CVE-2010-4078

Bug #707579 reported by Brad Figg on 2011-01-25
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Andy Whitcroft
Dapper
Low
Brad Figg
Hardy
Low
Brad Figg
Karmic
Low
Brad Figg
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Andy Whitcroft

Bug Description

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16 bytes of uninitialized stack memory, because the "reserved" member of the fb_vblank struct declared on the stack is not altered or zeroed before being copied back to the user.

Brad Figg (brad-figg) wrote :

Applied commit fd02db9de73faebc51240619c7c7f99bee9f65c7 from git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git

Brad Figg (brad-figg) wrote :
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Dapper):
status: New → In Progress
Changed in linux (Ubuntu Karmic):
assignee: nobody → Brad Figg (brad-figg)
Changed in linux (Ubuntu Hardy):
status: New → In Progress
Changed in linux (Ubuntu Karmic):
status: New → In Progress
Changed in linux (Ubuntu Dapper):
assignee: nobody → Brad Figg (brad-figg)
Changed in linux (Ubuntu Hardy):
assignee: nobody → Brad Figg (brad-figg)
Brad Figg (brad-figg) wrote :
Brad Figg (brad-figg) wrote :
Brad Figg (brad-figg) on 2011-01-25
Changed in linux (Ubuntu Dapper):
importance: Undecided → Low
Changed in linux (Ubuntu Karmic):
importance: Undecided → Low
Changed in linux (Ubuntu Hardy):
importance: Undecided → Low
Brad Figg (brad-figg) on 2011-01-25
security vulnerability: no → yes
Andy Whitcroft (apw) wrote :

This commit was released in mainline v2.6.36 and is therefore Fix Released in Natty, closing out.

Changed in linux (Ubuntu Natty):
status: New → Fix Released
assignee: nobody → Andy Whitcroft (apw)
Launchpad Janitor (janitor) wrote :
Download full text (4.0 KiB)

This bug was fixed in the package linux - 2.6.24-28.86

---------------
linux (2.6.24-28.86) hardy-proposed; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #716166

  [Tim Gardner]

  * xen unified block-device I/O interface back end can orphan devices,
    CVE-2010-3699
    - LP: #708019
    - CVE-2010-3699

  [Upstream Kernel Changes]

  * Hardy SRU: thinkpad-acpi: lock down video output state access,
    CVE-2010-3448
    - LP: #706999
    - CVE-2010-3448
  * net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
    - LP: #711855, #708839
    - CVE-2010-4160
  * net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
    - LP: #711855, #708839
    - CVE-2010-4160
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * memory corruption in X.25 facilities parsing, CVE-2010-3873
    - LP: #709372
    - CVE-2010-3873
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #710714
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * KVM: VMX: fix vmx null pointer dereference on debug register access,
    CVE-2010-0435
    - LP: #712615
    - CVE-2010-0435
  * gdth: integer overflow in ioctl, CVE-2010-4157
    - LP: #711797
    - CVE-2010-4157
  * posix-cpu-timers: workaround to suppress the problems with mt exec,
    CVE-2010-4248
    - LP: #712609
    - CVE-2010-4248
  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory,
    CVE-2010-4080, CVE-2010-4081
    - LP: #712723, #712737
    - CVE-2010-4081
  * sys_semctl: fix kernel stack leakage, CVE-2010-4083
    - LP: #712749
    - CVE-2010-4083
  * inet_diag: Make sure we actually run the same bytecode we audited,
    CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880

linux (2.6.24-28.85) hardy-proposed; urgency=low

  [ Brad Figg ]

  * Tracking Bug
    - LP: #708315

  [Upstream Kernel Changes]

  * ata_piix: IDE mode SATA patch for Intel ICH10 DeviceID's
    - LP: #693401
  * USB: serial/mos*: prevent reading uninitialized stack memory,
    CVE-2010-4074
    - LP: #706149
    - CVE-2010-4074
  * KVM: Fix fs/gs reload oops with invalid ldt
    - LP: #707000
    - CVE-2010-3698
  * drivers/video/sis/sis_main.c: prevent reading uninitialized stack
    memory, CVE-2010-4078
    - LP: #707579
    - CVE-2010-4078
  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory,
    CVE-2010-4079
    - LP: #707649
    - CVE-2010-4079

linux (2.6.24-28.84) hardy-proposed; urgency=low

  [ Steve Conklin ]

  * Tracking Bug
    - LP: #698185

linux (2.6.24-28.83) hardy-proposed; urgency=low

  [ Steve Conklin ]
  * tracking bug moved from here to latest entry

linux (2.6.24-28.82) hardy-proposed; urgency=low

  [ Leann Ogasawara ]

  * Revert "SAUCE: AF_ECONET saddr->cookie prevent NULL pointer
    dereference"
  * Revert "SAUCE: AF_ECONET SIOCSIFADDR ioctl does not check privileges"
  * Revert "SAUCE: AF_ECONET prevent kernel stack overflow"

  [Upstream Kernel Changes]

  * xfs: validate untrust...

Read more...

Changed in linux (Ubuntu Hardy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (3.1 KiB)

This bug was fixed in the package linux - 2.6.31-22.73

---------------
linux (2.6.31-22.73) karmic-proposed; urgency=low

  [ Steve Conklin ]

  * Release Tracking Bug
    - LP: #716648

  [ Upstream Kernel Changes ]

  * copied ABI directory
  * net: Limit socket I/O iovec total length to INT_MAX., CVE-2010-3859
    - LP: #708839, #711855
    - CVE-2010-4160
  * net: Truncate recvfrom and sendto length to INT_MAX., CVE-2010-3859
    - LP: #708839, #711855
    - CVE-2010-4160
  * net: fix rds_iovec page count overflow, CVE-2010-3865
    - LP: #709153
    - CVE-2010-3865
  * net: ax25: fix information leak to userland, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * net: ax25: fix information leak to userland harder, CVE-2010-3875
    - LP: #710714
    - CVE-2010-3875
  * can-bcm: fix minor heap overflow
    - LP: #710680
    - CVE-2010-3874
  * memory corruption in X.25 facilities parsing, CVE-2010-3873
    - LP: #709372
    - CVE-2010-3873
  * net: packet: fix information leak to userland, CVE-2010-3876
    - LP: #710714
    - CVE-2010-3876
  * net: tipc: fix information leak to userland, CVE-2010-3877
    - LP: #711291
    - CVE-2010-3877
  * KVM: VMX: fix vmx null pointer dereference on debug register access,
    CVE-2010-0435
    - LP: #712615
    - CVE-2010-0435
  * gdth: integer overflow in ioctl, CVE-2010-4157
    - LP: #711797
    - CVE-2010-4157
  * posix-cpu-timers: workaround to suppress the problems with mt exec,
    CVE-2010-4248
    - LP: #712609
    - CVE-2010-4248
  * ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory,
    CVE-2010-4080, CVE-2010-4081
    - LP: #712723, #712737
    - CVE-2010-4081
  * drivers/video/via/ioctl.c: prevent reading uninitialized stack memory,
    CVE-2010-4082
    - LP: #712744
    - CVE-2010-4082
  * sys_semctl: fix kernel stack leakage, CVE-2010-4083
    - LP: #712749
    - CVE-2010-4083
  * inet_diag: Make sure we actually run the same bytecode we audited,
    CVE-2010-3880
    - LP: #711865
    - CVE-2010-3880

linux (2.6.31-22.72) karmic-proposed; urgency=low

  [ Brad Figg ]

  * Tracking Bug
    - LP: #708860

  [ Upstream Kernel Changes ]

  * Karmic SRU: thinkpad-acpi: lock down video output state access, CVE-2010-3448
    - LP: #706999
    - CVE-2010-3448
  * USB: serial/mos*: prevent reading uninitialized stack memory,
    CVE-2010-4074
    - LP: #706149
    - CVE-2010-4074
  * KVM: Fix fs/gs reload oops with invalid ldt
    - LP: #707000
    - CVE-2010-3698
  * drivers/video/sis/sis_main.c: prevent reading uninitialized stack
    memory, CVE-2010-4078
    - LP: #707579
    - CVE-2010-4078
  * V4L/DVB: ivtvfb: prevent reading uninitialized stack memory,
    CVE-2010-4079
    - LP: #707649
    - CVE-2010-4079

linux (2.6.31-22.71) karmic-proposed; urgency=low

  [ Brad Figg ]

  - LP: #698214

  [ Upstream Kernel Changes ]

  * ipc: initialize structure memory to zero for compat functions
  * tcp: Increase TCP_MAXSEG socket option minimum.
    - CVE-2010-4165
  * perf_events: Fix perf_counter_mmap() hook in mprotect()
    - CVE-2010-4169
  * af_unix: limit unix_tot_inflight
    - CVE-2010-4249
 -- Steve Conklin <email address hidden> Thu, 10 Feb 2011 13:49:49...

Read more...

Changed in linux (Ubuntu Karmic):
status: In Progress → Fix Released
Changed in linux (Ubuntu Dapper):
status: In Progress → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers