This bug was fixed in the package linux - 3.13.0-157.207 --------------- linux (3.13.0-157.207) trusty; urgency=medium * linux: 3.13.0-157.207 -proposed tracker (LP: #1787982) * CVE-2017-5715 (Spectre v2 retpoline) - SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps" * CVE-2017-2583 - KVM: x86: fix emulation of "MOV SS, null selector" * CVE-2017-7518 - KVM: x86: fix singlestepping over syscall * CVE-2017-18270 - KEYS: prevent creating a different user's keyrings * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181) - Documentation: Document array_index_nospec - array_index_nospec: Sanitize speculative array de-references - x86: Implement array_index_mask_nospec - x86: Introduce barrier_nospec - x86/get_user: Use pointer masking to limit speculation - x86/syscall: Sanitize syscall table de-references under speculation - vfs, fdtable: Prevent bounds-check bypass via speculative execution - nl80211: Sanitize array index in parse_txq_params - x86/spectre: Report get_user mitigation for spectre_v1 - x86/kvm: Update spectre-v1 mitigation - nospec: Allow index argument to have const-qualified type - nospec: Move array_index_nospec() parameter checking into separate macro - nospec: Kill array_index_nospec_mask_check() - SAUCE: Replace osb() calls with array_index_nospec() - SAUCE: Rename osb() to barrier_nospec() - SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h * Prevent speculation on user controlled pointer (LP: #1775137) - x86: reorganize SMAP handling in user space accesses - x86: fix SMAP in 32-bit environments - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec * CVE-2016-10208 - ext4: validate s_first_meta_bg at mount time - ext4: fix fencepost in s_first_meta_bg validation * CVE-2018-10323 - xfs: set format back to extents if xfs_bmap_extents_to_btree * CVE-2017-16911 - usbip: prevent vhci_hcd driver from leaking a socket pointer address * CVE-2018-13406 - video: uvesafb: Fix integer overflow in allocation * CVE-2018-10877 - ext4: verify the depth of extent tree in ext4_find_extent() * CVE-2018-10881 - ext4: clear i_data in ext4_inode_info when removing inline data * CVE-2018-1092 - ext4: fail ext4_iget for root directory if unallocated * CVE-2018-1093 - ext4: fix block bitmap validation when bigalloc, ^flex_bg - ext4: add validity checks for bitmap block numbers * CVE-2018-12233 - jfs: Fix inconsistency between memory allocation and ea_buf->max_size * CVE-2017-16912 - usbip: fix stub_rx: get_pipe() to validate endpoint number * CVE-2018-10675 - mm/mempolicy: fix use after free when calling get_mempolicy * CVE-2017-8831 - saa7164: fix sparse warnings - saa7164: fix double fetch PCIe access condition * CVE-2017-16533 - HID: usbhid: fix out-of-bounds bug * CVE-2017-16538 - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start * CVE-2017-16644 - hdpvr: Remove deprecated create_singlethread_workqueue - media: hdpvr: Fix an error handling path in hdpvr_probe() * CVE-2017-16645 - Input: ims-psu - check if CDC union descriptor is sane * CVE-2017-5549 - USB: serial: kl5kusb105: fix line-state error handling * CVE-2017-16532 - usb: usbtest: fix NULL pointer dereference * CVE-2017-16537 - media: imon: Fix null-ptr-deref in imon_probe * CVE-2017-11472 - ACPICA: Add additional debug info/statements - ACPICA: Namespace: fix operand cache leak * CVE-2017-16643 - Input: gtco - fix potential out-of-bound access * CVE-2017-16531 - USB: fix out-of-bounds in usb_set_configuration * CVE-2018-10124 - kernel/signal.c: avoid undefined behaviour in kill_something_info * CVE-2017-6348 - irda: Fix lockdep annotations in hashbin_delete(). * CVE-2017-17558 - USB: core: prevent malicious bNumInterfaces overflow * CVE-2017-5897 - ip6_gre: fix ip6gre_err() invalid reads * CVE-2017-6345 - SAUCE: import sock_efree() - net/llc: avoid BUG_ON() in skb_orphan() * CVE-2017-7645 - nfsd: check for oversized NFSv2/v3 arguments * CVE-2017-9984 - ALSA: msnd: Optimize / harden DSP and MIDI loops * CVE-2018-1000204 - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() * CVE-2018-10021 - scsi: libsas: defer ata device eh commands to libata * CVE-2017-16914 - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer * CVE-2017-16913 - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input * CVE-2017-16535 - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor() * CVE-2017-16536 - cx231xx-cards: fix NULL-deref on missing association descriptor * CVE-2017-16650 - net: qmi_wwan: fix divide by 0 on bad descriptors * CVE-2017-18255 - perf/core: Fix the perf_cpu_time_max_percent check * CVE-2018-10940 - cdrom: information leak in cdrom_ioctl_media_changed() * CVE-2018-13094 - xfs: don't call xfs_da_shrink_inode with NULL bp * other users' coredumps can be read via setgid directory and killpriv bypass (LP: #1779923) // CVE-2018-13405 - Fix up non-directory creation in SGID directories * CVE-2017-16529 - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor * CVE-2017-2671 - ping: implement proper locking * CVE-2017-15649 - packet: hold bind lock when rebinding to fanout hook - packet: in packet_do_bind, test fanout with bind_lock held * CVE-2017-16527 - ALSA: usb-audio: Kill stray URB at exiting * CVE-2017-16526 - uwb: properly check kthread_run return value * CVE-2017-11473 - x86/acpi: Prevent out of bound access caused by broken ACPI tables * CVE-2017-14991 - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE * CVE-2017-2584 - KVM: x86: Introduce segmented_write_std * CVE-2018-10087 - kernel/exit.c: avoid undefined behaviour when calling wait4() * fscache: Fix hanging wait on page discarded by writeback (LP: #1777029) - fscache: Fix hanging wait on page discarded by writeback -- Khalid Elmously