64a 662ca437e714caaab855b12415d6ffd815985bc0

John Johansen (jjohansen) wrote :

CVE-2013-4343

tags: added: kernel-cve-tracking-bug
information type: Public → Public Security
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Raring):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Raring):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Saucy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Raring):
status: New → Invalid
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Lucid):
status: New → Invalid
Changed in linux (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Raring):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Raring):
status: New → Invalid
description: updated
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Saucy):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Raring):
importance: Undecided → Medium
description: updated
Changed in linux (Ubuntu Saucy):
status: New → Fix Committed
Changed in linux (Ubuntu Raring):
status: New → Fix Committed
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (8.9 KiB)

This bug was fixed in the package linux-lts-raring - 3.8.0-33.48~precise1

---------------
linux-lts-raring (3.8.0-33.48~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1243887

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
  ...

Read more...

Changed in linux-lts-raring (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (8.8 KiB)

This bug was fixed in the package linux - 3.8.0-33.48

---------------
linux (3.8.0-33.48) raring; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242849

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
    - LP: #1240580
  * drm/radeon/atom: wor...

Read more...

Changed in linux (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Quantal):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Quantal):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Raring):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Raring):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Saucy):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Saucy):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Trusty):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu Trusty):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu):
status: New → Won't Fix
Changed in linux-lts-backport-natty (Ubuntu):
status: New → Won't Fix
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Fix Committed
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Raring):
status: New → Invalid
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers