CVE-2010-3698
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | linux (Ubuntu) |
Medium
|
Unassigned | ||
| | Dapper |
Medium
|
Unassigned | ||
| | Hardy |
Medium
|
Stefan Bader | ||
| | Karmic |
Medium
|
Stefan Bader | ||
| | Lucid |
Medium
|
Unassigned | ||
| | Maverick |
Medium
|
Stefan Bader | ||
| | Natty |
Medium
|
Unassigned | ||
Bug Description
The KVM implementation in the Linux kernel before 2.6.36 does not properly
reload the FS and GS segment registers, which allows host OS users to cause
a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction
with a modified Local Descriptor Table (LDT).
CVE References
- 2010-0435
- 2010-2943
- 2010-3296
- 2010-3297
- 2010-3448
- 2010-3698
- 2010-3699
- 2010-3848
- 2010-3849
- 2010-3850
- 2010-3858
- 2010-3859
- 2010-3865
- 2010-3873
- 2010-3874
- 2010-3875
- 2010-3876
- 2010-3877
- 2010-3880
- 2010-4072
- 2010-4074
- 2010-4078
- 2010-4079
- 2010-4080
- 2010-4081
- 2010-4082
- 2010-4083
- 2010-4157
- 2010-4160
- 2010-4165
- 2010-4169
- 2010-4248
| Changed in linux (Ubuntu): | |
| assignee: | nobody → Stefan Bader (stefan-bader-canonical) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| status: | In Progress → Fix Released |
| Changed in linux (Ubuntu Hardy): | |
| assignee: | nobody → Stefan Bader (stefan-bader-canonical) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Changed in linux (Ubuntu Karmic): | |
| assignee: | nobody → Stefan Bader (stefan-bader-canonical) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Changed in linux (Ubuntu Maverick): | |
| assignee: | nobody → Stefan Bader (stefan-bader-canonical) |
| importance: | Undecided → Medium |
| status: | New → In Progress |
| Changed in linux (Ubuntu): | |
| assignee: | Stefan Bader (stefan-bader-canonical) → nobody |
| security vulnerability: | no → yes |
| tags: | added: kernel-cve-tracker |
| Stefan Bader (smb) wrote : | #1 |
| Changed in linux (Ubuntu Dapper): | |
| importance: | Undecided → Medium |
| status: | New → Invalid |
| Stefan Bader (smb) wrote : | #2 |
Already released in Lucid as part of a upstream stable update.
| Changed in linux (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| status: | New → Fix Released |
| Stefan Bader (smb) wrote : | #3 |
| Stefan Bader (smb) wrote : | #4 |
| Stefan Bader (smb) wrote : | #5 |
| Changed in linux (Ubuntu Hardy): | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu Karmic): | |
| status: | In Progress → Fix Committed |
| Changed in linux (Ubuntu Maverick): | |
| status: | In Progress → Fix Committed |
Accepted linux into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https:/
| Brad Figg (brad-figg) wrote : | #7 |
This is a CVE fix, there is no test case.
| tags: | added: verification-done |
| tags: |
added: verification-done-maverick removed: verification-done |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package linux - 2.6.24-28.86
---------------
linux (2.6.24-28.86) hardy-proposed; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #716166
[Tim Gardner]
* xen unified block-device I/O interface back end can orphan devices,
CVE-2010-3699
- LP: #708019
- CVE-2010-3699
[Upstream Kernel Changes]
* Hardy SRU: thinkpad-acpi: lock down video output state access,
CVE-2010-3448
- LP: #706999
- CVE-2010-3448
* net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
- LP: #711855, #708839
- CVE-2010-4160
* net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
- LP: #711855, #708839
- CVE-2010-4160
* net: ax25: fix information leak to userland, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: ax25: fix information leak to userland harder, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* memory corruption in X.25 facilities parsing, CVE-2010-3873
- LP: #709372
- CVE-2010-3873
* net: packet: fix information leak to userland, CVE-2010-3876
- LP: #710714
- CVE-2010-3876
* net: tipc: fix information leak to userland, CVE-2010-3877
- LP: #711291
- CVE-2010-3877
* KVM: VMX: fix vmx null pointer dereference on debug register access,
CVE-2010-0435
- LP: #712615
- CVE-2010-0435
* gdth: integer overflow in ioctl, CVE-2010-4157
- LP: #711797
- CVE-2010-4157
* posix-cpu-timers: workaround to suppress the problems with mt exec,
CVE-2010-4248
- LP: #712609
- CVE-2010-4248
* ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory,
CVE-2010-4080, CVE-2010-4081
- LP: #712723, #712737
- CVE-2010-4081
* sys_semctl: fix kernel stack leakage, CVE-2010-4083
- LP: #712749
- CVE-2010-4083
* inet_diag: Make sure we actually run the same bytecode we audited,
CVE-2010-3880
- LP: #711865
- CVE-2010-3880
linux (2.6.24-28.85) hardy-proposed; urgency=low
[ Brad Figg ]
* Tracking Bug
- LP: #708315
[Upstream Kernel Changes]
* ata_piix: IDE mode SATA patch for Intel ICH10 DeviceID's
- LP: #693401
* USB: serial/mos*: prevent reading uninitialized stack memory,
CVE-2010-4074
- LP: #706149
- CVE-2010-4074
* KVM: Fix fs/gs reload oops with invalid ldt
- LP: #707000
- CVE-2010-3698
* drivers/
memory, CVE-2010-4078
- LP: #707579
- CVE-2010-4078
* V4L/DVB: ivtvfb: prevent reading uninitialized stack memory,
CVE-2010-4079
- LP: #707649
- CVE-2010-4079
linux (2.6.24-28.84) hardy-proposed; urgency=low
[ Steve Conklin ]
* Tracking Bug
- LP: #698185
linux (2.6.24-28.83) hardy-proposed; urgency=low
[ Steve Conklin ]
* tracking bug moved from here to latest entry
linux (2.6.24-28.82) hardy-proposed; urgency=low
[ Leann Ogasawara ]
* Revert "SAUCE: AF_ECONET saddr->cookie prevent NULL pointer
dereference"
* Revert "SAUCE: AF_ECONET SIOCSIFADDR ioctl does not check privileges"
* Revert "SAUCE: AF_ECONET prevent kernel stack overflow"
[Upstream Kernel Changes]
* xfs: validate untrust...
| Changed in linux (Ubuntu Hardy): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package linux - 2.6.31-22.73
---------------
linux (2.6.31-22.73) karmic-proposed; urgency=low
[ Steve Conklin ]
* Release Tracking Bug
- LP: #716648
[ Upstream Kernel Changes ]
* copied ABI directory
* net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
- LP: #708839, #711855
- CVE-2010-4160
* net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
- LP: #708839, #711855
- CVE-2010-4160
* net: fix rds_iovec page count overflow, CVE-2010-3865
- LP: #709153
- CVE-2010-3865
* net: ax25: fix information leak to userland, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: ax25: fix information leak to userland harder, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* can-bcm: fix minor heap overflow
- LP: #710680
- CVE-2010-3874
* memory corruption in X.25 facilities parsing, CVE-2010-3873
- LP: #709372
- CVE-2010-3873
* net: packet: fix information leak to userland, CVE-2010-3876
- LP: #710714
- CVE-2010-3876
* net: tipc: fix information leak to userland, CVE-2010-3877
- LP: #711291
- CVE-2010-3877
* KVM: VMX: fix vmx null pointer dereference on debug register access,
CVE-2010-0435
- LP: #712615
- CVE-2010-0435
* gdth: integer overflow in ioctl, CVE-2010-4157
- LP: #711797
- CVE-2010-4157
* posix-cpu-timers: workaround to suppress the problems with mt exec,
CVE-2010-4248
- LP: #712609
- CVE-2010-4248
* ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory,
CVE-2010-4080, CVE-2010-4081
- LP: #712723, #712737
- CVE-2010-4081
* drivers/
CVE-2010-4082
- LP: #712744
- CVE-2010-4082
* sys_semctl: fix kernel stack leakage, CVE-2010-4083
- LP: #712749
- CVE-2010-4083
* inet_diag: Make sure we actually run the same bytecode we audited,
CVE-2010-3880
- LP: #711865
- CVE-2010-3880
linux (2.6.31-22.72) karmic-proposed; urgency=low
[ Brad Figg ]
* Tracking Bug
- LP: #708860
[ Upstream Kernel Changes ]
* Karmic SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448
- LP: #706999
- CVE-2010-3448
* USB: serial/mos*: prevent reading uninitialized stack memory,
CVE-2010-4074
- LP: #706149
- CVE-2010-4074
* KVM: Fix fs/gs reload oops with invalid ldt
- LP: #707000
- CVE-2010-3698
* drivers/
memory, CVE-2010-4078
- LP: #707579
- CVE-2010-4078
* V4L/DVB: ivtvfb: prevent reading uninitialized stack memory,
CVE-2010-4079
- LP: #707649
- CVE-2010-4079
linux (2.6.31-22.71) karmic-proposed; urgency=low
[ Brad Figg ]
- LP: #698214
[ Upstream Kernel Changes ]
* ipc: initialize structure memory to zero for compat functions
* tcp: Increase TCP_MAXSEG socket option minimum.
- CVE-2010-4165
* perf_events: Fix perf_counter_mmap() hook in mprotect()
- CVE-2010-4169
* af_unix: limit unix_tot_inflight
- CVE-2010-4249
-- Steve Conklin <email address hidden> Thu, 10 Feb 2011 13:49:49...
| Changed in linux (Ubuntu Karmic): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux - 2.6.35-27.48
---------------
linux (2.6.35-27.48) maverick-proposed; urgency=low
[ Steve Conklin ]
* Release Tracking Bug
- LP: #723335
[ Upstream Kernel Changes ]
* thinkpad-acpi: avoid keymap pitfall
- LP: #722747
linux (2.6.35-27.47) maverick-proposed; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #716532
[ Upstream Kernel Changes ]
* Revert "USB: gadget: Allow function access to device ID data during
bind()"
- LP: #714732
* net: fix rds_iovec page count overflow, CVE-2010-3865
- LP: #709153
- CVE-2010-3865
* Input: fix typo in keycode validation supporting large scancodes
- LP: #658198
* net: ax25: fix information leak to userland, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: ax25: fix information leak to userland harder, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: packet: fix information leak to userland, CVE-2010-3876
- LP: #710714
- CVE-2010-3876
* net: tipc: fix information leak to userland, CVE-2010-3877
- LP: #711291
- CVE-2010-3877
* posix-cpu-timers: workaround to suppress the problems with mt exec,
CVE-2010-4248
- LP: #712609
- CVE-2010-4248
* sys_semctl: fix kernel stack leakage, CVE-2010-4083
- LP: #712749
- CVE-2010-4083
* thinkpad-acpi: lock down size of hotkey keymap
- LP: #712174
* thinkpad-acpi: add support for model-specific keymaps
- LP: #712174
* thinkpad-acpi: Add KEY_CAMERA (Fn-F6) for Lenovo keyboards
- LP: #712174
* x86, hotplug: Use mwait to offline a processor, fix the legacy case
- LP: #714732
* fuse: verify ioctl retries
- LP: #714732
* fuse: fix ioctl when server is 32bit
- LP: #714732
* ALSA: hda: Use position_fix=1 for Acer Aspire 5538 to enable capture on
internal mic
- LP: #685161, #714732
* ALSA: hda: Use model=lg quirk for LG P1 Express to enable playback and
capture
- LP: #595482, #714732
* drm/radeon/kms: don't apply 7xx HDP flush workaround on AGP
- LP: #714732
* drm/kms: remove spaces from connector names (v2)
- LP: #714732
* drm/radeon/kms: fix vram base calculation on rs780/rs880
- LP: #714732
* nohz: Fix printk_needs_cpu() return value on offline cpus
- LP: #714732
* nohz: Fix get_next_
- LP: #714732
* nfsd: Fix possible BUG_ON firing in set_change_info
- LP: #714732
* NFS: Fix fcntl F_GETLK not reporting some conflicts
- LP: #714732
* sunrpc: prevent use-after-free on clearing XPT_BUSY
- LP: #714732
* hwmon: (adm1026) Allow 1 as a valid divider value
- LP: #714732
* hwmon: (adm1026) Fix setting fan_div
- LP: #714732
* EDAC: Fix workqueue-related crashes
- LP: #714732
* amd64_edac: Fix interleaving check
- LP: #714732
* ASoC: Fix swap of left and right channels for WM8993/4 speaker boost
gain
- LP: #714732
* ASoC: Fix off by one error in WM8994 EQ register bank size
- LP: #714732
* ASoC: WM8580: Fix R8 initial value
- LP: #714732
* ASoC: fix deemphasis control in wm8904/55/60 codecs
- LP: #714732
* bootmem: Add alloc_bootmem_...
| Changed in linux (Ubuntu Maverick): | |
| status: | Fix Committed → Fix Released |
No KVM in Dapper, so not affected.